Analysis
-
max time kernel
6s -
max time network
9s -
platform
windows10-1703_x64 -
resource
win10-20220901-en -
resource tags
arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system -
submitted
05-10-2022 15:29
Behavioral task
behavioral1
Sample
3699750883e4c662d50fed7b6d16b8c515d52ad14edf54f6b7183d419e646448.exe
Resource
win10-20220901-en
Errors
General
-
Target
3699750883e4c662d50fed7b6d16b8c515d52ad14edf54f6b7183d419e646448.exe
-
Size
5.4MB
-
MD5
6afa9397a7cd80ffe2f8d30828269e36
-
SHA1
c7976bb175b4d26cc790f925280551a7fcecfff1
-
SHA256
3699750883e4c662d50fed7b6d16b8c515d52ad14edf54f6b7183d419e646448
-
SHA512
de139d2dd1d569b48b6bb79098ed0198771c3187ae0dae8171ab5a89287492711bd712eb432fb822128df0694820e97161a712ddc4e6dd264d2ec30b3b44b230
-
SSDEEP
98304:NxV6zRhld9E1BlYb9uto2jgrGeweoSYp2prwvLWaNFXvow17IugzlHbGSZBN7fZm:vV8ld98BlON2jnbNswvBXvowJgzl7GSO
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
3699750883e4c662d50fed7b6d16b8c515d52ad14edf54f6b7183d419e646448.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,, C:\\Users\\Admin\\AppData\\Local\\Temp\\3699750883e4c662d50fed7b6d16b8c515d52ad14edf54f6b7183d419e646448.exe" 3699750883e4c662d50fed7b6d16b8c515d52ad14edf54f6b7183d419e646448.exe -
Processes:
3699750883e4c662d50fed7b6d16b8c515d52ad14edf54f6b7183d419e646448.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 3699750883e4c662d50fed7b6d16b8c515d52ad14edf54f6b7183d419e646448.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" 3699750883e4c662d50fed7b6d16b8c515d52ad14edf54f6b7183d419e646448.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 3699750883e4c662d50fed7b6d16b8c515d52ad14edf54f6b7183d419e646448.exe -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
3699750883e4c662d50fed7b6d16b8c515d52ad14edf54f6b7183d419e646448.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 3699750883e4c662d50fed7b6d16b8c515d52ad14edf54f6b7183d419e646448.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
3699750883e4c662d50fed7b6d16b8c515d52ad14edf54f6b7183d419e646448.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 3699750883e4c662d50fed7b6d16b8c515d52ad14edf54f6b7183d419e646448.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 3699750883e4c662d50fed7b6d16b8c515d52ad14edf54f6b7183d419e646448.exe -
Loads dropped DLL 1 IoCs
Processes:
3699750883e4c662d50fed7b6d16b8c515d52ad14edf54f6b7183d419e646448.exepid process 2704 3699750883e4c662d50fed7b6d16b8c515d52ad14edf54f6b7183d419e646448.exe -
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
resource yara_rule behavioral1/memory/2704-120-0x000001CDC1D50000-0x000001CDC22B6000-memory.dmp agile_net -
Processes:
resource yara_rule \Users\Admin\AppData\Local\Temp\322ea8b2-5b77-44ff-8f35-2130db963898\AgileDotNetRT64.dll themida behavioral1/memory/2704-122-0x00007FFC6F480000-0x00007FFC6FCEC000-memory.dmp themida behavioral1/memory/2704-123-0x00007FFC6F480000-0x00007FFC6FCEC000-memory.dmp themida behavioral1/memory/2704-127-0x00007FFC6F480000-0x00007FFC6FCEC000-memory.dmp themida -
Processes:
3699750883e4c662d50fed7b6d16b8c515d52ad14edf54f6b7183d419e646448.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 3699750883e4c662d50fed7b6d16b8c515d52ad14edf54f6b7183d419e646448.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 3699750883e4c662d50fed7b6d16b8c515d52ad14edf54f6b7183d419e646448.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
3699750883e4c662d50fed7b6d16b8c515d52ad14edf54f6b7183d419e646448.exepid process 2704 3699750883e4c662d50fed7b6d16b8c515d52ad14edf54f6b7183d419e646448.exe -
Modifies data under HKEY_USERS 15 IoCs
Processes:
LogonUI.exedescription ioc process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent LogonUI.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" LogonUI.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
3699750883e4c662d50fed7b6d16b8c515d52ad14edf54f6b7183d419e646448.exedescription pid process Token: SeShutdownPrivilege 2704 3699750883e4c662d50fed7b6d16b8c515d52ad14edf54f6b7183d419e646448.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
LogonUI.exepid process 4712 LogonUI.exe -
System policy modification 1 TTPs 8 IoCs
Processes:
3699750883e4c662d50fed7b6d16b8c515d52ad14edf54f6b7183d419e646448.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 3699750883e4c662d50fed7b6d16b8c515d52ad14edf54f6b7183d419e646448.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" 3699750883e4c662d50fed7b6d16b8c515d52ad14edf54f6b7183d419e646448.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" 3699750883e4c662d50fed7b6d16b8c515d52ad14edf54f6b7183d419e646448.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" 3699750883e4c662d50fed7b6d16b8c515d52ad14edf54f6b7183d419e646448.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle = "0" 3699750883e4c662d50fed7b6d16b8c515d52ad14edf54f6b7183d419e646448.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 3699750883e4c662d50fed7b6d16b8c515d52ad14edf54f6b7183d419e646448.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" 3699750883e4c662d50fed7b6d16b8c515d52ad14edf54f6b7183d419e646448.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" 3699750883e4c662d50fed7b6d16b8c515d52ad14edf54f6b7183d419e646448.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\3699750883e4c662d50fed7b6d16b8c515d52ad14edf54f6b7183d419e646448.exe"C:\Users\Admin\AppData\Local\Temp\3699750883e4c662d50fed7b6d16b8c515d52ad14edf54f6b7183d419e646448.exe"1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x0 /state0:0xa3adc855 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
\Users\Admin\AppData\Local\Temp\322ea8b2-5b77-44ff-8f35-2130db963898\AgileDotNetRT64.dllFilesize
3.1MB
MD54d8082b3de02f82db9a515e9dab5d2b6
SHA1057a20ade70244601d0fe50f7011c95bae335ea5
SHA256936b1537b6efcece032c05661238b06beefc61ff76e82b7c5d9fe558a9360a4c
SHA5127b9153e9948e0f911fcb0b145678a56cac4abd948fa99e07c331760f02dce096cf3be7d2d8493cf7a76460c7172e24eaa45c1283a28353501b2876c54752c60d
-
memory/2704-120-0x000001CDC1D50000-0x000001CDC22B6000-memory.dmpFilesize
5.4MB
-
memory/2704-122-0x00007FFC6F480000-0x00007FFC6FCEC000-memory.dmpFilesize
8.4MB
-
memory/2704-123-0x00007FFC6F480000-0x00007FFC6FCEC000-memory.dmpFilesize
8.4MB
-
memory/2704-124-0x00007FFC8E190000-0x00007FFC8E36B000-memory.dmpFilesize
1.9MB
-
memory/2704-125-0x00007FFC81940000-0x00007FFC81A6C000-memory.dmpFilesize
1.2MB
-
memory/2704-126-0x00007FFC8E190000-0x00007FFC8E36B000-memory.dmpFilesize
1.9MB
-
memory/2704-127-0x00007FFC6F480000-0x00007FFC6FCEC000-memory.dmpFilesize
8.4MB