Analysis
max time kernel: 98s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 20-05-2022 22:40
Static task: static1
Behavioral task: behavioral1
Sample: 2dc9bd6ddc22b244f6b94ae0c9c23073c8942a5bb5663dc298cd56a9f4e02cf8.exe
Resource: win7-20220414-en
Behavioral task: behavioral2
Sample: 2dc9bd6ddc22b244f6b94ae0c9c23073c8942a5bb5663dc298cd56a9f4e02cf8.exe
Resource: win10v2004-20220414-en
General
Target: 2dc9bd6ddc22b244f6b94ae0c9c23073c8942a5bb5663dc298cd56a9f4e02cf8.exe
Size: 120KB
MD5: b03c60229836a25ed02c941f8a170a18
SHA1: c610255e9912872193fafaba4f78ce2005d54aab
SHA256: 2dc9bd6ddc22b244f6b94ae0c9c23073c8942a5bb5663dc298cd56a9f4e02cf8
SHA512: fe61e0c5bb1aa65fe585398426aca12275f94e33a50d1dbbcefd108f9cb1d3b4bd9d33785de1b046af7e7c5ac6bc1f79f4c219d4c44795e0662df376781ac24a
Malware Config
Signatures
- Disables RegEdit via registry modification
- Disables Task Manager via registry modification
- Modifies Windows Firewall (1 TTP)
- Windows security modification
  Processes:
  2dc9bd6ddc22b244f6b94ae0c9c23073c8942a5bb5663dc298cd56a9f4e02cf8.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" | 2dc9bd6ddc22b244f6b94ae0c9c23073c8942a5bb5663dc298cd56a9f4e02cf8.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
  2dc9bd6ddc22b244f6b94ae0c9c23073c8942a5bb5663dc298cd56a9f4e02cf8.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Windows\\System32\\System.exe" | 2dc9bd6ddc22b244f6b94ae0c9c23073c8942a5bb5663dc298cd56a9f4e02cf8.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | 2dc9bd6ddc22b244f6b94ae0c9c23073c8942a5bb5663dc298cd56a9f4e02cf8.exe
- Checks whether UAC is enabled
  Processes:
  2dc9bd6ddc22b244f6b94ae0c9c23073c8942a5bb5663dc298cd56a9f4e02cf8.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 2dc9bd6ddc22b244f6b94ae0c9c23073c8942a5bb5663dc298cd56a9f4e02cf8.exe
- Drops file in System32 directory (2 IoCs)
  Processes:
  2dc9bd6ddc22b244f6b94ae0c9c23073c8942a5bb5663dc298cd56a9f4e02cf8.exe
  description | ioc | process
  File created | C:\Windows\SysWOW64\System.exe | 2dc9bd6ddc22b244f6b94ae0c9c23073c8942a5bb5663dc298cd56a9f4e02cf8.exe
  File opened for modification | C:\Windows\SysWOW64\System.exe | 2dc9bd6ddc22b244f6b94ae0c9c23073c8942a5bb5663dc298cd56a9f4e02cf8.exe
- Modifies data under HKEY_USERS (15 IoCs)
  Processes:
  LogonUI.exe
  description | ioc | process
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "13" | LogonUI.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | LogonUI.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | LogonUI.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
- Modifies registry class (3 IoCs)
  Processes:
  2dc9bd6ddc22b244f6b94ae0c9c23073c8942a5bb5663dc298cd56a9f4e02cf8.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset | 2dc9bd6ddc22b244f6b94ae0c9c23073c8942a5bb5663dc298cd56a9f4e02cf8.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage | 2dc9bd6ddc22b244f6b94ae0c9c23073c8942a5bb5663dc298cd56a9f4e02cf8.exe
  Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\MIME\Database | 2dc9bd6ddc22b244f6b94ae0c9c23073c8942a5bb5663dc298cd56a9f4e02cf8.exe
- Runs net.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  2dc9bd6ddc22b244f6b94ae0c9c23073c8942a5bb5663dc298cd56a9f4e02cf8.exe, Shutdown.exe
  description | pid | process
  Token: SeBackupPrivilege | 2864 | 2dc9bd6ddc22b244f6b94ae0c9c23073c8942a5bb5663dc298cd56a9f4e02cf8.exe
  Token: SeShutdownPrivilege | 3212 | Shutdown.exe
  Token: SeRemoteShutdownPrivilege | 3212 | Shutdown.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  Processes:
  2dc9bd6ddc22b244f6b94ae0c9c23073c8942a5bb5663dc298cd56a9f4e02cf8.exe, LogonUI.exe
  pid | process
  2864 | 2dc9bd6ddc22b244f6b94ae0c9c23073c8942a5bb5663dc298cd56a9f4e02cf8.exe
  2864 | 2dc9bd6ddc22b244f6b94ae0c9c23073c8942a5bb5663dc298cd56a9f4e02cf8.exe
  3856 | LogonUI.exe
- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes:
  2dc9bd6ddc22b244f6b94ae0c9c23073c8942a5bb5663dc298cd56a9f4e02cf8.exe, net.exe, net.exe
  description | pid | process | target process
  PID 2864 wrote to memory of 1468 | 2864 | 2dc9bd6ddc22b244f6b94ae0c9c23073c8942a5bb5663dc298cd56a9f4e02cf8.exe | netsh.exe
  PID 2864 wrote to memory of 1468 | 2864 | 2dc9bd6ddc22b244f6b94ae0c9c23073c8942a5bb5663dc298cd56a9f4e02cf8.exe | netsh.exe
  PID 2864 wrote to memory of 1468 | 2864 | 2dc9bd6ddc22b244f6b94ae0c9c23073c8942a5bb5663dc298cd56a9f4e02cf8.exe | netsh.exe
  PID 2864 wrote to memory of 1588 | 2864 | 2dc9bd6ddc22b244f6b94ae0c9c23073c8942a5bb5663dc298cd56a9f4e02cf8.exe | net.exe
  PID 2864 wrote to memory of 1588 | 2864 | 2dc9bd6ddc22b244f6b94ae0c9c23073c8942a5bb5663dc298cd56a9f4e02cf8.exe | net.exe
  PID 2864 wrote to memory of 1588 | 2864 | 2dc9bd6ddc22b244f6b94ae0c9c23073c8942a5bb5663dc298cd56a9f4e02cf8.exe | net.exe
  PID 2864 wrote to memory of 1752 | 2864 | 2dc9bd6ddc22b244f6b94ae0c9c23073c8942a5bb5663dc298cd56a9f4e02cf8.exe | net.exe
  PID 2864 wrote to memory of 1752 | 2864 | 2dc9bd6ddc22b244f6b94ae0c9c23073c8942a5bb5663dc298cd56a9f4e02cf8.exe | net.exe
  PID 2864 wrote to memory of 1752 | 2864 | 2dc9bd6ddc22b244f6b94ae0c9c23073c8942a5bb5663dc298cd56a9f4e02cf8.exe | net.exe
  PID 1752 wrote to memory of 2612 | 1752 | net.exe | net1.exe
  PID 1752 wrote to memory of 2612 | 1752 | net.exe | net1.exe
  PID 1752 wrote to memory of 2612 | 1752 | net.exe | net1.exe
  PID 1588 wrote to memory of 2628 | 1588 | net.exe | net1.exe
  PID 1588 wrote to memory of 2628 | 1588 | net.exe | net1.exe
  PID 1588 wrote to memory of 2628 | 1588 | net.exe | net1.exe
  PID 2864 wrote to memory of 3212 | 2864 | 2dc9bd6ddc22b244f6b94ae0c9c23073c8942a5bb5663dc298cd56a9f4e02cf8.exe | Shutdown.exe
  PID 2864 wrote to memory of 3212 | 2864 | 2dc9bd6ddc22b244f6b94ae0c9c23073c8942a5bb5663dc298cd56a9f4e02cf8.exe | Shutdown.exe
  PID 2864 wrote to memory of 3212 | 2864 | 2dc9bd6ddc22b244f6b94ae0c9c23073c8942a5bb5663dc298cd56a9f4e02cf8.exe | Shutdown.exe
- System policy modification (1 TTP, 1 IoC)
  Processes:
  2dc9bd6ddc22b244f6b94ae0c9c23073c8942a5bb5663dc298cd56a9f4e02cf8.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 2dc9bd6ddc22b244f6b94ae0c9c23073c8942a5bb5663dc298cd56a9f4e02cf8.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\2dc9bd6ddc22b244f6b94ae0c9c23073c8942a5bb5663dc298cd56a9f4e02cf8.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2dc9bd6ddc22b244f6b94ae0c9c23073c8942a5bb5663dc298cd56a9f4e02cf8.exe"
  Signatures:
    - Windows security modification
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
  - C:\Windows\SysWOW64\netsh.exe (depth 2)
    Command line: netsh firewall set opmode disable
  - C:\Windows\SysWOW64\net.exe (depth 2)
    Command line: net stop security center
    Signatures:
      - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net1.exe (depth 3)
      Command line: C:\Windows\system32\net1 stop security center
  - C:\Windows\SysWOW64\net.exe (depth 2)
    Command line: net stop WinDefend
    Signatures:
      - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net1.exe (depth 3)
      Command line: C:\Windows\system32\net1 stop WinDefend
  - C:\Windows\SysWOW64\Shutdown.exe (depth 2)
    Command line: Shutdown -r
    Signatures:
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\LogonUI.exe (depth 1)
  Command line: "LogonUI.exe" /flags:0x4 /state0:0xa39ef055 /state1:0x41c64e6d
  Signatures:
    - Modifies data under HKEY_USERS
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/1468-132-0x0000000000000000-mapping.dmp
- memory/1588-133-0x0000000000000000-mapping.dmp
- memory/1752-134-0x0000000000000000-mapping.dmp
- memory/2612-135-0x0000000000000000-mapping.dmp
- memory/2628-136-0x0000000000000000-mapping.dmp
- memory/3212-137-0x0000000000000000-mapping.dmp