4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720

Analysis

max time kernel
9s
max time network
18s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
03-10-2022 22:33

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe
Size

720KB
MD5

03431f0754a08d5d258e0ee953d0d760
SHA1

22df5899239d697d64dbdd81ee344ccdb8637da6
SHA256

4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720
SHA512

667e95b49a2c32045ae6d8491413392db98ba6b077ad546507f979ae988b9ac93a9884b3c6fd8f07eec8311e5ad1b4ae45c4d0cd05ee0d8e7a67650f86f99a58
SSDEEP

12288:xhSidauH42shOZrxLmWnI5Oi77u7I02O5lu7I02O5OKXDFc4:xINo49hOZrxLvnIFi7I02b7I02dKXDFp

Score

8^/10

evasion

Malware Config

Signatures

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe

Disables Task Manager via registry modification
evasion

Kills process with taskkill 7 IoCs

evasion

pid	Process
2412	taskkill.exe
1308	taskkill.exe
2428	taskkill.exe
2928	taskkill.exe
1344	taskkill.exe
952	taskkill.exe
4596	taskkill.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "223"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe

Modifies registry class 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.txt\ = "jpegfile"	4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.inf\ = "jpegfile"	4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "jpegfile"	4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "jpegfile"	4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeSystemtimePrivilege	4312	4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe
Token: SeShutdownPrivilege	4312	4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe
Token: SeDebugPrivilege	4596	taskkill.exe
Token: SeDebugPrivilege	2412	taskkill.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4312	4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe
4312	4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe
1176	LogonUI.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 4312 wrote to memory of 4788	4312	4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe	83
PID 4312 wrote to memory of 4788	4312	4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe	83
PID 4312 wrote to memory of 4788	4312	4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe	83
PID 4312 wrote to memory of 3064	4312	4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe	90
PID 4312 wrote to memory of 3064	4312	4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe	90
PID 4312 wrote to memory of 3064	4312	4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe	90
PID 4312 wrote to memory of 2460	4312	4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe	89
PID 4312 wrote to memory of 2460	4312	4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe	89
PID 4312 wrote to memory of 2460	4312	4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe	89
PID 4312 wrote to memory of 2412	4312	4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe	86
PID 4312 wrote to memory of 2412	4312	4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe	86
PID 4312 wrote to memory of 2412	4312	4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe	86
PID 4312 wrote to memory of 4596	4312	4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe	85
PID 4312 wrote to memory of 4596	4312	4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe	85
PID 4312 wrote to memory of 4596	4312	4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe	85
PID 4312 wrote to memory of 1308	4312	4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe	92
PID 4312 wrote to memory of 1308	4312	4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe	92
PID 4312 wrote to memory of 1308	4312	4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe	92
PID 4312 wrote to memory of 2428	4312	4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe	93
PID 4312 wrote to memory of 2428	4312	4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe	93
PID 4312 wrote to memory of 2428	4312	4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe	93
PID 4312 wrote to memory of 2928	4312	4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe	94
PID 4312 wrote to memory of 2928	4312	4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe	94
PID 4312 wrote to memory of 2928	4312	4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe	94
PID 4312 wrote to memory of 1344	4312	4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe	97
PID 4312 wrote to memory of 1344	4312	4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe	97
PID 4312 wrote to memory of 1344	4312	4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe	97
PID 4312 wrote to memory of 952	4312	4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe	100
PID 4312 wrote to memory of 952	4312	4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe	100
PID 4312 wrote to memory of 952	4312	4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe	100
PID 4788 wrote to memory of 2848	4788	net.exe	102
PID 4788 wrote to memory of 2848	4788	net.exe	102
PID 4788 wrote to memory of 2848	4788	net.exe	102
PID 2460 wrote to memory of 224	2460	net.exe	107
PID 2460 wrote to memory of 224	2460	net.exe	107
PID 2460 wrote to memory of 224	2460	net.exe	107
PID 3064 wrote to memory of 4000	3064	net.exe	108
PID 3064 wrote to memory of 4000	3064	net.exe	108
PID 3064 wrote to memory of 4000	3064	net.exe	108

C:\Users\Admin\AppData\Local\Temp\4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe
"C:\Users\Admin\AppData\Local\Temp\4a280e67ca75bc6a40955e07ddc640fea21343d773d2819bede257c8b9d88720.exe"
1⤵
- Disables RegEdit via registry modification
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4312
- C:\Windows\SysWOW64\net.exe
  net user Administrator beipandexiachang
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4788
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user Administrator beipandexiachang
    3⤵
    PID:2848
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im KVXP.kxp
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4596
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im kavsvc.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2412
- C:\Windows\SysWOW64\net.exe
  net user administrators 123456 /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2460
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user administrators 123456 /add
    3⤵
    PID:224
- C:\Windows\SysWOW64\net.exe
  net user 123456 beipandexiachang /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user 123456 beipandexiachang /add
    3⤵
    PID:4000
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im Rav.exe
  2⤵
  - Kills process with taskkill
  PID:1308
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im Ravmon.exe
  2⤵
  - Kills process with taskkill
  PID:2428
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im Mcshield.exe
  2⤵
  - Kills process with taskkill
  PID:2928
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im VsTskMgr.exe
  2⤵
  - Kills process with taskkill
  PID:1344
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im 360tray.exe
  2⤵
  - Kills process with taskkill
  PID:952

C:\Windows\System32\Upfc.exe
C:\Windows\System32\Upfc.exe /launchtype periodic /cv 1GorwCxTkUis4q65Fvn6LA.0
1⤵
PID:2144

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39f9855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1176

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads