3ace460dcf3cbaccc03e32cdd2c8d8f5307c4ab6c08196daf9dc1d816f89d848

Reason

Machine shutdown

General

Target

3ace460dcf3cbaccc03e32cdd2c8d8f5307c4ab6c08196daf9dc1d816f89d848.exe
Size

99KB
MD5

3e431a34f2c09109e47958e6cee614d6
SHA1

f19747f34121b8225b0b508d0d3ba1781772d05a
SHA256

3ace460dcf3cbaccc03e32cdd2c8d8f5307c4ab6c08196daf9dc1d816f89d848
SHA512

8caf6e1e177db6a1554dae0ad09d44da45a168a2f2fe435f8ddff3c6633967b9a94cf7875dd3728b640851b15132f482b3a118b8db4769a5fb0834021ab8f85c
SSDEEP

3072:gMERCkEVeLZC7tXGZQvGozOVA0PAnrBztx7lDn0K:IEVOC75GyvDzOq8A9zP7pn0K

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

3ace460dcf3cbaccc03e32cdd2c8d8f5307c4ab6c08196daf9dc1d816f89d848.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	3ace460dcf3cbaccc03e32cdd2c8d8f5307c4ab6c08196daf9dc1d816f89d848.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "1"	3ace460dcf3cbaccc03e32cdd2c8d8f5307c4ab6c08196daf9dc1d816f89d848.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3ace460dcf3cbaccc03e32cdd2c8d8f5307c4ab6c08196daf9dc1d816f89d848.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

3ace460dcf3cbaccc03e32cdd2c8d8f5307c4ab6c08196daf9dc1d816f89d848.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	3ace460dcf3cbaccc03e32cdd2c8d8f5307c4ab6c08196daf9dc1d816f89d848.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Roaming\\Identities\\rupjk\\rupjk.exe\" -shell"	3ace460dcf3cbaccc03e32cdd2c8d8f5307c4ab6c08196daf9dc1d816f89d848.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe System Incorporated = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Adobe\\Reader_sl.exe"	svchost.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

3ace460dcf3cbaccc03e32cdd2c8d8f5307c4ab6c08196daf9dc1d816f89d848.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3ace460dcf3cbaccc03e32cdd2c8d8f5307c4ab6c08196daf9dc1d816f89d848.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\F:	svchost.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\Z:	svchost.exe
File opened (read-only)	\??\B:	svchost.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe
File opened (read-only)	\??\Y:	svchost.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\E:	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

3ace460dcf3cbaccc03e32cdd2c8d8f5307c4ab6c08196daf9dc1d816f89d848.exe

description pid process

PID 4280 set thread context of 0 4280 3ace460dcf3cbaccc03e32cdd2c8d8f5307c4ab6c08196daf9dc1d816f89d848.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3408 4848 WerFault.exe svchost.exe
4960 4848 WerFault.exe svchost.exe

description	pid	process
PID 4280 set thread context of 0	4280	3ace460dcf3cbaccc03e32cdd2c8d8f5307c4ab6c08196daf9dc1d816f89d848.exe

pid	pid_target	process	target process
3408	4848	WerFault.exe	svchost.exe
4960	4848	WerFault.exe	svchost.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "58"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

svchost.exewmprph.exe

pid	process
4848	svchost.exe
4848	svchost.exe
3732	wmprph.exe
3732	wmprph.exe
3732	wmprph.exe
3732	wmprph.exe
3732	wmprph.exe
3732	wmprph.exe
3732	wmprph.exe
3732	wmprph.exe
3732	wmprph.exe
3732	wmprph.exe
3732	wmprph.exe
3732	wmprph.exe
3732	wmprph.exe
3732	wmprph.exe
3732	wmprph.exe
3732	wmprph.exe
3732	wmprph.exe
3732	wmprph.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

svchost.exe

pid process

4848 svchost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

3ace460dcf3cbaccc03e32cdd2c8d8f5307c4ab6c08196daf9dc1d816f89d848.exe

description	pid	process
Token: SeShutdownPrivilege	4280	3ace460dcf3cbaccc03e32cdd2c8d8f5307c4ab6c08196daf9dc1d816f89d848.exe
Token: SeShutdownPrivilege	4280	3ace460dcf3cbaccc03e32cdd2c8d8f5307c4ab6c08196daf9dc1d816f89d848.exe
Token: SeDebugPrivilege	4280	3ace460dcf3cbaccc03e32cdd2c8d8f5307c4ab6c08196daf9dc1d816f89d848.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

1516 LogonUI.exe

pid	process
1516	LogonUI.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

3ace460dcf3cbaccc03e32cdd2c8d8f5307c4ab6c08196daf9dc1d816f89d848.exesvchost.exe

description	pid	process	target process
PID 4280 wrote to memory of 4848	4280	3ace460dcf3cbaccc03e32cdd2c8d8f5307c4ab6c08196daf9dc1d816f89d848.exe	svchost.exe
PID 4280 wrote to memory of 4848	4280	3ace460dcf3cbaccc03e32cdd2c8d8f5307c4ab6c08196daf9dc1d816f89d848.exe	svchost.exe
PID 4280 wrote to memory of 4848	4280	3ace460dcf3cbaccc03e32cdd2c8d8f5307c4ab6c08196daf9dc1d816f89d848.exe	svchost.exe
PID 4280 wrote to memory of 4848	4280	3ace460dcf3cbaccc03e32cdd2c8d8f5307c4ab6c08196daf9dc1d816f89d848.exe	svchost.exe
PID 4280 wrote to memory of 240	4280	3ace460dcf3cbaccc03e32cdd2c8d8f5307c4ab6c08196daf9dc1d816f89d848.exe	calc.exe
PID 4280 wrote to memory of 240	4280	3ace460dcf3cbaccc03e32cdd2c8d8f5307c4ab6c08196daf9dc1d816f89d848.exe	calc.exe
PID 4280 wrote to memory of 240	4280	3ace460dcf3cbaccc03e32cdd2c8d8f5307c4ab6c08196daf9dc1d816f89d848.exe	calc.exe
PID 4280 wrote to memory of 240	4280	3ace460dcf3cbaccc03e32cdd2c8d8f5307c4ab6c08196daf9dc1d816f89d848.exe	calc.exe
PID 4280 wrote to memory of 240	4280	3ace460dcf3cbaccc03e32cdd2c8d8f5307c4ab6c08196daf9dc1d816f89d848.exe	calc.exe
PID 4848 wrote to memory of 3604	4848	svchost.exe	notepad.exe
PID 4848 wrote to memory of 3604	4848	svchost.exe	notepad.exe
PID 4848 wrote to memory of 3604	4848	svchost.exe	notepad.exe
PID 4848 wrote to memory of 3604	4848	svchost.exe	notepad.exe
PID 4280 wrote to memory of 3732	4280	3ace460dcf3cbaccc03e32cdd2c8d8f5307c4ab6c08196daf9dc1d816f89d848.exe	wmprph.exe
PID 4280 wrote to memory of 3732	4280	3ace460dcf3cbaccc03e32cdd2c8d8f5307c4ab6c08196daf9dc1d816f89d848.exe	wmprph.exe
PID 4280 wrote to memory of 3732	4280	3ace460dcf3cbaccc03e32cdd2c8d8f5307c4ab6c08196daf9dc1d816f89d848.exe	wmprph.exe
PID 4280 wrote to memory of 3732	4280	3ace460dcf3cbaccc03e32cdd2c8d8f5307c4ab6c08196daf9dc1d816f89d848.exe	wmprph.exe

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

Processes:

3ace460dcf3cbaccc03e32cdd2c8d8f5307c4ab6c08196daf9dc1d816f89d848.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "1"	3ace460dcf3cbaccc03e32cdd2c8d8f5307c4ab6c08196daf9dc1d816f89d848.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3ace460dcf3cbaccc03e32cdd2c8d8f5307c4ab6c08196daf9dc1d816f89d848.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	3ace460dcf3cbaccc03e32cdd2c8d8f5307c4ab6c08196daf9dc1d816f89d848.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	3ace460dcf3cbaccc03e32cdd2c8d8f5307c4ab6c08196daf9dc1d816f89d848.exe

C:\Users\Admin\AppData\Local\Temp\3ace460dcf3cbaccc03e32cdd2c8d8f5307c4ab6c08196daf9dc1d816f89d848.exe
"C:\Users\Admin\AppData\Local\Temp\3ace460dcf3cbaccc03e32cdd2c8d8f5307c4ab6c08196daf9dc1d816f89d848.exe"
1⤵
- UAC bypass
- Adds policy Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4280

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
2⤵
- Adds Run key to start application
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4848

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\SysWOW64\notepad.exe"
3⤵
PID:3604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 708
3⤵
- Program crash
PID:3408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 732
3⤵
- Program crash
PID:4960

C:\Windows\SysWOW64\calc.exe
"C:\Windows\SysWOW64\calc.exe"
2⤵
PID:240

C:\Program Files (x86)\Windows Media Player\wmprph.exe
"C:\Program Files (x86)\Windows Media Player\wmprph.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4848 -ip 4848
1⤵
PID:2000

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa399f855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4848 -ip 4848
1⤵
PID:3880

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/0-145-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/240-137-0x0000000000000000-mapping.dmp

Download
memory/3604-142-0x0000000000600000-0x0000000000629000-memory.dmp

Filesize
164KB

Download
memory/3604-147-0x0000000000600000-0x0000000000629000-memory.dmp

Filesize
164KB

Download
memory/3604-144-0x0000000000600000-0x0000000000629000-memory.dmp

Filesize
164KB

Download
memory/3604-143-0x0000000000600000-0x0000000000629000-memory.dmp

Filesize
164KB

Download
memory/3604-140-0x0000000000000000-mapping.dmp

Download
memory/3604-141-0x0000000000600000-0x0000000000629000-memory.dmp

Filesize
164KB

Download
memory/3732-146-0x0000000000000000-mapping.dmp

Download
memory/3732-148-0x0000000000BA0000-0x0000000000BC9000-memory.dmp

Filesize
164KB

Download
memory/4280-138-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4280-132-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4280-133-0x00000000025C0000-0x00000000025D6000-memory.dmp

Filesize
88KB

Download
memory/4280-149-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4280-150-0x00000000025C0000-0x00000000025D6000-memory.dmp

Filesize
88KB

Download
memory/4848-139-0x00000000006C0000-0x00000000006E9000-memory.dmp

Filesize
164KB

Download
memory/4848-136-0x0000000000000000-mapping.dmp

Download
memory/4848-151-0x00000000006C0000-0x00000000006E9000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads