171d8ce2768d0bb748c49cf33a4a950d4e6111b28852640fb3d47cbe72244029

General

Target

171d8ce2768d0bb748c49cf33a4a950d4e6111b28852640fb3d47cbe72244029.exe
Size

16KB
MD5

43a782844721f02d589ad04b3cd39520
SHA1

0fd24c743c7d8a6a6bbcd881b67d2c42c6f1b76b
SHA256

171d8ce2768d0bb748c49cf33a4a950d4e6111b28852640fb3d47cbe72244029
SHA512

c9bf4a3854f38bf5af17439727d572c78c7e196c53ff51280f71a6c76f4ccefe4951b62562ab78a42fe4ccc71fbbef81125fe90d529030befd48ac995d0c89e2
SSDEEP

384:/0bKAy5N0ZmXIV0lZw2kINGvn3OAHuxW3BuWAN:uO3emjLZAhOk4

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 64 IoCs

Processes:

171d8ce2768d0bb748c49cf33a4a950d4e6111b28852640fb3d47cbe72244029.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\ieUnatt.exe	171d8ce2768d0bb748c49cf33a4a950d4e6111b28852640fb3d47cbe72244029.exe
File opened for modification	C:\Windows\SysWOW64\msinfo32.exe	171d8ce2768d0bb748c49cf33a4a950d4e6111b28852640fb3d47cbe72244029.exe
File opened for modification	C:\Windows\SysWOW64\PING.EXE	171d8ce2768d0bb748c49cf33a4a950d4e6111b28852640fb3d47cbe72244029.exe
File opened for modification	C:\Windows\SysWOW64\CertEnrollCtrl.exe	171d8ce2768d0bb748c49cf33a4a950d4e6111b28852640fb3d47cbe72244029.exe
File opened for modification	C:\Windows\SysWOW64\dcomcnfg.exe	171d8ce2768d0bb748c49cf33a4a950d4e6111b28852640fb3d47cbe72244029.exe
File opened for modification	C:\Windows\SysWOW64\dllhst3g.exe	171d8ce2768d0bb748c49cf33a4a950d4e6111b28852640fb3d47cbe72244029.exe
File opened for modification	C:\Windows\SysWOW64\fc.exe	171d8ce2768d0bb748c49cf33a4a950d4e6111b28852640fb3d47cbe72244029.exe
File opened for modification	C:\Windows\SysWOW64\extrac32.exe	171d8ce2768d0bb748c49cf33a4a950d4e6111b28852640fb3d47cbe72244029.exe
File opened for modification	C:\Windows\SysWOW64\srdelayed.exe	171d8ce2768d0bb748c49cf33a4a950d4e6111b28852640fb3d47cbe72244029.exe
File opened for modification	C:\Windows\SysWOW64\net.exe	171d8ce2768d0bb748c49cf33a4a950d4e6111b28852640fb3d47cbe72244029.exe
File opened for modification	C:\Windows\SysWOW64\regini.exe	171d8ce2768d0bb748c49cf33a4a950d4e6111b28852640fb3d47cbe72244029.exe
File opened for modification	C:\Windows\SysWOW64\rrinstaller.exe	171d8ce2768d0bb748c49cf33a4a950d4e6111b28852640fb3d47cbe72244029.exe
File opened for modification	C:\Windows\SysWOW64\autoconv.exe	171d8ce2768d0bb748c49cf33a4a950d4e6111b28852640fb3d47cbe72244029.exe
File opened for modification	C:\Windows\SysWOW64\cscript.exe	171d8ce2768d0bb748c49cf33a4a950d4e6111b28852640fb3d47cbe72244029.exe
File opened for modification	C:\Windows\SysWOW64\isoburn.exe	171d8ce2768d0bb748c49cf33a4a950d4e6111b28852640fb3d47cbe72244029.exe
File opened for modification	C:\Windows\SysWOW64\msiexec.exe	171d8ce2768d0bb748c49cf33a4a950d4e6111b28852640fb3d47cbe72244029.exe
File opened for modification	C:\Windows\SysWOW64\charmap.exe	171d8ce2768d0bb748c49cf33a4a950d4e6111b28852640fb3d47cbe72244029.exe
File opened for modification	C:\Windows\SysWOW64\upnpcont.exe	171d8ce2768d0bb748c49cf33a4a950d4e6111b28852640fb3d47cbe72244029.exe
File opened for modification	C:\Windows\SysWOW64\WSManHTTPConfig.exe	171d8ce2768d0bb748c49cf33a4a950d4e6111b28852640fb3d47cbe72244029.exe
File opened for modification	C:\Windows\SysWOW64\typeperf.exe	171d8ce2768d0bb748c49cf33a4a950d4e6111b28852640fb3d47cbe72244029.exe
File opened for modification	C:\Windows\SysWOW64\user.exe	171d8ce2768d0bb748c49cf33a4a950d4e6111b28852640fb3d47cbe72244029.exe
File opened for modification	C:\Windows\SysWOW64\netsh.exe	171d8ce2768d0bb748c49cf33a4a950d4e6111b28852640fb3d47cbe72244029.exe
File opened for modification	C:\Windows\SysWOW64\openfiles.exe	171d8ce2768d0bb748c49cf33a4a950d4e6111b28852640fb3d47cbe72244029.exe
File opened for modification	C:\Windows\SysWOW64\runas.exe	171d8ce2768d0bb748c49cf33a4a950d4e6111b28852640fb3d47cbe72244029.exe
File opened for modification	C:\Windows\SysWOW64\runonce.exe	171d8ce2768d0bb748c49cf33a4a950d4e6111b28852640fb3d47cbe72244029.exe
File opened for modification	C:\Windows\SysWOW64\wiaacmgr.exe	171d8ce2768d0bb748c49cf33a4a950d4e6111b28852640fb3d47cbe72244029.exe
File opened for modification	C:\Windows\SysWOW64\getmac.exe	171d8ce2768d0bb748c49cf33a4a950d4e6111b28852640fb3d47cbe72244029.exe
File opened for modification	C:\Windows\SysWOW64\hdwwiz.exe	171d8ce2768d0bb748c49cf33a4a950d4e6111b28852640fb3d47cbe72244029.exe
File opened for modification	C:\Windows\SysWOW64\LaunchTM.exe	171d8ce2768d0bb748c49cf33a4a950d4e6111b28852640fb3d47cbe72244029.exe
File opened for modification	C:\Windows\SysWOW64\powercfg.exe	171d8ce2768d0bb748c49cf33a4a950d4e6111b28852640fb3d47cbe72244029.exe
File opened for modification	C:\Windows\SysWOW64\certreq.exe	171d8ce2768d0bb748c49cf33a4a950d4e6111b28852640fb3d47cbe72244029.exe
File opened for modification	C:\Windows\SysWOW64\provlaunch.exe	171d8ce2768d0bb748c49cf33a4a950d4e6111b28852640fb3d47cbe72244029.exe
File opened for modification	C:\Windows\SysWOW64\quickassist.exe	171d8ce2768d0bb748c49cf33a4a950d4e6111b28852640fb3d47cbe72244029.exe
File opened for modification	C:\Windows\SysWOW64\tar.exe	171d8ce2768d0bb748c49cf33a4a950d4e6111b28852640fb3d47cbe72244029.exe
File opened for modification	C:\Windows\SysWOW64\appidtel.exe	171d8ce2768d0bb748c49cf33a4a950d4e6111b28852640fb3d47cbe72244029.exe
File opened for modification	C:\Windows\SysWOW64\relog.exe	171d8ce2768d0bb748c49cf33a4a950d4e6111b28852640fb3d47cbe72244029.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	171d8ce2768d0bb748c49cf33a4a950d4e6111b28852640fb3d47cbe72244029.exe
File opened for modification	C:\Windows\SysWOW64\RdpSaUacHelper.exe	171d8ce2768d0bb748c49cf33a4a950d4e6111b28852640fb3d47cbe72244029.exe
File opened for modification	C:\Windows\SysWOW64\RpcPing.exe	171d8ce2768d0bb748c49cf33a4a950d4e6111b28852640fb3d47cbe72244029.exe
File opened for modification	C:\Windows\SysWOW64\sdbinst.exe	171d8ce2768d0bb748c49cf33a4a950d4e6111b28852640fb3d47cbe72244029.exe
File opened for modification	C:\Windows\SysWOW64\ARP.EXE	171d8ce2768d0bb748c49cf33a4a950d4e6111b28852640fb3d47cbe72244029.exe
File opened for modification	C:\Windows\SysWOW64\DevicePairingWizard.exe	171d8ce2768d0bb748c49cf33a4a950d4e6111b28852640fb3d47cbe72244029.exe
File opened for modification	C:\Windows\SysWOW64\fsutil.exe	171d8ce2768d0bb748c49cf33a4a950d4e6111b28852640fb3d47cbe72244029.exe
File opened for modification	C:\Windows\SysWOW64\Register-CimProvider.exe	171d8ce2768d0bb748c49cf33a4a950d4e6111b28852640fb3d47cbe72244029.exe
File opened for modification	C:\Windows\SysWOW64\RMActivate_ssp.exe	171d8ce2768d0bb748c49cf33a4a950d4e6111b28852640fb3d47cbe72244029.exe
File opened for modification	C:\Windows\SysWOW64\secinit.exe	171d8ce2768d0bb748c49cf33a4a950d4e6111b28852640fb3d47cbe72244029.exe
File opened for modification	C:\Windows\SysWOW64\systeminfo.exe	171d8ce2768d0bb748c49cf33a4a950d4e6111b28852640fb3d47cbe72244029.exe
File opened for modification	C:\Windows\SysWOW64\fltMC.exe	171d8ce2768d0bb748c49cf33a4a950d4e6111b28852640fb3d47cbe72244029.exe
File opened for modification	C:\Windows\SysWOW64\Fondue.exe	171d8ce2768d0bb748c49cf33a4a950d4e6111b28852640fb3d47cbe72244029.exe
File opened for modification	C:\Windows\SysWOW64\fsquirt.exe	171d8ce2768d0bb748c49cf33a4a950d4e6111b28852640fb3d47cbe72244029.exe
File opened for modification	C:\Windows\SysWOW64\ipconfig.exe	171d8ce2768d0bb748c49cf33a4a950d4e6111b28852640fb3d47cbe72244029.exe
File opened for modification	C:\Windows\SysWOW64\OposHost.exe	171d8ce2768d0bb748c49cf33a4a950d4e6111b28852640fb3d47cbe72244029.exe
File opened for modification	C:\Windows\SysWOW64\PickerHost.exe	171d8ce2768d0bb748c49cf33a4a950d4e6111b28852640fb3d47cbe72244029.exe
File opened for modification	C:\Windows\SysWOW64\ddodiag.exe	171d8ce2768d0bb748c49cf33a4a950d4e6111b28852640fb3d47cbe72244029.exe
File opened for modification	C:\Windows\SysWOW64\dialer.exe	171d8ce2768d0bb748c49cf33a4a950d4e6111b28852640fb3d47cbe72244029.exe
File opened for modification	C:\Windows\SysWOW64\mmc.exe	171d8ce2768d0bb748c49cf33a4a950d4e6111b28852640fb3d47cbe72244029.exe
File opened for modification	C:\Windows\SysWOW64\odbcad32.exe	171d8ce2768d0bb748c49cf33a4a950d4e6111b28852640fb3d47cbe72244029.exe
File opened for modification	C:\Windows\SysWOW64\fontview.exe	171d8ce2768d0bb748c49cf33a4a950d4e6111b28852640fb3d47cbe72244029.exe
File opened for modification	C:\Windows\SysWOW64\recover.exe	171d8ce2768d0bb748c49cf33a4a950d4e6111b28852640fb3d47cbe72244029.exe
File opened for modification	C:\Windows\SysWOW64\xcopy.exe	171d8ce2768d0bb748c49cf33a4a950d4e6111b28852640fb3d47cbe72244029.exe
File opened for modification	C:\Windows\SysWOW64\RunLegacyCPLElevated.exe	171d8ce2768d0bb748c49cf33a4a950d4e6111b28852640fb3d47cbe72244029.exe
File opened for modification	C:\Windows\SysWOW64\whoami.exe	171d8ce2768d0bb748c49cf33a4a950d4e6111b28852640fb3d47cbe72244029.exe
File opened for modification	C:\Windows\SysWOW64\PATHPING.EXE	171d8ce2768d0bb748c49cf33a4a950d4e6111b28852640fb3d47cbe72244029.exe
File opened for modification	C:\Windows\SysWOW64\unlodctr.exe	171d8ce2768d0bb748c49cf33a4a950d4e6111b28852640fb3d47cbe72244029.exe

Drops file in Windows directory 8 IoCs

Processes:

171d8ce2768d0bb748c49cf33a4a950d4e6111b28852640fb3d47cbe72244029.exe

description	ioc	process
File opened for modification	C:\Windows\write.exe	171d8ce2768d0bb748c49cf33a4a950d4e6111b28852640fb3d47cbe72244029.exe
File opened for modification	C:\Windows\bfsvc.exe	171d8ce2768d0bb748c49cf33a4a950d4e6111b28852640fb3d47cbe72244029.exe
File opened for modification	C:\Windows\explorer.exe	171d8ce2768d0bb748c49cf33a4a950d4e6111b28852640fb3d47cbe72244029.exe
File opened for modification	C:\Windows\HelpPane.exe	171d8ce2768d0bb748c49cf33a4a950d4e6111b28852640fb3d47cbe72244029.exe
File opened for modification	C:\Windows\hh.exe	171d8ce2768d0bb748c49cf33a4a950d4e6111b28852640fb3d47cbe72244029.exe
File opened for modification	C:\Windows\notepad.exe	171d8ce2768d0bb748c49cf33a4a950d4e6111b28852640fb3d47cbe72244029.exe
File opened for modification	C:\Windows\splwow64.exe	171d8ce2768d0bb748c49cf33a4a950d4e6111b28852640fb3d47cbe72244029.exe
File opened for modification	C:\Windows\winhlp32.exe	171d8ce2768d0bb748c49cf33a4a950d4e6111b28852640fb3d47cbe72244029.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "147"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe

Suspicious behavior: LoadsDriver 64 IoCs

Processes:

pid	process
1020
3688
4992
4116
4120
4472
928
4812
2560
4708
1256
4704
4560
3800
2272
2224
4252
980
2264
1360
924
3516
4304
5020
2280
3408
920
2236
1372
972
4076
496
2832
5028
3060
2388
2912
628
2120
2396
1840
800
1744
1176
1276
4972
3696
1308
652
1340
4684
2748
2392
2904
3120
532
1252
1820
1244
4872
4920
4928
3368
4900

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

1516 LogonUI.exe

pid	process
1516	LogonUI.exe

C:\Users\Admin\AppData\Local\Temp\171d8ce2768d0bb748c49cf33a4a950d4e6111b28852640fb3d47cbe72244029.exe
"C:\Users\Admin\AppData\Local\Temp\171d8ce2768d0bb748c49cf33a4a950d4e6111b28852640fb3d47cbe72244029.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:1544

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39d8855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1516

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1544-132-0x0000000001000000-0x0000000001007B00-memory.dmp

Filesize
30KB

Download
memory/1544-133-0x0000000001000000-0x0000000001007B00-memory.dmp

Filesize
30KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads