dc723bceb6f383f32cfdb374a454a9ce006398748f96346430587868a43ac28f

Reason

Machine shutdown

General

Target

lul.exe
Size

168KB
MD5

0ea845b5913d50f462d1d771cc473d18
SHA1

ac838713ec6a73a63567eaa81fdc4d1b74c91f35
SHA256

dc723bceb6f383f32cfdb374a454a9ce006398748f96346430587868a43ac28f
SHA512

8a18d6d7dd5e805cb40ea296be7b13b5de8621753f004d155015e119a3d4830b8d03837558dcc5fb539b01bdf5a429a126594d8268b87253d186a38aaf3dca76
SSDEEP

3072:BMobR7ezAjLOZvmX1h5KtiC+ESAShLbsISLei3Fh0:2eR7eammMth+ZLL4Z

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\s.bat"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3592352177-2971570228-3741369827-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3592352177-2971570228-3741369827-1000\Software\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\s.bat"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	lul.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	lul.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\s.bat	cmd.exe
File opened for modification	C:\Windows\s.bat	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
4664	ipconfig.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3592352177-2971570228-3741369827-1000_Classes\Local Settings	cmd.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
2232	reg.exe
4036	reg.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4932	shutdown.exe
Token: SeRemoteShutdownPrivilege	4932	shutdown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2860	LogonUI.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3216 wrote to memory of 3784	3216	lul.exe	66
PID 3216 wrote to memory of 3784	3216	lul.exe	66
PID 3784 wrote to memory of 4932	3784	cmd.exe	68
PID 3784 wrote to memory of 4932	3784	cmd.exe	68
PID 3784 wrote to memory of 4436	3784	cmd.exe	70
PID 3784 wrote to memory of 4436	3784	cmd.exe	70
PID 3784 wrote to memory of 4140	3784	cmd.exe	71
PID 3784 wrote to memory of 4140	3784	cmd.exe	71
PID 3784 wrote to memory of 4160	3784	cmd.exe	72
PID 3784 wrote to memory of 4160	3784	cmd.exe	72
PID 3784 wrote to memory of 2232	3784	cmd.exe	73
PID 3784 wrote to memory of 2232	3784	cmd.exe	73
PID 3784 wrote to memory of 4036	3784	cmd.exe	74
PID 3784 wrote to memory of 4036	3784	cmd.exe	74
PID 3784 wrote to memory of 4664	3784	cmd.exe	75
PID 3784 wrote to memory of 4664	3784	cmd.exe	75

C:\Users\Admin\AppData\Local\Temp\lul.exe
"C:\Users\Admin\AppData\Local\Temp\lul.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3216
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c s.bat
  2⤵
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3784
- - C:\Windows\system32\shutdown.exe
    shutdown -s -t 68 -c ":D"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4932
- - C:\Windows\system32\winver.exe
    winver.exe
    3⤵
    PID:4436
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msg.vbs"
    3⤵
    PID:4140
- - C:\Windows\system32\rundll32.exe
    RUNDLL32 USER32.DLL,SwapMouseButton
    3⤵
    PID:4160
- - C:\Windows\system32\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\s.bat /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:2232
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\s.bat /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:4036
- - C:\Windows\system32\ipconfig.exe
    Ipconfig / release
    3⤵
    - Gathers network information
    PID:4664

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3acf055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2860

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msg.vbs

Filesize
24B

MD5
74d9c5d0cff2544b485c33a94ca0c57d

SHA1
a2432860b321ff8a0c145ac98a814c3bfb49a284

SHA256
602b849d9f0d45cd95a24ecd92057b119340798844485ee444dce96dd3b3398e

SHA512
73a38fdeb96c643501709b8a91b1fcab62e1b817cfed4a9e3fbe1990be2383003051ed52bee0da5a6cd0f9f02d03416c9cb060f97629d90513c12a70fdb9c1b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s.bat

Filesize
9KB

MD5
04cb1ca14b01520e75569255a90495bf

SHA1
e509df382c8d906a0d3b03abfc17ad97ae8c01a8

SHA256
1f8d5657af51e4bf5eb54f4c1f2478b83c80d338e7d6d7759483925108ab67d2

SHA512
9d9b36054c6f0bf963acf7bedfad1396d9f7c4fb52011cf4b199bf56bf1a4fbeab705b1382401b616cebd8bd53b2a548c132ad86f0396d06dcaebc95093eedcf

Download Submit

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads