337f039ad3ea7142ca440927f085d8c005e8b2465a4cc26fa7a25ecb2a591a68

General

Target

337f039ad3ea7142ca440927f085d8c005e8b2465a4cc26fa7a25ecb2a591a68.exe
Size

728KB
MD5

914802026021e4833f94641a64387721
SHA1

b9decb867728e00703f3e1a5d5d04570d1005a02
SHA256

337f039ad3ea7142ca440927f085d8c005e8b2465a4cc26fa7a25ecb2a591a68
SHA512

43ef9a29453c4e47610a84c553dcbcb9974fe8e432a7e16794b5e5a8f907768dbc7070c062ed6a4b7665c18287d6b84811f306ad2da55df880a9e2a81c663f49
SSDEEP

12288:KRDUdycmIpgnSS3Afn1BIzKBpCPrUqPnvt8:KFUdPSSOAP1+zwQjHPnvt8

Score

1^/10

Malware Config

Signatures

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "147"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

337f039ad3ea7142ca440927f085d8c005e8b2465a4cc26fa7a25ecb2a591a68.exe

description	pid	process
Token: SeShutdownPrivilege	216	337f039ad3ea7142ca440927f085d8c005e8b2465a4cc26fa7a25ecb2a591a68.exe
Token: SeShutdownPrivilege	216	337f039ad3ea7142ca440927f085d8c005e8b2465a4cc26fa7a25ecb2a591a68.exe
Token: SeShutdownPrivilege	216	337f039ad3ea7142ca440927f085d8c005e8b2465a4cc26fa7a25ecb2a591a68.exe
Token: SeShutdownPrivilege	216	337f039ad3ea7142ca440927f085d8c005e8b2465a4cc26fa7a25ecb2a591a68.exe
Token: SeShutdownPrivilege	216	337f039ad3ea7142ca440927f085d8c005e8b2465a4cc26fa7a25ecb2a591a68.exe
Token: SeShutdownPrivilege	216	337f039ad3ea7142ca440927f085d8c005e8b2465a4cc26fa7a25ecb2a591a68.exe
Token: SeShutdownPrivilege	216	337f039ad3ea7142ca440927f085d8c005e8b2465a4cc26fa7a25ecb2a591a68.exe
Token: SeShutdownPrivilege	216	337f039ad3ea7142ca440927f085d8c005e8b2465a4cc26fa7a25ecb2a591a68.exe
Token: SeShutdownPrivilege	216	337f039ad3ea7142ca440927f085d8c005e8b2465a4cc26fa7a25ecb2a591a68.exe
Token: SeShutdownPrivilege	216	337f039ad3ea7142ca440927f085d8c005e8b2465a4cc26fa7a25ecb2a591a68.exe
Token: SeShutdownPrivilege	216	337f039ad3ea7142ca440927f085d8c005e8b2465a4cc26fa7a25ecb2a591a68.exe
Token: SeShutdownPrivilege	216	337f039ad3ea7142ca440927f085d8c005e8b2465a4cc26fa7a25ecb2a591a68.exe
Token: SeShutdownPrivilege	216	337f039ad3ea7142ca440927f085d8c005e8b2465a4cc26fa7a25ecb2a591a68.exe
Token: SeShutdownPrivilege	216	337f039ad3ea7142ca440927f085d8c005e8b2465a4cc26fa7a25ecb2a591a68.exe
Token: SeShutdownPrivilege	216	337f039ad3ea7142ca440927f085d8c005e8b2465a4cc26fa7a25ecb2a591a68.exe
Token: SeShutdownPrivilege	216	337f039ad3ea7142ca440927f085d8c005e8b2465a4cc26fa7a25ecb2a591a68.exe
Token: SeShutdownPrivilege	216	337f039ad3ea7142ca440927f085d8c005e8b2465a4cc26fa7a25ecb2a591a68.exe
Token: SeShutdownPrivilege	216	337f039ad3ea7142ca440927f085d8c005e8b2465a4cc26fa7a25ecb2a591a68.exe
Token: SeShutdownPrivilege	216	337f039ad3ea7142ca440927f085d8c005e8b2465a4cc26fa7a25ecb2a591a68.exe
Token: SeShutdownPrivilege	216	337f039ad3ea7142ca440927f085d8c005e8b2465a4cc26fa7a25ecb2a591a68.exe
Token: SeShutdownPrivilege	216	337f039ad3ea7142ca440927f085d8c005e8b2465a4cc26fa7a25ecb2a591a68.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

337f039ad3ea7142ca440927f085d8c005e8b2465a4cc26fa7a25ecb2a591a68.exe

pid	process
216	337f039ad3ea7142ca440927f085d8c005e8b2465a4cc26fa7a25ecb2a591a68.exe
216	337f039ad3ea7142ca440927f085d8c005e8b2465a4cc26fa7a25ecb2a591a68.exe
216	337f039ad3ea7142ca440927f085d8c005e8b2465a4cc26fa7a25ecb2a591a68.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

337f039ad3ea7142ca440927f085d8c005e8b2465a4cc26fa7a25ecb2a591a68.exeLogonUI.exe

pid	process
216	337f039ad3ea7142ca440927f085d8c005e8b2465a4cc26fa7a25ecb2a591a68.exe
216	337f039ad3ea7142ca440927f085d8c005e8b2465a4cc26fa7a25ecb2a591a68.exe
2668	LogonUI.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

337f039ad3ea7142ca440927f085d8c005e8b2465a4cc26fa7a25ecb2a591a68.exenet.exe

description	pid	process	target process
PID 216 wrote to memory of 3664	216	337f039ad3ea7142ca440927f085d8c005e8b2465a4cc26fa7a25ecb2a591a68.exe	net.exe
PID 216 wrote to memory of 3664	216	337f039ad3ea7142ca440927f085d8c005e8b2465a4cc26fa7a25ecb2a591a68.exe	net.exe
PID 216 wrote to memory of 3664	216	337f039ad3ea7142ca440927f085d8c005e8b2465a4cc26fa7a25ecb2a591a68.exe	net.exe
PID 3664 wrote to memory of 4912	3664	net.exe	net1.exe
PID 3664 wrote to memory of 4912	3664	net.exe	net1.exe
PID 3664 wrote to memory of 4912	3664	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\337f039ad3ea7142ca440927f085d8c005e8b2465a4cc26fa7a25ecb2a591a68.exe
"C:\Users\Admin\AppData\Local\Temp\337f039ad3ea7142ca440927f085d8c005e8b2465a4cc26fa7a25ecb2a591a68.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:216

C:\Windows\SysWOW64\net.exe
net user Administrator xiaotaodiaoyv
2⤵
- Suspicious use of WriteProcessMemory
PID:3664

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user Administrator xiaotaodiaoyv
3⤵
PID:4912

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39b3055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2668

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads