Analysis
-
max time kernel
18s -
max time network
22s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
05-10-2022 15:29
Behavioral task
behavioral1
Sample
6069f9173bdddb942a7e3cf4a93dce582ac50e785266c32967a5e958ade7ba8d.exe
Resource
win10v2004-20220812-en
Errors
General
-
Target
6069f9173bdddb942a7e3cf4a93dce582ac50e785266c32967a5e958ade7ba8d.exe
-
Size
5.4MB
-
MD5
c2f7575dba870997fa78d2ac6206704e
-
SHA1
2ed5db2d983bd62157960049ca6339d3387949f1
-
SHA256
6069f9173bdddb942a7e3cf4a93dce582ac50e785266c32967a5e958ade7ba8d
-
SHA512
2ab83c93aa4fabea90a04235745457e80c2431dee6b0c63ba02ff63f52b2d0ea2e24570e90da704465a6f41409bd2474efdb22c52cc6178ef0a1f4f4a99dc2f6
-
SSDEEP
98304:vxV6zRhld9E1BlYb9uto2jgrGeweoSYp2prwvLWaNFXvow17IugzlHbGSZBN7fZm:5V8ld98BlON2jnbNswvBXvowJgzl7GSO
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
6069f9173bdddb942a7e3cf4a93dce582ac50e785266c32967a5e958ade7ba8d.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,, C:\\Users\\Admin\\AppData\\Local\\Temp\\6069f9173bdddb942a7e3cf4a93dce582ac50e785266c32967a5e958ade7ba8d.exe" 6069f9173bdddb942a7e3cf4a93dce582ac50e785266c32967a5e958ade7ba8d.exe -
Processes:
6069f9173bdddb942a7e3cf4a93dce582ac50e785266c32967a5e958ade7ba8d.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 6069f9173bdddb942a7e3cf4a93dce582ac50e785266c32967a5e958ade7ba8d.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" 6069f9173bdddb942a7e3cf4a93dce582ac50e785266c32967a5e958ade7ba8d.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 6069f9173bdddb942a7e3cf4a93dce582ac50e785266c32967a5e958ade7ba8d.exe -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
6069f9173bdddb942a7e3cf4a93dce582ac50e785266c32967a5e958ade7ba8d.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 6069f9173bdddb942a7e3cf4a93dce582ac50e785266c32967a5e958ade7ba8d.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
6069f9173bdddb942a7e3cf4a93dce582ac50e785266c32967a5e958ade7ba8d.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 6069f9173bdddb942a7e3cf4a93dce582ac50e785266c32967a5e958ade7ba8d.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 6069f9173bdddb942a7e3cf4a93dce582ac50e785266c32967a5e958ade7ba8d.exe -
Loads dropped DLL 2 IoCs
Processes:
6069f9173bdddb942a7e3cf4a93dce582ac50e785266c32967a5e958ade7ba8d.exepid process 5016 6069f9173bdddb942a7e3cf4a93dce582ac50e785266c32967a5e958ade7ba8d.exe 5016 6069f9173bdddb942a7e3cf4a93dce582ac50e785266c32967a5e958ade7ba8d.exe -
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
resource yara_rule behavioral1/memory/5016-132-0x000001EE04990000-0x000001EE04EF6000-memory.dmp agile_net -
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\767d5d80-8aab-4c3c-b5ab-b2f609ab34c1\AgileDotNetRT64.dll themida C:\Users\Admin\AppData\Local\Temp\767d5d80-8aab-4c3c-b5ab-b2f609ab34c1\AgileDotNetRT64.dll themida behavioral1/memory/5016-135-0x000001EE1F3D0000-0x000001EE1FC3C000-memory.dmp themida behavioral1/memory/5016-138-0x000001EE1F3D0000-0x000001EE1FC3C000-memory.dmp themida behavioral1/memory/5016-140-0x000001EE1F3D0000-0x000001EE1FC3C000-memory.dmp themida -
Processes:
6069f9173bdddb942a7e3cf4a93dce582ac50e785266c32967a5e958ade7ba8d.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 6069f9173bdddb942a7e3cf4a93dce582ac50e785266c32967a5e958ade7ba8d.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 6069f9173bdddb942a7e3cf4a93dce582ac50e785266c32967a5e958ade7ba8d.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
6069f9173bdddb942a7e3cf4a93dce582ac50e785266c32967a5e958ade7ba8d.exepid process 5016 6069f9173bdddb942a7e3cf4a93dce582ac50e785266c32967a5e958ade7ba8d.exe -
Modifies data under HKEY_USERS 15 IoCs
Processes:
LogonUI.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "169" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" LogonUI.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" LogonUI.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
6069f9173bdddb942a7e3cf4a93dce582ac50e785266c32967a5e958ade7ba8d.exedescription pid process Token: SeShutdownPrivilege 5016 6069f9173bdddb942a7e3cf4a93dce582ac50e785266c32967a5e958ade7ba8d.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
LogonUI.exepid process 3480 LogonUI.exe -
System policy modification 1 TTPs 8 IoCs
Processes:
6069f9173bdddb942a7e3cf4a93dce582ac50e785266c32967a5e958ade7ba8d.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" 6069f9173bdddb942a7e3cf4a93dce582ac50e785266c32967a5e958ade7ba8d.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" 6069f9173bdddb942a7e3cf4a93dce582ac50e785266c32967a5e958ade7ba8d.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" 6069f9173bdddb942a7e3cf4a93dce582ac50e785266c32967a5e958ade7ba8d.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle = "0" 6069f9173bdddb942a7e3cf4a93dce582ac50e785266c32967a5e958ade7ba8d.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 6069f9173bdddb942a7e3cf4a93dce582ac50e785266c32967a5e958ade7ba8d.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" 6069f9173bdddb942a7e3cf4a93dce582ac50e785266c32967a5e958ade7ba8d.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" 6069f9173bdddb942a7e3cf4a93dce582ac50e785266c32967a5e958ade7ba8d.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 6069f9173bdddb942a7e3cf4a93dce582ac50e785266c32967a5e958ade7ba8d.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\6069f9173bdddb942a7e3cf4a93dce582ac50e785266c32967a5e958ade7ba8d.exe"C:\Users\Admin\AppData\Local\Temp\6069f9173bdddb942a7e3cf4a93dce582ac50e785266c32967a5e958ade7ba8d.exe"1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa39ef055 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\767d5d80-8aab-4c3c-b5ab-b2f609ab34c1\AgileDotNetRT64.dllFilesize
3.1MB
MD54d8082b3de02f82db9a515e9dab5d2b6
SHA1057a20ade70244601d0fe50f7011c95bae335ea5
SHA256936b1537b6efcece032c05661238b06beefc61ff76e82b7c5d9fe558a9360a4c
SHA5127b9153e9948e0f911fcb0b145678a56cac4abd948fa99e07c331760f02dce096cf3be7d2d8493cf7a76460c7172e24eaa45c1283a28353501b2876c54752c60d
-
C:\Users\Admin\AppData\Local\Temp\767d5d80-8aab-4c3c-b5ab-b2f609ab34c1\AgileDotNetRT64.dllFilesize
3.1MB
MD54d8082b3de02f82db9a515e9dab5d2b6
SHA1057a20ade70244601d0fe50f7011c95bae335ea5
SHA256936b1537b6efcece032c05661238b06beefc61ff76e82b7c5d9fe558a9360a4c
SHA5127b9153e9948e0f911fcb0b145678a56cac4abd948fa99e07c331760f02dce096cf3be7d2d8493cf7a76460c7172e24eaa45c1283a28353501b2876c54752c60d
-
memory/5016-132-0x000001EE04990000-0x000001EE04EF6000-memory.dmpFilesize
5.4MB
-
memory/5016-136-0x00007FF8148F0000-0x00007FF8153B1000-memory.dmpFilesize
10.8MB
-
memory/5016-135-0x000001EE1F3D0000-0x000001EE1FC3C000-memory.dmpFilesize
8.4MB
-
memory/5016-137-0x00007FF815640000-0x00007FF81578E000-memory.dmpFilesize
1.3MB
-
memory/5016-138-0x000001EE1F3D0000-0x000001EE1FC3C000-memory.dmpFilesize
8.4MB
-
memory/5016-139-0x00007FF832C10000-0x00007FF832E05000-memory.dmpFilesize
2.0MB
-
memory/5016-140-0x000001EE1F3D0000-0x000001EE1FC3C000-memory.dmpFilesize
8.4MB
-
memory/5016-141-0x00007FF832C10000-0x00007FF832E05000-memory.dmpFilesize
2.0MB
-
memory/5016-142-0x00007FF8148F0000-0x00007FF8153B1000-memory.dmpFilesize
10.8MB