7defc8cea1f8ee830e1985c78728051534456daf78b229fcf6566ff3ce9d32ee

Reason

Machine shutdown

General

Target

7defc8cea1f8ee830e1985c78728051534456daf78b229fcf6566ff3ce9d32ee.exe
Size

96KB
MD5

8b7998d0f4236f4d0bb2c145a27fcf77
SHA1

72a366ce17c86fae0ffe25411f11a6704637f454
SHA256

7defc8cea1f8ee830e1985c78728051534456daf78b229fcf6566ff3ce9d32ee
SHA512

5ee0e46758a9142debbcb35dc1701c319651d0d4061867f11ce5fd50032cafe109cdec96b476e9aec84d5eaa718d98eb47d35437cdb6b988facb70ec3eca574f
SSDEEP

1536:7mGuD0/OD6fctEwAynAnOQjbQokSrHPHvFHJR+ltYGpMPkjBBPZW8HaYD2BzyAoP:6GlctCDQpSrHvvFHJRP3QBPZW8HhD2Bq

Score

10^/10

evasion trojan

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	7defc8cea1f8ee830e1985c78728051534456daf78b229fcf6566ff3ce9d32ee.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	7defc8cea1f8ee830e1985c78728051534456daf78b229fcf6566ff3ce9d32ee.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7defc8cea1f8ee830e1985c78728051534456daf78b229fcf6566ff3ce9d32ee.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	7defc8cea1f8ee830e1985c78728051534456daf78b229fcf6566ff3ce9d32ee.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7defc8cea1f8ee830e1985c78728051534456daf78b229fcf6566ff3ce9d32ee.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wscntfy.exe	7defc8cea1f8ee830e1985c78728051534456daf78b229fcf6566ff3ce9d32ee.exe
File opened for modification	C:\Windows\SysWOW64\wscntfy.exe	7defc8cea1f8ee830e1985c78728051534456daf78b229fcf6566ff3ce9d32ee.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer Phishing Filter 1 TTPs 4 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\PhishingFilter	7defc8cea1f8ee830e1985c78728051534456daf78b229fcf6566ff3ce9d32ee.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\Enabled = "0"	7defc8cea1f8ee830e1985c78728051534456daf78b229fcf6566ff3ce9d32ee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\PhishingFilter	7defc8cea1f8ee830e1985c78728051534456daf78b229fcf6566ff3ce9d32ee.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\PhishingFilter\Enabled = "0"	7defc8cea1f8ee830e1985c78728051534456daf78b229fcf6566ff3ce9d32ee.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "182"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\PhishingFilter\Enabled = "0"	7defc8cea1f8ee830e1985c78728051534456daf78b229fcf6566ff3ce9d32ee.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\PhishingFilter	7defc8cea1f8ee830e1985c78728051534456daf78b229fcf6566ff3ce9d32ee.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1484	shutdown.exe
Token: SeRemoteShutdownPrivilege	1484	shutdown.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
792	7defc8cea1f8ee830e1985c78728051534456daf78b229fcf6566ff3ce9d32ee.exe
792	7defc8cea1f8ee830e1985c78728051534456daf78b229fcf6566ff3ce9d32ee.exe
3480	LogonUI.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 792 wrote to memory of 1484	792	7defc8cea1f8ee830e1985c78728051534456daf78b229fcf6566ff3ce9d32ee.exe	87
PID 792 wrote to memory of 1484	792	7defc8cea1f8ee830e1985c78728051534456daf78b229fcf6566ff3ce9d32ee.exe	87
PID 792 wrote to memory of 1484	792	7defc8cea1f8ee830e1985c78728051534456daf78b229fcf6566ff3ce9d32ee.exe	87

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7defc8cea1f8ee830e1985c78728051534456daf78b229fcf6566ff3ce9d32ee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	7defc8cea1f8ee830e1985c78728051534456daf78b229fcf6566ff3ce9d32ee.exe

C:\Users\Admin\AppData\Local\Temp\7defc8cea1f8ee830e1985c78728051534456daf78b229fcf6566ff3ce9d32ee.exe
"C:\Users\Admin\AppData\Local\Temp\7defc8cea1f8ee830e1985c78728051534456daf78b229fcf6566ff3ce9d32ee.exe"
1⤵
- Modifies firewall policy service
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer Phishing Filter
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:792
- C:\Windows\SysWOW64\shutdown.exe
  "C:\Windows\System32\shutdown.exe" -r -f -t 10
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1484

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3998055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3480