4f871cd375a63580c46709257802d2f4aa9c56ed15c4355de07d02184161eab3

Reason

Machine shutdown

General

Target

1ff4c22f01305c802cbba02f6c4e7426.exe
Size

711KB
MD5

1ff4c22f01305c802cbba02f6c4e7426
SHA1

a32a472dc5959a757ab2bce081b0a0ff3ab43549
SHA256

4f871cd375a63580c46709257802d2f4aa9c56ed15c4355de07d02184161eab3
SHA512

fbb1d1b259a75603eac3fdba39629c7b06bfdb4b0b058788a4e964a7f81e316720c7f6dff988b04d873bc89d151e8d4362d05c196c820a4b74ca7d5f539af780
SSDEEP

12288:tJa103rcuTLjDVPwo4jVY0dxwEy3JlN4pn4SLlxmtdlvATSOtxFOP3DwQ696:qBuTZVYVrPy3JlKndLlELlv0SkITt

Score

7^/10

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0006000000023233-4.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
3680	devremov.exe
1080	devremov.exe

Loads dropped DLL 5 IoCs

pid	Process
780	1ff4c22f01305c802cbba02f6c4e7426.exe
780	1ff4c22f01305c802cbba02f6c4e7426.exe
780	1ff4c22f01305c802cbba02f6c4e7426.exe
780	1ff4c22f01305c802cbba02f6c4e7426.exe
780	1ff4c22f01305c802cbba02f6c4e7426.exe

Checks SCSI registry key(s) 3 TTPs 8 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	devremov.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	devremov.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	devremov.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	devremov.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	devremov.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	devremov.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	devremov.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	devremov.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "104"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	780	1ff4c22f01305c802cbba02f6c4e7426.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
780	1ff4c22f01305c802cbba02f6c4e7426.exe
2348	LogonUI.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 780 wrote to memory of 3680	780	1ff4c22f01305c802cbba02f6c4e7426.exe	96
PID 780 wrote to memory of 3680	780	1ff4c22f01305c802cbba02f6c4e7426.exe	96
PID 780 wrote to memory of 3680	780	1ff4c22f01305c802cbba02f6c4e7426.exe	96
PID 780 wrote to memory of 1080	780	1ff4c22f01305c802cbba02f6c4e7426.exe	99
PID 780 wrote to memory of 1080	780	1ff4c22f01305c802cbba02f6c4e7426.exe	99
PID 780 wrote to memory of 1080	780	1ff4c22f01305c802cbba02f6c4e7426.exe	99

C:\Users\Admin\AppData\Local\Temp\1ff4c22f01305c802cbba02f6c4e7426.exe
"C:\Users\Admin\AppData\Local\Temp\1ff4c22f01305c802cbba02f6c4e7426.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:780
- C:\Users\Admin\AppData\Local\Temp\devremov.exe
  "devremov.exe" "ACPI\DADY0002\3&11583659&0"
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID:3680
- C:\Users\Admin\AppData\Local\Temp\devremov.exe
  "devremov.exe" "ACPI\PNP0A06\PCI_HOTPLUG_RESOURCES"
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID:1080

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3967855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEVREMOV.EXE

Filesize
60KB

MD5
a1f002797ce17be9e02b9b389f4de0b6

SHA1
66dc4acea894bf68b55dbf7d0b46e74b4618b25a

SHA256
709fe744dd7aa50cdd2b535d168b3cd4fa8177686c9c80d38a4481f3b8bbb96e

SHA512
21906c3412fe80207b7b20e0742b797fe2be49a1917865909f0389e1fdfa61013275bef493929525eeda1c7588dfe0c9a8fff8f9ccf5161556800de59893d370

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRLang.ini

Filesize
3KB

MD5
bbb69b03ef833c3e18eeb744eadb7067

SHA1
c0cdc4994b3686e78dea04ff03791f9f49c5846f

SHA256
63c68311edc92f8a4ac2b52d1edecbb0f63a2123741069d9a17046adb803d543

SHA512
5c3712bab8a09cc042bc63c4f0edc4ec58e4ef3d90e780f5976de8d73245584a47dc0816b907803e55e69b62396c18a59d1976d5ef3a25c5bea82f70b79c3f1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WBDDA34I.DLL

Filesize
291KB

MD5
72af0116f9f0f6e812fd8779a224c7ec

SHA1
363daae5efce952b7843f8a7fc5e22bd6e42bf6f

SHA256
6c323238f926dfc1a5e246fdfb1e3b0fb2cb08c52faa7860009a2b6c310a347c

SHA512
808e4e381d85a0e1115b2c6c84e73005afdfef6657287e9d4e41bcbf029509f05ecaa104b53f2050235771bfe9ae3f3914145d5f500db7ad56cf6b5dfda493ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\WBDDA34I.DLL

Filesize
286KB

MD5
24e8c798aa40a388f41eb7d68ff85da9

SHA1
47beab62c53c7ec33a1de4a06bef660e5447ee49

SHA256
cc2f33b05e8ad7df857870b4cc24b05b1f37dba7ea4ca247608d3bd80059191f

SHA512
75b0548b03884659e2bc0c854fbb312bd682a9c5b6579ccf3044678d6bca4967cd9d98fc75df286ce194e3d1c6c4e6b65dadccefc4677d8cb9c0bdd15796d356

Download Submit
C:\Users\Admin\AppData\Local\Temp\WBDDA34I.DLL

Filesize
277KB

MD5
462e72a1677a076a92852daae4ab7578

SHA1
566da0eb01bdf72917e519476727f6dbb0ee19c8

SHA256
86fce62511e50d312373ce909af2bd002d7e7611922a3b2a4db33c4e97c045d8

SHA512
9793ccd91aac5c45d9ed0db9b60ecbc7bbe02517ebc602d796b7bf20042e5ab72e0e9039dadb930a930bb13e0cd7e6704abd3f49897bffc34c2e86bd92208d86

Download Submit
C:\Users\Admin\AppData\Local\Temp\WBODA34I.DLL

Filesize
45KB

MD5
faf7ce34b4db29b26c9a15235778bfd3

SHA1
c028a16bebe8e2b616bc0c37300bd56a04bbdc5a

SHA256
ea2424564634f22a28ab3fbf3057fac4b2804d93c9f7f6c2451c4db3df9f4f23

SHA512
4d14868a18e50bc20766e298fc530254d713d8ec157c02d47da5ce6e25032d26d919de97224afb1203c96748c410d8cfc186b80caed1d6a8240f7d0fc424d132

Download Submit
C:\Users\Admin\AppData\Local\Temp\gni8443.tmp

Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\rni84B2.tmp

Filesize
194KB

MD5
02b06c69c2767213d1df6aa56a097803

SHA1
f14fd7ef4059347235c8113480e6c46ee768ed65

SHA256
8f7ac0be40ed9b333c7b3c33521d623e1a61391bd207aa4baac0a83841f4ba07

SHA512
54014033f1108598d80e042363927d70c5e532f2cd559a43a9ad40e2213a3f38ee150696746ff654c01c438f26a17dbe610d1ab9e6d3026d841f72102181b0f5

Download Submit
memory/780-21-0x000000001C000000-0x000000001C0B8000-memory.dmp

Filesize
736KB

Download
memory/780-47-0x000000001B000000-0x000000001B019000-memory.dmp

Filesize
100KB

Download
memory/780-24-0x000000001C000000-0x000000001C0B8000-memory.dmp

Filesize
736KB

Download
memory/780-23-0x000000001C000000-0x000000001C0B8000-memory.dmp

Filesize
736KB

Download
memory/780-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/780-22-0x000000001C000000-0x000000001C0B8000-memory.dmp

Filesize
736KB

Download
memory/780-25-0x000000001C000000-0x000000001C0B8000-memory.dmp

Filesize
736KB

Download
memory/780-36-0x000000001C000000-0x000000001C0B8000-memory.dmp

Filesize
736KB

Download
memory/780-45-0x000000001B000000-0x000000001B019000-memory.dmp

Filesize
100KB

Download
memory/780-7-0x00000000021C0000-0x0000000002233000-memory.dmp

Filesize
460KB

Download
memory/780-60-0x00000000021C0000-0x0000000002233000-memory.dmp

Filesize
460KB

Download
memory/780-8-0x00000000021C0000-0x0000000002233000-memory.dmp

Filesize
460KB

Download
memory/780-64-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/780-74-0x00000000021C0000-0x0000000002233000-memory.dmp

Filesize
460KB

Download
memory/780-75-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/780-76-0x000000001C000000-0x000000001C0B8000-memory.dmp

Filesize
736KB

Download

Analysis

Sharing

Errors