cf29a82a5b1592480fef0ef8f5a3ccc49721cebd64bfc0932a2709eeecaffd13

Analysis

max time kernel
44s
max time network
39s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
14/02/2024, 07:32

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

9b1fbfd63513103ee14c85f72db99c96.exe
Size

685KB
MD5

9b1fbfd63513103ee14c85f72db99c96
SHA1

83df19cfd98ff18cde9a5335f00c96b87ba64284
SHA256

cf29a82a5b1592480fef0ef8f5a3ccc49721cebd64bfc0932a2709eeecaffd13
SHA512

06a70b75a69d8f38ebf87fadb377dab34c5306a87fa352eddd1c39528456f286f37189f4190a62f2d388b8de937414a217f17bd7168ee31f713d27f270c25123
SSDEEP

12288:3rJ7482eDChzUlPY7oMDmzZ0FDAhCF3Z4mxxqi4Fv81knkstG:7Jk82e+ax1MDs0FDAUQmXtRku

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3860	SERVER~1.EXE
1864	Hacker.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9b1fbfd63513103ee14c85f72db99c96.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Hacker.exe	SERVER~1.EXE
File opened for modification	C:\Windows\Hacker.exe	SERVER~1.EXE
File created	C:\Windows\uninstal.bat	SERVER~1.EXE

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "85"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3860	SERVER~1.EXE
Token: SeDebugPrivilege	1864	Hacker.exe
Token: SeShutdownPrivilege	1084	9b1fbfd63513103ee14c85f72db99c96.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1864	Hacker.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2604	LogonUI.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1084 wrote to memory of 3860	1084	9b1fbfd63513103ee14c85f72db99c96.exe	83
PID 1084 wrote to memory of 3860	1084	9b1fbfd63513103ee14c85f72db99c96.exe	83
PID 1084 wrote to memory of 3860	1084	9b1fbfd63513103ee14c85f72db99c96.exe	83
PID 3860 wrote to memory of 3692	3860	SERVER~1.EXE	85
PID 3860 wrote to memory of 3692	3860	SERVER~1.EXE	85
PID 3860 wrote to memory of 3692	3860	SERVER~1.EXE	85
PID 1864 wrote to memory of 4480	1864	Hacker.exe	86
PID 1864 wrote to memory of 4480	1864	Hacker.exe	86

C:\Users\Admin\AppData\Local\Temp\9b1fbfd63513103ee14c85f72db99c96.exe
"C:\Users\Admin\AppData\Local\Temp\9b1fbfd63513103ee14c85f72db99c96.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1084
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SERVER~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SERVER~1.EXE
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
    3⤵
    PID:3692

C:\Windows\Hacker.exe
C:\Windows\Hacker.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1864
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:4480

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3989855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SERVER~1.EXE

Filesize
743KB

MD5
b2e9487a4c2f70600bb28e6dccd8ffeb

SHA1
1044b1d7151381f734e243b453742dba00f64f84

SHA256
f00029218cf5e01fd386fc84a854d39bd35068cffe0035104832836428f0a207

SHA512
d89b77770cab9cac697ca193aa42271c8d7cf7e09a1e3c6231db957d44d753b521b09a862294fee96ac0ea85c207d1a8a005317081c072df8332f22530245105

Download Submit
C:\Windows\uninstal.bat

Filesize
164B

MD5
924ea7ae6df752587469376459875c51

SHA1
ec5fa69c7e5dcaf5b57eefadc4f25a8e4ae073e1

SHA256
46c715ac82d5774479b760757498ddb0b9f75cebc116a3da81f9e438bc9bbb09

SHA512
ea7b176a411b82faf5fcd785c67180f88f9ff28f7e24c4f4b49f8e7cdc99fb60e38722b61547a4291bdd2c56b3729045c2e8d4afbecfe03612ab0dd8a7b6ae35

Download Submit
memory/1084-28-0x00000000031C0000-0x00000000031C1000-memory.dmp

Filesize
4KB

Download
memory/1084-40-0x00000000031C0000-0x00000000031C1000-memory.dmp

Filesize
4KB

Download
memory/1084-7-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/1084-8-0x0000000000D10000-0x0000000000D11000-memory.dmp

Filesize
4KB

Download
memory/1084-6-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/1084-5-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

Filesize
4KB

Download
memory/1084-4-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/1084-3-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

Filesize
4KB

Download
memory/1084-2-0x0000000000D00000-0x0000000000D01000-memory.dmp

Filesize
4KB

Download
memory/1084-9-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/1084-10-0x0000000000CD0000-0x0000000000CD1000-memory.dmp

Filesize
4KB

Download
memory/1084-11-0x00000000031D0000-0x00000000031D1000-memory.dmp

Filesize
4KB

Download
memory/1084-12-0x00000000031D0000-0x00000000031D1000-memory.dmp

Filesize
4KB

Download
memory/1084-13-0x00000000031D0000-0x00000000031D1000-memory.dmp

Filesize
4KB

Download
memory/1084-14-0x00000000031C0000-0x00000000031C1000-memory.dmp

Filesize
4KB

Download
memory/1084-15-0x00000000031C0000-0x00000000031C1000-memory.dmp

Filesize
4KB

Download
memory/1084-16-0x00000000031C0000-0x00000000031C1000-memory.dmp

Filesize
4KB

Download
memory/1084-17-0x00000000031C0000-0x00000000031C1000-memory.dmp

Filesize
4KB

Download
memory/1084-18-0x00000000031C0000-0x00000000031C1000-memory.dmp

Filesize
4KB

Download
memory/1084-19-0x00000000031C0000-0x00000000031C1000-memory.dmp

Filesize
4KB

Download
memory/1084-20-0x00000000031C0000-0x00000000031C1000-memory.dmp

Filesize
4KB

Download
memory/1084-21-0x00000000031C0000-0x00000000031C1000-memory.dmp

Filesize
4KB

Download
memory/1084-22-0x00000000031C0000-0x00000000031C1000-memory.dmp

Filesize
4KB

Download
memory/1084-23-0x00000000031C0000-0x00000000031C1000-memory.dmp

Filesize
4KB

Download
memory/1084-24-0x00000000031C0000-0x00000000031C1000-memory.dmp

Filesize
4KB

Download
memory/1084-25-0x00000000031C0000-0x00000000031C1000-memory.dmp

Filesize
4KB

Download
memory/1084-26-0x00000000031C0000-0x00000000031C1000-memory.dmp

Filesize
4KB

Download
memory/1084-27-0x00000000031C0000-0x00000000031C1000-memory.dmp

Filesize
4KB

Download
memory/1084-1-0x0000000000710000-0x0000000000764000-memory.dmp

Filesize
336KB

Download
memory/1084-0-0x0000000001000000-0x000000000110E000-memory.dmp

Filesize
1.1MB

Download
memory/1084-43-0x00000000031C0000-0x00000000031C1000-memory.dmp

Filesize
4KB

Download
memory/1084-31-0x00000000031C0000-0x00000000031C1000-memory.dmp

Filesize
4KB

Download
memory/1084-32-0x00000000031C0000-0x00000000031C1000-memory.dmp

Filesize
4KB

Download
memory/1084-33-0x00000000031C0000-0x00000000031C1000-memory.dmp

Filesize
4KB

Download
memory/1084-34-0x00000000031C0000-0x00000000031C1000-memory.dmp

Filesize
4KB

Download
memory/1084-35-0x00000000031C0000-0x00000000031C1000-memory.dmp

Filesize
4KB

Download
memory/1084-36-0x00000000031C0000-0x00000000031C1000-memory.dmp

Filesize
4KB

Download
memory/1084-37-0x00000000031C0000-0x00000000031C1000-memory.dmp

Filesize
4KB

Download
memory/1084-38-0x00000000031C0000-0x00000000031C1000-memory.dmp

Filesize
4KB

Download
memory/1084-39-0x00000000031C0000-0x00000000031C1000-memory.dmp

Filesize
4KB

Download
memory/1084-29-0x00000000031C0000-0x00000000031C1000-memory.dmp

Filesize
4KB

Download
memory/1084-41-0x00000000031C0000-0x00000000031C1000-memory.dmp

Filesize
4KB

Download
memory/1084-42-0x00000000031C0000-0x00000000031C1000-memory.dmp

Filesize
4KB

Download
memory/1084-30-0x00000000031C0000-0x00000000031C1000-memory.dmp

Filesize
4KB

Download
memory/1084-44-0x00000000031C0000-0x00000000031C1000-memory.dmp

Filesize
4KB

Download
memory/1084-45-0x00000000031C0000-0x00000000031C1000-memory.dmp

Filesize
4KB

Download
memory/1084-46-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/1084-47-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/1084-48-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/1084-49-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/1084-50-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download
memory/1084-51-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download
memory/1084-52-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/1084-68-0x0000000001000000-0x000000000110E000-memory.dmp

Filesize
1.1MB

Download
memory/1084-69-0x0000000000710000-0x0000000000764000-memory.dmp

Filesize
336KB

Download
memory/1864-64-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/1864-70-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/3860-58-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/3860-66-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads