Analysis
max time kernel: 16s
max time network: 18s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/03/2024, 01:12
Static task: static1
1 signatures

Behavioral task: behavioral1
Sample: b62429ba7840c28866d0673689e663ff.dll
Resource: win7-20240221-en
3 signatures
150 seconds

Behavioral task: behavioral2
Sample: b62429ba7840c28866d0673689e663ff.dll
Resource: win10v2004-20240226-en
5 signatures
150 seconds

Errors
Reason: Machine shutdown
General
Target: b62429ba7840c28866d0673689e663ff.dll
Size: 64KB
MD5: b62429ba7840c28866d0673689e663ff
SHA1: a79fb109d4f6004306efae4c4b5c3aab077cb187
SHA256: c5e9216b24de59dbe54cf769319861c20c06375a0c92e35651a0ab53bf860dcf
SHA512: ddd876960022158dd380d2d1ea1076842aa1589bfa94ad9917c2713437ae4dba4cc5126e2be0708133b2961b2f66093857077df0c6b879e069b8c18e83f636d8
SSDEEP: 768:MqiqbT1CyYDktlzeEFRi3DrALm3xTWZZhHwdHzgeVNLVVSOeEJ9y59o:Wyckl+IL8xTWZZhHw5pD8EJ09o
Score: 1/10
Malware Config
Signatures

Modifies data under HKEY_USERS (15 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "125" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | LogonUI.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe

Suspicious behavior: EnumeratesProcesses (42 IoCs)
pid | Process
4320 | rundll32.exe (this same entry is listed 42 times in the report)

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeShutdownPrivilege | 4320 | rundll32.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
pid | Process
64 | LogonUI.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 1708 wrote to memory of 4320 | 1708 | rundll32.exe | 87
PID 1708 wrote to memory of 4320 | 1708 | rundll32.exe | 87
PID 1708 wrote to memory of 4320 | 1708 | rundll32.exe | 87
Processes

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b62429ba7840c28866d0673689e663ff.dll,#1
  PID: 1708
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b62429ba7840c28866d0673689e663ff.dll,#1
      PID: 4320
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x4 /state0:0xa3945855 /state1:0x41c64e6d
  PID: 64
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx