5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d

Reason

Machine shutdown

General

Target

5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe
Size

712KB
MD5

1395bd7b00ccb67c9efb90b673c8ef71
SHA1

633b6900f79e1c57e1095e72088f6fe45d8df6a6
SHA256

5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d
SHA512

4805c5068fff8bc556f7850d8fb40f18f2aab02c146544bb0471320a33731f1c3c590b63cb0fb6685806e199c8c12336a9be07eda5443a1808fbeafbca6212cc
SSDEEP

6144:xLLk69/CyxsWTEWs1dPwFrwKzYOX83AES9526mznYLpJfDP8WXP/LDqy5QaHHy:x/EyymEWs1pRPVgFmzoRDPkYy

Score

8^/10

evasion

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe
File opened (read-only)	\??\I:	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe
File opened (read-only)	\??\J:	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe
File opened (read-only)	\??\N:	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe
File opened (read-only)	\??\O:	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe
File opened (read-only)	\??\V:	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe
File opened (read-only)	\??\Y:	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe
File opened (read-only)	\??\A:	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe
File opened (read-only)	\??\G:	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe
File opened (read-only)	\??\H:	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe
File opened (read-only)	\??\L:	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe
File opened (read-only)	\??\M:	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe
File opened (read-only)	\??\Q:	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe
File opened (read-only)	\??\W:	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe
File opened (read-only)	\??\F:	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe
File opened (read-only)	\??\K:	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe
File opened (read-only)	\??\P:	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe
File opened (read-only)	\??\R:	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe
File opened (read-only)	\??\T:	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe
File opened (read-only)	\??\E:	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe
File opened (read-only)	\??\S:	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe
File opened (read-only)	\??\U:	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe
File opened (read-only)	\??\X:	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe
File opened (read-only)	\??\Z:	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "223"	LogonUI.exe

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\Windows	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\Windows\CurrentVersion	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Software\Microsoft\Windows\CurrentVersion\Policies\System	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Software	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5036	shutdown.exe
Token: SeRemoteShutdownPrivilege	5036	shutdown.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2328	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe
2328	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe
1372	LogonUI.exe
1372	LogonUI.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 2444	2328	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe	80
PID 2328 wrote to memory of 2444	2328	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe	80
PID 2328 wrote to memory of 2444	2328	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe	80
PID 2328 wrote to memory of 692	2328	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe	81
PID 2328 wrote to memory of 692	2328	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe	81
PID 2328 wrote to memory of 692	2328	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe	81
PID 2328 wrote to memory of 3280	2328	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe	83
PID 2328 wrote to memory of 3280	2328	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe	83
PID 2328 wrote to memory of 3280	2328	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe	83
PID 2328 wrote to memory of 4760	2328	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe	85
PID 2328 wrote to memory of 4760	2328	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe	85
PID 2328 wrote to memory of 4760	2328	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe	85
PID 2328 wrote to memory of 5036	2328	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe	88
PID 2328 wrote to memory of 5036	2328	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe	88
PID 2328 wrote to memory of 5036	2328	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe	88
PID 2328 wrote to memory of 5056	2328	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe	91
PID 2328 wrote to memory of 5056	2328	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe	91
PID 2328 wrote to memory of 5056	2328	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe	91
PID 5056 wrote to memory of 3996	5056	cmd.exe	93
PID 5056 wrote to memory of 3996	5056	cmd.exe	93
PID 5056 wrote to memory of 3996	5056	cmd.exe	93

C:\Users\Admin\AppData\Local\Temp\5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe
"C:\Users\Admin\AppData\Local\Temp\5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe"
1⤵
- Enumerates connected drives
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c c:\1dll.bat
  2⤵
  PID:2444
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c c:\1exe.bat
  2⤵
  PID:692
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c c:\2dll.bat
  2⤵
  PID:3280
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c c:\2exe.bat
  2⤵
  PID:4760
- C:\Windows\SysWOW64\shutdown.exe
  shutdown -s -t 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5036
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c c:\slear.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5056
- - C:\Windows\SysWOW64\shutdown.exe
    shutdown -s -t 0
    3⤵
    PID:3996

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39ee055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1372

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\1dll.bat

Filesize
24B

MD5
e5fad0eebdbdb290ba8e7e45b783eb80

SHA1
d0134651bc51f9b818508dbdb21690800c5ed127

SHA256
15c12f019428c39e6a96d46fb531b763d0dea5151e23376a6aabe2e05180aa83

SHA512
e61a0756f71654febc40f181a01df302eb0c1328f87e5ae8138b7f9a7414027ad9b913d9d5381a8497f25439fa8fed5b80dbacc3c4b760e8c40f256872857469

Download Submit
\??\c:\1exe.bat

Filesize
24B

MD5
160dd1581a3262e00b5d069afa1ae5c8

SHA1
d33671ab873dc34186a1ddc7b4aea3c7cf20489b

SHA256
79427c9185f986215682123d50dab3ed30442078f30dfeaa369a048fe11f5544

SHA512
999a8d45cd04d1a6622a0c0a1e6fadda43258e5cb01f6730f7f57a1ad38fbc3b0609965419e181cbf48765c804342298e534805e5b6f3f8b38744debc7333ed0

Download Submit
\??\c:\2dll.bat

Filesize
24B

MD5
6a1d86cd3e6e4ae9e7825c57e9af2ef7

SHA1
fdf3b6bbc7ef88d22e990a395665059bea146f19

SHA256
38038479a9b0bce22eb8d4c16698e399476695f05d486ce25d9359dca4f85473

SHA512
9a719fdddb595baccabcef46767786957518685bd65aa8e4bee2a5204d454af4b97d744b800c047b187f516cc20ac4babcf7c29e3e0ab30cfd087abe658714db

Download Submit
\??\c:\2exe.bat

Filesize
24B

MD5
2e42bfbb9fb87f82e354dddf976f2173

SHA1
a7367507e6c4eba22c1146b9252ada5655cbd3b1

SHA256
2f6bedcdb6bf0767f7181dd620a9e696c7f74679d1666afebe414178190a2ab5

SHA512
1dc7cf0590661e408afefed0aa3eb5c700afaf9f8c9c008897592759d38ad35e9cfb433311bb841fc83c2ca0b60d767b859145f8d01d3b73c80614a0cd5d2dff

Download Submit
\??\c:\slear.bat

Filesize
48B

MD5
263e023a4fc06130c3d2ec3f841c7484

SHA1
99977df65ba7c9d3623b6126562e931ced7746e0

SHA256
b97c6221c776add6af65837f627778f853e9adc0d06c00fba0e1a9772a72c68a

SHA512
c26b8f34f4bccc589f9843488fa8f25b8e1701d2bb0535632ec795b90fcef90e73e41ebae0f6680704ba1ab2ab0fbf7b7c10b4775778093d772114ede9b22246

Download Submit

Analysis

Sharing

Errors