3edb328be542257dafc2ff1d4c726b602abf9ae87af8e82712c74df90202f341

Reason

Machine shutdown

General

Target

3edb328be542257dafc2ff1d4c726b602abf9ae87af8e82712c74df90202f341.exe
Size

2.4MB
MD5

3bb2b1c4254e25f4e1ef4aed9308b870
SHA1

493504127b9cf900b48a3291109a267033521b2a
SHA256

3edb328be542257dafc2ff1d4c726b602abf9ae87af8e82712c74df90202f341
SHA512

73a4f5d7208860fc031bb674135c54b6f811d9e8b5dc608bbbcaddb448f037f49a47fb14ad7acd649b715bc7aadedcf4ba9765580d756f29a417b854678091ee
SSDEEP

49152:wTM4SOLo3LIX4SlVR9mPU+dOoNSkabUOjaehq4CbVc3nLvu78Rb/4Vg:wTM4SOLc24E8M+G/h+ecH5cXjuYRb/4

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

3edb328be542257dafc2ff1d4c726b602abf9ae87af8e82712c74df90202f341.exe

description ioc process

File opened for modification \??\PhysicalDrive0 3edb328be542257dafc2ff1d4c726b602abf9ae87af8e82712c74df90202f341.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2612 3972 WerFault.exe LogonUI.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	3edb328be542257dafc2ff1d4c726b602abf9ae87af8e82712c74df90202f341.exe

pid	pid_target	process	target process
2612	3972	WerFault.exe	LogonUI.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

3edb328be542257dafc2ff1d4c726b602abf9ae87af8e82712c74df90202f341.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	3edb328be542257dafc2ff1d4c726b602abf9ae87af8e82712c74df90202f341.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	3edb328be542257dafc2ff1d4c726b602abf9ae87af8e82712c74df90202f341.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "241"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3edb328be542257dafc2ff1d4c726b602abf9ae87af8e82712c74df90202f341.exe

pid	process
832	3edb328be542257dafc2ff1d4c726b602abf9ae87af8e82712c74df90202f341.exe
832	3edb328be542257dafc2ff1d4c726b602abf9ae87af8e82712c74df90202f341.exe
832	3edb328be542257dafc2ff1d4c726b602abf9ae87af8e82712c74df90202f341.exe
832	3edb328be542257dafc2ff1d4c726b602abf9ae87af8e82712c74df90202f341.exe
832	3edb328be542257dafc2ff1d4c726b602abf9ae87af8e82712c74df90202f341.exe
832	3edb328be542257dafc2ff1d4c726b602abf9ae87af8e82712c74df90202f341.exe
832	3edb328be542257dafc2ff1d4c726b602abf9ae87af8e82712c74df90202f341.exe
832	3edb328be542257dafc2ff1d4c726b602abf9ae87af8e82712c74df90202f341.exe
832	3edb328be542257dafc2ff1d4c726b602abf9ae87af8e82712c74df90202f341.exe
832	3edb328be542257dafc2ff1d4c726b602abf9ae87af8e82712c74df90202f341.exe
832	3edb328be542257dafc2ff1d4c726b602abf9ae87af8e82712c74df90202f341.exe
832	3edb328be542257dafc2ff1d4c726b602abf9ae87af8e82712c74df90202f341.exe
832	3edb328be542257dafc2ff1d4c726b602abf9ae87af8e82712c74df90202f341.exe
832	3edb328be542257dafc2ff1d4c726b602abf9ae87af8e82712c74df90202f341.exe
832	3edb328be542257dafc2ff1d4c726b602abf9ae87af8e82712c74df90202f341.exe
832	3edb328be542257dafc2ff1d4c726b602abf9ae87af8e82712c74df90202f341.exe
832	3edb328be542257dafc2ff1d4c726b602abf9ae87af8e82712c74df90202f341.exe
832	3edb328be542257dafc2ff1d4c726b602abf9ae87af8e82712c74df90202f341.exe
832	3edb328be542257dafc2ff1d4c726b602abf9ae87af8e82712c74df90202f341.exe
832	3edb328be542257dafc2ff1d4c726b602abf9ae87af8e82712c74df90202f341.exe
832	3edb328be542257dafc2ff1d4c726b602abf9ae87af8e82712c74df90202f341.exe
832	3edb328be542257dafc2ff1d4c726b602abf9ae87af8e82712c74df90202f341.exe
832	3edb328be542257dafc2ff1d4c726b602abf9ae87af8e82712c74df90202f341.exe
832	3edb328be542257dafc2ff1d4c726b602abf9ae87af8e82712c74df90202f341.exe
832	3edb328be542257dafc2ff1d4c726b602abf9ae87af8e82712c74df90202f341.exe
832	3edb328be542257dafc2ff1d4c726b602abf9ae87af8e82712c74df90202f341.exe
832	3edb328be542257dafc2ff1d4c726b602abf9ae87af8e82712c74df90202f341.exe
832	3edb328be542257dafc2ff1d4c726b602abf9ae87af8e82712c74df90202f341.exe
832	3edb328be542257dafc2ff1d4c726b602abf9ae87af8e82712c74df90202f341.exe
832	3edb328be542257dafc2ff1d4c726b602abf9ae87af8e82712c74df90202f341.exe
832	3edb328be542257dafc2ff1d4c726b602abf9ae87af8e82712c74df90202f341.exe
832	3edb328be542257dafc2ff1d4c726b602abf9ae87af8e82712c74df90202f341.exe
832	3edb328be542257dafc2ff1d4c726b602abf9ae87af8e82712c74df90202f341.exe
832	3edb328be542257dafc2ff1d4c726b602abf9ae87af8e82712c74df90202f341.exe
832	3edb328be542257dafc2ff1d4c726b602abf9ae87af8e82712c74df90202f341.exe
832	3edb328be542257dafc2ff1d4c726b602abf9ae87af8e82712c74df90202f341.exe
832	3edb328be542257dafc2ff1d4c726b602abf9ae87af8e82712c74df90202f341.exe
832	3edb328be542257dafc2ff1d4c726b602abf9ae87af8e82712c74df90202f341.exe
832	3edb328be542257dafc2ff1d4c726b602abf9ae87af8e82712c74df90202f341.exe
832	3edb328be542257dafc2ff1d4c726b602abf9ae87af8e82712c74df90202f341.exe
832	3edb328be542257dafc2ff1d4c726b602abf9ae87af8e82712c74df90202f341.exe
832	3edb328be542257dafc2ff1d4c726b602abf9ae87af8e82712c74df90202f341.exe
832	3edb328be542257dafc2ff1d4c726b602abf9ae87af8e82712c74df90202f341.exe
832	3edb328be542257dafc2ff1d4c726b602abf9ae87af8e82712c74df90202f341.exe
832	3edb328be542257dafc2ff1d4c726b602abf9ae87af8e82712c74df90202f341.exe
832	3edb328be542257dafc2ff1d4c726b602abf9ae87af8e82712c74df90202f341.exe
832	3edb328be542257dafc2ff1d4c726b602abf9ae87af8e82712c74df90202f341.exe
832	3edb328be542257dafc2ff1d4c726b602abf9ae87af8e82712c74df90202f341.exe
832	3edb328be542257dafc2ff1d4c726b602abf9ae87af8e82712c74df90202f341.exe
832	3edb328be542257dafc2ff1d4c726b602abf9ae87af8e82712c74df90202f341.exe
832	3edb328be542257dafc2ff1d4c726b602abf9ae87af8e82712c74df90202f341.exe
832	3edb328be542257dafc2ff1d4c726b602abf9ae87af8e82712c74df90202f341.exe
832	3edb328be542257dafc2ff1d4c726b602abf9ae87af8e82712c74df90202f341.exe
832	3edb328be542257dafc2ff1d4c726b602abf9ae87af8e82712c74df90202f341.exe
832	3edb328be542257dafc2ff1d4c726b602abf9ae87af8e82712c74df90202f341.exe
832	3edb328be542257dafc2ff1d4c726b602abf9ae87af8e82712c74df90202f341.exe
832	3edb328be542257dafc2ff1d4c726b602abf9ae87af8e82712c74df90202f341.exe
832	3edb328be542257dafc2ff1d4c726b602abf9ae87af8e82712c74df90202f341.exe
832	3edb328be542257dafc2ff1d4c726b602abf9ae87af8e82712c74df90202f341.exe
832	3edb328be542257dafc2ff1d4c726b602abf9ae87af8e82712c74df90202f341.exe
832	3edb328be542257dafc2ff1d4c726b602abf9ae87af8e82712c74df90202f341.exe
832	3edb328be542257dafc2ff1d4c726b602abf9ae87af8e82712c74df90202f341.exe
832	3edb328be542257dafc2ff1d4c726b602abf9ae87af8e82712c74df90202f341.exe
832	3edb328be542257dafc2ff1d4c726b602abf9ae87af8e82712c74df90202f341.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4736	WMIC.exe
Token: SeSecurityPrivilege	4736	WMIC.exe
Token: SeTakeOwnershipPrivilege	4736	WMIC.exe
Token: SeLoadDriverPrivilege	4736	WMIC.exe
Token: SeSystemProfilePrivilege	4736	WMIC.exe
Token: SeSystemtimePrivilege	4736	WMIC.exe
Token: SeProfSingleProcessPrivilege	4736	WMIC.exe
Token: SeIncBasePriorityPrivilege	4736	WMIC.exe
Token: SeCreatePagefilePrivilege	4736	WMIC.exe
Token: SeBackupPrivilege	4736	WMIC.exe
Token: SeRestorePrivilege	4736	WMIC.exe
Token: SeShutdownPrivilege	4736	WMIC.exe
Token: SeDebugPrivilege	4736	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4736	WMIC.exe
Token: SeRemoteShutdownPrivilege	4736	WMIC.exe
Token: SeUndockPrivilege	4736	WMIC.exe
Token: SeManageVolumePrivilege	4736	WMIC.exe
Token: 33	4736	WMIC.exe
Token: 34	4736	WMIC.exe
Token: 35	4736	WMIC.exe
Token: 36	4736	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4736	WMIC.exe
Token: SeSecurityPrivilege	4736	WMIC.exe
Token: SeTakeOwnershipPrivilege	4736	WMIC.exe
Token: SeLoadDriverPrivilege	4736	WMIC.exe
Token: SeSystemProfilePrivilege	4736	WMIC.exe
Token: SeSystemtimePrivilege	4736	WMIC.exe
Token: SeProfSingleProcessPrivilege	4736	WMIC.exe
Token: SeIncBasePriorityPrivilege	4736	WMIC.exe
Token: SeCreatePagefilePrivilege	4736	WMIC.exe
Token: SeBackupPrivilege	4736	WMIC.exe
Token: SeRestorePrivilege	4736	WMIC.exe
Token: SeShutdownPrivilege	4736	WMIC.exe
Token: SeDebugPrivilege	4736	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4736	WMIC.exe
Token: SeRemoteShutdownPrivilege	4736	WMIC.exe
Token: SeUndockPrivilege	4736	WMIC.exe
Token: SeManageVolumePrivilege	4736	WMIC.exe
Token: 33	4736	WMIC.exe
Token: 34	4736	WMIC.exe
Token: 35	4736	WMIC.exe
Token: 36	4736	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3432	WMIC.exe
Token: SeSecurityPrivilege	3432	WMIC.exe
Token: SeTakeOwnershipPrivilege	3432	WMIC.exe
Token: SeLoadDriverPrivilege	3432	WMIC.exe
Token: SeSystemProfilePrivilege	3432	WMIC.exe
Token: SeSystemtimePrivilege	3432	WMIC.exe
Token: SeProfSingleProcessPrivilege	3432	WMIC.exe
Token: SeIncBasePriorityPrivilege	3432	WMIC.exe
Token: SeCreatePagefilePrivilege	3432	WMIC.exe
Token: SeBackupPrivilege	3432	WMIC.exe
Token: SeRestorePrivilege	3432	WMIC.exe
Token: SeShutdownPrivilege	3432	WMIC.exe
Token: SeDebugPrivilege	3432	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3432	WMIC.exe
Token: SeRemoteShutdownPrivilege	3432	WMIC.exe
Token: SeUndockPrivilege	3432	WMIC.exe
Token: SeManageVolumePrivilege	3432	WMIC.exe
Token: 33	3432	WMIC.exe
Token: 34	3432	WMIC.exe
Token: 35	3432	WMIC.exe
Token: 36	3432	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3432	WMIC.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

3edb328be542257dafc2ff1d4c726b602abf9ae87af8e82712c74df90202f341.exeLogonUI.exe

pid	process
832	3edb328be542257dafc2ff1d4c726b602abf9ae87af8e82712c74df90202f341.exe
832	3edb328be542257dafc2ff1d4c726b602abf9ae87af8e82712c74df90202f341.exe
3972	LogonUI.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

3edb328be542257dafc2ff1d4c726b602abf9ae87af8e82712c74df90202f341.execmd.execmd.exe

description	pid	process	target process
PID 832 wrote to memory of 2676	832	3edb328be542257dafc2ff1d4c726b602abf9ae87af8e82712c74df90202f341.exe	cmd.exe
PID 832 wrote to memory of 2676	832	3edb328be542257dafc2ff1d4c726b602abf9ae87af8e82712c74df90202f341.exe	cmd.exe
PID 832 wrote to memory of 2676	832	3edb328be542257dafc2ff1d4c726b602abf9ae87af8e82712c74df90202f341.exe	cmd.exe
PID 2676 wrote to memory of 4736	2676	cmd.exe	WMIC.exe
PID 2676 wrote to memory of 4736	2676	cmd.exe	WMIC.exe
PID 2676 wrote to memory of 4736	2676	cmd.exe	WMIC.exe
PID 832 wrote to memory of 1532	832	3edb328be542257dafc2ff1d4c726b602abf9ae87af8e82712c74df90202f341.exe	cmd.exe
PID 832 wrote to memory of 1532	832	3edb328be542257dafc2ff1d4c726b602abf9ae87af8e82712c74df90202f341.exe	cmd.exe
PID 832 wrote to memory of 1532	832	3edb328be542257dafc2ff1d4c726b602abf9ae87af8e82712c74df90202f341.exe	cmd.exe
PID 1532 wrote to memory of 3432	1532	cmd.exe	WMIC.exe
PID 1532 wrote to memory of 3432	1532	cmd.exe	WMIC.exe
PID 1532 wrote to memory of 3432	1532	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\3edb328be542257dafc2ff1d4c726b602abf9ae87af8e82712c74df90202f341.exe
"C:\Users\Admin\AppData\Local\Temp\3edb328be542257dafc2ff1d4c726b602abf9ae87af8e82712c74df90202f341.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:832

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c wmic path Win32_ComputerSystemProduct get uuid /value
2⤵
- Suspicious use of WriteProcessMemory
PID:2676

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path Win32_ComputerSystemProduct get uuid /value
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4736

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c wmic path Win32_ComputerSystemProduct get uuid /value
2⤵
- Suspicious use of WriteProcessMemory
PID:1532

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path Win32_ComputerSystemProduct get uuid /value
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3432

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39d9855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3972

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3972 -s 1500
2⤵
- Program crash
PID:2612

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 448 -p 2404 -ip 2404
1⤵
PID:3960

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 484 -p 3972 -ip 3972
1⤵
PID:3904

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 480 -p 388 -ip 388
1⤵
PID:1216

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/832-133-0x0000000000400000-0x0000000000744000-memory.dmp

Filesize
3.3MB

Download
memory/832-134-0x0000000000400000-0x0000000000744000-memory.dmp

Filesize
3.3MB

Download
memory/832-135-0x0000000000400000-0x0000000000744000-memory.dmp

Filesize
3.3MB

Download
memory/832-136-0x0000000000400000-0x0000000000744000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads