93d3013f0a9155d6618915dd3e4dd68c2d180d6ea2baa77eb96965006e676a8f

Reason

Machine shutdown

General

Target

VMware Workstation Pro Full 2023 v23.0.01 + Patch.exe
Size

594.9MB
MD5

7e680bb7565e19a287163ff51d3ebf7c
SHA1

3780d44b47a530f7ac07873b3b7cf3ae72511d01
SHA256

93d3013f0a9155d6618915dd3e4dd68c2d180d6ea2baa77eb96965006e676a8f
SHA512

fc2eab22f8573c0c385aab8673f4eb22d802b5568eceed2f3df1d23e3332c5e80ce5f3d7bcc6276448e8967b97bc90f134d75e7e2900289c9235808ee54b0eee
SSDEEP

12582912:fnXZ/3yW7J9gw0021l1VPRnzTYQEELLNKKvEHQZZQCVZZm6jP3S5pWWQN5gn+WVM:Q

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
1168	VMware Workstation Pro Full 2023 v23.0.01 + Patch.tmp
4364	setup.exe

Loads dropped DLL 11 IoCs

pid	Process
4364	setup.exe
4364	setup.exe
4364	setup.exe
4364	setup.exe
4364	setup.exe
4364	setup.exe
4364	setup.exe
4364	setup.exe
4364	setup.exe
4364	setup.exe
4364	setup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\VMware Workstation Pro Full 2023 v23.0.01 + Patch\is-43Q15.tmp	VMware Workstation Pro Full 2023 v23.0.01 + Patch.tmp
File opened for modification	C:\Program Files (x86)\VMware Workstation Pro Full 2023 v23.0.01 + Patch\unins000.dat	VMware Workstation Pro Full 2023 v23.0.01 + Patch.tmp
File created	C:\Program Files (x86)\VMware Workstation Pro Full 2023 v23.0.01 + Patch\unins000.dat	VMware Workstation Pro Full 2023 v23.0.01 + Patch.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "217"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1168	VMware Workstation Pro Full 2023 v23.0.01 + Patch.tmp
1168	VMware Workstation Pro Full 2023 v23.0.01 + Patch.tmp

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4804	VMware Workstation Pro Full 2023 v23.0.01 + Patch.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1168	VMware Workstation Pro Full 2023 v23.0.01 + Patch.tmp

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4664	LogonUI.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4804 wrote to memory of 1168	4804	VMware Workstation Pro Full 2023 v23.0.01 + Patch.exe	95
PID 4804 wrote to memory of 1168	4804	VMware Workstation Pro Full 2023 v23.0.01 + Patch.exe	95
PID 4804 wrote to memory of 1168	4804	VMware Workstation Pro Full 2023 v23.0.01 + Patch.exe	95
PID 1168 wrote to memory of 4364	1168	VMware Workstation Pro Full 2023 v23.0.01 + Patch.tmp	96
PID 1168 wrote to memory of 4364	1168	VMware Workstation Pro Full 2023 v23.0.01 + Patch.tmp	96
PID 1168 wrote to memory of 4364	1168	VMware Workstation Pro Full 2023 v23.0.01 + Patch.tmp	96

C:\Users\Admin\AppData\Local\Temp\VMware Workstation Pro Full 2023 v23.0.01 + Patch.exe
"C:\Users\Admin\AppData\Local\Temp\VMware Workstation Pro Full 2023 v23.0.01 + Patch.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4804
- C:\Users\Admin\AppData\Local\Temp\is-O49EI.tmp\VMware Workstation Pro Full 2023 v23.0.01 + Patch.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-O49EI.tmp\VMware Workstation Pro Full 2023 v23.0.01 + Patch.tmp" /SL5="$120050,623000314,832512,C:\Users\Admin\AppData\Local\Temp\VMware Workstation Pro Full 2023 v23.0.01 + Patch.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1168
- - C:\Users\Admin\AppData\Local\Temp\is-DI3DJ.tmp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\is-DI3DJ.tmp\setup.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4364

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3945055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\J3U83TL1\dub[1].php

Filesize
2B

MD5
444bcb3a3fcf8389296c49467f27e1d6

SHA1
7a85f4764bbd6daf1c3545efbbf0f279a6dc0beb

SHA256
2689367b205c16ce32ed4200942b8b8b1e262dfc70d9bc9fbc77c49699a4f1df

SHA512
9fbbbb5a0f329f9782e2356fa41d89cf9b3694327c1a934d6af2a9df2d7f936ce83717fb513196a4ce5548471708cd7134c2ae99b3c357bcabb2eafc7b9b7570

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DI3DJ.tmp\setup.exe

Filesize
67KB

MD5
d829bfdd69fc78518971441e0439633e

SHA1
d51c746a27c8f7805dd4d44234f357d20835dcd2

SHA256
f8274df6a00340107d586f7be21c4aa7c9684adfb4eab89ec06ab6b774f43087

SHA512
c40b06a0da60f7c4cee8a3360850e1773e1182b9dee481fb660219c2d403459b457d30b3665bf66530d414c830d9bdf149dc4c57c7bd82b337a498edce5d1c54

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-O49EI.tmp\VMware Workstation Pro Full 2023 v23.0.01 + Patch.tmp

Filesize
3.1MB

MD5
91936b89c960ba396f63854dc0d72fe9

SHA1
07dd963c77e275c338986363131fb64fa6caa8e8

SHA256
e3f317709cf3c5cdee48763b493fa59881cfdd07fd22985c07910592d2c3e57c

SHA512
9203515d65a7197d6296794a6a2ea045d08a1b17a5d2a297f150e89f93524e9f7e23e64ae57709622285b9c8e4105de4b8ec1679c5f4a5c442efc0464f1ed623

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk922F.tmp\INetC.dll

Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
memory/1168-6-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download
memory/1168-71-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/1168-108-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/4804-0-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4804-2-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4804-19-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4804-109-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download

Resubmissions

Analysis

Sharing

Errors