da641c3cfe9c99896d5d3553f938e5b9dca924619d0f25aecebdb0961146098c | Triage

Resubmissions

28/09/2022, 12:09 UTC

220928-pbfk1sfge6 6

28/09/2022, 12:06 UTC

220928-n91heafgd8 6

25/09/2022, 08:14 UTC

220925-j43y5adhe6 1

25/09/2022, 08:12 UTC

220925-j338hafbgj 1

23/09/2022, 03:48 UTC

220923-ec7qsadae9 6

23/09/2022, 03:47 UTC

220923-ecqr9sdae4 6

12/09/2022, 05:17 UTC

220912-fy11ssgddn 6

11/09/2022, 20:06 UTC

220911-yvq1jacbc5 6

09/09/2022, 02:19 UTC

220909-cr3z2agcg9 6

06/09/2022, 05:13 UTC

220906-fwe1jsfdg2 6

Analysis

max time kernel
26s
max time network
29s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
06/09/2022, 05:13 UTC

Sharing

Reason

Machine shutdown

Report Analysis Logs

General

Target

MPM_FILM.exe
Size

640KB
MD5

c341201d49eb16883d168568711b43c8
SHA1

b5430ebb3c4283e0d8ba945d82294485f6323c69
SHA256

da641c3cfe9c99896d5d3553f938e5b9dca924619d0f25aecebdb0961146098c
SHA512

8e6deb15ff19bc4575181042d15dd07b9730563aac2c80b888fcbdeca325da6c1be22079ce5b32c51399f280e96cfa806c631b6232354f0053d13df10b92ae6d
SSDEEP

12288:nLkND5t6BvD/B0MSscDZZN2VOaZLKTKvn8TU3M2pjGwvi:n4zcDJK1ZL6LZLqKf8TU3MsG

Score

6^/10

bootkit persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run	MPM_FILM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\CustomMBR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MPM_FILM.exe -BypassWarning"	MPM_FILM.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MPM_FILM.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

Scheduled Task

pid	Process
4272	schtasks.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4124	MPM_FILM.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4124	MPM_FILM.exe
1652	LogonUI.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4124 wrote to memory of 4272	4124	MPM_FILM.exe	66
PID 4124 wrote to memory of 4272	4124	MPM_FILM.exe	66
PID 4124 wrote to memory of 4272	4124	MPM_FILM.exe	66

C:\Users\Admin\AppData\Local\Temp\MPM_FILM.exe
"C:\Users\Admin\AppData\Local\Temp\MPM_FILM.exe"
1⤵
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4124
- C:\Windows\SysWOW64\schtasks.exe
  schtasks.exe /Create /TN CustomMBR /ru SYSTEM /SC ONSTART /TR "C:\Users\Admin\AppData\Local\Temp\MPM_FILM.exe -BypassWarning"
  2⤵
  - Creates scheduled task(s)
  PID:4272

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3ad7055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1652

Network

No results found

20.189.173.15:443

230 B
5
20.189.173.15:443

52 B
1

No results found

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Bootkit

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4124-116-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/4124-117-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/4124-118-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/4124-119-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/4124-120-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/4124-121-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/4124-122-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/4124-123-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/4124-124-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/4124-125-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/4124-126-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/4124-127-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/4124-128-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/4124-129-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/4124-130-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/4124-131-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/4124-132-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/4124-133-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/4124-134-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/4124-135-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/4124-136-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/4124-137-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/4124-138-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/4124-139-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/4124-141-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/4124-140-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/4124-142-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/4124-143-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/4124-144-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/4124-145-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/4124-146-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/4124-148-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/4124-147-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/4124-149-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/4124-150-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/4124-151-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/4124-152-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/4124-153-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/4124-154-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/4124-155-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/4124-157-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/4124-156-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/4124-159-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/4124-158-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/4124-160-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/4124-164-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/4272-162-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/4272-166-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/4272-167-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/4272-165-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/4272-163-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/4272-168-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/4272-169-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/4272-170-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/4272-171-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/4272-172-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/4272-173-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/4272-175-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/4272-174-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/4272-176-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/4272-177-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download