9882f4e0b1f0e5077870b39437a7d4260d6ffeefe6229291972cf5127a1e3722

Reason

Machine shutdown

General

Target

9882f4e0b1f0e5077870b39437a7d4260d6ffeefe6229291972cf5127a1e3722.exe
Size

744KB
MD5

bcbd139349f71c511ce0760279b1a094
SHA1

cb0ce2640bd02cadbaf8970e496fabb133eb325c
SHA256

9882f4e0b1f0e5077870b39437a7d4260d6ffeefe6229291972cf5127a1e3722
SHA512

9b4c9a31387cbd802cd4de6e1e23e8f937f66284ed5dcc515999ac2e1d28b51692a63d26cc2628964b6414a2187afb7a67fd7380c028777e3b3b142b10923832
SSDEEP

12288:xYJx0jKaBhqIflDmOSXDl1IfZXxqzWBL:xYJxqK0hdFjSTbIf1xqzW

Score

8^/10

bootkit evasion persistence

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

Loads dropped DLL 1 IoCs

pid	Process
4176	9882f4e0b1f0e5077870b39437a7d4260d6ffeefe6229291972cf5127a1e3722.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\physicaldrive0	9882f4e0b1f0e5077870b39437a7d4260d6ffeefe6229291972cf5127a1e3722.exe

Kills process with taskkill 7 IoCs

evasion

pid	Process
3724	taskkill.exe
3492	taskkill.exe
1352	taskkill.exe
4632	taskkill.exe
3692	taskkill.exe
3608	taskkill.exe
1528	taskkill.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "37"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe

Modifies registry class 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.txt\ = "jpegfile"	9882f4e0b1f0e5077870b39437a7d4260d6ffeefe6229291972cf5127a1e3722.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.inf\ = "jpegfile"	9882f4e0b1f0e5077870b39437a7d4260d6ffeefe6229291972cf5127a1e3722.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "jpegfile"	9882f4e0b1f0e5077870b39437a7d4260d6ffeefe6229291972cf5127a1e3722.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "jpegfile"	9882f4e0b1f0e5077870b39437a7d4260d6ffeefe6229291972cf5127a1e3722.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4176	9882f4e0b1f0e5077870b39437a7d4260d6ffeefe6229291972cf5127a1e3722.exe
4176	9882f4e0b1f0e5077870b39437a7d4260d6ffeefe6229291972cf5127a1e3722.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4176	9882f4e0b1f0e5077870b39437a7d4260d6ffeefe6229291972cf5127a1e3722.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4176	9882f4e0b1f0e5077870b39437a7d4260d6ffeefe6229291972cf5127a1e3722.exe
4176	9882f4e0b1f0e5077870b39437a7d4260d6ffeefe6229291972cf5127a1e3722.exe
3488	LogonUI.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 4176 wrote to memory of 1352	4176	9882f4e0b1f0e5077870b39437a7d4260d6ffeefe6229291972cf5127a1e3722.exe	89
PID 4176 wrote to memory of 1352	4176	9882f4e0b1f0e5077870b39437a7d4260d6ffeefe6229291972cf5127a1e3722.exe	89
PID 4176 wrote to memory of 1352	4176	9882f4e0b1f0e5077870b39437a7d4260d6ffeefe6229291972cf5127a1e3722.exe	89
PID 4176 wrote to memory of 3692	4176	9882f4e0b1f0e5077870b39437a7d4260d6ffeefe6229291972cf5127a1e3722.exe	91
PID 4176 wrote to memory of 3692	4176	9882f4e0b1f0e5077870b39437a7d4260d6ffeefe6229291972cf5127a1e3722.exe	91
PID 4176 wrote to memory of 3692	4176	9882f4e0b1f0e5077870b39437a7d4260d6ffeefe6229291972cf5127a1e3722.exe	91
PID 4176 wrote to memory of 4632	4176	9882f4e0b1f0e5077870b39437a7d4260d6ffeefe6229291972cf5127a1e3722.exe	90
PID 4176 wrote to memory of 4632	4176	9882f4e0b1f0e5077870b39437a7d4260d6ffeefe6229291972cf5127a1e3722.exe	90
PID 4176 wrote to memory of 4632	4176	9882f4e0b1f0e5077870b39437a7d4260d6ffeefe6229291972cf5127a1e3722.exe	90
PID 4176 wrote to memory of 3608	4176	9882f4e0b1f0e5077870b39437a7d4260d6ffeefe6229291972cf5127a1e3722.exe	92
PID 4176 wrote to memory of 3608	4176	9882f4e0b1f0e5077870b39437a7d4260d6ffeefe6229291972cf5127a1e3722.exe	92
PID 4176 wrote to memory of 3608	4176	9882f4e0b1f0e5077870b39437a7d4260d6ffeefe6229291972cf5127a1e3722.exe	92
PID 4176 wrote to memory of 3492	4176	9882f4e0b1f0e5077870b39437a7d4260d6ffeefe6229291972cf5127a1e3722.exe	95
PID 4176 wrote to memory of 3492	4176	9882f4e0b1f0e5077870b39437a7d4260d6ffeefe6229291972cf5127a1e3722.exe	95
PID 4176 wrote to memory of 3492	4176	9882f4e0b1f0e5077870b39437a7d4260d6ffeefe6229291972cf5127a1e3722.exe	95
PID 4176 wrote to memory of 3724	4176	9882f4e0b1f0e5077870b39437a7d4260d6ffeefe6229291972cf5127a1e3722.exe	94
PID 4176 wrote to memory of 3724	4176	9882f4e0b1f0e5077870b39437a7d4260d6ffeefe6229291972cf5127a1e3722.exe	94
PID 4176 wrote to memory of 3724	4176	9882f4e0b1f0e5077870b39437a7d4260d6ffeefe6229291972cf5127a1e3722.exe	94
PID 4176 wrote to memory of 1528	4176	9882f4e0b1f0e5077870b39437a7d4260d6ffeefe6229291972cf5127a1e3722.exe	93
PID 4176 wrote to memory of 1528	4176	9882f4e0b1f0e5077870b39437a7d4260d6ffeefe6229291972cf5127a1e3722.exe	93
PID 4176 wrote to memory of 1528	4176	9882f4e0b1f0e5077870b39437a7d4260d6ffeefe6229291972cf5127a1e3722.exe	93
PID 4176 wrote to memory of 4524	4176	9882f4e0b1f0e5077870b39437a7d4260d6ffeefe6229291972cf5127a1e3722.exe	96
PID 4176 wrote to memory of 4524	4176	9882f4e0b1f0e5077870b39437a7d4260d6ffeefe6229291972cf5127a1e3722.exe	96
PID 4176 wrote to memory of 4524	4176	9882f4e0b1f0e5077870b39437a7d4260d6ffeefe6229291972cf5127a1e3722.exe	96

C:\Users\Admin\AppData\Local\Temp\9882f4e0b1f0e5077870b39437a7d4260d6ffeefe6229291972cf5127a1e3722.exe
"C:\Users\Admin\AppData\Local\Temp\9882f4e0b1f0e5077870b39437a7d4260d6ffeefe6229291972cf5127a1e3722.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4176
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im kavsvc.exe
  2⤵
  - Kills process with taskkill
  PID:1352
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im Rav.exe
  2⤵
  - Kills process with taskkill
  PID:4632
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im KVXP.kxp
  2⤵
  - Kills process with taskkill
  PID:3692
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im Ravmon.exe
  2⤵
  - Kills process with taskkill
  PID:3608
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im 360tray.exe
  2⤵
  - Kills process with taskkill
  PID:1528
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im VsTskMgr.exe
  2⤵
  - Kills process with taskkill
  PID:3724
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im Mcshield.exe
  2⤵
  - Kills process with taskkill
  PID:3492
- C:\Windows\SysWOW64\shutdown.exe
  shutdown -s -f
  2⤵
  PID:4524

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3980855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Anti.dll

Filesize
8KB

MD5
c3b7e89f0988eaaf4ff13a9efa34b4ac

SHA1
d72a764135883636329b60d704b0355843a7dd48

SHA256
ed4ffb194370b886c22f97bf53250475632933526c62ef35f1b5cd8b538901f3

SHA512
dc4b0e7981bc1d3f2107b46ffbeaf60297f54601234fdd1662de55e2043d791c7ab1b3b2748177d52ebfe799ff9317b1ebc3b017fab4dd6b3b912c696148a185

Download Submit
C:\Users\Admin\AppData\Local\Temp\Anti.dll

Filesize
8KB

MD5
c3b7e89f0988eaaf4ff13a9efa34b4ac

SHA1
d72a764135883636329b60d704b0355843a7dd48

SHA256
ed4ffb194370b886c22f97bf53250475632933526c62ef35f1b5cd8b538901f3

SHA512
dc4b0e7981bc1d3f2107b46ffbeaf60297f54601234fdd1662de55e2043d791c7ab1b3b2748177d52ebfe799ff9317b1ebc3b017fab4dd6b3b912c696148a185

Download Submit

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads