Analysis
-
max time kernel
37s -
max time network
42s -
platform
windows10-2004_x64 -
resource
win10v2004-20231020-en -
resource tags
arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system -
submitted
13-11-2023 18:31
Behavioral task
behavioral1
Sample
1.bat
Resource
win10v2004-20231020-en
windows10-2004-x64
16 signatures
300 seconds
Behavioral task
behavioral2
Sample
2.bat
Resource
win10v2004-20231023-en
windows10-2004-x64
1 signatures
300 seconds
Behavioral task
behavioral3
Sample
3.bat
Resource
win10v2004-20231023-en
windows10-2004-x64
0 signatures
300 seconds
Behavioral task
behavioral4
Sample
exe/ntregopt.exe
Resource
win10v2004-20231020-en
windows10-2004-x64
6 signatures
300 seconds
Behavioral task
behavioral5
Sample
exe/reshacker.exe
Resource
win10v2004-20231025-en
windows10-2004-x64
1 signatures
300 seconds
Behavioral task
behavioral6
Sample
exe/upx.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
1 signatures
300 seconds
Behavioral task
behavioral7
Sample
reg.bat
Resource
win10v2004-20231020-en
windows10-2004-x64
1 signatures
300 seconds
Errors
Reason
Machine shutdown
General
-
Target
exe/ntregopt.exe
-
Size
128KB
-
MD5
2165b82e4817a4752dfd3e71fe5953df
-
SHA1
c3ddfb9ba93194ed1c6743f61f63f1ef3753feff
-
SHA256
95652293f6016e8bb626e8143cc118b73c7790033522278831606c0b81760e49
-
SHA512
7db14d5143bcca9ff68a14c4e7aae8794981a198be1a29279fb2ff96f292f20e5eb0887b902eefc937c5bdc19f889847b393be6a43de8163521772c576f59683
-
SSDEEP
3072:QvnysXeJxVSOb5Lp0Jv3rPn/lgXKJ0whl7x4Fo4X:QvXp17P9gXKJxMRX
Score
7/10
Malware Config
Signatures
-
resource yara_rule behavioral4/memory/4608-0-0x0000000000400000-0x0000000000458000-memory.dmp upx behavioral4/memory/4608-2-0x0000000000400000-0x0000000000458000-memory.dmp upx behavioral4/memory/4608-3-0x0000000000400000-0x0000000000458000-memory.dmp upx behavioral4/memory/4608-4-0x0000000000400000-0x0000000000458000-memory.dmp upx behavioral4/memory/4608-5-0x0000000000400000-0x0000000000458000-memory.dmp upx behavioral4/memory/4608-6-0x0000000000400000-0x0000000000458000-memory.dmp upx -
Drops file in System32 directory 5 IoCs
description ioc Process File created C:\Windows\SysWOW64\config\SECURITY.tmp ntregopt.exe File created C:\Windows\SysWOW64\config\SAM.tmp ntregopt.exe File created C:\Windows\SysWOW64\config\SYSTEM.tmp ntregopt.exe File created C:\Windows\SysWOW64\config\SOFTWARE.tmp ntregopt.exe File created C:\Windows\SysWOW64\config\DEFAULT.tmp ntregopt.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\ServiceProfiles\NetworkService\NTUSER.tmp ntregopt.exe File created C:\Windows\ServiceProfiles\LocalService\NTUSER.tmp ntregopt.exe -
Modifies data under HKEY_USERS 18 IoCs
description ioc Process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent LogonUI.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "167" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT ntregopt.exe Key created \REGISTRY\USER\S-1-5-19 ntregopt.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" LogonUI.exe Key created \REGISTRY\USER\S-1-5-20 ntregopt.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" LogonUI.exe -
Suspicious use of AdjustPrivilegeToken 20 IoCs
description pid Process Token: SeBackupPrivilege 4608 ntregopt.exe Token: SeBackupPrivilege 4608 ntregopt.exe Token: SeRestorePrivilege 4608 ntregopt.exe Token: SeBackupPrivilege 4608 ntregopt.exe Token: SeRestorePrivilege 4608 ntregopt.exe Token: SeBackupPrivilege 4608 ntregopt.exe Token: SeRestorePrivilege 4608 ntregopt.exe Token: SeBackupPrivilege 4608 ntregopt.exe Token: SeRestorePrivilege 4608 ntregopt.exe Token: SeBackupPrivilege 4608 ntregopt.exe Token: SeRestorePrivilege 4608 ntregopt.exe Token: SeBackupPrivilege 4608 ntregopt.exe Token: SeRestorePrivilege 4608 ntregopt.exe Token: SeBackupPrivilege 4608 ntregopt.exe Token: SeRestorePrivilege 4608 ntregopt.exe Token: SeBackupPrivilege 4608 ntregopt.exe Token: SeRestorePrivilege 4608 ntregopt.exe Token: SeBackupPrivilege 4608 ntregopt.exe Token: SeRestorePrivilege 4608 ntregopt.exe Token: SeShutdownPrivilege 4608 ntregopt.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2388 LogonUI.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\exe\ntregopt.exe"C:\Users\Admin\AppData\Local\Temp\exe\ntregopt.exe"1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4608
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa39ac055 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2388