hxxps://github[.]com/TheDarkMythos/windows-malware

Analysis

max time kernel
136s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-11-2024 15:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/TheDarkMythos/windows-malware

Score

10^/10

discovery evasion exploit persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

wscript.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, wscript.exe \"C:\\Program Files\\MicrosoftWindowsServicesEtc\\xRunReg.vbs\""	wscript.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

wscript.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

wscript.exe

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\disableregistrytools = "1"	wscript.exe

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

Possible privilege escalation attempt 4 IoCs

exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid	Process
3936	takeown.exe
3384	icacls.exe
640	takeown.exe
2860	icacls.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MrsMajor2.0.exeMrsMajor2.0.exeMrsMajor2.0.exewscript.exeGetReady.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	MrsMajor2.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	MrsMajor2.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	MrsMajor2.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	GetReady.exe

Executes dropped EXE 6 IoCs

Processes:

MrsMajor2.0.exeMrsMajor2.0.exeMrsMajor2.0.exeeula32.exeGetReady.exenotmuch.exe

pid	Process
792	MrsMajor2.0.exe
3764	MrsMajor2.0.exe
4440	MrsMajor2.0.exe
1604	eula32.exe
3084	GetReady.exe
952	notmuch.exe

Modifies file permissions 1 TTPs 4 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid	Process
3936	takeown.exe
3384	icacls.exe
640	takeown.exe
2860	icacls.exe

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

wscript.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Program Files\\MicrosoftWindowsServicesEtc\\data\\fileico.ico"	wscript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

wscript.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MajorX = "wscript.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\xRun.vbs\""	wscript.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

Processes:

flow	ioc
69	raw.githubusercontent.com
70	raw.githubusercontent.com

Drops file in System32 directory 2 IoCs

Processes:

cmd.exe

description	ioc	Process
File opened for modification	C:\Windows\System32\taskmgr.exe	cmd.exe
File opened for modification	C:\Windows\System32\sethc.exe	cmd.exe

Drops file in Program Files directory 37 IoCs

Processes:

wscript.exe

description	ioc	Process
File created	C:\program files\MicrosoftWindowsServicesEtc\breakrule.exe	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\weird\majorlist.bat	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\WinScrew.exe	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\weird\bsod.bat	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\weird\WinScrew.bat	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\xRun.vbs	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\xRunReg.vbs	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\DgzRun.vbs	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\Major.exe	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\majordared.exe	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\AppKill.bat	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\clingclang.wav	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\NotMuch.exe	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\healgen.vbs	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\weird\cmd.vbs	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\checker.bat	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\data\excursor.ani	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\GetReady.exe	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\CallFunc.vbs	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\weird\GetReady.bat	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\weird\Major.vbs	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\example.txt	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\fexec.vbs	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\data\runner32s.exe	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\majorsod.exe	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\weird\breakrule.vbs	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\weird\majorsod.vbs	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\weird\runner32s.vbs	wscript.exe
File opened for modification	C:\program files\MicrosoftWindowsServicesEtc\AppKill.bat	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\bsod.exe	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\data\eula32.exe	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\rsod.exe	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\RuntimeChecker.exe	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\weird\RuntimeChecker.vbs	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\data\fileico.ico	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\data\thetruth.jpg	wscript.exe
File created	C:\program files\MicrosoftWindowsServicesEtc\majorlist.exe	wscript.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

MrsMajor2.0.exeMrsMajor2.0.exeMrsMajor2.0.exeeula32.exeGetReady.exenotmuch.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MrsMajor2.0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MrsMajor2.0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MrsMajor2.0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eula32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GetReady.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notmuch.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Control Panel 4 IoCs

evasion

Processes:

wscript.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\Cursors\AppStarting = "C:\\Program Files\\MicrosoftWindowsServicesEtc\\data\\excursor.ani"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\Cursors\Hand = "C:\\Program Files\\MicrosoftWindowsServicesEtc\\data\\excursor.ani"	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\Cursors	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\Cursors\Arrow = "C:\\Program Files\\MicrosoftWindowsServicesEtc\\data\\excursor.ani"	wscript.exe

Modifies registry class 11 IoCs

Processes:

wscript.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Program Files\\MicrosoftWindowsServicesEtc\\data\\fileico.ico"	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mp3file\DefaultIcon	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mp4file\DefaultIcon\ = "C:\\Program Files\\MicrosoftWindowsServicesEtc\\data\\fileico.ico"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile\DefaultIcon\ = "C:\\Program Files\\MicrosoftWindowsServicesEtc\\data\\fileico.ico"	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Program Files\\MicrosoftWindowsServicesEtc\\data\\fileico.ico"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mp3file\DefaultIcon\ = "C:\\Program Files\\MicrosoftWindowsServicesEtc\\data\\fileico.ico"	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mp4file\DefaultIcon	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mp4file	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile\DefaultIcon	wscript.exe

NTFS ADS 1 IoCs

Processes:

msedge.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 670066.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exe

pid	Process
1028	msedge.exe
1028	msedge.exe
1476	msedge.exe
1476	msedge.exe
1456	identity_helper.exe
1456	identity_helper.exe
3124	msedge.exe
3124	msedge.exe
1988	msedge.exe
1988	msedge.exe
1988	msedge.exe
1988	msedge.exe

Suspicious behavior: LoadsDriver 6 IoCs

Processes:

pid	Process
4