Analysis
- max time kernel: 10s
- max time network: 24s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-11-2022 12:30
Static task: static1
Behavioral task: behavioral1
- Sample: f7dc6cfcc93ad200a615e4b0b1951e7ab159636eb48d8f19874dc1698e532812.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: f7dc6cfcc93ad200a615e4b0b1951e7ab159636eb48d8f19874dc1698e532812.exe
- Resource: win10v2004-20220812-en
Errors
General
- Target: f7dc6cfcc93ad200a615e4b0b1951e7ab159636eb48d8f19874dc1698e532812.exe
- Size: 216KB
- MD5: 88f9c81bf69cde243fa55d8b77b07dd2
- SHA1: eee450f5fec2242d0d1057bd8e4d1f7ab2f11a6a
- SHA256: f7dc6cfcc93ad200a615e4b0b1951e7ab159636eb48d8f19874dc1698e532812
- SHA512: eeb6461292438f6d2ed90713d282c1535bb7c13ff2d085861b34dd0e3d45fdc8e07f0676b3f52bd76eea8392027ee88412cf649735084a7115c6ae6156e426dc
- SSDEEP: 6144:L63B7PRp/6XP90OzsKP58jeLq4oYXskCTMC1j:WR7pU/mqBPOMzStJ
Malware Config
Signatures
- Modifies boot configuration data using bcdedit (1 TTPs, 10 IoCs)
  Processes (pid, process):
  - 3528 bcdedit.exe
  - 2248 bcdedit.exe
  - 544 bcdedit.exe
  - 456 bcdedit.exe
  - 3124 bcdedit.exe
  - 4264 bcdedit.exe
  - 4712 bcdedit.exe
  - 4640 bcdedit.exe
  - 3820 bcdedit.exe
  - 3948 bcdedit.exe
- Drops file in Drivers directory (1 IoCs)
  Processes (description, ioc, process):
  - File created: C:\Windows\system32\drivers\e568ded.sys (syshost.exe)
- Executes dropped EXE (1 IoCs)
  Processes (pid, process):
  - 2636 syshost.exe
- Drops file in Windows directory (3 IoCs)
  Processes (description, ioc, process):
  - File created: C:\Windows\Installer\{511F7F16-8544-9F4D-52B7-3AAD2FFB057C}\syshost.exe (f7dc6cfcc93ad200a615e4b0b1951e7ab159636eb48d8f19874dc1698e532812.exe)
  - File opened for modification: C:\Windows\Installer\{511F7F16-8544-9F4D-52B7-3AAD2FFB057C}\syshost.exe (f7dc6cfcc93ad200a615e4b0b1951e7ab159636eb48d8f19874dc1698e532812.exe)
  - File opened for modification: C:\Windows\Installer\{511F7F16-8544-9F4D-52B7-3AAD2FFB057C}\syshost.exe.tmp (syshost.exe)
- Modifies data under HKEY_USERS (15 IoCs)
  Processes (description, ioc, process):
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" (LogonUI.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" (LogonUI.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" (LogonUI.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" (LogonUI.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History (LogonUI.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM (LogonUI.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" (LogonUI.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" (LogonUI.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" (LogonUI.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" (LogonUI.exe)
  - Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 (LogonUI.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" (LogonUI.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "169" (LogonUI.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" (LogonUI.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent (LogonUI.exe)
- Suspicious behavior: LoadsDriver (1 IoCs)
  Processes (pid, process):
  - 648
- Suspicious behavior: RenamesItself (1 IoCs)
  Processes (pid, process):
  - 1964 f7dc6cfcc93ad200a615e4b0b1951e7ab159636eb48d8f19874dc1698e532812.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description, pid, process):
  - Token: SeShutdownPrivilege, 2636 syshost.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes (pid, process):
  - 4664 LogonUI.exe
- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes (description, pid, process, target process):
  - PID 1964 wrote to memory of 1304: f7dc6cfcc93ad200a615e4b0b1951e7ab159636eb48d8f19874dc1698e532812.exe -> cmd.exe
  - PID 1964 wrote to memory of 1304: f7dc6cfcc93ad200a615e4b0b1951e7ab159636eb48d8f19874dc1698e532812.exe -> cmd.exe
  - PID 1964 wrote to memory of 1304: f7dc6cfcc93ad200a615e4b0b1951e7ab159636eb48d8f19874dc1698e532812.exe -> cmd.exe
  - PID 2636 wrote to memory of 3528: syshost.exe -> bcdedit.exe
  - PID 2636 wrote to memory of 3528: syshost.exe -> bcdedit.exe
  - PID 2636 wrote to memory of 2248: syshost.exe -> bcdedit.exe
  - PID 2636 wrote to memory of 2248: syshost.exe -> bcdedit.exe
  - PID 2636 wrote to memory of 544: syshost.exe -> bcdedit.exe
  - PID 2636 wrote to memory of 544: syshost.exe -> bcdedit.exe
  - PID 2636 wrote to memory of 456: syshost.exe -> bcdedit.exe
  - PID 2636 wrote to memory of 456: syshost.exe -> bcdedit.exe
  - PID 2636 wrote to memory of 3124: syshost.exe -> bcdedit.exe
  - PID 2636 wrote to memory of 3124: syshost.exe -> bcdedit.exe
  - PID 2636 wrote to memory of 4264: syshost.exe -> bcdedit.exe
  - PID 2636 wrote to memory of 4264: syshost.exe -> bcdedit.exe
  - PID 2636 wrote to memory of 4712: syshost.exe -> bcdedit.exe
  - PID 2636 wrote to memory of 4712: syshost.exe -> bcdedit.exe
  - PID 2636 wrote to memory of 4640: syshost.exe -> bcdedit.exe
  - PID 2636 wrote to memory of 4640: syshost.exe -> bcdedit.exe
  - PID 2636 wrote to memory of 3820: syshost.exe -> bcdedit.exe
  - PID 2636 wrote to memory of 3820: syshost.exe -> bcdedit.exe
  - PID 2636 wrote to memory of 3948: syshost.exe -> bcdedit.exe
  - PID 2636 wrote to memory of 3948: syshost.exe -> bcdedit.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\f7dc6cfcc93ad200a615e4b0b1951e7ab159636eb48d8f19874dc1698e532812.exe
  "C:\Users\Admin\AppData\Local\Temp\f7dc6cfcc93ad200a615e4b0b1951e7ab159636eb48d8f19874dc1698e532812.exe"
  - Drops file in Windows directory
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\9682f859.tmp"
- C:\Windows\Installer\{511F7F16-8544-9F4D-52B7-3AAD2FFB057C}\syshost.exe
  "C:\Windows\Installer\{511F7F16-8544-9F4D-52B7-3AAD2FFB057C}\syshost.exe" /service
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\bcdedit.exe
    bcdedit.exe -set TESTSIGNING ON
    - Modifies boot configuration data using bcdedit
  - C:\Windows\SYSTEM32\bcdedit.exe
    bcdedit.exe -set TESTSIGNING ON
    - Modifies boot configuration data using bcdedit
  - C:\Windows\SYSTEM32\bcdedit.exe
    bcdedit.exe -set TESTSIGNING ON
    - Modifies boot configuration data using bcdedit
  - C:\Windows\SYSTEM32\bcdedit.exe
    bcdedit.exe -set TESTSIGNING ON
    - Modifies boot configuration data using bcdedit
  - C:\Windows\SYSTEM32\bcdedit.exe
    bcdedit.exe -set TESTSIGNING ON
    - Modifies boot configuration data using bcdedit
  - C:\Windows\SYSTEM32\bcdedit.exe
    bcdedit.exe -set TESTSIGNING ON
    - Modifies boot configuration data using bcdedit
  - C:\Windows\SYSTEM32\bcdedit.exe
    bcdedit.exe -set TESTSIGNING ON
    - Modifies boot configuration data using bcdedit
  - C:\Windows\SYSTEM32\bcdedit.exe
    bcdedit.exe -set TESTSIGNING ON
    - Modifies boot configuration data using bcdedit
  - C:\Windows\SYSTEM32\bcdedit.exe
    bcdedit.exe -set TESTSIGNING ON
    - Modifies boot configuration data using bcdedit
  - C:\Windows\SYSTEM32\bcdedit.exe
    bcdedit.exe -set TESTSIGNING ON
    - Modifies boot configuration data using bcdedit
- C:\Windows\system32\LogonUI.exe
  "LogonUI.exe" /flags:0x4 /state0:0xa39f3055 /state1:0x41c64e6d
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\Installer\{511F7F16-8544-9F4D-52B7-3AAD2FFB057C}\syshost.exe
  Filesize: 216KB
  MD5: 88f9c81bf69cde243fa55d8b77b07dd2
  SHA1: eee450f5fec2242d0d1057bd8e4d1f7ab2f11a6a
  SHA256: f7dc6cfcc93ad200a615e4b0b1951e7ab159636eb48d8f19874dc1698e532812
  SHA512: eeb6461292438f6d2ed90713d282c1535bb7c13ff2d085861b34dd0e3d45fdc8e07f0676b3f52bd76eea8392027ee88412cf649735084a7115c6ae6156e426dc
- memory/456-140-0x0000000000000000-mapping.dmp
- memory/544-139-0x0000000000000000-mapping.dmp
- memory/1304-134-0x0000000000000000-mapping.dmp
- memory/1964-137-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/1964-138-0x0000000002030000-0x0000000002036000-memory.dmp (Filesize: 24KB)
- memory/2248-136-0x0000000000000000-mapping.dmp
- memory/2636-148-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/2636-149-0x0000000000590000-0x0000000000596000-memory.dmp (Filesize: 24KB)
- memory/2636-147-0x0000000000CF0000-0x0000000000DF0000-memory.dmp (Filesize: 1024KB)
- memory/2636-150-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/3124-141-0x0000000000000000-mapping.dmp
- memory/3528-135-0x0000000000000000-mapping.dmp
- memory/3820-145-0x0000000000000000-mapping.dmp
- memory/3948-146-0x0000000000000000-mapping.dmp
- memory/4264-142-0x0000000000000000-mapping.dmp
- memory/4640-144-0x0000000000000000-mapping.dmp
- memory/4712-143-0x0000000000000000-mapping.dmp