Analysis
-
max time kernel
39s -
max time network
42s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
17-01-2021 17:17
Static task
static1
Behavioral task
behavioral1
Sample
VTPatcher.exe
Resource
win7v20201028
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
VTPatcher.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Errors
Reason
Machine shutdown
General
-
Target
VTPatcher.exe
-
Size
123KB
-
MD5
887f4256e86487df513fc0f91f5e6cb7
-
SHA1
892ca49a0108af495a31fd6d225915d62ec2d136
-
SHA256
e6cd1af91356aeab2550acec945681ed5e82eb9660936b4f4e73509c0c602aae
-
SHA512
123c19f36c19b93f216a56b394fd4c4ffaf1ae18438b8d916e5278d5355b7b20a9a7f12f56dacd6d741932ef5d036304b966aa93f540578f177961453e229915
Score
8/10
Malware Config
Signatures
-
Modifies WinLogon to allow AutoLogon 2 TTPs 1 IoCs
Enables rebooting of the machine without requiring login credentials.
Processes:
LogonUI.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked LogonUI.exe -
Modifies data under HKEY_USERS 15 IoCs
Processes:
LogonUI.exedescription ioc process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1" LogonUI.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" LogonUI.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
VTPatcher.exedescription pid process Token: SeDebugPrivilege 2092 VTPatcher.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
LogonUI.exepid process 2812 LogonUI.exe 2812 LogonUI.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\VTPatcher.exe"C:\Users\Admin\AppData\Local\Temp\VTPatcher.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x0 /state0:0xa3ad1855 /state1:0x41c64e6d1⤵
- Modifies WinLogon to allow AutoLogon
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2092-2-0x00007FFFD26D0000-0x00007FFFD30BC000-memory.dmpFilesize
9.9MB
-
memory/2092-3-0x0000000000400000-0x0000000000401000-memory.dmpFilesize
4KB
-
memory/2092-5-0x0000000000840000-0x0000000000841000-memory.dmpFilesize
4KB
-
memory/2092-6-0x00000000026D0000-0x00000000026D2000-memory.dmpFilesize
8KB