c5d542010124f44d87f7a43d827a81501e797ed86b77e0e57565fe1e55ddd482

Analysis

max time kernel
85s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
05/12/2022, 06:24

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

c5d542010124f44d87f7a43d827a81501e797ed86b77e0e57565fe1e55ddd482.exe
Size

96KB
MD5

04fa822abc8f704562ea27831d4e7a3f
SHA1

2f596558755098e4610a6cd7e0f7d366a3272a7a
SHA256

c5d542010124f44d87f7a43d827a81501e797ed86b77e0e57565fe1e55ddd482
SHA512

ea61d26aa0d314cd695bb6c648a7c68609aad8278a6010ad8a6789ae9321ab7310fd863ddd0bda181b2040c5584ccfba202883a1c9a8e9f7c05a53b2a59df6a4
SSDEEP

1536:J1tQMAZtMu1QZ6werwhrsDjRN1RF5CcHvC5udKETfhesoWG/NajoO5iBgmQB:J1tQM4tMwQZC0hrWN1w2bdKOe9/Mjopi

Score

8^/10

persistence

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\cyuabec.dll	c5d542010124f44d87f7a43d827a81501e797ed86b77e0e57565fe1e55ddd482.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "240"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4592	c5d542010124f44d87f7a43d827a81501e797ed86b77e0e57565fe1e55ddd482.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3428	LogonUI.exe

C:\Users\Admin\AppData\Local\Temp\c5d542010124f44d87f7a43d827a81501e797ed86b77e0e57565fe1e55ddd482.exe
"C:\Users\Admin\AppData\Local\Temp\c5d542010124f44d87f7a43d827a81501e797ed86b77e0e57565fe1e55ddd482.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4592

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39ed855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3428

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4592-132-0x0000000001000000-0x0000000001019000-memory.dmp

Filesize
100KB

Download
memory/4592-133-0x0000000001000000-0x0000000001019000-memory.dmp

Filesize
100KB

Download