Analysis

  • max time kernel
    73s
  • max time network
    73s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    17-12-2020 14:14

Errors

Reason
Machine shutdown

General

  • Target

    https://www.syssel.net/hoefs/software_uxtheme.php?lang=en

  • Sample

    201217-hlzznj36na

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Modifies WinLogon to allow AutoLogon 2 TTPs 1 IoCs

    Enables rebooting of the machine without requiring login credentials.

  • Possible privilege escalation attempt 4 IoCs
  • Loads dropped DLL 18 IoCs
  • Modifies file permissions 1 TTPs 4 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 96 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 51 IoCs
  • Modifies data under HKEY_USERS 17 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://www.syssel.net/hoefs/software_uxtheme.php?lang=en
    1⤵
    • Modifies Internet Explorer Phishing Filter
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4712
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4712 CREDAT:82945 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:4108
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\C75WK71L\UltraUXThemePatcher_4.0.0.exe
      "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\C75WK71L\UltraUXThemePatcher_4.0.0.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:548
      • C:\Windows\system32\takeown.exe
        "C:\Windows\system32\takeown.exe" /f "C:\Windows\system32\themeui.dll"
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:4360
      • C:\Windows\system32\icacls.exe
        "C:\Windows\system32\icacls.exe" "C:\Windows\system32\themeui.dll" /grant Admin:(d,wdac)
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:2884
      • C:\Windows\system32\takeown.exe
        "C:\Windows\system32\takeown.exe" /f "C:\Windows\system32\uxinit.dll"
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:2500
      • C:\Windows\system32\icacls.exe
        "C:\Windows\system32\icacls.exe" "C:\Windows\system32\uxinit.dll" /grant Admin:(d,wdac)
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:1084
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4500
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
    1⤵
    • Checks SCSI registry key(s)
    • Modifies data under HKEY_USERS
    PID:2928
  • C:\Windows\system32\srtasks.exe
    C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4632
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0 /state0:0xa3ad5855 /state1:0x41c64e6d
    1⤵
    • Modifies WinLogon to allow AutoLogon
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:4812

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    Winlogon Helper DLL (1) T1004
  • Defense Evasion
    Modify Registry (3) T1112
    File Permissions Modification (1) T1222
  • Discovery
    Query Registry (2) T1012
    Peripheral Device Discovery (1) T1120
    System Information Discovery (1) T1082

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    MD5

    595841f5dc95a3e87ab99e8301770ee2

    SHA1

    a247b501b03b452e712e501e369d7e5d147ff07d

    SHA256

    966e758da0bd9eafa887314f64319bdcdbefd34a019ed558623a0dd58657d400

    SHA512

    e9f3e54375eb7440f4556c16728080d697010b80bd3bc971e1bafd07c428a2bf6d310efe61c9c859a0c794ea7de6956f82216e139d7990da6d71d8acbd379e4b

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08
    MD5

    d8202f6a3883da867d0610e0efc9b004

    SHA1

    564094d6a70e022ceb1c689477cf52753aa92512

    SHA256

    0e9f6f61c50672b7d005d48bc642d2d4cad6661d4af6111040539370495f986a

    SHA512

    5f9fad4c28a61f30a1bbaa10375072b7239dbb170c182d176e2476a8353af81a0e5edc9c12ed053953a567dc91f2f3fa12301610797e5e88013388f4a3f6d3ec

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FC80157CAF0684285CD0FAEEC7613BC2
    MD5

    98484a62a5fa7df5c0995113fe6fc277

    SHA1

    6b4633be34d3953f9eb2579471207e889e8d921d

    SHA256

    2941a490e64e474632e79ed00b9e14b2f5497e82fd01e188ed2076a9dbc12eaf

    SHA512

    0e44eda68625de85f7bb0e37029af1ce91e85b29cc854cdc7c25aa6e1f91dd9123f5ac0c0ddb09b6f9a0a3d30840932d498ce6e98a1f4d1d6c756e108983fabd

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    MD5

    ed2f897e6a71ae727cd64a224ad4c53a

    SHA1

    2f60db711d874041e932616dae4f9b4d4159e96c

    SHA256

    0f5712bc7c4140625fde88caab25dc0aca7f8b13e995f247e41362a3fab1c87a

    SHA512

    75bfbc4c681bd3f0356ab26135204edfe15e83cc828b4d9925e6ce93ecb15c4f6d4b7e25aeca5425182addb38fb1163c9a5cacf0990b71a0a50112cf8bd4be29

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08
    MD5

    41f36a16c538c16ecc02dba44f1ff5dc

    SHA1

    d63131e8443123cbfb8c89dcd9e10d619032a102

    SHA256

    36adc68ed4f73fd62ae960f39cd3b19a6c79b078646012e926f52f5a9fc96cf4

    SHA512

    40fabfdc33a26b0b85ebc749bed27625e2b12877f16fc7793d94ce25a1a2451b62cae8091d5fa845c9fa6d10843d0f4e313b93200567e05f6d8e123e73855ad4

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FC80157CAF0684285CD0FAEEC7613BC2
    MD5

    bc89899d52a02c9be86c1bb6237392b4

    SHA1

    2b37f14bbd0cfeb83f8036ab7c013b14380fd1e5

    SHA256

    6117e22e44c85560d76e21e3fa367e7f771de42963d853e742c8c1ca9c79b7ba

    SHA512

    020c3ba77a3dab22a1f78cfa6436ed3f0146e8605cfdd0453ec1a7f5fdf737257d4ccd31230dd46602e38bcfbe0fa07daf87b26345ad48d519605ba261d6ffc9

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\C75WK71L\UltraUXThemePatcher_4.0.0.exe
    MD5

    2ce462ca6328e3d0a82e29f105bac477

    SHA1

    29911f1d023b7ed28c03344f2888cfebe2bd8780

    SHA256

    c858d85422ba6e7c619317a5cb869e92ecadaeb9bd323de821462c2c9fb8cff3

    SHA512

    33d80e99f24d47000b04cfb339ff6ecf309ef156f10dc3491f94beb580479907c4eae4206af33b9c259ce9d4264a58a4ab7faa879f1277a8481a8b85f38ae17c

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\C75WK71L\UltraUXThemePatcher_4.0.0.exe.vxrlrlp.partial
    MD5

    2ce462ca6328e3d0a82e29f105bac477

    SHA1

    29911f1d023b7ed28c03344f2888cfebe2bd8780

    SHA256

    c858d85422ba6e7c619317a5cb869e92ecadaeb9bd323de821462c2c9fb8cff3

    SHA512

    33d80e99f24d47000b04cfb339ff6ecf309ef156f10dc3491f94beb580479907c4eae4206af33b9c259ce9d4264a58a4ab7faa879f1277a8481a8b85f38ae17c

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\XVQWSYPA.cookie
    MD5

    cc9f8aebebbd1ea55742514f569fce9e

    SHA1

    c4286864f65a62d6a7dfa63ffba628e196f911e3

    SHA256

    38c3d6bafa5c1a1b849eb03f445ab5761357fe4d21f02a8890ba013a1aca225c

    SHA512

    d0970be506b0e0db243052a7bd80343656b63b8b2dcf184c845b047d7c37d359c2072ceccf2f329ff1147e14704e75cd1df798be760aa50a1e978707ad425e83

  • \Users\Admin\AppData\Local\Temp\nsm7E8E.tmp\SysRestore.dll
    MD5

    4310bd09fc2300b106f0437b6e995330

    SHA1

    c6790a68e410d4a619b9b59e7540b702a98ad661

    SHA256

    c686b4df9b4db50fc1ddb7be4cd50d4b1d75894288f4dc50571b79937d7c0d7e

    SHA512

    49e286ccd285871db74867810c9cf243e3c1522ce7b4c0d1d01bafe72552692234cf4b4d787b900e9c041b8a2c12f193b36a6a35c64ffd5deef0e1be9958b1f7

  • \Users\Admin\AppData\Local\Temp\nsm7E8E.tmp\System.dll
    MD5

    564bb0373067e1785cba7e4c24aab4bf

    SHA1

    7c9416a01d821b10b2eef97b80899d24014d6fc1

    SHA256

    7a9ddee34562cd3703f1502b5c70e99cd5bba15de2b6845a3555033d7f6cb2a5

    SHA512

    22c61a323cb9293d7ec5c7e7e60674d0e2f7b29d55be25eb3c128ea2cd7440a1400cee17c43896b996278007c0d247f331a9b8964e3a40a0eb1404a9596c4472

  • \Users\Admin\AppData\Local\Temp\nsm7E8E.tmp\nsDialogs.dll
    MD5

    48f3e7860e1de2b4e63ec744a5e9582a

    SHA1

    420c64d802a637c75a53efc8f748e1aede3d6dc6

    SHA256

    6bf9cccd8a600f4d442efe201e8c07b49605ba35f49a4b3ab22fa2641748e156

    SHA512

    28716ddea580eeb23d93d1ff6ea0cf79a725e13c8f8a17ec9dfacb1fe29c7981ad84c03aed05663adc52365d63d19ec2f366762d1c685e3a9d93037570c3c583

  • \Users\Admin\AppData\Local\Temp\nsm7E8E.tmp\nsisFile.dll
    MD5

    b7d0d765c151d235165823b48554e442

    SHA1

    fe530e6c6fd60392d4ce611b21ec9daad3f1bc84

    SHA256

    a820a32e5ce89e3e336afc71aa1bf42a357ec542c2bc6e50c6255c1333812587

    SHA512

    5d801c24dfa1b7326f72f9c0acf3a330ef0cc3fce25ceee200bb12eab8c2b653025602e610e0cecda1e7cbd851ce1b66252531220b557a378ddb0b4a1741fa66

  • memory/548-8-0x0000000000000000-mapping.dmp
  • memory/1084-33-0x0000000000000000-mapping.dmp
  • memory/2500-32-0x0000000000000000-mapping.dmp
  • memory/2884-31-0x0000000000000000-mapping.dmp
  • memory/4108-2-0x0000000000000000-mapping.dmp
  • memory/4360-30-0x0000000000000000-mapping.dmp