Overview

Static (score 10)

All submitted samples, with the static score shown for each (every task ran on windows10-ltsc 2021-x64):

Score  Sample
10     Trojan/BlueScreen.exe
5      Trojan/Bolbi.vbs
10     Trojan/Carewmr.vbs
4      Trojan/Dud...an.bat
1      Trojan/Fra...n.docx
1      Trojan/Grave.apk
3      Trojan/L0Lz.bat
8      Trojan/Malum.apk
3      Trojan/Mis...st.exe
8      Trojan/Mis...er.exe
8      Trojan/Mis...RC.exe
8      Trojan/Mob...re.apk
3      Trojan/Mrs...or.exe
-      MrsMajor2.0.exe
-      Trojan/Mrs....0.exe
10     Trojan/Offiz.html
4      Trojan/Spa...rk.exe
7      Trojan/Spa...rk.exe
9      Trojan/XCS...f54ca6
3      Trojan/XCS...2aed41
3      Trojan/XCS...b54692
3      Trojan/XCS...00f6c1
3      Trojan/elite.apk
3      Trojan/mobelejen.apk
3      Trojan/vi4a.apk
Analysis (score 3)

Max time kernel: 97s
Max time network: 208s
Platform: windows10-ltsc 2021_x64
Resource: win10ltsc2021-20241023-en
Resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
Submitted: 06-12-2024 10:38
Behavioral tasks (all run on resource win10ltsc2021-20241023-en)

behavioral1   Trojan/BlueScreen.exe
behavioral2   Trojan/Bolbi.vbs
behavioral3   Trojan/Carewmr.vbs
behavioral4   Trojan/DudleyTrojan.bat
behavioral5   Trojan/Frankenstein.docx
behavioral6   Trojan/Grave.apk
behavioral7   Trojan/L0Lz.bat
behavioral8   Trojan/Malum.apk
behavioral9   Trojan/Mist/MistInfected_newest.exe
behavioral10  Trojan/Mist/MistInstaller.exe
behavioral11  Trojan/Mist/MistInstallerRC.exe
behavioral12  Trojan/Mobile_Legends_Adventure.apk
behavioral13  Trojan/MrsMajors/BossDaMajor/BossDaMajor.exe
behavioral14  MrsMajor2.0.exe
behavioral15  Trojan/MrsMajors/MrsMajor3.0.exe
behavioral16  Trojan/Offiz.html
behavioral17  Trojan/Spark/NETFramework.exe
behavioral18  Trojan/Spark/Spark.exe
behavioral19  Trojan/XCSSETMacMalware/TrojanSpy.MacOS.XCSSET.A.6614978ab256f922d7b6dbd7cc15c6136819f4bcfb5a0fead480561f0df54ca6
behavioral20  Trojan/XCSSETMacMalware/TrojanSpy.MacOS.XCSSET.A.6fa938770e83ef2e177e8adf4a2ea3d2d5b26107c30f9d85c3d1a557db2aed41
behavioral21  Trojan/XCSSETMacMalware/TrojanSpy.MacOS.XCSSET.A.ac3467a04eeb552d92651af1187bdc795100ea77a7a1ac755b4681c654b54692
behavioral22  Trojan/XCSSETMacMalware/TrojanSpy.MacOS.XCSSET.A.d11a549e6bc913c78673f4e142e577f372311404766be8a3153792de9f00f6c1
behavioral23  Trojan/elite.apk
behavioral24  Trojan/mobelejen.apk
behavioral25  Trojan/vi4a.apk
General

Target: Trojan/L0Lz.bat
Size: 6KB
MD5: 74f8a282848b8a26ceafe1f438e358e0
SHA1: 007b350c49b71b47dfc8dff003980d5f8da32b3a
SHA256: fc94130b45112bdf7fe64713eb807f4958cdcdb758c25605ad9318cd5a8e17ae
SHA512: 3f73c734432b7999116452e673d734aa3f5fe9005efa7285c76d28a98b4c5d2620e772f421e030401ad223abbb07c6d0e79b91aa97b7464cb21e3dc0b49c5a81
SSDEEP: 192:tlYUT1jLPD5mZkRr3TfLQ4/zus8joPRJRqU1jXEmo:tlY85XW
Malware Config
Signatures

Modifies Windows Firewall (2 TTPs, 1 IoC)
  PID 852  netsh.exe

Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat  (xcopy.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat  (xcopy.exe)

Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)
  Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  Key value enumerated: \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  (netsh.exe)
  Key opened: \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  (netsh.exe)
  Key queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  (netsh.exe)

Kills process with taskkill (1 IoC)
  PID 4220  taskkill.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege  PID 4220  taskkill.exe

Suspicious use of WriteProcessMemory (36 IoCs; the report lists each parent/child pair below twice)
  Writer PID  Process   Target PID  procid_target
  4196        cmd.exe   1476        82
  1476        net.exe   1572        83
  4196        cmd.exe   4256        84
  4256        net.exe   1040        85
  4196        cmd.exe   3196        86
  3196        net.exe   4072        87
  4196        cmd.exe   4220        88
  4196        cmd.exe   4232        90
  4232        net.exe   4528        91
  4196        cmd.exe   4648        92
  4648        net.exe   3800        93
  4196        cmd.exe   852         94
  4196        cmd.exe   1184        95
  1184        net.exe   2288        96
  4196        cmd.exe   2040        97
  4196        cmd.exe   252         98
  4196        cmd.exe   4280        99
  4196        cmd.exe   3772        100
Processes (parent/child tree; indentation shows depth)

C:\Windows\system32\cmd.exe  PID 4196
    cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Trojan\L0Lz.bat"
    signatures: Suspicious use of WriteProcessMemory

    C:\Windows\system32\net.exe  PID 1476
        cmdline: net session
        signatures: Suspicious use of WriteProcessMemory

        C:\Windows\system32\net1.exe  PID 1572
            cmdline: C:\Windows\system32\net1 session

    C:\Windows\system32\net.exe  PID 4256
        cmdline: net stop "SDRSVC"
        signatures: Suspicious use of WriteProcessMemory

        C:\Windows\system32\net1.exe  PID 1040
            cmdline: C:\Windows\system32\net1 stop "SDRSVC"

    C:\Windows\system32\net.exe  PID 3196
        cmdline: net stop "WinDefend"
        signatures: Suspicious use of WriteProcessMemory

        C:\Windows\system32\net1.exe  PID 4072
            cmdline: C:\Windows\system32\net1 stop "WinDefend"

    C:\Windows\system32\taskkill.exe  PID 4220
        cmdline: taskkill /f /t /im "MSASCui.exe"
        signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\net.exe  PID 4232
        cmdline: net stop "security center"
        signatures: Suspicious use of WriteProcessMemory

        C:\Windows\system32\net1.exe  PID 4528
            cmdline: C:\Windows\system32\net1 stop "security center"

    C:\Windows\system32\net.exe  PID 4648
        cmdline: net stop sharedaccess
        signatures: Suspicious use of WriteProcessMemory

        C:\Windows\system32\net1.exe  PID 3800
            cmdline: C:\Windows\system32\net1 stop sharedaccess

    C:\Windows\system32\netsh.exe  PID 852
        cmdline: netsh firewall set opmode mode-disable
        signatures: Modifies Windows Firewall; Event Triggered Execution: Netsh Helper DLL

    C:\Windows\system32\net.exe  PID 1184
        cmdline: net stop "wuauserv"
        signatures: Suspicious use of WriteProcessMemory

        C:\Windows\system32\net1.exe  PID 2288
            cmdline: C:\Windows\system32\net1 stop "wuauserv"

    C:\Windows\system32\cmd.exe  PID 2040
        cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo tasklist "

    C:\Windows\system32\find.exe  PID 252
        cmdline: find /I "L0Lz"

    C:\Windows\system32\xcopy.exe  PID 4280
        cmdline: XCOPY "BitcoinMiner.bat" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
        signatures: Drops startup file

    C:\Windows\system32\xcopy.exe  PID 3772
        cmdline: XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 276B
MD5: 873e37981c491d46b8648018c2512457
SHA1: 8212272874b761052d3b51c30031a1555e23dcc5
SHA256: 5e2757b28e2fc1ec2085807ea98ec9c2da5dcb15e3a72eccf2a00fdd512d1798
SHA512: 93578dba6680a80ef7071c2780e1e71c4ddf3e51ae58c8efa2b3d726da8eabadbd54a902d0d438f216f31003b713b59ae07abf2c914a8221faebf06e1966ac26