4b3c02fa1516c71b44708adee293fc0dff5a33fb989c1df8d26603ba3fcf0445

Analysis

max time kernel
72s
max time network
84s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12/01/2024, 08:41

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

spoofer.bat
Size

26KB
MD5

71f3e121ed4c4edd93ed7e2eef18c60f
SHA1

c2c10acae7ffe7c0d5ded9fe7603b0804dd743db
SHA256

4b3c02fa1516c71b44708adee293fc0dff5a33fb989c1df8d26603ba3fcf0445
SHA512

b2cf5ed127a15851264e75791d8f44c2fad28a03fa85c628fda08634f6c05f165e145f3615f509e3f84a59c173a2fffdfd6790d57484fa5f73f3fad27a9e3d8c
SSDEEP

768:fBd3qX+ac4zOhpYBUtrwrhtAUIsTpt75qn:/4O

Score

8^/10

evasion persistence

Malware Config

Signatures

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
2716	attrib.exe
1576	attrib.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Greatgame	reg.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "235"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings	calc.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1020	reg.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3036	tskill.exe
3036	tskill.exe
4388	tskill.exe
4388	tskill.exe
2128	tskill.exe
2128	tskill.exe
5100	tskill.exe
5100	tskill.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5024	shutdown.exe
Token: SeRemoteShutdownPrivilege	5024	shutdown.exe
Token: SeSystemtimePrivilege	3948	cmd.exe
Token: SeSystemtimePrivilege	3948	cmd.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3268	OpenWith.exe
1404	OpenWith.exe
4036	OpenWith.exe
492	LogonUI.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3948 wrote to memory of 3892	3948	cmd.exe	87
PID 3948 wrote to memory of 3892	3948	cmd.exe	87
PID 3948 wrote to memory of 3620	3948	cmd.exe	88
PID 3948 wrote to memory of 3620	3948	cmd.exe	88
PID 3948 wrote to memory of 1196	3948	cmd.exe	90
PID 3948 wrote to memory of 1196	3948	cmd.exe	90
PID 3948 wrote to memory of 1852	3948	cmd.exe	93
PID 3948 wrote to memory of 1852	3948	cmd.exe	93
PID 3948 wrote to memory of 1020	3948	cmd.exe	95
PID 3948 wrote to memory of 1020	3948	cmd.exe	95
PID 3948 wrote to memory of 2716	3948	cmd.exe	97
PID 3948 wrote to memory of 2716	3948	cmd.exe	97
PID 3948 wrote to memory of 1576	3948	cmd.exe	98
PID 3948 wrote to memory of 1576	3948	cmd.exe	98
PID 3948 wrote to memory of 2152	3948	cmd.exe	99
PID 3948 wrote to memory of 2152	3948	cmd.exe	99
PID 3948 wrote to memory of 2496	3948	cmd.exe	100
PID 3948 wrote to memory of 2496	3948	cmd.exe	100
PID 3948 wrote to memory of 3036	3948	cmd.exe	101
PID 3948 wrote to memory of 3036	3948	cmd.exe	101
PID 3948 wrote to memory of 4388	3948	cmd.exe	102
PID 3948 wrote to memory of 4388	3948	cmd.exe	102
PID 3948 wrote to memory of 2128	3948	cmd.exe	103
PID 3948 wrote to memory of 2128	3948	cmd.exe	103
PID 3948 wrote to memory of 5100	3948	cmd.exe	104
PID 3948 wrote to memory of 5100	3948	cmd.exe	104
PID 3948 wrote to memory of 4092	3948	cmd.exe	105
PID 3948 wrote to memory of 4092	3948	cmd.exe	105
PID 3948 wrote to memory of 2196	3948	cmd.exe	110
PID 3948 wrote to memory of 2196	3948	cmd.exe	110
PID 3948 wrote to memory of 3404	3948	cmd.exe	108
PID 3948 wrote to memory of 3404	3948	cmd.exe	108
PID 3948 wrote to memory of 2508	3948	cmd.exe	111
PID 3948 wrote to memory of 2508	3948	cmd.exe	111
PID 3948 wrote to memory of 5072	3948	cmd.exe	112
PID 3948 wrote to memory of 5072	3948	cmd.exe	112
PID 3948 wrote to memory of 5024	3948	cmd.exe	125
PID 3948 wrote to memory of 5024	3948	cmd.exe	125
PID 3948 wrote to memory of 2520	3948	cmd.exe	127
PID 3948 wrote to memory of 2520	3948	cmd.exe	127
PID 3948 wrote to memory of 4384	3948	cmd.exe	128
PID 3948 wrote to memory of 4384	3948	cmd.exe	128

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2716	attrib.exe
1576	attrib.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\spoofer.bat"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3948
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3892
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3620
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1196
- C:\Windows\system32\calc.exe
  calc
  2⤵
  - Modifies registry class
  PID:1852
- C:\Windows\system32\reg.exe
  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Greatgame /t REG_SZ
  2⤵
  - Adds Run key to start application
  - Modifies registry key
  PID:1020
- C:\Windows\system32\attrib.exe
  Attrib +r +h Greatgame.bat
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:2716
- C:\Windows\system32\attrib.exe
  Attrib +r +h
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:1576
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL.SwapMouseButton
  2⤵
  PID:2152
- C:\Windows\system32\calc.exe
  calc
  2⤵
  - Modifies registry class
  PID:2496
- C:\Windows\system32\tskill.exe
  tskill msnmsgr
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3036
- C:\Windows\system32\tskill.exe
  tskill LimeWire
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4388
- C:\Windows\system32\tskill.exe
  tskill iexplore
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2128
- C:\Windows\system32\tskill.exe
  tskill NMain
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5100
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4092
- C:\Windows\system32\calc.exe
  calc
  2⤵
  - Modifies registry class
  PID:3404
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2196
- C:\Windows\system32\msg.exe
  msg * R.I.P
  2⤵
  PID:2508
- C:\Windows\system32\msg.exe
  msg * R.I.P
  2⤵
  PID:5072
- C:\Windows\system32\shutdown.exe
  shutdown -r -t 10 -c "VIRUS DETECTED"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5024
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2520
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4384

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3268

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1404

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4036

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa396f855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads