Analysis
-
max time kernel
7s -
max time network
10s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
04-03-2021 18:20
Static task
static1
Behavioral task
behavioral1
Sample
e28a0b40_extracted.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
e28a0b40_extracted.exe
Resource
win10v20201028
Errors
General
-
Target
e28a0b40_extracted.exe
-
Size
71KB
-
MD5
db2da08dff1c398dc9690419cbe36673
-
SHA1
a45d06df8f11bdb3ab10ec44ed4c9040fe154afe
-
SHA256
9a463e6f526a181780da19ab9f569e1b1c131288c2d1ab18b3c18a656f9bf06d
-
SHA512
5774296dd59362d6fc515aa58a1d05c5d232c8a0f3a08c34439947dc85080b9b7f697ca39f9439d5890a38d9cf385d13443b2ebdc7f6adbbacc2ed4d01bb0ea6
Malware Config
Signatures
-
Modifies WinLogon to allow AutoLogon 2 TTPs 1 IoCs
Enables rebooting of the machine without requiring login credentials.
Processes:
LogonUI.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked LogonUI.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
e28a0b40_extracted.exedescription ioc process File opened for modification \??\PhysicalDrive0 e28a0b40_extracted.exe -
Modifies data under HKEY_USERS 15 IoCs
Processes:
LogonUI.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" LogonUI.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent LogonUI.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
shutdown.exeshutdown.exedescription pid process Token: SeShutdownPrivilege 2548 shutdown.exe Token: SeRemoteShutdownPrivilege 2548 shutdown.exe Token: SeShutdownPrivilege 2820 shutdown.exe Token: SeRemoteShutdownPrivilege 2820 shutdown.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
LogonUI.exepid process 1912 LogonUI.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
e28a0b40_extracted.exedescription pid process target process PID 1316 wrote to memory of 2548 1316 e28a0b40_extracted.exe shutdown.exe PID 1316 wrote to memory of 2548 1316 e28a0b40_extracted.exe shutdown.exe PID 1316 wrote to memory of 2548 1316 e28a0b40_extracted.exe shutdown.exe PID 1316 wrote to memory of 2820 1316 e28a0b40_extracted.exe shutdown.exe PID 1316 wrote to memory of 2820 1316 e28a0b40_extracted.exe shutdown.exe PID 1316 wrote to memory of 2820 1316 e28a0b40_extracted.exe shutdown.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\e28a0b40_extracted.exe"C:\Users\Admin\AppData\Local\Temp\e28a0b40_extracted.exe"1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\shutdown.exeshutdown.exe -r -f -t 02⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\shutdown.exeC:\Windows\System32\shutdown.exe -r -f -t 02⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x0 /state0:0xa3ac8855 /state1:0x41c64e6d1⤵
- Modifies WinLogon to allow AutoLogon
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx