34f45c8c60ab47b517940fe95d7f6ac2c5a668db841b426cec8d8c64d8d5fdb7

Reason

Machine shutdown

General

Target

34f45c8c60ab47b517940fe95d7f6ac2c5a668db841b426cec8d8c64d8d5fdb7.exe
Size

61KB
MD5

806a39814a00be8d47d945c10884df0c
SHA1

1573da7e9e237afc2b5f67b5e4cc8b6796dd4fd7
SHA256

34f45c8c60ab47b517940fe95d7f6ac2c5a668db841b426cec8d8c64d8d5fdb7
SHA512

9329d38299f30ab3afc7295f9e95bb9f85d3a6122c3d8c4619cd3f3f64094a2615118a95b6907deeeecaf87c250230b0766e3396474c093a4137c151e7ac87dc
SSDEEP

768:XJrkANtWy6T13GXcda9ZQLkr8fRjj42c6TmYAFaK6x7Ix2uAfLiox613KXJT1Bmj:Fj0ZWOsskrH2GFaK6BiAfLiwXJfF8Ey

Score

8^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1136	x2z8.exe
5024	x2z8.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	34f45c8c60ab47b517940fe95d7f6ac2c5a668db841b426cec8d8c64d8d5fdb7.exe
File opened for modification	\??\PHYSICALDRIVE0	x2z8.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2264 set thread context of 1668	2264	34f45c8c60ab47b517940fe95d7f6ac2c5a668db841b426cec8d8c64d8d5fdb7.exe	82
PID 1136 set thread context of 5024	1136	x2z8.exe	84

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "169"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5024	x2z8.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2264	34f45c8c60ab47b517940fe95d7f6ac2c5a668db841b426cec8d8c64d8d5fdb7.exe
1136	x2z8.exe
3680	LogonUI.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 1668	2264	34f45c8c60ab47b517940fe95d7f6ac2c5a668db841b426cec8d8c64d8d5fdb7.exe	82
PID 2264 wrote to memory of 1668	2264	34f45c8c60ab47b517940fe95d7f6ac2c5a668db841b426cec8d8c64d8d5fdb7.exe	82
PID 2264 wrote to memory of 1668	2264	34f45c8c60ab47b517940fe95d7f6ac2c5a668db841b426cec8d8c64d8d5fdb7.exe	82
PID 2264 wrote to memory of 1668	2264	34f45c8c60ab47b517940fe95d7f6ac2c5a668db841b426cec8d8c64d8d5fdb7.exe	82
PID 2264 wrote to memory of 1668	2264	34f45c8c60ab47b517940fe95d7f6ac2c5a668db841b426cec8d8c64d8d5fdb7.exe	82
PID 2264 wrote to memory of 1668	2264	34f45c8c60ab47b517940fe95d7f6ac2c5a668db841b426cec8d8c64d8d5fdb7.exe	82
PID 2264 wrote to memory of 1668	2264	34f45c8c60ab47b517940fe95d7f6ac2c5a668db841b426cec8d8c64d8d5fdb7.exe	82
PID 1668 wrote to memory of 1136	1668	34f45c8c60ab47b517940fe95d7f6ac2c5a668db841b426cec8d8c64d8d5fdb7.exe	83
PID 1668 wrote to memory of 1136	1668	34f45c8c60ab47b517940fe95d7f6ac2c5a668db841b426cec8d8c64d8d5fdb7.exe	83
PID 1668 wrote to memory of 1136	1668	34f45c8c60ab47b517940fe95d7f6ac2c5a668db841b426cec8d8c64d8d5fdb7.exe	83
PID 1136 wrote to memory of 5024	1136	x2z8.exe	84
PID 1136 wrote to memory of 5024	1136	x2z8.exe	84
PID 1136 wrote to memory of 5024	1136	x2z8.exe	84
PID 1136 wrote to memory of 5024	1136	x2z8.exe	84
PID 1136 wrote to memory of 5024	1136	x2z8.exe	84
PID 1136 wrote to memory of 5024	1136	x2z8.exe	84
PID 1136 wrote to memory of 5024	1136	x2z8.exe	84

C:\Users\Admin\AppData\Local\Temp\34f45c8c60ab47b517940fe95d7f6ac2c5a668db841b426cec8d8c64d8d5fdb7.exe
"C:\Users\Admin\AppData\Local\Temp\34f45c8c60ab47b517940fe95d7f6ac2c5a668db841b426cec8d8c64d8d5fdb7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Users\Admin\AppData\Local\Temp\34f45c8c60ab47b517940fe95d7f6ac2c5a668db841b426cec8d8c64d8d5fdb7.exe
  2⤵
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of WriteProcessMemory
  PID:1668
- - C:\Users\Admin\AppData\Local\Temp\x2z8.exe
    C:\Users\Admin\AppData\Local\Temp\\x2z8.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1136
  - - C:\Users\Admin\AppData\Local\Temp\x2z8.exe
      4⤵
      Executes dropped EXE
      Writes to the Master Boot Record (MBR)
      Suspicious use of AdjustPrivilegeToken
      PID:5024

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39f2855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3680

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fpath.txt

Filesize
102B

MD5
a4395beb57a41073c8f6e3c4876e41f8

SHA1
1661f22d2c967402c9fb7fc4c318a6ea164452d7

SHA256
dcd004e5e59e94e9e34a7814c9eda856f971faad2d30da1d1f9af1afc23ff193

SHA512
a89c71b1db57e72189e6e021c22620e9af8bcb83a18cf4e378cafedd4807933a49d05cf0e8c797d5ff3a6a868e79cb9f203ca77b412b55b0466ceccf6f30ec90

Download Submit
C:\Users\Admin\AppData\Local\Temp\x2z8.exe

Filesize
61KB

MD5
806a39814a00be8d47d945c10884df0c

SHA1
1573da7e9e237afc2b5f67b5e4cc8b6796dd4fd7

SHA256
34f45c8c60ab47b517940fe95d7f6ac2c5a668db841b426cec8d8c64d8d5fdb7

SHA512
9329d38299f30ab3afc7295f9e95bb9f85d3a6122c3d8c4619cd3f3f64094a2615118a95b6907deeeecaf87c250230b0766e3396474c093a4137c151e7ac87dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\x2z8.exe

Filesize
61KB

MD5
806a39814a00be8d47d945c10884df0c

SHA1
1573da7e9e237afc2b5f67b5e4cc8b6796dd4fd7

SHA256
34f45c8c60ab47b517940fe95d7f6ac2c5a668db841b426cec8d8c64d8d5fdb7

SHA512
9329d38299f30ab3afc7295f9e95bb9f85d3a6122c3d8c4619cd3f3f64094a2615118a95b6907deeeecaf87c250230b0766e3396474c093a4137c151e7ac87dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\x2z8.exe

Filesize
61KB

MD5
806a39814a00be8d47d945c10884df0c

SHA1
1573da7e9e237afc2b5f67b5e4cc8b6796dd4fd7

SHA256
34f45c8c60ab47b517940fe95d7f6ac2c5a668db841b426cec8d8c64d8d5fdb7

SHA512
9329d38299f30ab3afc7295f9e95bb9f85d3a6122c3d8c4619cd3f3f64094a2615118a95b6907deeeecaf87c250230b0766e3396474c093a4137c151e7ac87dc

Download Submit
memory/1668-135-0x000000002AA00000-0x000000002AA04000-memory.dmp

Filesize
16KB

Download
memory/1668-137-0x000000002AA00000-0x000000002AA04000-memory.dmp

Filesize
16KB

Download
memory/1668-140-0x000000002AA00000-0x000000002AA04000-memory.dmp

Filesize
16KB

Download
memory/5024-150-0x000000002AA00000-0x000000002AA04000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

Errors