Analysis
-
max time kernel
239s -
max time network
206s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
29-06-2024 05:26
Errors
General
-
Target
windows-malware-master/WinXP Horror Edition/WinXP.Horror.Destructive (Created By WobbyChip).exe
-
Size
57.9MB
-
MD5
063ea883f8c67d3bb22e0a465136ca4c
-
SHA1
3a168a9153ee32b86d9a5411b0af13846c55ee1d
-
SHA256
3b64ce283febf3207dd20c99fc53de65b07044231eb544c4c41de374a2571c5c
-
SHA512
2dd6be23a5af8c458b94eeb5a4e83fc8cacb3fd2c2566b5682eee286c01726dca90db3d9b4e218eeded9b0c9bce8ba3c9ca9cc497e3a57aab580633a038e4b74
-
SSDEEP
1572864:aj6L5PLk/mBCSyKOYl39GFoFEujFMm+B997DaNHN1oS72fnD9hRzZ01tO0DpvrvI:i6cSzV9GCFEujFMm+B997DaNHN1oS72X
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
UAC bypass 3 TTPs 1 IoCs
-
Disables RegEdit via registry modification 1 IoCs
-
Disables Task Manager via registry modification
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Modifies Control Panel 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
System policy modification 1 TTPs 5 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\windows-malware-master\WinXP Horror Edition\WinXP.Horror.Destructive (Created By WobbyChip).exe"C:\Users\Admin\AppData\Local\Temp\windows-malware-master\WinXP Horror Edition\WinXP.Horror.Destructive (Created By WobbyChip).exe"1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Disables RegEdit via registry modification
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x4ac 0x4dc1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2572-0-0x0000000005BB0000-0x0000000005BB1000-memory.dmpFilesize
4KB
-
memory/2572-1-0x0000000000400000-0x0000000003DF3000-memory.dmpFilesize
57.9MB
-
memory/2572-2-0x0000000000400000-0x0000000003DF3000-memory.dmpFilesize
57.9MB
-
memory/2572-3-0x0000000000400000-0x0000000003DF3000-memory.dmpFilesize
57.9MB
-
memory/2572-9-0x0000000000400000-0x0000000003DF3000-memory.dmpFilesize
57.9MB
-
memory/2572-14-0x0000000000400000-0x0000000003DF3000-memory.dmpFilesize
57.9MB
-
memory/2572-15-0x0000000000400000-0x0000000003DF3000-memory.dmpFilesize
57.9MB
-
memory/2572-16-0x0000000000400000-0x0000000003DF3000-memory.dmpFilesize
57.9MB
-
memory/2572-19-0x0000000000400000-0x0000000003DF3000-memory.dmpFilesize
57.9MB
-
memory/2572-20-0x0000000000400000-0x0000000003DF3000-memory.dmpFilesize
57.9MB
-
memory/2572-21-0x0000000000400000-0x0000000003DF3000-memory.dmpFilesize
57.9MB
-
memory/2572-22-0x0000000000400000-0x0000000003DF3000-memory.dmpFilesize
57.9MB
-
memory/2572-23-0x0000000000400000-0x0000000003DF3000-memory.dmpFilesize
57.9MB
-
memory/2572-24-0x0000000000400000-0x0000000003DF3000-memory.dmpFilesize
57.9MB
-
memory/2572-25-0x0000000000400000-0x0000000003DF3000-memory.dmpFilesize
57.9MB