ff9fa217826907e15e8352afcd293b25887ca12e14baea814fa0ecf5da581aee

Reason

Machine shutdown

General

Target

ff9fa217826907e15e8352afcd293b25887ca12e14baea814fa0ecf5da581aee.exe
Size

929KB
MD5

0f43b40d5f15e33283c6f0dd2cc84e86
SHA1

6b7bb79bade4daff829704de0611b8763650e704
SHA256

ff9fa217826907e15e8352afcd293b25887ca12e14baea814fa0ecf5da581aee
SHA512

8d0ba92c65b18c55389adab9691ed65b74324194130fd638bf4391c09096c46b9c45e78133cbd38dd9041dd2c0cadc45ab3ebd5c0287c31063abe4f35b8b67aa
SSDEEP

12288:zya4OjigvrwsuIaEUMJaKqptyLuziCKvDNgQpwKTavW2gsBb46sefiikt+GKmLPW:2a7ZvkDZnJtmeiC6BuK+CsO6mL1KuCSC

Score

9^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 8 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0009000000022e0f-133.dat	acprotect
behavioral2/files/0x0009000000022e0f-134.dat	acprotect
behavioral2/files/0x0009000000022e0f-136.dat	acprotect
behavioral2/files/0x0009000000022e0f-138.dat	acprotect
behavioral2/files/0x0009000000022e0f-137.dat	acprotect
behavioral2/files/0x0009000000022e0f-142.dat	acprotect
behavioral2/files/0x0009000000022e0f-143.dat	acprotect
behavioral2/files/0x0009000000022e0f-146.dat	acprotect

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3172-132-0x0000000000400000-0x00000000004CB000-memory.dmp	upx
behavioral2/memory/3172-150-0x0000000000400000-0x00000000004CB000-memory.dmp	upx

Loads dropped DLL 7 IoCs

pid	Process
3172	ff9fa217826907e15e8352afcd293b25887ca12e14baea814fa0ecf5da581aee.exe
3172	ff9fa217826907e15e8352afcd293b25887ca12e14baea814fa0ecf5da581aee.exe
872	regsvr32.exe
872	regsvr32.exe
4892	regsvr32.exe
4892	regsvr32.exe
64	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "174"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe

Runs .reg file with regedit 1 IoCs

pid	Process
4868	regedit.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3132	shutdown.exe
Token: SeRemoteShutdownPrivilege	3132	shutdown.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3172	ff9fa217826907e15e8352afcd293b25887ca12e14baea814fa0ecf5da581aee.exe
3172	ff9fa217826907e15e8352afcd293b25887ca12e14baea814fa0ecf5da581aee.exe
3172	ff9fa217826907e15e8352afcd293b25887ca12e14baea814fa0ecf5da581aee.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3172	ff9fa217826907e15e8352afcd293b25887ca12e14baea814fa0ecf5da581aee.exe
3172	ff9fa217826907e15e8352afcd293b25887ca12e14baea814fa0ecf5da581aee.exe
3172	ff9fa217826907e15e8352afcd293b25887ca12e14baea814fa0ecf5da581aee.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3172	ff9fa217826907e15e8352afcd293b25887ca12e14baea814fa0ecf5da581aee.exe
3204	LogonUI.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3172 wrote to memory of 872	3172	ff9fa217826907e15e8352afcd293b25887ca12e14baea814fa0ecf5da581aee.exe	79
PID 3172 wrote to memory of 872	3172	ff9fa217826907e15e8352afcd293b25887ca12e14baea814fa0ecf5da581aee.exe	79
PID 3172 wrote to memory of 872	3172	ff9fa217826907e15e8352afcd293b25887ca12e14baea814fa0ecf5da581aee.exe	79
PID 3172 wrote to memory of 4868	3172	ff9fa217826907e15e8352afcd293b25887ca12e14baea814fa0ecf5da581aee.exe	80
PID 3172 wrote to memory of 4868	3172	ff9fa217826907e15e8352afcd293b25887ca12e14baea814fa0ecf5da581aee.exe	80
PID 3172 wrote to memory of 4868	3172	ff9fa217826907e15e8352afcd293b25887ca12e14baea814fa0ecf5da581aee.exe	80
PID 3172 wrote to memory of 4892	3172	ff9fa217826907e15e8352afcd293b25887ca12e14baea814fa0ecf5da581aee.exe	81
PID 3172 wrote to memory of 4892	3172	ff9fa217826907e15e8352afcd293b25887ca12e14baea814fa0ecf5da581aee.exe	81
PID 3172 wrote to memory of 4892	3172	ff9fa217826907e15e8352afcd293b25887ca12e14baea814fa0ecf5da581aee.exe	81
PID 3172 wrote to memory of 64	3172	ff9fa217826907e15e8352afcd293b25887ca12e14baea814fa0ecf5da581aee.exe	82
PID 3172 wrote to memory of 64	3172	ff9fa217826907e15e8352afcd293b25887ca12e14baea814fa0ecf5da581aee.exe	82
PID 3172 wrote to memory of 64	3172	ff9fa217826907e15e8352afcd293b25887ca12e14baea814fa0ecf5da581aee.exe	82
PID 3172 wrote to memory of 3132	3172	ff9fa217826907e15e8352afcd293b25887ca12e14baea814fa0ecf5da581aee.exe	83
PID 3172 wrote to memory of 3132	3172	ff9fa217826907e15e8352afcd293b25887ca12e14baea814fa0ecf5da581aee.exe	83
PID 3172 wrote to memory of 3132	3172	ff9fa217826907e15e8352afcd293b25887ca12e14baea814fa0ecf5da581aee.exe	83

C:\Users\Admin\AppData\Local\Temp\ff9fa217826907e15e8352afcd293b25887ca12e14baea814fa0ecf5da581aee.exe
"C:\Users\Admin\AppData\Local\Temp\ff9fa217826907e15e8352afcd293b25887ca12e14baea814fa0ecf5da581aee.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3172
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s wuaueng.dll
  2⤵
  - Loads dropped DLL
  PID:872
- C:\Windows\SysWOW64\regedit.exe
  regedit /s c:\ie8\okok.reg
  2⤵
  - Runs .reg file with regedit
  PID:4868
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /u /s remotepg.dll
  2⤵
  - Loads dropped DLL
  PID:4892
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /u /s wuaueng.dll
  2⤵
  - Loads dropped DLL
  PID:64
- C:\Windows\SysWOW64\shutdown.exe
  shutdown.exe -c 祝贺您：IE8安装完毕！重启后生效. -r
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3132

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39da855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3204

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\yki67F6.tmp

Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\yki67F6.tmp

Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\yki67F6.tmp

Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\yki67F6.tmp

Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\yki67F6.tmp

Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\yki67F6.tmp

Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\yki67F6.tmp

Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\yki67F6.tmp

Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
memory/64-148-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/872-139-0x0000000000D00000-0x0000000000D73000-memory.dmp

Filesize
460KB

Download
memory/3172-150-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/3172-132-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/3172-151-0x0000000000980000-0x00000000009F3000-memory.dmp

Filesize
460KB

Download
memory/3172-147-0x0000000000980000-0x00000000009F3000-memory.dmp

Filesize
460KB

Download
memory/4892-144-0x00000000008E0000-0x0000000000953000-memory.dmp

Filesize
460KB

Download

Analysis

Sharing

Errors