Overview
overview
8Static
static
3MicrosoftW...ll.bat
windows7-x64
1MicrosoftW...ll.bat
windows10-2004-x64
1MicrosoftW...nc.vbs
windows7-x64
3MicrosoftW...nc.vbs
windows10-2004-x64
7MicrosoftW...un.vbs
windows7-x64
3MicrosoftW...un.vbs
windows10-2004-x64
7MicrosoftW...dy.exe
windows7-x64
8MicrosoftW...dy.exe
windows10-2004-x64
8MicrosoftW...or.exe
windows7-x64
3MicrosoftW...or.exe
windows10-2004-x64
7MicrosoftW...ch.exe
windows7-x64
1MicrosoftW...ch.exe
windows10-2004-x64
1MicrosoftW...er.exe
windows7-x64
3MicrosoftW...er.exe
windows10-2004-x64
7MicrosoftW...ew.exe
windows7-x64
8MicrosoftW...ew.exe
windows10-2004-x64
8MicrosoftW...le.exe
windows7-x64
3MicrosoftW...le.exe
windows10-2004-x64
7MicrosoftW...od.exe
windows7-x64
1MicrosoftW...od.exe
windows10-2004-x64
1MicrosoftW...er.bat
windows7-x64
MicrosoftW...er.bat
windows10-2004-x64
MicrosoftW...32.exe
windows7-x64
1MicrosoftW...32.exe
windows10-2004-x64
1MicrosoftW...2s.exe
windows7-x64
4MicrosoftW...2s.exe
windows10-2004-x64
7MicrosoftW...le.vbs
windows7-x64
3MicrosoftW...le.vbs
windows10-2004-x64
7MicrosoftW...ec.vbs
windows7-x64
1MicrosoftW...ec.vbs
windows10-2004-x64
1MicrosoftW...en.vbs
windows7-x64
3MicrosoftW...en.vbs
windows10-2004-x64
7Analysis
-
max time kernel
37s -
max time network
39s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
02-03-2024 23:24
Static task
static1
Behavioral task
behavioral1
Sample
MicrosoftWindowsServicesEtc/AppKill.bat
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
MicrosoftWindowsServicesEtc/AppKill.bat
Resource
win10v2004-20240226-en
Behavioral task
behavioral3
Sample
MicrosoftWindowsServicesEtc/CallFunc.vbs
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
MicrosoftWindowsServicesEtc/CallFunc.vbs
Resource
win10v2004-20240226-en
Behavioral task
behavioral5
Sample
MicrosoftWindowsServicesEtc/DgzRun.vbs
Resource
win7-20240221-en
Behavioral task
behavioral6
Sample
MicrosoftWindowsServicesEtc/DgzRun.vbs
Resource
win10v2004-20240226-en
Behavioral task
behavioral7
Sample
MicrosoftWindowsServicesEtc/GetReady.exe
Resource
win7-20240221-en
Behavioral task
behavioral8
Sample
MicrosoftWindowsServicesEtc/GetReady.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral9
Sample
MicrosoftWindowsServicesEtc/Major.exe
Resource
win7-20240221-en
Behavioral task
behavioral10
Sample
MicrosoftWindowsServicesEtc/Major.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral11
Sample
MicrosoftWindowsServicesEtc/NotMuch.exe
Resource
win7-20240215-en
Behavioral task
behavioral12
Sample
MicrosoftWindowsServicesEtc/NotMuch.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral13
Sample
MicrosoftWindowsServicesEtc/RuntimeChecker.exe
Resource
win7-20240221-en
Behavioral task
behavioral14
Sample
MicrosoftWindowsServicesEtc/RuntimeChecker.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral15
Sample
MicrosoftWindowsServicesEtc/WinScrew.exe
Resource
win7-20240215-en
Behavioral task
behavioral16
Sample
MicrosoftWindowsServicesEtc/WinScrew.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral17
Sample
MicrosoftWindowsServicesEtc/breakrule.exe
Resource
win7-20240220-en
Behavioral task
behavioral18
Sample
MicrosoftWindowsServicesEtc/breakrule.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral19
Sample
MicrosoftWindowsServicesEtc/bsod.exe
Resource
win7-20240221-en
Behavioral task
behavioral20
Sample
MicrosoftWindowsServicesEtc/bsod.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral21
Sample
MicrosoftWindowsServicesEtc/checker.bat
Resource
win7-20240221-en
Behavioral task
behavioral22
Sample
MicrosoftWindowsServicesEtc/checker.bat
Resource
win10v2004-20240226-en
Behavioral task
behavioral23
Sample
MicrosoftWindowsServicesEtc/data/eula32.exe
Resource
win7-20240221-en
Behavioral task
behavioral24
Sample
MicrosoftWindowsServicesEtc/data/eula32.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral25
Sample
MicrosoftWindowsServicesEtc/data/runner32s.exe
Resource
win7-20240221-en
Behavioral task
behavioral26
Sample
MicrosoftWindowsServicesEtc/data/runner32s.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral27
Sample
MicrosoftWindowsServicesEtc/example.vbs
Resource
win7-20240221-en
Behavioral task
behavioral28
Sample
MicrosoftWindowsServicesEtc/example.vbs
Resource
win10v2004-20240226-en
Behavioral task
behavioral29
Sample
MicrosoftWindowsServicesEtc/fexec.vbs
Resource
win7-20240221-en
Behavioral task
behavioral30
Sample
MicrosoftWindowsServicesEtc/fexec.vbs
Resource
win10v2004-20240226-en
Behavioral task
behavioral31
Sample
MicrosoftWindowsServicesEtc/healgen.vbs
Resource
win7-20240220-en
Behavioral task
behavioral32
Sample
MicrosoftWindowsServicesEtc/healgen.vbs
Resource
win10v2004-20240226-en
Errors
General
-
Target
MicrosoftWindowsServicesEtc/checker.bat
-
Size
151B
-
MD5
f59801d5c49713770bdb2f14eff34e2f
-
SHA1
91090652460c3a197cfad74d2d3c16947d023d63
-
SHA256
3382484b5a6a04d05500e7622da37c1ffaef3a1343395942bc7802bf2a19b53f
-
SHA512
c1c3a78f86e7938afbe391f0e03065b04375207704e419fe77bf0810d1e740c3ef8926c878884ad81b429ec41e126813a68844f600e124f5fa8d28ef17b4b7bc
Malware Config
Signatures
-
Modifies data under HKEY_USERS 15 IoCs
Processes:
LogonUI.exedescription ioc process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" LogonUI.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "109" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" LogonUI.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
shutdown.exedescription pid process Token: SeShutdownPrivilege 3512 shutdown.exe Token: SeRemoteShutdownPrivilege 3512 shutdown.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
LogonUI.exepid process 4232 LogonUI.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
cmd.exedescription pid process target process PID 392 wrote to memory of 4268 392 cmd.exe wscript.exe PID 392 wrote to memory of 4268 392 cmd.exe wscript.exe PID 392 wrote to memory of 3512 392 cmd.exe shutdown.exe PID 392 wrote to memory of 3512 392 cmd.exe shutdown.exe
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\checker.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:392 -
C:\Windows\system32\wscript.exewscript.exe callfunc.vbs2⤵PID:4268
-
-
C:\Windows\system32\shutdown.exeshutdown -r -t 002⤵
- Suspicious use of AdjustPrivilegeToken
PID:3512
-
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa39fa855 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4232