12bea5e878327d4cc81db8421aebb1ca2eafad7cd88b695938d3aff425a4fb45

Reason

Machine shutdown

General

Target

1c4db9ab7ce0c5d5285f78e1007490bd.exe
Size

513KB
MD5

1c4db9ab7ce0c5d5285f78e1007490bd
SHA1

d44356deca09b698652f6285b31e0fb161cd225b
SHA256

12bea5e878327d4cc81db8421aebb1ca2eafad7cd88b695938d3aff425a4fb45
SHA512

1504e384408da7c630a1a66924607f426052db93b58b07d398d47b9b9b9040ad99be50bd6bef519f6d2c41c2d149d2ae5ee5ab095b6507e001a24b75d20ac800
SSDEEP

12288:8oTfYuqyRLu5aCWoevfZ1PUxHmA7PGbdOv4c54e08MGH2:hDYu3GeAxHmA7PGsvF54e08MGW

Score

8^/10

evasion

Malware Config

Signatures

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	1c4db9ab7ce0c5d5285f78e1007490bd.exe

Executes dropped EXE 2 IoCs

pid	Process
3792	SetACL32.exe
3832	SetACL32.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3800	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3056	schtasks.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "235"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeBackupPrivilege	3792	SetACL32.exe
Token: SeRestorePrivilege	3792	SetACL32.exe
Token: SeTakeOwnershipPrivilege	3792	SetACL32.exe
Token: SeBackupPrivilege	3832	SetACL32.exe
Token: SeRestorePrivilege	3832	SetACL32.exe
Token: SeTakeOwnershipPrivilege	3832	SetACL32.exe
Token: SeShutdownPrivilege	3068	shutdown.exe
Token: SeRemoteShutdownPrivilege	3068	shutdown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2564	LogonUI.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3492 wrote to memory of 4552	3492	1c4db9ab7ce0c5d5285f78e1007490bd.exe	95
PID 3492 wrote to memory of 4552	3492	1c4db9ab7ce0c5d5285f78e1007490bd.exe	95
PID 4552 wrote to memory of 2564	4552	cmd.exe	98
PID 4552 wrote to memory of 2564	4552	cmd.exe	98
PID 4552 wrote to memory of 3056	4552	cmd.exe	99
PID 4552 wrote to memory of 3056	4552	cmd.exe	99
PID 4552 wrote to memory of 3792	4552	cmd.exe	100
PID 4552 wrote to memory of 3792	4552	cmd.exe	100
PID 4552 wrote to memory of 3792	4552	cmd.exe	100
PID 4552 wrote to memory of 3832	4552	cmd.exe	101
PID 4552 wrote to memory of 3832	4552	cmd.exe	101
PID 4552 wrote to memory of 3832	4552	cmd.exe	101
PID 4552 wrote to memory of 1200	4552	cmd.exe	102
PID 4552 wrote to memory of 1200	4552	cmd.exe	102
PID 4552 wrote to memory of 4516	4552	cmd.exe	103
PID 4552 wrote to memory of 4516	4552	cmd.exe	103
PID 4552 wrote to memory of 3800	4552	cmd.exe	104
PID 4552 wrote to memory of 3800	4552	cmd.exe	104
PID 4552 wrote to memory of 3068	4552	cmd.exe	105
PID 4552 wrote to memory of 3068	4552	cmd.exe	105

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1c4db9ab7ce0c5d5285f78e1007490bd.exe
"C:\Users\Admin\AppData\Local\Temp\1c4db9ab7ce0c5d5285f78e1007490bd.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3492
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\33DC.tmp\3516.bat C:\Users\Admin\AppData\Local\Temp\1c4db9ab7ce0c5d5285f78e1007490bd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4552
- - C:\Windows\system32\xcopy.exe
    xcopy "CylanceUninstall.bat" "C:\CyUn\CylanceUninstall.bat*"
    3⤵
    PID:2564
- - C:\Windows\system32\schtasks.exe
    schtasks /create /sc onlogon /f /TN CyUninstall /rl highest /TR C:\CyUn\CylanceUninstall.bat
    3⤵
    - Creates scheduled task(s)
    PID:3056
- - C:\Users\Admin\AppData\Local\Temp\33DC.tmp\SetACL32.exe
    SetACL32.exe -on "HKEY_LOCAL_MACHINE\SOFTWARE\Cylance\Desktop" -ot reg -actn setowner -ownr "n:Administrators"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3792
- - C:\Users\Admin\AppData\Local\Temp\33DC.tmp\SetACL32.exe
    SetACL32.exe -on "HKEY_LOCAL_MACHINE\SOFTWARE\Cylance\Desktop" -ot reg -actn ace -ace "n:Administrators;p:full"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3832
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Cylance\Desktop" /v "LastStateRestorePoint" /f
    3⤵
    PID:1200
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Cylance\Desktop" /v "SelfProtectionLevel" /t REG_DWORD /d "1" /f
    3⤵
    PID:4516
- - C:\Windows\system32\sc.exe
    SC Delete CylanceSvc
    3⤵
    - Launches sc.exe
    PID:3800
- - C:\Windows\system32\shutdown.exe
    Shutdown /r /t 60 /c "Cylance Uninstalling - Shutting down in 60 seconds"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3068

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3972055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Create or Modify System Process

1

T1543

Windows Service

Scheduled Task/Job

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

Scheduled Task/Job

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\33DC.tmp\3516.bat

Filesize
1KB

MD5
b1c7a2c3bf4a48c7071281b91456717f

SHA1
d2e2db6c057a7b3afa46c30331c3a293dfe596a3

SHA256
80ec5266529bb02c3f8c2dfb26f004f6d7ef7d4a1f5836ff6f3dd2a35d6c7b6a

SHA512
4e90143162cfedcb4b72100d4de5d2b5c8c217123a160f80389f789b45cbe3cfb9cef110f7518bb06ed6704bd38086e2684d9b7900e7ed369dc98b8d09a41fb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\33DC.tmp\CylanceUninstall.bat

Filesize
250B

MD5
84b7b7d7c64116d0d57de5592bd6bf02

SHA1
66c628d8e294164ea18753bb337566819e0dee82

SHA256
d104ecd4715c285dfa5560458ad06d38ef494ee698aadf5a0118d0662cad91e6

SHA512
caf73d43dc8c31b360a7d500fd7572335907bf8ca6a43646ba04000b550700ec0a76e19b7366b158b34071146659b98caf087e0ee95e9a5f16238ed02b968f11

Download Submit
C:\Users\Admin\AppData\Local\Temp\33DC.tmp\SetACL32.exe

Filesize
443KB

MD5
451ae03d3c92777f09840ca56f08ab62

SHA1
328d049da1814cfe7d1c7783691304577854482f

SHA256
d5e779d151772504662e8226eb4107330ffa7a51209eee42b6d5883d99100ba9

SHA512
76772983a5c9c8c703b5e51f8ca9a0d5594121e42afa12adcd2b05753a1f96f97b274cda9b13251e0dca0d31ae6a719b2c509ac581bb34c930ccb00141eb9d42

Download Submit

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads