1b555820823612cdc01638e78f298d906aaa7226b51fb1d31bed494c46b383b2

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
29/02/2024, 03:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2974306ecd35625fa1178839af538a784f556cfd24ccf6f55da33a1b12ef3982.exe
Size

16.7MB
MD5

cb25d7a3e925218db1fe292b8a1005a3
SHA1

b16dadb69560787b68996db571e47cdc38d3d0c7
SHA256

2974306ecd35625fa1178839af538a784f556cfd24ccf6f55da33a1b12ef3982
SHA512

f120121342198a9edca351775e5f2aac5d3b4a933a2f334f046948c00a96f34ceae1a126701696972d7bdfb7a9b1530ef5e2a9c3212611ad6abeecee26243774
SSDEEP

393216:sCWRxKyZKx8iSfS+a0KhoRuSGlUfV1FC3IoC5ZPw7KaDj7zZVMVxKXag62:wxPy8t6T0W3YHw3LC5ZPwWaDj7NVhT

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 5 IoCs

pid	Process
2932	2974306ecd35625fa1178839af538a784f556cfd24ccf6f55da33a1b12ef3982.exe
2932	2974306ecd35625fa1178839af538a784f556cfd24ccf6f55da33a1b12ef3982.exe
2932	2974306ecd35625fa1178839af538a784f556cfd24ccf6f55da33a1b12ef3982.exe
2932	2974306ecd35625fa1178839af538a784f556cfd24ccf6f55da33a1b12ef3982.exe
2932	2974306ecd35625fa1178839af538a784f556cfd24ccf6f55da33a1b12ef3982.exe

Enumerates system info in registry 2 TTPs 32 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Identifier	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\1\KeyboardController	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Configuration Data	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Component Information	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Configuration Data	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Identifier	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Configuration Data	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Component Information	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0	csrss.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	csrss.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Component Information	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Identifier	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Configuration Data	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Component Information	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Identifier	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Configuration Data	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Component Information	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Identifier	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController	csrss.exe

Modifies data under HKEY_USERS 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ColorName = "NormalColor"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastLoadedDPI = "96"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\DllName = "%SystemRoot%\\resources\\themes\\Aero\\Aero.msstyles"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\SizeName = "NormalSize"	winlogon.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached\MachinePreferredUILanguages = 65006e002d00550053000000	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ThemeActive = "1"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LoadedBefore = "1"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastUserLangID = "1033"	winlogon.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2932	2974306ecd35625fa1178839af538a784f556cfd24ccf6f55da33a1b12ef3982.exe
Token: SeShutdownPrivilege	3012	LogonUI.exe
Token: SeShutdownPrivilege	3012	LogonUI.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 3012	2424	csrss.exe	32
PID 2424 wrote to memory of 3012	2424	csrss.exe	32
PID 2468 wrote to memory of 3012	2468	winlogon.exe	32
PID 2468 wrote to memory of 3012	2468	winlogon.exe	32
PID 2468 wrote to memory of 3012	2468	winlogon.exe	32
PID 2424 wrote to memory of 3012	2424	csrss.exe	32
PID 2424 wrote to memory of 3012	2424	csrss.exe	32
PID 2424 wrote to memory of 3012	2424	csrss.exe	32
PID 2424 wrote to memory of 3012	2424	csrss.exe	32
PID 2424 wrote to memory of 3012	2424	csrss.exe	32
PID 2424 wrote to memory of 3012	2424	csrss.exe	32
PID 2424 wrote to memory of 3012	2424	csrss.exe	32
PID 2424 wrote to memory of 3012	2424	csrss.exe	32

C:\Users\Admin\AppData\Local\Temp\2974306ecd35625fa1178839af538a784f556cfd24ccf6f55da33a1b12ef3982.exe
"C:\Users\Admin\AppData\Local\Temp\2974306ecd35625fa1178839af538a784f556cfd24ccf6f55da33a1b12ef3982.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2932

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:2732

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:2424

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:2468
- C:\Windows\system32\LogonUI.exe
  "LogonUI.exe" /flags:0x0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\d4b4c636-3bf7-466b-8a64-a11aa0f44e84.FusionApp\PCShutdownOperations.mfx

Filesize
114KB

MD5
426ac6ce433939fb99a06c4924f374c9

SHA1
d35fdd69d7788dc4e75e615d0ca9ac011bce14f5

SHA256
7948de373521b28b905b0f543d8851272fa6259594aab4379abd5e330f0360ce

SHA512
6085240699168fea46df1210c85ac874a106fd1de0ecd2b1260a5ba05de6403d7bee48a75c2b6624f98afb55d5a392063cc73af8d2110d289ab9844942bbf7b2

Download Submit
\Users\Admin\AppData\Local\Temp\d4b4c636-3bf7-466b-8a64-a11aa0f44e84.FusionApp\mmf2d3d9.dll

Filesize
1.1MB

MD5
3ae47534f1224c4797176107a9a41683

SHA1
5c4af10c0afa5233a21a661d7ba9130c808a961d

SHA256
53edf5138930d52b473104ce0d085413248d15a4aa891ac02a718e89625de6ef

SHA512
6dc285765b4726708afaab793b7b384121476fa807114490824a5513c5c80b6278e376dae3b0d82a7360cd65cdbce8d3f60ed23271453a08e2a5af311715e8d3

Download Submit
\Users\Admin\AppData\Local\Temp\d4b4c636-3bf7-466b-8a64-a11aa0f44e84.FusionApp\mmfs2.dll

Filesize
506KB

MD5
efaebf8b1628c22289be3adbb83fe614

SHA1
efa4dd19ceda4e60069f0b7d8e0bbcd4f78438fb

SHA256
3d89c4fe6c2fa379b203286c9db649ab83f9934ac1be21302057a563a3707563

SHA512
6921ad80c36ce3a9fd774f6785c45d5c56f68fb29712cac6472c8878a685e641adbe2077d2b96b4d59aaa7b978b3e8357cffca1628583986474de67765e1e48e

Download Submit
\Users\Admin\AppData\Local\Temp\d4b4c636-3bf7-466b-8a64-a11aa0f44e84.FusionApp\oggflt.sft

Filesize
130KB

MD5
0c8c1ee3ba92189f4ce21d1b396a2765

SHA1
b7daa4a6e16416151dccbb0a89f304961b6cb627

SHA256
9e589f86317d840df9bb74f6ee20c24ca65afe58f4009740382f63a0f5531941

SHA512
0a4339092ac55bac3b1bdfaaa3401020f8f49918bd2fdb14524f3d558eb840b876aedfdeb54a1da163fa36393abf3fe8ab7e112a34ea9d891e82a22e96c85ddc

Download Submit
\Users\Admin\AppData\Local\Temp\d4b4c636-3bf7-466b-8a64-a11aa0f44e84.FusionApp\waveFlt.sft

Filesize
8KB

MD5
57ea61dd14314ef155e80c6a0be8a664

SHA1
963b0ef2fe976ff77044a821fe1e29be4a8cf8a7

SHA256
92a5053cf5973a6aa228c738d55387f12f1dfa8a837d7b938c60f05b6b56b3ad

SHA512
cc23cb30d76d22500c3ed7ce9ee0388588309d0779441b95559fce25a42f1eff52ca285c347655f8b33c15b75f9d2067738a151f81f605d3b563799a3a06c9a9

Download Submit
memory/2732-19-0x0000000002D70000-0x0000000002D71000-memory.dmp

Filesize
4KB

Download
memory/2932-15-0x0000000000450000-0x0000000000474000-memory.dmp

Filesize
144KB

Download
memory/3012-20-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

Filesize
4KB

Download
memory/3012-21-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

Filesize
4KB

Download