170215feaa262397dbf210a86235fe2df1497539e1645961d24efcc6fea110aa

Analysis

max time kernel
13s
max time network
25s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
31-03-2023 19:41

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

steam.exe
Size

11KB
MD5

6a0c09c176405806a623c080866cf8fa
SHA1

32b9260716481763255b5b995cb2b1a991509db7
SHA256

170215feaa262397dbf210a86235fe2df1497539e1645961d24efcc6fea110aa
SHA512

a3b16f0d0c3a8be9df8803fc70550b233a701b48f763739c71c2f636520ea60babe2360eca8a042d5469a53a09930e6c5536ee98d6143a81829cd6d9a763a87e
SSDEEP

192:aLQbtN4sBtNdaLixVupSiP/VunlYJLLLTuTvLvLvLvLvLvLvLvLvLvgQGSs5cqGE:aLQz4QzdaLiu3hPLTuTvLvLvLvLvLvLB

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

steam.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation steam.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	steam.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "218"	LogonUI.exe

Runs net.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

shutdown.exe

description pid process

Token: SeShutdownPrivilege 4044 shutdown.exe
Token: SeRemoteShutdownPrivilege 4044 shutdown.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

2404 LogonUI.exe

description	pid	process
Token: SeShutdownPrivilege	4044	shutdown.exe
Token: SeRemoteShutdownPrivilege	4044	shutdown.exe

pid	process
2404	LogonUI.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

steam.execmd.exenet.exe

description	pid	process	target process
PID 3548 wrote to memory of 928	3548	steam.exe	cmd.exe
PID 3548 wrote to memory of 928	3548	steam.exe	cmd.exe
PID 928 wrote to memory of 4044	928	cmd.exe	shutdown.exe
PID 928 wrote to memory of 4044	928	cmd.exe	shutdown.exe
PID 928 wrote to memory of 1872	928	cmd.exe	net.exe
PID 928 wrote to memory of 1872	928	cmd.exe	net.exe
PID 1872 wrote to memory of 4068	1872	net.exe	net1.exe
PID 1872 wrote to memory of 4068	1872	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\steam.exe
"C:\Users\Admin\AppData\Local\Temp\steam.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cmd.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:928

C:\Windows\system32\shutdown.exe
shutdown -s -t 00 -c "hackedr"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4044

C:\Windows\system32\net.exe
net user Admin *
3⤵
- Suspicious use of WriteProcessMemory
PID:1872

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user Admin *
4⤵
PID:4068

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3985855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2404

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cmd.bat
Filesize
1KB

MD5
b165c6d6172c0e46f12f6969fadd218b

SHA1
52d4b3d16c069e6324d407b72f5887a1153d1d8f

SHA256
c8cb4c998750bda9eefdd5fb90ae32ead18d3470ef0644c2617f5811bdca1e61

SHA512
cd36e9f3cacdf6593a761394d003f3a0987348c2749e080a3a5bfca58e6b3f3c8b18e5a0123515a830879cea9f37d653e322bdb70eb5b89ca49baa3ad88c5534

Download Submit
memory/3548-133-0x0000000000BD0000-0x0000000000BDA000-memory.dmp

Filesize
40KB

Download