2626cd04569038478f4bc5d2669c5a1aece142d17a807fc5be8344f51c9a2000

Analysis

max time kernel
168s
max time network
180s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06-11-2022 11:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2626cd04569038478f4bc5d2669c5a1aece142d17a807fc5be8344f51c9a2000.exe
Size

548KB
MD5

168b217c270dcb252bdc3d5ad075b7be
SHA1

b7e51f26d272a2c3b0c5eccbe8146b11f4def0bc
SHA256

2626cd04569038478f4bc5d2669c5a1aece142d17a807fc5be8344f51c9a2000
SHA512

2509af32202d95e79b724cea73fedb3942fe0690c90598e0d5f51c4cca71dd664b461b01df2abc6c14344b3c68cbb971c3742eccbb51f72d3cd1d098aab10130
SSDEEP

6144:K2681WUqicX91Ch5ygR0CiKGgITLkuxY1Sc8lMjN7C7Zc7zaFnjY:KlTicX9MkgR0CtG6ZBjNm14zai

Score

9^/10

Malware Config

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "169"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe

Runs net.exe

Suspicious behavior: LoadsDriver 64 IoCs

pid	Process
1144	Process not Found
1736	Process not Found
976	Process not Found
3404	Process not Found
740	Process not Found
3440	Process not Found
3160	Process not Found
3460	Process not Found
2304	Process not Found
2708	Process not Found
3556	Process not Found
3988	Process not Found
4720	Process not Found
3572	Process not Found
3504	Process not Found
3552	Process not Found
3584	Process not Found
3956	Process not Found
3280	Process not Found
1052	Process not Found
3852	Process not Found
1556	Process not Found
5084	Process not Found
948	Process not Found
1968	Process not Found
2336	Process not Found
680	Process not Found
2588	Process not Found
1104	Process not Found
4896	Process not Found
4076	Process not Found
2208	Process not Found
4584	Process not Found
2600	Process not Found
3744	Process not Found
444	Process not Found
2316	Process not Found
3168	Process not Found
2988	Process not Found
2880	Process not Found
3968	Process not Found
4032	Process not Found
3964	Process not Found
4680	Process not Found
4164	Process not Found
1572	Process not Found
2192	Process not Found
3576	Process not Found
1596	Process not Found
4588	Process not Found
4712	Process not Found
4144	Process not Found
744	Process not Found
4436	Process not Found
3948	Process not Found
1068	Process not Found
2972	Process not Found
1240	Process not Found
2412	Process not Found
1672	Process not Found
4960	Process not Found
2508	Process not Found
1380	Process not Found
4360	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1944	2626cd04569038478f4bc5d2669c5a1aece142d17a807fc5be8344f51c9a2000.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1944	2626cd04569038478f4bc5d2669c5a1aece142d17a807fc5be8344f51c9a2000.exe
1944	2626cd04569038478f4bc5d2669c5a1aece142d17a807fc5be8344f51c9a2000.exe
4228	LogonUI.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1944 wrote to memory of 3064	1944	2626cd04569038478f4bc5d2669c5a1aece142d17a807fc5be8344f51c9a2000.exe	81
PID 1944 wrote to memory of 3064	1944	2626cd04569038478f4bc5d2669c5a1aece142d17a807fc5be8344f51c9a2000.exe	81
PID 1944 wrote to memory of 3064	1944	2626cd04569038478f4bc5d2669c5a1aece142d17a807fc5be8344f51c9a2000.exe	81
PID 3064 wrote to memory of 2972	3064	net.exe	83
PID 3064 wrote to memory of 2972	3064	net.exe	83
PID 3064 wrote to memory of 2972	3064	net.exe	83
PID 1944 wrote to memory of 2796	1944	2626cd04569038478f4bc5d2669c5a1aece142d17a807fc5be8344f51c9a2000.exe	86
PID 1944 wrote to memory of 2796	1944	2626cd04569038478f4bc5d2669c5a1aece142d17a807fc5be8344f51c9a2000.exe	86
PID 1944 wrote to memory of 2796	1944	2626cd04569038478f4bc5d2669c5a1aece142d17a807fc5be8344f51c9a2000.exe	86
PID 2796 wrote to memory of 3296	2796	net.exe	88
PID 2796 wrote to memory of 3296	2796	net.exe	88
PID 2796 wrote to memory of 3296	2796	net.exe	88
PID 1944 wrote to memory of 3176	1944	2626cd04569038478f4bc5d2669c5a1aece142d17a807fc5be8344f51c9a2000.exe	89
PID 1944 wrote to memory of 3176	1944	2626cd04569038478f4bc5d2669c5a1aece142d17a807fc5be8344f51c9a2000.exe	89
PID 1944 wrote to memory of 3176	1944	2626cd04569038478f4bc5d2669c5a1aece142d17a807fc5be8344f51c9a2000.exe	89
PID 3176 wrote to memory of 2104	3176	net.exe	91
PID 3176 wrote to memory of 2104	3176	net.exe	91
PID 3176 wrote to memory of 2104	3176	net.exe	91

C:\Users\Admin\AppData\Local\Temp\2626cd04569038478f4bc5d2669c5a1aece142d17a807fc5be8344f51c9a2000.exe
"C:\Users\Admin\AppData\Local\Temp\2626cd04569038478f4bc5d2669c5a1aece142d17a807fc5be8344f51c9a2000.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1944
- C:\Windows\SysWOW64\net.exe
  net user administrator 811630187
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user administrator 811630187
    3⤵
    PID:2972
- C:\Windows\SysWOW64\net.exe
  net user ÒªÃÜÂë¼Ó1308722504 811630187 /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user ÒªÃÜÂë¼Ó1308722504 811630187 /add
    3⤵
    PID:3296
- C:\Windows\SysWOW64\net.exe
  net localgroup administrators ÒªÃÜÂë¼Ó1308722504 /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3176
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 localgroup administrators ÒªÃÜÂë¼Ó1308722504 /add
    3⤵
    PID:2104

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39f3055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4228

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Account Manipulation

T1098

Privilege Escalation

Defense Evasion

Credential Access

Account Manipulation

T1098

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads