3e5dffe1c911e1acb54e5fad7d59902a8d6914fdcd2f84a420483475f4461af5

Analysis

max time kernel
141s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01/06/2023, 09:46

Sharing

Copy URL Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

RestartCode.bat
Size

699B
MD5

534f7b98acf5cee14535898066e47f67
SHA1

e59674b6339f439a3fcf5b4a889c186a520aaed4
SHA256

3e5dffe1c911e1acb54e5fad7d59902a8d6914fdcd2f84a420483475f4461af5
SHA512

eed3ddc8c7776d3d620894b6af2cdcac755d2dd689d7ffd74bcc8cd7703398b2677634be002ed78969c711f6e5ee698a9e089ca9bf74fe0b908d12889c877a66

Score

1^/10

Malware Config

Signatures

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "247"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1844	cmd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4580	SlideToShutDown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2960	LogonUI.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RestartCode.bat"
1⤵
- Suspicious behavior: RenamesItself
PID:1844

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3212

C:\Windows\System32\SlideToShutDown.exe
"C:\Windows\System32\SlideToShutDown.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4580

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39fa855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2960

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\BlockDeny.m4a

Filesize
1.4MB

MD5
34e7e24f9b9123a7fd4318c6f7002f7c

SHA1
a991a19570e4e8d2bccf403db1f9c45e78c8ae86

SHA256
ee0f0e8f5ac64326763324e9afe307ea65930b462f14c8ffbcb06436976c08e2

SHA512
cfe6f3c38f8342d35f8b289ea05a6c5f4be9efba944ab3eabbb9564125f2a1ae21247a4654763c3c223eb2ac9d772a7e0cf2bde8269bb8163f81c2c17252e61e

Download Submit
C:\Users\Admin\AppData\Roaming\ConnectConvertTo.mp4v

Filesize
618KB

MD5
185901744df5dae886ae3b249dd6c0cc

SHA1
bed3168b524e14b40c40d8ebfb1e8d120b26a5eb

SHA256
cca5ab97c3dcb75c1461f65b3c9c6bc7c7e22d67b04de48b2e0d48b8a1490c74

SHA512
a7a94d945958a73a1c299dfc740f95f2dc157c5962a51161b8416a2f539841d9e489c18eb316c26788ea124c8142c6cc1d541288c09b5640924180fb8a356625

Download Submit
C:\Users\Admin\AppData\Roaming\ConvertUninstall.wmv

Filesize
1.3MB

MD5
ca8e3a31c16c38394712c8366accdfec

SHA1
2fe931b4733d074d22924e5e5e125536c79b6dc5

SHA256
6ef3551aaa211adfe52b0a739aa82295c854dbc8e8e67ab7e401d2de7f5177ef

SHA512
b96521b3476e15f76601cac029779fcc250dcaad05d03c850c193e1102e0e923adad4aaf64c0949e5ba0ba3ce799a030496ec39f24c132bbe6b3d75a4945975e

Download Submit
C:\Users\Admin\AppData\Roaming\DisableSearch.iso

Filesize
2.1MB

MD5
fb011bf99f388acc5cff1de1d561bccf

SHA1
e04fa0e8390f8e35af90997d4e930c598e615744

SHA256
91fdf859c6c9f0d5466ab4db535a7c2604487eb6a4155aff230713c886aecfe5

SHA512
5915840cf3fa90469d00e7a9aa9dcecf10855b6e5d455b9032e55398c33925296eb9ac186da6b5b0dca4f1df42f2bdee7c0c0b5ac71ee883b9b41b9017d3b177

Download Submit
C:\Users\Admin\AppData\Roaming\DisconnectMerge.ps1

Filesize
1.1MB

MD5
571f40e0fa4b51d437f7ba50e76a79a6

SHA1
9de74e9d62c1ac190ee055d604ba09a1bcbb6460

SHA256
53d85881b67ef5e79c20ca79d90a11a5a47c82285b0457ed068debaf506b1d08

SHA512
aa71a7801c6035e9cc4cf5c09d9bb9dc4ef228cc3d461dca0e33acdb27a2704beb9ba18ee2a1464beeefed3b22d0e40cbaa189286372b9f5c18997a41953cf34

Download Submit
C:\Users\Admin\AppData\Roaming\DismountApprove.aif

Filesize
983KB

MD5
7a15d99ec4c7fbebd0a7192357fce7b0

SHA1
4bdc7b52aab62a783287bf148897cc4f91bb8bb1

SHA256
19772340d93c37bf9c0ab16100af075ccff0563f4a7d93d8834005d07f2cbf6e

SHA512
fd4a2d45bc6b20d1f7f70cf7040e9e012bf30d685980bbcdaec598ca0be580e37f5522fa7f7b9f48487abe1005b46637aebf4d272d07185a24eac10ff076c79f

Download Submit
C:\Users\Admin\AppData\Roaming\EnterComplete.vsx

Filesize
1.5MB

MD5
9262bccc66d81e55d20f368c5aea79ef

SHA1
c363a1e217af97c3c5fe94ccd743b08566fc108a

SHA256
d8ada0afbddb09df1b74a8ed8008cfcec582f08e6fe88e1f961e55c100863e82

SHA512
e62bb9b2e98f156a30ea8145e35f9e1afee59443d719e79682e70655670f34e578a0a9a34df95458d6cf5cb907bda02de4f8309cff269dfbcc9a996ee541a8e8

Download Submit
C:\Users\Admin\AppData\Roaming\ExportCompress.mp2

Filesize
691KB

MD5
009967d5648b9fa2f30b7271a8d7e80d

SHA1
4bc32b2b1f68826109b3fe82f58433de445eae24

SHA256
10a71fbd0ca67c4c824c4f2cd4f0039f6d23c590490f3bbf95e749a396dd6b71

SHA512
8a0da7b9f1d1e79d94e9da51dbb7c70a8c69ffb8ec72a6422d99a98838c7254fda671325d90b2278fc70f9ab47df2a0633a5dc49feba385f93be6f5b98da5d62

Download Submit
C:\Users\Admin\AppData\Roaming\JoinClear.xps

Filesize
764KB

MD5
c35223822d71b99d4d3d3c7c015f43ef

SHA1
33d10c3e605d4dbe0581f158c6835b7c7873f48c

SHA256
2e625598bfe9a5e95e99c8dfc06770dd3c10992cfc4b354f5472d3568f435191

SHA512
82126f3db6535d39360c396b9baf43f28bb4846eec4804048fe9ffb3716acc33e9cfe3a4ee755add1c356388f4b6bb00888ae2ce36ac5cd1ed96aa0d11ed40ac

Download Submit
C:\Users\Admin\AppData\Roaming\RemoveMount.sql

Filesize
1.0MB

MD5
12c0f20be82a69b2032d87f83e81db75

SHA1
1bff1c7db6e938266d1ac4ca2b03c35d3adee490

SHA256
27d38fb92b7b870d8448e3f95536713a8351cd600c22378aa6d5c6da48c9e0b3

SHA512
7d7a049fadf0402fd1916f2be92f48ba40efdd7817fc307a41ae3e09c20227ba11f69fede891a0c64801df1966c355728f5438f3792a95f3e13bb77216d0bd72

Download Submit
C:\Users\Admin\AppData\Roaming\RenameGet.mpg

Filesize
837KB

MD5
dac0ce20f3ec4db3858a0893cbcd95e0

SHA1
d36f7c998767dc0a02886f6e122ff978c38c8960

SHA256
4c3d8ab21eea28128b4b4d6f0591d2ca742facd70d767f38133adf070aa84298

SHA512
a86b8decb8f9d8a81cb990e33b532d3bfcbf01b1d72c015b160dc6811f47d640401348ce2646a8349564b3cea7399b5b4d349c6a547a31689255eafc035b4c11

Download Submit
C:\Users\Admin\AppData\Roaming\RestartUpdate.wmf

Filesize
546KB

MD5
07a30035e219c2fa209db29b50bf43f7

SHA1
ac27b03037f2521a55503d47df6a5dfb4554ce06

SHA256
a3edec7bc31e8aa28ff56bb3d825e77a3be68b3cc995257c8d135ef068a96764

SHA512
670af2d639386b9c0897fb5a2610e1d9c8ee255b58c1aa1429c0d14f7c6531c208bb252653ff5af883477f0133f0f6af18b399b3dddb92295d21f64977afd01e

Download Submit
C:\Users\Admin\AppData\Roaming\SkipClear.js

Filesize
1.2MB

MD5
63432708e188b8a7ac0cfa5789a94375

SHA1
7bbe6eef2268663cc4dcfd6334eead2deda6d25e

SHA256
308ee4313b8241b6e3e9622e9b8b35a5f35939ded262b959a4d8f81ee262b155

SHA512
74ad4faf678535906465849aee896d1045b13acc1b01ec8dd8885e6918f0657d2fb0a7f5fb9c404dbd8cbbeb6deaa348d2fcd26648885954ca014e21ae421a9a

Download Submit
C:\Users\Admin\AppData\Roaming\SubmitDismount.xml

Filesize
910KB

MD5
6fe80c42c84d53b515f1ece25e80cfe1

SHA1
65268ffb62ef5474b87755ede1e886d452484724

SHA256
96bf2239a742a3e2e37bece2f43dd2805b299c42b2dde7af984e50b5a88c2bff

SHA512
2bd97ebb31efb98ecceca1cf7e7a893311b4131173ec59dbd29165e9be16bbc91e85acb48d21d61b1332e98bd7d0dcb6d43e991c83113ddda9c467ac92a9a7fa

Download Submit
C:\Users\Admin\AppData\Roaming\WriteMount.crw

Filesize
1.2MB

MD5
bbb918e7b290d3f3db4b04378907f04c

SHA1
672a1975c8184dcc410be8e7d05092a07290669d

SHA256
0b646a6c83c61a1123ea14a9a431568fbf147ba4496c22a26cdd2dea332edb79

SHA512
df35d7fccc79b53f953beccd8e3dd3a71d5aa7099a53e35f76fa8fead5cbf81ef0a71015ed1abd048a797edc47745672e621b7bbf58ddfac735e16dfe456b3a8

Download Submit