3699750883e4c662d50fed7b6d16b8c515d52ad14edf54f6b7183d419e646448

Reason

Machine shutdown

General

Target

3699750883e4c662d50fed7b6d16b8c515d52ad14edf54f6b7183d419e646448.exe
Size

5.4MB
MD5

6afa9397a7cd80ffe2f8d30828269e36
SHA1

c7976bb175b4d26cc790f925280551a7fcecfff1
SHA256

3699750883e4c662d50fed7b6d16b8c515d52ad14edf54f6b7183d419e646448
SHA512

de139d2dd1d569b48b6bb79098ed0198771c3187ae0dae8171ab5a89287492711bd712eb432fb822128df0694820e97161a712ddc4e6dd264d2ec30b3b44b230
SSDEEP

98304:NxV6zRhld9E1BlYb9uto2jgrGeweoSYp2prwvLWaNFXvow17IugzlHbGSZBN7fZm:vV8ld98BlON2jnbNswvBXvowJgzl7GSO

Score

10^/10

agilenet evasion persistence themida trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

3699750883e4c662d50fed7b6d16b8c515d52ad14edf54f6b7183d419e646448.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,, C:\\Users\\Admin\\AppData\\Local\\Temp\\3699750883e4c662d50fed7b6d16b8c515d52ad14edf54f6b7183d419e646448.exe"	3699750883e4c662d50fed7b6d16b8c515d52ad14edf54f6b7183d419e646448.exe

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

3699750883e4c662d50fed7b6d16b8c515d52ad14edf54f6b7183d419e646448.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3699750883e4c662d50fed7b6d16b8c515d52ad14edf54f6b7183d419e646448.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	3699750883e4c662d50fed7b6d16b8c515d52ad14edf54f6b7183d419e646448.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	3699750883e4c662d50fed7b6d16b8c515d52ad14edf54f6b7183d419e646448.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

3699750883e4c662d50fed7b6d16b8c515d52ad14edf54f6b7183d419e646448.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 3699750883e4c662d50fed7b6d16b8c515d52ad14edf54f6b7183d419e646448.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	3699750883e4c662d50fed7b6d16b8c515d52ad14edf54f6b7183d419e646448.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3699750883e4c662d50fed7b6d16b8c515d52ad14edf54f6b7183d419e646448.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3699750883e4c662d50fed7b6d16b8c515d52ad14edf54f6b7183d419e646448.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3699750883e4c662d50fed7b6d16b8c515d52ad14edf54f6b7183d419e646448.exe

Loads dropped DLL 1 IoCs

Processes:

3699750883e4c662d50fed7b6d16b8c515d52ad14edf54f6b7183d419e646448.exe

pid process

2704 3699750883e4c662d50fed7b6d16b8c515d52ad14edf54f6b7183d419e646448.exe

pid	process
2704	3699750883e4c662d50fed7b6d16b8c515d52ad14edf54f6b7183d419e646448.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/2704-120-0x000001CDC1D50000-0x000001CDC22B6000-memory.dmp	agile_net

Themida packer 4 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\322ea8b2-5b77-44ff-8f35-2130db963898\AgileDotNetRT64.dll	themida
behavioral1/memory/2704-122-0x00007FFC6F480000-0x00007FFC6FCEC000-memory.dmp	themida
behavioral1/memory/2704-123-0x00007FFC6F480000-0x00007FFC6FCEC000-memory.dmp	themida
behavioral1/memory/2704-127-0x00007FFC6F480000-0x00007FFC6FCEC000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

3699750883e4c662d50fed7b6d16b8c515d52ad14edf54f6b7183d419e646448.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3699750883e4c662d50fed7b6d16b8c515d52ad14edf54f6b7183d419e646448.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3699750883e4c662d50fed7b6d16b8c515d52ad14edf54f6b7183d419e646448.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

3699750883e4c662d50fed7b6d16b8c515d52ad14edf54f6b7183d419e646448.exe

pid process

2704 3699750883e4c662d50fed7b6d16b8c515d52ad14edf54f6b7183d419e646448.exe

pid	process
2704	3699750883e4c662d50fed7b6d16b8c515d52ad14edf54f6b7183d419e646448.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

3699750883e4c662d50fed7b6d16b8c515d52ad14edf54f6b7183d419e646448.exe

description pid process

Token: SeShutdownPrivilege 2704 3699750883e4c662d50fed7b6d16b8c515d52ad14edf54f6b7183d419e646448.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

4712 LogonUI.exe

description	pid	process
Token: SeShutdownPrivilege	2704	3699750883e4c662d50fed7b6d16b8c515d52ad14edf54f6b7183d419e646448.exe

pid	process
4712	LogonUI.exe

System policy modification 1 TTPs 8 IoCs

evasion

Modify Registry

T1112

Processes:

3699750883e4c662d50fed7b6d16b8c515d52ad14edf54f6b7183d419e646448.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	3699750883e4c662d50fed7b6d16b8c515d52ad14edf54f6b7183d419e646448.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	3699750883e4c662d50fed7b6d16b8c515d52ad14edf54f6b7183d419e646448.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	3699750883e4c662d50fed7b6d16b8c515d52ad14edf54f6b7183d419e646448.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	3699750883e4c662d50fed7b6d16b8c515d52ad14edf54f6b7183d419e646448.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle = "0"	3699750883e4c662d50fed7b6d16b8c515d52ad14edf54f6b7183d419e646448.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3699750883e4c662d50fed7b6d16b8c515d52ad14edf54f6b7183d419e646448.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	3699750883e4c662d50fed7b6d16b8c515d52ad14edf54f6b7183d419e646448.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	3699750883e4c662d50fed7b6d16b8c515d52ad14edf54f6b7183d419e646448.exe

C:\Users\Admin\AppData\Local\Temp\3699750883e4c662d50fed7b6d16b8c515d52ad14edf54f6b7183d419e646448.exe
"C:\Users\Admin\AppData\Local\Temp\3699750883e4c662d50fed7b6d16b8c515d52ad14edf54f6b7183d419e646448.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2704

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3adc855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4712

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Modify Registry

3

T1112

Bypass User Account Control

1

T1088

Disabling Security Tools

1

T1089

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\322ea8b2-5b77-44ff-8f35-2130db963898\AgileDotNetRT64.dll
Filesize
3.1MB

MD5
4d8082b3de02f82db9a515e9dab5d2b6

SHA1
057a20ade70244601d0fe50f7011c95bae335ea5

SHA256
936b1537b6efcece032c05661238b06beefc61ff76e82b7c5d9fe558a9360a4c

SHA512
7b9153e9948e0f911fcb0b145678a56cac4abd948fa99e07c331760f02dce096cf3be7d2d8493cf7a76460c7172e24eaa45c1283a28353501b2876c54752c60d

Download Submit
memory/2704-120-0x000001CDC1D50000-0x000001CDC22B6000-memory.dmp

Filesize
5.4MB

Download
memory/2704-122-0x00007FFC6F480000-0x00007FFC6FCEC000-memory.dmp

Filesize
8.4MB

Download
memory/2704-123-0x00007FFC6F480000-0x00007FFC6FCEC000-memory.dmp

Filesize
8.4MB

Download
memory/2704-124-0x00007FFC8E190000-0x00007FFC8E36B000-memory.dmp

Filesize
1.9MB

Download
memory/2704-125-0x00007FFC81940000-0x00007FFC81A6C000-memory.dmp

Filesize
1.2MB

Download
memory/2704-126-0x00007FFC8E190000-0x00007FFC8E36B000-memory.dmp

Filesize
1.9MB

Download
memory/2704-127-0x00007FFC6F480000-0x00007FFC6FCEC000-memory.dmp

Filesize
8.4MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads