1b555820823612cdc01638e78f298d906aaa7226b51fb1d31bed494c46b383b2

Analysis

max time kernel
155s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
29/02/2024, 03:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2974306ecd35625fa1178839af538a784f556cfd24ccf6f55da33a1b12ef3982.exe
Size

16.7MB
MD5

cb25d7a3e925218db1fe292b8a1005a3
SHA1

b16dadb69560787b68996db571e47cdc38d3d0c7
SHA256

2974306ecd35625fa1178839af538a784f556cfd24ccf6f55da33a1b12ef3982
SHA512

f120121342198a9edca351775e5f2aac5d3b4a933a2f334f046948c00a96f34ceae1a126701696972d7bdfb7a9b1530ef5e2a9c3212611ad6abeecee26243774
SSDEEP

393216:sCWRxKyZKx8iSfS+a0KhoRuSGlUfV1FC3IoC5ZPw7KaDj7zZVMVxKXag62:wxPy8t6T0W3YHw3LC5ZPwWaDj7NVhT

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 7 IoCs

pid	Process
4976	2974306ecd35625fa1178839af538a784f556cfd24ccf6f55da33a1b12ef3982.exe
4976	2974306ecd35625fa1178839af538a784f556cfd24ccf6f55da33a1b12ef3982.exe
4976	2974306ecd35625fa1178839af538a784f556cfd24ccf6f55da33a1b12ef3982.exe
4976	2974306ecd35625fa1178839af538a784f556cfd24ccf6f55da33a1b12ef3982.exe
4976	2974306ecd35625fa1178839af538a784f556cfd24ccf6f55da33a1b12ef3982.exe
4976	2974306ecd35625fa1178839af538a784f556cfd24ccf6f55da33a1b12ef3982.exe
4976	2974306ecd35625fa1178839af538a784f556cfd24ccf6f55da33a1b12ef3982.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "109"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe

Suspicious behavior: LoadsDriver 64 IoCs

pid	Process
1048	Process not Found
1092	Process not Found
916	Process not Found
3488	Process not Found
4072	Process not Found
1680	Process not Found
2988	Process not Found
1588	Process not Found
3176	Process not Found
4668	Process not Found
400	Process not Found
740	Process not Found
3116	Process not Found
1476	Process not Found
1764	Process not Found
3220	Process not Found
836	Process not Found
3732	Process not Found
3172	Process not Found
3236	Process not Found
2120	Process not Found
4448	Process not Found
1076	Process not Found
3592	Process not Found
3992	Process not Found
3396	Process not Found
552	Process not Found
2812	Process not Found
1436	Process not Found
4476	Process not Found
4128	Process not Found
2660	Process not Found
4436	Process not Found
2296	Process not Found
2908	Process not Found
4212	Process not Found
2428	Process not Found
1900	Process not Found
2696	Process not Found
4900	Process not Found
2628	Process not Found
468	Process not Found
2300	Process not Found
4328	Process not Found
4360	Process not Found
4372	Process not Found
1888	Process not Found
4168	Process not Found
776	Process not Found
60	Process not Found
220	Process not Found
1272	Process not Found
3240	Process not Found
1948	Process not Found
100	Process not Found
812	Process not Found
2904	Process not Found
1456	Process not Found
4552	Process not Found
1616	Process not Found
2600	Process not Found
2080	Process not Found
3524	Process not Found
1716	Process not Found

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 33	2760	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2760	AUDIODG.EXE
Token: SeShutdownPrivilege	4976	2974306ecd35625fa1178839af538a784f556cfd24ccf6f55da33a1b12ef3982.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2136	LogonUI.exe

C:\Users\Admin\AppData\Local\Temp\2974306ecd35625fa1178839af538a784f556cfd24ccf6f55da33a1b12ef3982.exe
"C:\Users\Admin\AppData\Local\Temp\2974306ecd35625fa1178839af538a784f556cfd24ccf6f55da33a1b12ef3982.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4976

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x418 0x3d0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2760

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa398f055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2136

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d4b4c636-3bf7-466b-8a64-a11aa0f44e84.FusionApp\PCShutdownOperations.mfx

Filesize
114KB

MD5
426ac6ce433939fb99a06c4924f374c9

SHA1
d35fdd69d7788dc4e75e615d0ca9ac011bce14f5

SHA256
7948de373521b28b905b0f543d8851272fa6259594aab4379abd5e330f0360ce

SHA512
6085240699168fea46df1210c85ac874a106fd1de0ecd2b1260a5ba05de6403d7bee48a75c2b6624f98afb55d5a392063cc73af8d2110d289ab9844942bbf7b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4b4c636-3bf7-466b-8a64-a11aa0f44e84.FusionApp\mmf2d3d9.dll

Filesize
1.1MB

MD5
3ae47534f1224c4797176107a9a41683

SHA1
5c4af10c0afa5233a21a661d7ba9130c808a961d

SHA256
53edf5138930d52b473104ce0d085413248d15a4aa891ac02a718e89625de6ef

SHA512
6dc285765b4726708afaab793b7b384121476fa807114490824a5513c5c80b6278e376dae3b0d82a7360cd65cdbce8d3f60ed23271453a08e2a5af311715e8d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4b4c636-3bf7-466b-8a64-a11aa0f44e84.FusionApp\mmfs2.dll

Filesize
506KB

MD5
efaebf8b1628c22289be3adbb83fe614

SHA1
efa4dd19ceda4e60069f0b7d8e0bbcd4f78438fb

SHA256
3d89c4fe6c2fa379b203286c9db649ab83f9934ac1be21302057a563a3707563

SHA512
6921ad80c36ce3a9fd774f6785c45d5c56f68fb29712cac6472c8878a685e641adbe2077d2b96b4d59aaa7b978b3e8357cffca1628583986474de67765e1e48e

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4b4c636-3bf7-466b-8a64-a11aa0f44e84.FusionApp\oggflt.sft

Filesize
130KB

MD5
0c8c1ee3ba92189f4ce21d1b396a2765

SHA1
b7daa4a6e16416151dccbb0a89f304961b6cb627

SHA256
9e589f86317d840df9bb74f6ee20c24ca65afe58f4009740382f63a0f5531941

SHA512
0a4339092ac55bac3b1bdfaaa3401020f8f49918bd2fdb14524f3d558eb840b876aedfdeb54a1da163fa36393abf3fe8ab7e112a34ea9d891e82a22e96c85ddc

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4b4c636-3bf7-466b-8a64-a11aa0f44e84.FusionApp\waveFlt.sft

Filesize
8KB

MD5
57ea61dd14314ef155e80c6a0be8a664

SHA1
963b0ef2fe976ff77044a821fe1e29be4a8cf8a7

SHA256
92a5053cf5973a6aa228c738d55387f12f1dfa8a837d7b938c60f05b6b56b3ad

SHA512
cc23cb30d76d22500c3ed7ce9ee0388588309d0779441b95559fce25a42f1eff52ca285c347655f8b33c15b75f9d2067738a151f81f605d3b563799a3a06c9a9

Download Submit
memory/4976-17-0x0000000003A70000-0x0000000003A94000-memory.dmp

Filesize
144KB

Download