0a9361657db620a5517ff3d39cb49744ce422819f191a637311f2b79fea5802f

Reason

Machine shutdown

General

Target

0a9361657db620a5517ff3d39cb49744ce422819f191a637311f2b79fea5802f.exe
Size

46KB
MD5

2dd14afcc7e1566980af3e1485109f9c
SHA1

77fb3de68b63bd8e0a05277dc6b858fa7384a860
SHA256

0a9361657db620a5517ff3d39cb49744ce422819f191a637311f2b79fea5802f
SHA512

fe9497d2fae6e8ff677c90d37d00237590f6b48b893dfbec6d7b5dcd473202133836fbcf7f669f4e4442eead15cac557316b4f47e497cc9aa49751927cffc5b0
SSDEEP

768:0C38y4disgWSU1YlmDPoYSbRR9P+srOTrG:0CR4ggSU1Y4PoB+sC

Score

8^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3692	x2z8.exe
852	x2z8.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	x2z8.exe
File opened for modification	\??\PHYSICALDRIVE0	0a9361657db620a5517ff3d39cb49744ce422819f191a637311f2b79fea5802f.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1052 set thread context of 4496	1052	0a9361657db620a5517ff3d39cb49744ce422819f191a637311f2b79fea5802f.exe	79
PID 3692 set thread context of 852	3692	x2z8.exe	81

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "174"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	852	x2z8.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3476	LogonUI.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1052 wrote to memory of 4496	1052	0a9361657db620a5517ff3d39cb49744ce422819f191a637311f2b79fea5802f.exe	79
PID 1052 wrote to memory of 4496	1052	0a9361657db620a5517ff3d39cb49744ce422819f191a637311f2b79fea5802f.exe	79
PID 1052 wrote to memory of 4496	1052	0a9361657db620a5517ff3d39cb49744ce422819f191a637311f2b79fea5802f.exe	79
PID 1052 wrote to memory of 4496	1052	0a9361657db620a5517ff3d39cb49744ce422819f191a637311f2b79fea5802f.exe	79
PID 1052 wrote to memory of 4496	1052	0a9361657db620a5517ff3d39cb49744ce422819f191a637311f2b79fea5802f.exe	79
PID 4496 wrote to memory of 3692	4496	0a9361657db620a5517ff3d39cb49744ce422819f191a637311f2b79fea5802f.exe	80
PID 4496 wrote to memory of 3692	4496	0a9361657db620a5517ff3d39cb49744ce422819f191a637311f2b79fea5802f.exe	80
PID 4496 wrote to memory of 3692	4496	0a9361657db620a5517ff3d39cb49744ce422819f191a637311f2b79fea5802f.exe	80
PID 3692 wrote to memory of 852	3692	x2z8.exe	81
PID 3692 wrote to memory of 852	3692	x2z8.exe	81
PID 3692 wrote to memory of 852	3692	x2z8.exe	81
PID 3692 wrote to memory of 852	3692	x2z8.exe	81
PID 3692 wrote to memory of 852	3692	x2z8.exe	81

C:\Users\Admin\AppData\Local\Temp\0a9361657db620a5517ff3d39cb49744ce422819f191a637311f2b79fea5802f.exe
"C:\Users\Admin\AppData\Local\Temp\0a9361657db620a5517ff3d39cb49744ce422819f191a637311f2b79fea5802f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1052
- C:\Users\Admin\AppData\Local\Temp\0a9361657db620a5517ff3d39cb49744ce422819f191a637311f2b79fea5802f.exe
  "C:\Users\Admin\AppData\Local\Temp\0a9361657db620a5517ff3d39cb49744ce422819f191a637311f2b79fea5802f.exe"
  2⤵
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of WriteProcessMemory
  PID:4496
- - C:\Users\Admin\AppData\Local\Temp\x2z8.exe
    C:\Users\Admin\AppData\Local\Temp\\x2z8.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3692
  - - C:\Users\Admin\AppData\Local\Temp\x2z8.exe
      "C:\Users\Admin\AppData\Local\Temp\x2z8.exe"
      4⤵
      Executes dropped EXE
      Writes to the Master Boot Record (MBR)
      Suspicious use of AdjustPrivilegeToken
      PID:852

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39d9055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3476

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fpath.txt

Filesize
102B

MD5
89f26c68f71323d51c7c61fad807955f

SHA1
93b4d24ee03d702cabc3bfe02e24dadc0a7b689f

SHA256
87d0767ec44e138da222453596dbb86f62dd1c23685ec17cf9d66e0af56640d4

SHA512
6a800f63b020424230e82359c8a9fa959b3ad2db73c4c7bccb4c5e3bf4fea4f5ab9ead55b5b9a9ef3c07ea1be127ec5aefd9d11229de5ceb1b9e84c66f313ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\x2z8.exe

Filesize
46KB

MD5
2dd14afcc7e1566980af3e1485109f9c

SHA1
77fb3de68b63bd8e0a05277dc6b858fa7384a860

SHA256
0a9361657db620a5517ff3d39cb49744ce422819f191a637311f2b79fea5802f

SHA512
fe9497d2fae6e8ff677c90d37d00237590f6b48b893dfbec6d7b5dcd473202133836fbcf7f669f4e4442eead15cac557316b4f47e497cc9aa49751927cffc5b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\x2z8.exe

Filesize
46KB

MD5
2dd14afcc7e1566980af3e1485109f9c

SHA1
77fb3de68b63bd8e0a05277dc6b858fa7384a860

SHA256
0a9361657db620a5517ff3d39cb49744ce422819f191a637311f2b79fea5802f

SHA512
fe9497d2fae6e8ff677c90d37d00237590f6b48b893dfbec6d7b5dcd473202133836fbcf7f669f4e4442eead15cac557316b4f47e497cc9aa49751927cffc5b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\x2z8.exe

Filesize
46KB

MD5
2dd14afcc7e1566980af3e1485109f9c

SHA1
77fb3de68b63bd8e0a05277dc6b858fa7384a860

SHA256
0a9361657db620a5517ff3d39cb49744ce422819f191a637311f2b79fea5802f

SHA512
fe9497d2fae6e8ff677c90d37d00237590f6b48b893dfbec6d7b5dcd473202133836fbcf7f669f4e4442eead15cac557316b4f47e497cc9aa49751927cffc5b0

Download Submit
memory/852-146-0x000000002AA00000-0x000000002AA04000-memory.dmp

Filesize
16KB

Download
memory/4496-133-0x000000002AA00000-0x000000002AA04000-memory.dmp

Filesize
16KB

Download
memory/4496-135-0x000000002AA00000-0x000000002AA04000-memory.dmp

Filesize
16KB

Download
memory/4496-138-0x000000002AA00000-0x000000002AA04000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

Errors