d9033b9ce6e72e3a46754c626358c008225855ba0b7805092af342eaf02d6e43

Resubmissions

24-10-2024 14:15

241024-rkkmfavbjq 10

18-03-2024 15:46

240318-s74jhacc94 10

18-03-2024 15:46

240318-s7l98ach3w 10

Analysis

max time kernel
75s
max time network
32s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
18-03-2024 15:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2664-0-0x0000000001070000-0x0000000001E58000-memory.exe
Size

13.9MB
MD5

a799b2c3efdf9d684740448650217463
SHA1

18f92a74382bde73f7d06ac7245663823253b7d7
SHA256

d9033b9ce6e72e3a46754c626358c008225855ba0b7805092af342eaf02d6e43
SHA512

f0b55daaa47c2051012cb00c0964a0356c372159e72325e058e603758c7d2d6e19c9c9e4fc67f89eb29b9ddd78c5a14aa036233e97d66f6b490a2128cf7d0740
SSDEEP

196608:ngrlG8syCHeuRCBJ54kJnXlES7XSqmIpRH90fjxyCKYCthjUMGV7EGEjXig:gxG805o4WnL7u2+BEjBi

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1072	4624	WerFault.exe	80

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E	dwm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E	dwm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "180"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe

Suspicious behavior: EnumeratesProcesses 45 IoCs

pid	Process
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2500	taskmgr.exe

Suspicious behavior: LoadsDriver 64 IoCs

pid	Process
1072	Process not Found
4976	Process not Found
3252	Process not Found
1088	Process not Found
1584	Process not Found
2400	Process not Found
4296	Process not Found
4076	Process not Found
444	Process not Found
2612	Process not Found
2080	Process not Found
2864	Process not Found
2064	Process not Found
3488	Process not Found
1940	Process not Found
1152	Process not Found
3720	Process not Found
2112	Process not Found
1932	Process not Found
584	Process not Found
504	Process not Found
492	Process not Found
4880	Process not Found
4892	Process not Found
3216	Process not Found
4988	Process not Found
2044	Process not Found
1412	Process not Found
2404	Process not Found
1876	Process not Found
2408	Process not Found
2584	Process not Found
1968	Process not Found
2552	Process not Found
2120	Process not Found
4804	Process not Found
3104	Process not Found
2132	Process not Found
1048	Process not Found
4868	Process not Found
3280	Process not Found
2744	Process not Found
2960	Process not Found
2752	Process not Found
4400	Process not Found
2716	Process not Found
3088	Process not Found
1132	Process not Found
1252	Process not Found
1264	Process not Found
1296	Process not Found
1364	Process not Found
1520	Process not Found
1356	Process not Found
3632	Process not Found
1312	Process not Found
5108	Process not Found
4712	Process not Found
4904	Process not Found
3820	Process not Found
1936	Process not Found
2968	Process not Found
3068	Process not Found
4016	Process not Found

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeDebugPrivilege	2500	taskmgr.exe
Token: SeSystemProfilePrivilege	2500	taskmgr.exe
Token: SeCreateGlobalPrivilege	2500	taskmgr.exe
Token: SeCreateGlobalPrivilege	4176	dwm.exe
Token: SeChangeNotifyPrivilege	4176	dwm.exe
Token: 33	4176	dwm.exe
Token: SeIncBasePriorityPrivilege	4176	dwm.exe
Token: SeCreateGlobalPrivilege	4388	dwm.exe
Token: SeChangeNotifyPrivilege	4388	dwm.exe
Token: 33	4388	dwm.exe
Token: SeIncBasePriorityPrivilege	4388	dwm.exe
Token: SeCreateGlobalPrivilege	4820	dwm.exe
Token: SeChangeNotifyPrivilege	4820	dwm.exe
Token: 33	4820	dwm.exe
Token: SeIncBasePriorityPrivilege	4820	dwm.exe
Token: SeCreateGlobalPrivilege	4716	dwm.exe
Token: SeChangeNotifyPrivilege	4716	dwm.exe
Token: 33	4716	dwm.exe
Token: SeIncBasePriorityPrivilege	4716	dwm.exe
Token: SeCreateGlobalPrivilege	4616	dwm.exe
Token: SeChangeNotifyPrivilege	4616	dwm.exe
Token: 33	4616	dwm.exe
Token: SeIncBasePriorityPrivilege	4616	dwm.exe
Token: SeCreateGlobalPrivilege	2688	dwm.exe
Token: SeChangeNotifyPrivilege	2688	dwm.exe
Token: 33	2688	dwm.exe
Token: SeIncBasePriorityPrivilege	2688	dwm.exe
Token: SeCreateGlobalPrivilege	228	dwm.exe
Token: SeChangeNotifyPrivilege	228	dwm.exe
Token: 33	228	dwm.exe
Token: SeIncBasePriorityPrivilege	228	dwm.exe
Token: SeCreateGlobalPrivilege	2100	dwm.exe
Token: SeChangeNotifyPrivilege	2100	dwm.exe
Token: 33	2100	dwm.exe
Token: SeIncBasePriorityPrivilege	2100	dwm.exe
Token: 33	3856	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3856	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe

Suspicious use of SendNotifyMessage 37 IoCs

pid	Process
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe
2500	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3860	LogonUI.exe

C:\Users\Admin\AppData\Local\Temp\2664-0-0x0000000001070000-0x0000000001E58000-memory.exe
"C:\Users\Admin\AppData\Local\Temp\2664-0-0x0000000001070000-0x0000000001E58000-memory.exe"
1⤵
PID:4624
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 8
  2⤵
  - Program crash
  PID:1072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4624 -ip 4624
1⤵
PID:4616

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2500

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4176

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4388

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4820

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4716

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4616

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2688

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:228

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2100

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004DC 0x0000000000000494
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3856

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39dd055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3860

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2500-0-0x00000247E4200000-0x00000247E4201000-memory.dmp

Filesize
4KB

Download
memory/2500-1-0x00000247E4200000-0x00000247E4201000-memory.dmp

Filesize
4KB

Download
memory/2500-2-0x00000247E4200000-0x00000247E4201000-memory.dmp

Filesize
4KB

Download
memory/2500-7-0x00000247E4200000-0x00000247E4201000-memory.dmp

Filesize
4KB

Download
memory/2500-6-0x00000247E4200000-0x00000247E4201000-memory.dmp

Filesize
4KB

Download
memory/2500-8-0x00000247E4200000-0x00000247E4201000-memory.dmp

Filesize
4KB

Download
memory/2500-9-0x00000247E4200000-0x00000247E4201000-memory.dmp

Filesize
4KB

Download
memory/2500-10-0x00000247E4200000-0x00000247E4201000-memory.dmp

Filesize
4KB

Download
memory/2500-11-0x00000247E4200000-0x00000247E4201000-memory.dmp

Filesize
4KB

Download
memory/2500-12-0x00000247E4200000-0x00000247E4201000-memory.dmp

Filesize
4KB

Download