836c224d6b720e175554029d5465b13d207904b71974f9dcdfbe69f2e2de914e

Analysis

max time kernel
150s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
29/10/2022, 19:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

836c224d6b720e175554029d5465b13d207904b71974f9dcdfbe69f2e2de914e.exe
Size

64KB
MD5

83e81ad36d22123133e5dbe8654c1cd9
SHA1

207508a48bf0e18311a798ba106574282c9eaa39
SHA256

836c224d6b720e175554029d5465b13d207904b71974f9dcdfbe69f2e2de914e
SHA512

1ad0bb40c0b90796a99aa22333207038ce91b45d2fbd200a2c73091864c3c7f20db4252342477acf96ef05220c362e385c27b7657aa43cb482b713c175d10b65
SSDEEP

1536:w4xDXwnrh23xVpS04Ti7qXE3dHi7YVwbC:w6Lwrh23Dpt93dHiEVwO

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SVCHOST = "\\WINDOWS\\Media\\SVCHOST.EXE"	836c224d6b720e175554029d5465b13d207904b71974f9dcdfbe69f2e2de914e.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run	836c224d6b720e175554029d5465b13d207904b71974f9dcdfbe69f2e2de914e.exe

Drops autorun.inf file 1 TTPs 16 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	\??\c:\autorun.inf	836c224d6b720e175554029d5465b13d207904b71974f9dcdfbe69f2e2de914e.exe
File opened for modification	\??\e:\autorun.inf	836c224d6b720e175554029d5465b13d207904b71974f9dcdfbe69f2e2de914e.exe
File opened for modification	\??\g:\autorun.inf	836c224d6b720e175554029d5465b13d207904b71974f9dcdfbe69f2e2de914e.exe
File created	\??\j:\autorun.inf	836c224d6b720e175554029d5465b13d207904b71974f9dcdfbe69f2e2de914e.exe
File created	C:\autorun.inf	836c224d6b720e175554029d5465b13d207904b71974f9dcdfbe69f2e2de914e.exe
File opened for modification	\??\i:\autorun.inf	836c224d6b720e175554029d5465b13d207904b71974f9dcdfbe69f2e2de914e.exe
File opened for modification	\??\j:\autorun.inf	836c224d6b720e175554029d5465b13d207904b71974f9dcdfbe69f2e2de914e.exe
File opened for modification	\??\d:\autorun.inf	836c224d6b720e175554029d5465b13d207904b71974f9dcdfbe69f2e2de914e.exe
File created	\??\f:\autorun.inf	836c224d6b720e175554029d5465b13d207904b71974f9dcdfbe69f2e2de914e.exe
File created	\??\g:\autorun.inf	836c224d6b720e175554029d5465b13d207904b71974f9dcdfbe69f2e2de914e.exe
File created	\??\h:\autorun.inf	836c224d6b720e175554029d5465b13d207904b71974f9dcdfbe69f2e2de914e.exe
File opened for modification	\??\h:\autorun.inf	836c224d6b720e175554029d5465b13d207904b71974f9dcdfbe69f2e2de914e.exe
File created	\??\i:\autorun.inf	836c224d6b720e175554029d5465b13d207904b71974f9dcdfbe69f2e2de914e.exe
File created	\??\d:\autorun.inf	836c224d6b720e175554029d5465b13d207904b71974f9dcdfbe69f2e2de914e.exe
File created	\??\e:\autorun.inf	836c224d6b720e175554029d5465b13d207904b71974f9dcdfbe69f2e2de914e.exe
File opened for modification	\??\f:\autorun.inf	836c224d6b720e175554029d5465b13d207904b71974f9dcdfbe69f2e2de914e.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\WINDOWS\Media\SVCHOST.EXE	836c224d6b720e175554029d5465b13d207904b71974f9dcdfbe69f2e2de914e.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "223"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe

Suspicious behavior: LoadsDriver 64 IoCs

pid	Process
3552	Process not Found
4076	Process not Found
4420	Process not Found
3944	Process not Found
1432	Process not Found
5052	Process not Found
1244	Process not Found
2396	Process not Found
4184	Process not Found
2636	Process not Found
2332	Process not Found
4536	Process not Found
4660	Process not Found
2568	Process not Found
2616	Process not Found
484	Process not Found
2968	Process not Found
2820	Process not Found
4196	Process not Found
2896	Process not Found
1348	Process not Found
3160	Process not Found
5096	Process not Found
3920	Process not Found
388	Process not Found
1560	Process not Found
4756	Process not Found
3516	Process not Found
2344	Process not Found
2008	Process not Found
944	Process not Found
1932	Process not Found
4160	Process not Found
1048	Process not Found
2140	Process not Found
1860	Process not Found
3476	Process not Found
4768	Process not Found
4956	Process not Found
2620	Process not Found
3464	Process not Found
4452	Process not Found
5108	Process not Found
2852	Process not Found
3908	Process not Found
3916	Process not Found
4004	Process not Found
3912	Process not Found
3344	Process not Found
4012	Process not Found
4428	Process not Found
3380	Process not Found
1708	Process not Found
2352	Process not Found
4020	Process not Found
4032	Process not Found
2472	Process not Found
1308	Process not Found
4868	Process not Found
2404	Process not Found
464	Process not Found
4760	Process not Found
4260	Process not Found
1204	Process not Found

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4316	836c224d6b720e175554029d5465b13d207904b71974f9dcdfbe69f2e2de914e.exe
4316	836c224d6b720e175554029d5465b13d207904b71974f9dcdfbe69f2e2de914e.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4316	836c224d6b720e175554029d5465b13d207904b71974f9dcdfbe69f2e2de914e.exe
684	LogonUI.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4316 wrote to memory of 3984	4316	836c224d6b720e175554029d5465b13d207904b71974f9dcdfbe69f2e2de914e.exe	90
PID 4316 wrote to memory of 3984	4316	836c224d6b720e175554029d5465b13d207904b71974f9dcdfbe69f2e2de914e.exe	90
PID 4316 wrote to memory of 3984	4316	836c224d6b720e175554029d5465b13d207904b71974f9dcdfbe69f2e2de914e.exe	90

C:\Users\Admin\AppData\Local\Temp\836c224d6b720e175554029d5465b13d207904b71974f9dcdfbe69f2e2de914e.exe
"C:\Users\Admin\AppData\Local\Temp\836c224d6b720e175554029d5465b13d207904b71974f9dcdfbe69f2e2de914e.exe"
1⤵
- Adds Run key to start application
- Drops autorun.inf file
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4316
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del.bat
  2⤵
  PID:3984

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3986855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:684

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\del.bat

Filesize
114B

MD5
b5aefafd5ee80d824546c6ec94a1e131

SHA1
a2fca0ee5c68c4e17c60d9d0f6f7b053cf659982

SHA256
ef12d9b374ecda0a203cd447b410bc801d0b50a7c0a335706204054b2d385ba6

SHA512
d926bc9249099664e55936df6b9d410e7a15655db501ce4abc842f7863cf97702b2b131719b7d78164dfa0001711375526d55cf206cfbc8eed9963f36f830273

Download Submit
memory/4316-132-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4316-137-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads