db90264acfb6058bb4066a0faeafaf292b4bc7fdbc952500621a6b058a03d478

Resubmissions

05/10/2023, 12:57

231005-p65tdsda65 5

05/10/2023, 12:50

231005-p21zmsbb6y 7

Analysis

max time kernel
56s
max time network
61s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
05/10/2023, 12:57

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

187flame.jpg
Size

120KB
MD5

7177ec3221bf3fff41dbbda2fbb0208f
SHA1

f17740158904c9a6aa141d142ab8fe776941b275
SHA256

db90264acfb6058bb4066a0faeafaf292b4bc7fdbc952500621a6b058a03d478
SHA512

e788f52b9ce7df34f5bf3cfbe1dab00986fde6a504de6f46ea3734b9fba52efbea678ced4feb5a5fc2edd06b0dd7c5f6c0117874b2632474988faf5dc0466288
SSDEEP

1536:qPVEWLelxCdVcdEmgqqUsIp2y7JrYPR1CbTXUC+pDH5yzX/jDBKg4vHn2qzTNGfO:OdWW6CmD2KYTCbTkC+NkzPvBKrNx

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\Recovery\ReAgent.xml	bootim.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	bootim.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	bootim.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	bootim.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	bootim.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "24"	LogonUI.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3584	bootim.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeSystemEnvironmentPrivilege	3584	bootim.exe
Token: SeTakeOwnershipPrivilege	3584	bootim.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1080	LogonUI.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\187flame.jpg
1⤵
PID:5036

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3957055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1080

C:\Windows\system32\bootim.exe
bootim.exe /startpage:1
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\Recovery\ReAgent.xml

Filesize
1KB

MD5
086274b1d586cec56fda56f80d17d217

SHA1
6b9bd0cdf05c6546fd7bfecd9981a2e7f1488066

SHA256
409bc0e56b5e99404d14432e1e4876505660e35eae8186d1769c4bae397fe17c

SHA512
49be605a2b378414ce0d0b2a1c10bd3fdba3897c40316720a81d25c19cfe5a14846f1e84ef77f877b6f7c716ef974a6808d57dd2d9544600d3b3ce9bbe3dbd45

Download Submit