Analysis
- max time kernel: 151s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18/01/2024, 02:10
Behavioral task behavioral1
- Sample: 6434eaf1e3f70480bc40f1216bc4641f.exe
- Resource: win7-20231215-en
Behavioral task behavioral2
- Sample: 6434eaf1e3f70480bc40f1216bc4641f.exe
- Resource: win10v2004-20231215-en
General
- Target: 6434eaf1e3f70480bc40f1216bc4641f.exe
- Size: 38KB
- MD5: 6434eaf1e3f70480bc40f1216bc4641f
- SHA1: bb7f3d02034b1267724983518cd831d2d4518c1a
- SHA256: 85231a8f5e9c681d7d5e6cdcc19da450eab541ba0c981f3d15322e8abfbb93e7
- SHA512: ea6fdeeaac48418b3af99bde17ae77ac4b4e892a2665d997de4453b80df574bea3440d174b02c62c7c8e47c6bbfcdc39e2cd980b6134f1de81f204a690013496
- SSDEEP: 768:T7WXtbVrCBN29+eiYc3OZ6CV2ZVO8GEDcinf:T7WXtb1Cv+YYc3c65ZVOpUnf
Malware Config
Signatures
-
Executes dropped EXE (1 IoC)
- pid 4856, Process: .exe
YARA rule matches (yara_rule: upx)
- behavioral2/memory/4220-0-0x0000000000400000-0x000000000041F000-memory.dmp: upx
- behavioral2/files/0x0002000000022775-4.dat: upx
- behavioral2/memory/4856-6-0x0000000000400000-0x000000000041F000-memory.dmp: upx
- behavioral2/memory/4220-8-0x0000000000400000-0x000000000041F000-memory.dmp: upx
Modifies data under HKEY_USERS (15 IoCs; all by LogonUI.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "235"
- Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"
Suspicious behavior: LoadsDriver (64 IoCs)
Suspicious use of AdjustPrivilegeToken (5 IoCs)
- Token: SeDebugPrivilege, pid 4220, 6434eaf1e3f70480bc40f1216bc4641f.exe
- Token: SeShutdownPrivilege, pid 4220, 6434eaf1e3f70480bc40f1216bc4641f.exe
- Token: SeShutdownPrivilege, pid 4220, 6434eaf1e3f70480bc40f1216bc4641f.exe
- Token: SeDebugPrivilege, pid 4220, 6434eaf1e3f70480bc40f1216bc4641f.exe
- Token: SeDebugPrivilege, pid 4856, .exe
Suspicious use of SetWindowsHookEx (1 IoC)
- pid 3044, LogonUI.exe
Suspicious use of WriteProcessMemory (3 IoCs)
- PID 4220 wrote to memory of 4856; pid 4220, 6434eaf1e3f70480bc40f1216bc4641f.exe, procid_target 91
- PID 4220 wrote to memory of 4856; pid 4220, 6434eaf1e3f70480bc40f1216bc4641f.exe, procid_target 91
- PID 4220 wrote to memory of 4856; pid 4220, 6434eaf1e3f70480bc40f1216bc4641f.exe, procid_target 91
Processes
- C:\Users\Admin\AppData\Local\Temp\6434eaf1e3f70480bc40f1216bc4641f.exe (command line: "C:\Users\Admin\AppData\Local\Temp\6434eaf1e3f70480bc40f1216bc4641f.exe"), PID 4220
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - child process: C:\Users\Admin\AppData\Local\Temp\.exe (command line: C:\Users\Admin\AppData\Local\Temp\.exe), PID 4856
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\LogonUI.exe (command line: "LogonUI.exe" /flags:0x4 /state0:0xa399f055 /state1:0x41c64e6d), PID 3044
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 38KB
- MD5: b84f4d30d66b22bbfe3c86ee3bfcda7b
- SHA1: dcc9edbe553b4c15e55df8a7ee7d4403e962d2ff
- SHA256: b3e108bd65af42b1ac999c34420e015c8521cc263b39b829982b21eefb816e2f
- SHA512: 37016c1f9fe9e2409c9516ba86d843fb1980136e30091342094cbcb9f2acf3c8b8239ee5dd15b493f38d32f454b64920a852b852b964821f9e1e95c8dcbaaa69