d64d2d1467d96dcf23e0a22f0e45961d9bbd556120befb30d3fcf5f292cab257

Resubmissions

23/09/2023, 13:05

230923-qbkemsfe8v 3

23/09/2023, 13:04

230923-qa2brsfe71 1

Analysis

max time kernel
17s
max time network
26s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
23/09/2023, 13:04

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

WCI.bat
Size

3KB
MD5

243a8a10e72cda51f3460c4b2c3470c2
SHA1

8d8bb75420b71db0b2611c0d9769543efae6ce5d
SHA256

d64d2d1467d96dcf23e0a22f0e45961d9bbd556120befb30d3fcf5f292cab257
SHA512

fbfa1347b821f6c6064b5ddd7395ed59d0428d29e9efaf5413c7b2b9c13e2da82119ed3725611c402e09dc17b85a9d8271f76f894ce0ea2f95d911e213505c77

Score

1^/10

Malware Config

Signatures

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "117"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3236	LogonUI.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 1480 wrote to memory of 4768	1480	cmd.exe	86
PID 1480 wrote to memory of 4768	1480	cmd.exe	86
PID 1480 wrote to memory of 1932	1480	cmd.exe	87
PID 1480 wrote to memory of 1932	1480	cmd.exe	87
PID 1480 wrote to memory of 1756	1480	cmd.exe	88
PID 1480 wrote to memory of 1756	1480	cmd.exe	88
PID 1480 wrote to memory of 928	1480	cmd.exe	89
PID 1480 wrote to memory of 928	1480	cmd.exe	89
PID 1480 wrote to memory of 4600	1480	cmd.exe	90
PID 1480 wrote to memory of 4600	1480	cmd.exe	90
PID 1480 wrote to memory of 3708	1480	cmd.exe	92
PID 1480 wrote to memory of 3708	1480	cmd.exe	92
PID 1480 wrote to memory of 4420	1480	cmd.exe	91
PID 1480 wrote to memory of 4420	1480	cmd.exe	91
PID 1480 wrote to memory of 564	1480	cmd.exe	94
PID 1480 wrote to memory of 564	1480	cmd.exe	94
PID 1480 wrote to memory of 3452	1480	cmd.exe	93
PID 1480 wrote to memory of 3452	1480	cmd.exe	93
PID 1480 wrote to memory of 2284	1480	cmd.exe	95
PID 1480 wrote to memory of 2284	1480	cmd.exe	95
PID 1480 wrote to memory of 4316	1480	cmd.exe	96
PID 1480 wrote to memory of 4316	1480	cmd.exe	96
PID 1480 wrote to memory of 3928	1480	cmd.exe	97
PID 1480 wrote to memory of 3928	1480	cmd.exe	97
PID 1480 wrote to memory of 2560	1480	cmd.exe	98
PID 1480 wrote to memory of 2560	1480	cmd.exe	98
PID 1480 wrote to memory of 3388	1480	cmd.exe	100
PID 1480 wrote to memory of 3388	1480	cmd.exe	100
PID 1480 wrote to memory of 4612	1480	cmd.exe	99
PID 1480 wrote to memory of 4612	1480	cmd.exe	99
PID 1480 wrote to memory of 5020	1480	cmd.exe	101
PID 1480 wrote to memory of 5020	1480	cmd.exe	101
PID 1480 wrote to memory of 4956	1480	cmd.exe	102
PID 1480 wrote to memory of 4956	1480	cmd.exe	102

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\WCI.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:4768
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:1932
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:1756
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:928
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:4600
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:4420
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:3708
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:3452
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:564
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:2284
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:4316
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:3928
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:2560
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:4612
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:3388
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:5020
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:4956

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39ec855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3236

Windows 7 deprecation

Loading Replay Monitor...

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads