23ed6e23e05842129fbf173ee81c8eee98a0192fc8eef312dd1a0b05bcc62159

Analysis

max time kernel
115s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
14/10/2023, 08:11

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

DELDELDEL.bat
Size

1KB
MD5

1eb0b568ed636ab110f4593ee56c4095
SHA1

7a68987ddef833b90f261f9be396eb5f2ad33cb5
SHA256

23ed6e23e05842129fbf173ee81c8eee98a0192fc8eef312dd1a0b05bcc62159
SHA512

d88a86effed3d675479ea15bf83f028965aef4959e33e8e20496e6427fa136a0efae251680b3846bca7bdaece8f1952fcc154fd483be48219b18c5cc32ae9000

Score

8^/10

evasion

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1376	timeout.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "117"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe

Modifies registry key 1 TTPs 5 IoCs

Modify Registry

T1112

pid	Process
2644	reg.exe
2120	reg.exe
4936	reg.exe
4652	reg.exe
4888	reg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
224	PING.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4392	shutdown.exe
Token: SeRemoteShutdownPrivilege	4392	shutdown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3416	LogonUI.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1160 wrote to memory of 4696	1160	cmd.exe	102
PID 1160 wrote to memory of 4696	1160	cmd.exe	102
PID 1160 wrote to memory of 224	1160	cmd.exe	103
PID 1160 wrote to memory of 224	1160	cmd.exe	103
PID 1160 wrote to memory of 4652	1160	cmd.exe	104
PID 1160 wrote to memory of 4652	1160	cmd.exe	104
PID 1160 wrote to memory of 4888	1160	cmd.exe	105
PID 1160 wrote to memory of 4888	1160	cmd.exe	105
PID 1160 wrote to memory of 2644	1160	cmd.exe	106
PID 1160 wrote to memory of 2644	1160	cmd.exe	106
PID 1160 wrote to memory of 2120	1160	cmd.exe	107
PID 1160 wrote to memory of 2120	1160	cmd.exe	107
PID 1160 wrote to memory of 4936	1160	cmd.exe	108
PID 1160 wrote to memory of 4936	1160	cmd.exe	108
PID 1160 wrote to memory of 1376	1160	cmd.exe	109
PID 1160 wrote to memory of 1376	1160	cmd.exe	109
PID 1160 wrote to memory of 4392	1160	cmd.exe	110
PID 1160 wrote to memory of 4392	1160	cmd.exe	110

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\DELDELDEL.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1160
- C:\Windows\system32\choice.exe
  choice /c yn
  2⤵
  PID:4696
- C:\Windows\system32\PING.EXE
  ping localhost -n 3
  2⤵
  - Runs ping.exe
  PID:224
- C:\Windows\system32\reg.exe
  reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  2⤵
  - Modifies registry key
  PID:4652
- C:\Windows\system32\reg.exe
  REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:4888
- C:\Windows\system32\reg.exe
  REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkStation /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:2644
- C:\Windows\system32\reg.exe
  REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:2120
- C:\Windows\system32\reg.exe
  REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1/f
  2⤵
  - Modifies registry key
  PID:4936
- C:\Windows\system32\timeout.exe
  timeout 8
  2⤵
  - Delays execution with timeout.exe
  PID:1376
- C:\Windows\system32\shutdown.exe
  shutdown -r -t 60
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4392

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa395a855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads