Analysis

max time kernel: 168s
max time network: 179s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-11-2022 23:38
Static task: static1

Behavioral task: behavioral1
Sample: a205ef0ffe66b669ecf1c9e081792ddc2974a63f6d605b4a39fcc9b0d6012258.exe
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: a205ef0ffe66b669ecf1c9e081792ddc2974a63f6d605b4a39fcc9b0d6012258.exe
Resource: win10v2004-20221111-en
General

Target: a205ef0ffe66b669ecf1c9e081792ddc2974a63f6d605b4a39fcc9b0d6012258.exe
Size: 355KB
MD5: de6e3970ad991d0214e6dfa06439e31f
SHA1: b8792436f1541e76f4468769561b9a7bad03bd35
SHA256: a205ef0ffe66b669ecf1c9e081792ddc2974a63f6d605b4a39fcc9b0d6012258
SHA512: b3a2ec4d97a3b756fc6a6c949b100606bb9350a3fef3bd89896b88025989001185f721faa0f497144aa8132302486ae0166b2218f2ce1bf9a09ad89177853979
SSDEEP: 6144:SEyr5y6XSQkxREpgdc9CfJ1pfQAEAzULiqvrAQbtWz4U0kDtFsp1fNv2RSRp0vU:Or5y6XzkxuHCfhPEAY93bmZ0kDtq3Nv3
Malware Config
Signatures

Modifies boot configuration data using bcdedit (1 TTPs, 10 IoCs)
Processes: bcdedit.exe (10 instances)
  pid  | process
  3564 | bcdedit.exe
  1664 | bcdedit.exe
  1088 | bcdedit.exe
  3796 | bcdedit.exe
  4532 | bcdedit.exe
  3636 | bcdedit.exe
  3504 | bcdedit.exe
  4568 | bcdedit.exe
  1536 | bcdedit.exe
  1304 | bcdedit.exe

Drops file in Drivers directory (1 IoCs)
Processes: syshost.exe
  description  | ioc                                     | process
  File created | C:\Windows\system32\drivers\e5720b7.sys | syshost.exe

Executes dropped EXE (2 IoCs)
Processes: syshost.exe (2 instances)
  pid  | process
  2528 | syshost.exe
  216  | syshost.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: a205ef0ffe66b669ecf1c9e081792ddc2974a63f6d605b4a39fcc9b0d6012258.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syshost32 = "C:\\Windows\\Installer\\{D36CA0BE-EC2C-4522-49A4-077627BEFD55}\\syshost.exe" | a205ef0ffe66b669ecf1c9e081792ddc2974a63f6d605b4a39fcc9b0d6012258.exe

Drops file in Windows directory (3 IoCs)
Processes: a205ef0ffe66b669ecf1c9e081792ddc2974a63f6d605b4a39fcc9b0d6012258.exe, syshost.exe
  description | ioc | process
  File created | C:\Windows\Installer\{D36CA0BE-EC2C-4522-49A4-077627BEFD55}\syshost.exe | a205ef0ffe66b669ecf1c9e081792ddc2974a63f6d605b4a39fcc9b0d6012258.exe
  File opened for modification | C:\Windows\Installer\{D36CA0BE-EC2C-4522-49A4-077627BEFD55}\syshost.exe | a205ef0ffe66b669ecf1c9e081792ddc2974a63f6d605b4a39fcc9b0d6012258.exe
  File opened for modification | C:\Windows\Installer\{D36CA0BE-EC2C-4522-49A4-077627BEFD55}\syshost.exe.tmp | syshost.exe

Program crash (1 IoCs)
Processes: WerFault.exe
  pid  | pid_target | process      | target process
  2100 | 2528       | WerFault.exe | syshost.exe

Modifies data under HKEY_USERS (15 IoCs)
Processes: LogonUI.exe
  description | ioc | process
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | LogonUI.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "147" | LogonUI.exe

Suspicious behavior: LoadsDriver (1 IoCs)
  pid | process
  664 |

Suspicious behavior: RenamesItself (1 IoCs)
Processes: a205ef0ffe66b669ecf1c9e081792ddc2974a63f6d605b4a39fcc9b0d6012258.exe
  pid  | process
  3080 | a205ef0ffe66b669ecf1c9e081792ddc2974a63f6d605b4a39fcc9b0d6012258.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes: syshost.exe
  description                | pid | process
  Token: SeShutdownPrivilege | 216 | syshost.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes: LogonUI.exe
  pid  | process
  4756 | LogonUI.exe

Suspicious use of WriteProcessMemory (26 IoCs)
Processes: a205ef0ffe66b669ecf1c9e081792ddc2974a63f6d605b4a39fcc9b0d6012258.exe, syshost.exe
  description | pid | process | target process
  PID 3080 wrote to memory of 216 | 3080 | a205ef0ffe66b669ecf1c9e081792ddc2974a63f6d605b4a39fcc9b0d6012258.exe | syshost.exe
  PID 3080 wrote to memory of 216 | 3080 | a205ef0ffe66b669ecf1c9e081792ddc2974a63f6d605b4a39fcc9b0d6012258.exe | syshost.exe
  PID 3080 wrote to memory of 216 | 3080 | a205ef0ffe66b669ecf1c9e081792ddc2974a63f6d605b4a39fcc9b0d6012258.exe | syshost.exe
  PID 3080 wrote to memory of 5116 | 3080 | a205ef0ffe66b669ecf1c9e081792ddc2974a63f6d605b4a39fcc9b0d6012258.exe | cmd.exe
  PID 3080 wrote to memory of 5116 | 3080 | a205ef0ffe66b669ecf1c9e081792ddc2974a63f6d605b4a39fcc9b0d6012258.exe | cmd.exe
  PID 3080 wrote to memory of 5116 | 3080 | a205ef0ffe66b669ecf1c9e081792ddc2974a63f6d605b4a39fcc9b0d6012258.exe | cmd.exe
  PID 216 wrote to memory of 3564 | 216 | syshost.exe | bcdedit.exe
  PID 216 wrote to memory of 3564 | 216 | syshost.exe | bcdedit.exe
  PID 216 wrote to memory of 1664 | 216 | syshost.exe | bcdedit.exe
  PID 216 wrote to memory of 1664 | 216 | syshost.exe | bcdedit.exe
  PID 216 wrote to memory of 1088 | 216 | syshost.exe | bcdedit.exe
  PID 216 wrote to memory of 1088 | 216 | syshost.exe | bcdedit.exe
  PID 216 wrote to memory of 3796 | 216 | syshost.exe | bcdedit.exe
  PID 216 wrote to memory of 3796 | 216 | syshost.exe | bcdedit.exe
  PID 216 wrote to memory of 4532 | 216 | syshost.exe | bcdedit.exe
  PID 216 wrote to memory of 4532 | 216 | syshost.exe | bcdedit.exe
  PID 216 wrote to memory of 3636 | 216 | syshost.exe | bcdedit.exe
  PID 216 wrote to memory of 3636 | 216 | syshost.exe | bcdedit.exe
  PID 216 wrote to memory of 3504 | 216 | syshost.exe | bcdedit.exe
  PID 216 wrote to memory of 3504 | 216 | syshost.exe | bcdedit.exe
  PID 216 wrote to memory of 1536 | 216 | syshost.exe | bcdedit.exe
  PID 216 wrote to memory of 1536 | 216 | syshost.exe | bcdedit.exe
  PID 216 wrote to memory of 4568 | 216 | syshost.exe | bcdedit.exe
  PID 216 wrote to memory of 4568 | 216 | syshost.exe | bcdedit.exe
  PID 216 wrote to memory of 1304 | 216 | syshost.exe | bcdedit.exe
  PID 216 wrote to memory of 1304 | 216 | syshost.exe | bcdedit.exe
Processes
(indented entries are child processes of the entry above them)

C:\Users\Admin\AppData\Local\Temp\a205ef0ffe66b669ecf1c9e081792ddc2974a63f6d605b4a39fcc9b0d6012258.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a205ef0ffe66b669ecf1c9e081792ddc2974a63f6d605b4a39fcc9b0d6012258.exe"
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory

  C:\Windows\Installer\{D36CA0BE-EC2C-4522-49A4-077627BEFD55}\syshost.exe
    Command line: C:\Windows\Installer\{D36CA0BE-EC2C-4522-49A4-077627BEFD55}\syshost.exe
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SYSTEM32\bcdedit.exe (10 separate child processes, each with the same command line)
      Command line: bcdedit.exe -set TESTSIGNING ON
      - Modifies boot configuration data using bcdedit

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\97abecaf.tmp"

C:\Windows\Installer\{D36CA0BE-EC2C-4522-49A4-077627BEFD55}\syshost.exe
  Command line: "C:\Windows\Installer\{D36CA0BE-EC2C-4522-49A4-077627BEFD55}\syshost.exe" /service
  - Executes dropped EXE

  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 372
    - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 2528 -ip 2528

C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x4 /state0:0xa39e2855 /state1:0x41c64e6d
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

C:\Windows\Installer\{D36CA0BE-EC2C-4522-49A4-077627BEFD55}\syshost.exe
  Filesize: 355KB
  MD5: de6e3970ad991d0214e6dfa06439e31f
  SHA1: b8792436f1541e76f4468769561b9a7bad03bd35
  SHA256: a205ef0ffe66b669ecf1c9e081792ddc2974a63f6d605b4a39fcc9b0d6012258
  SHA512: b3a2ec4d97a3b756fc6a6c949b100606bb9350a3fef3bd89896b88025989001185f721faa0f497144aa8132302486ae0166b2218f2ce1bf9a09ad89177853979

Memory dumps
  memory/216-155-0x0000000000400000-0x000000000045C000-memory.dmp  Filesize: 368KB
  memory/216-153-0x0000000000400000-0x000000000045C000-memory.dmp  Filesize: 368KB
  memory/216-138-0x0000000000000000-mapping.dmp
  memory/216-152-0x0000000001FF0000-0x00000000020F0000-memory.dmp  Filesize: 1024KB
  memory/216-154-0x0000000000630000-0x0000000000636000-memory.dmp  Filesize: 24KB
  memory/1088-144-0x0000000000000000-mapping.dmp
  memory/1304-151-0x0000000000000000-mapping.dmp
  memory/1536-149-0x0000000000000000-mapping.dmp
  memory/1664-143-0x0000000000000000-mapping.dmp
  memory/2528-137-0x0000000000CA0000-0x0000000000DA0000-memory.dmp  Filesize: 1024KB
  memory/3080-134-0x0000000002230000-0x0000000002330000-memory.dmp  Filesize: 1024KB
  memory/3080-136-0x00000000004D0000-0x00000000004D6000-memory.dmp  Filesize: 24KB
  memory/3080-141-0x0000000000400000-0x000000000045C000-memory.dmp  Filesize: 368KB
  memory/3080-135-0x0000000000400000-0x000000000045C000-memory.dmp  Filesize: 368KB
  memory/3504-148-0x0000000000000000-mapping.dmp
  memory/3564-142-0x0000000000000000-mapping.dmp
  memory/3636-147-0x0000000000000000-mapping.dmp
  memory/3796-145-0x0000000000000000-mapping.dmp
  memory/4532-146-0x0000000000000000-mapping.dmp
  memory/4568-150-0x0000000000000000-mapping.dmp
  memory/5116-140-0x0000000000000000-mapping.dmp