Analysis
- max time kernel: 151s
- max time network: 113s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 26-11-2020 08:13
Static task: static1
Behavioral task: behavioral1
- Sample: SecuriteInfo.com.Trojan.TaskDisabler.k5Y@aaTO94BT.2611.9681.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: SecuriteInfo.com.Trojan.TaskDisabler.k5Y@aaTO94BT.2611.9681.exe
- Resource: win10v20201028
General
- Target: SecuriteInfo.com.Trojan.TaskDisabler.k5Y@aaTO94BT.2611.9681.exe
- Size: 1.2MB
- MD5: 94e0fdb02e15e6aa0cbb0d0241a79c8d
- SHA1: fb2eae92ce3a5c8b558668db9ef5560451d6528d
- SHA256: 1e43c91ddfe9fab0e41657d423fe3c4fb87aad1993e5fb3f173bb36a268273f7
- SHA512: 341b1de271b3e861b4c9deb2a1d2a6a017e1ae0ca1700283f990385156ea9e3928d0a3a19f54ee97e0bb9a2765b8c670660c0a13695a520f2b79bfdc3eb953cd
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
  Processes: SecuriteInfo.com.Trojan.TaskDisabler.k5Y@aaTO94BT.2611.9681.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\WINDOWS\\boohbahshell.exe" | SecuriteInfo.com.Trojan.TaskDisabler.k5Y@aaTO94BT.2611.9681.exe
- Disables Task Manager via registry modification
- Modifies WinLogon to allow AutoLogon (2 TTPs, 1 IoCs)
  Enables rebooting of the machine without requiring login credentials.
  Processes: LogonUI.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked | LogonUI.exe
- Drops file in Windows directory (2 IoCs)
  Processes: SecuriteInfo.com.Trojan.TaskDisabler.k5Y@aaTO94BT.2611.9681.exe
  description | ioc | process
  File created | C:\WINDOWS\boohbahshell.exe | SecuriteInfo.com.Trojan.TaskDisabler.k5Y@aaTO94BT.2611.9681.exe
  File created | C:\WINDOWS\boohbahmain.exe | SecuriteInfo.com.Trojan.TaskDisabler.k5Y@aaTO94BT.2611.9681.exe
- Modifies data under HKEY_USERS (15 IoCs)
  Processes: LogonUI.exe
  description | ioc | process
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | LogonUI.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | LogonUI.exe
- Suspicious behavior: LoadsDriver (35773 IoCs)
  Processes (pid | process):
  3808, 3748, 1904, 3680, 3712, 4052, 3084, 2824, 3248, 416, 508, 2840, 3148, 2636, 3672, 2596, 212, 208, 1940, 1364, 940, 3656, 2912, 2308, 2224, 3184, 2696, 2620, 3464, 3368, 1308, 1172, 1340, 1168, 1532, 4080, 748, 3740, 2132, 2128, 3804, 2088, 3268, 2568, 3468, 1264, 3824, 3908, 900, 2936, 3936, 3768, 3932, 3976, 3036, 644, 3904, 3424, 2856, 3836, 3868, 3872, 3760, 3708
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes: LogonUI.exe
  pid | process
  960 | LogonUI.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.TaskDisabler.k5Y@aaTO94BT.2611.9681.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.TaskDisabler.k5Y@aaTO94BT.2611.9681.exe"
  - Modifies WinLogon for persistence
  - Drops file in Windows directory
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x0 /state0:0xa3ad1055 /state1:0x41c64e6d
  - Modifies WinLogon to allow AutoLogon
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx