Analysis
- max time kernel: 9s
- max time network: 13s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-01-2024 13:20
Static task: static1
Behavioral task: behavioral1
- Sample: 67b78d68337844c4ce0c585851b633e2.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 67b78d68337844c4ce0c585851b633e2.exe
- Resource: win10v2004-20231222-en
Errors
General
- Target: 67b78d68337844c4ce0c585851b633e2.exe
- Size: 39KB
- MD5: 67b78d68337844c4ce0c585851b633e2
- SHA1: e356526d53a8f1bef9587544c46af4035d31d7f8
- SHA256: d1bf365dc4132fb562fb99e01e3613ed2a3548d5af74a810debacb7da8bf4e28
- SHA512: 0b4ce217d00d6f1f76700a15aeae9cbf91a88f3e4ec96806e4f45b04480f19b734151fd74934921d8cf08ea702b49c4f88682df446d8330c6486e9169e8ec0be
- SSDEEP: 384:bZk4nwCxOnBpWP0Gre5dHMvjNk4UIgeOdCAH2N7gt/V5bd2ChRl9mmu1ZPeic:bZhwCepW1re5arXAHr/Lbd2Pmbi
Malware Config
Signatures
- Disables RegEdit via registry modification (1 IoC)
  Processes: svchost.exe
  - Set value (int): \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (svchost.exe)
- Deletes itself (1 IoC)
  Processes: svchost.exe
  - PID 2984 svchost.exe
- Executes dropped EXE (1 IoC)
  Processes: 826ED114329F6C4F5F40.exe
  - PID 1420 826ED114329F6C4F5F40.exe
- Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes: vssvc.exe
  - Set value (data): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000da362e54a03ebf190000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000da362e540000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900da362e54000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dda362e54000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000da362e5400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (vssvc.exe)
  - Set value (data): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (vssvc.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters (vssvc.exe)
  - Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters (vssvc.exe)
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr (vssvc.exe)
- Modifies data under HKEY_USERS (15 IoCs)
  Processes: LogonUI.exe
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History (LogonUI.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" (LogonUI.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" (LogonUI.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" (LogonUI.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" (LogonUI.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent (LogonUI.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM (LogonUI.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" (LogonUI.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" (LogonUI.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" (LogonUI.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "248" (LogonUI.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" (LogonUI.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" (LogonUI.exe)
  - Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 (LogonUI.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" (LogonUI.exe)
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes: svchost.exe, vssvc.exe, shutdown.exe
  - Token: SeSystemProfilePrivilege, PID 2984 svchost.exe
  - Token: SeBackupPrivilege, PID 1892 vssvc.exe
  - Token: SeRestorePrivilege, PID 1892 vssvc.exe
  - Token: SeAuditPrivilege, PID 1892 vssvc.exe
  - Token: SeShutdownPrivilege, PID 2652 shutdown.exe
  - Token: SeRemoteShutdownPrivilege, PID 2652 shutdown.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: LogonUI.exe
  - PID 4576 LogonUI.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes: 67b78d68337844c4ce0c585851b633e2.exe, svchost.exe, 826ED114329F6C4F5F40.exe
  (source PID, source process -> target PID, target process)
  - PID 456 67b78d68337844c4ce0c585851b633e2.exe wrote to memory of 2984 svchost.exe
  - PID 456 67b78d68337844c4ce0c585851b633e2.exe wrote to memory of 2984 svchost.exe
  - PID 456 67b78d68337844c4ce0c585851b633e2.exe wrote to memory of 2984 svchost.exe
  - PID 456 67b78d68337844c4ce0c585851b633e2.exe wrote to memory of 2984 svchost.exe
  - PID 2984 svchost.exe wrote to memory of 1424 reg.exe
  - PID 2984 svchost.exe wrote to memory of 1424 reg.exe
  - PID 2984 svchost.exe wrote to memory of 1424 reg.exe
  - PID 2984 svchost.exe wrote to memory of 2652 shutdown.exe
  - PID 2984 svchost.exe wrote to memory of 2652 shutdown.exe
  - PID 2984 svchost.exe wrote to memory of 2652 shutdown.exe
  - PID 2984 svchost.exe wrote to memory of 1420 826ED114329F6C4F5F40.exe
  - PID 2984 svchost.exe wrote to memory of 1420 826ED114329F6C4F5F40.exe
  - PID 2984 svchost.exe wrote to memory of 1420 826ED114329F6C4F5F40.exe
  - PID 1420 826ED114329F6C4F5F40.exe wrote to memory of 4772 svchost.exe
  - PID 1420 826ED114329F6C4F5F40.exe wrote to memory of 4772 svchost.exe
  - PID 1420 826ED114329F6C4F5F40.exe wrote to memory of 4772 svchost.exe
  - PID 1420 826ED114329F6C4F5F40.exe wrote to memory of 4772 svchost.exe
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes (process tree; indentation shows parent/child depth)
- C:\Users\Admin\AppData\Local\Temp\67b78d68337844c4ce0c585851b633e2.exe (PID 456)
  Command line: "C:\Users\Admin\AppData\Local\Temp\67b78d68337844c4ce0c585851b633e2.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe (PID 2984)
    Command line: svchost.exe
    - Disables RegEdit via registry modification
    - Deletes itself
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe (PID 1424)
      Command line: reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
    - C:\Users\Admin\AppData\Local\Temp\826ED114329F6C4F5F40.exe (PID 1420)
      Command line: C:\Users\Admin\AppData\Local\Temp\826ED114329F6C4F5F40.exe
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\svchost.exe (PID 4772)
        Command line: svchost.exe
    - C:\Windows\SysWOW64\shutdown.exe (PID 2652)
      Command line: shutdown.exe -r -f -t 0
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe (PID 1892)
  Command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\srtasks.exe (PID 2132)
  Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
- C:\Windows\system32\LogonUI.exe (PID 4576)
  Command line: "LogonUI.exe" /flags:0x4 /state0:0xa3952855 /state1:0x41c64e6d
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Temp\826ED114329F6C4F5F40.exe
  - Filesize: 39KB
  - MD5: 67b78d68337844c4ce0c585851b633e2
  - SHA1: e356526d53a8f1bef9587544c46af4035d31d7f8
  - SHA256: d1bf365dc4132fb562fb99e01e3613ed2a3548d5af74a810debacb7da8bf4e28
  - SHA512: 0b4ce217d00d6f1f76700a15aeae9cbf91a88f3e4ec96806e4f45b04480f19b734151fd74934921d8cf08ea702b49c4f88682df446d8330c6486e9169e8ec0be
- memory/456-1-0x0000000000400000-0x0000000000413000-memory.dmp
  - Filesize: 76KB
- memory/456-0-0x00000000004F0000-0x00000000004F6000-memory.dmp
  - Filesize: 24KB
- memory/1420-10-0x0000000000400000-0x0000000000413000-memory.dmp
  - Filesize: 76KB
- memory/2984-2-0x000000007F590000-0x000000007F59E000-memory.dmp
  - Filesize: 56KB
- memory/2984-12-0x000000007F590000-0x000000007F59E000-memory.dmp
  - Filesize: 56KB
- memory/4772-9-0x000000007FF80000-0x000000007FF8E000-memory.dmp
  - Filesize: 56KB
- memory/4772-15-0x000000007FF80000-0x000000007FF8E000-memory.dmp
  - Filesize: 56KB
- memory/4772-17-0x000000007FF80000-0x000000007FF8E000-memory.dmp
  - Filesize: 56KB