f28a51b11bd5a184a2415a5243ee65b31a19109e61acc50a14c174a613fe4938

Analysis

max time kernel
10s
max time network
10s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
27/03/2024, 22:41

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Malware-master/crashespc.bat
Size

278B
MD5

8e2220e4552a3ed322c0b542e8641ad7
SHA1

2d0c40f092d0264b864876c82fce71df4a9cdf1e
SHA256

d0675ccdf06d1360fd6193bd583e2b6e06888e882e1f9b21430b5328f7c7a4f6
SHA512

2a9e9f35b55a41bb65e914d43fdfb1576d46098abc9b1c35e29f03b1a4d3df89212c1181322e8422f0ad1055483ec4204e25728641012f8a52d30ea9c77cdc05

Score

1^/10

Malware Config

Signatures

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "156"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4684	shutdown.exe
Token: SeRemoteShutdownPrivilege	4684	shutdown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2084	LogonUI.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 3788	2128	cmd.exe	86
PID 2128 wrote to memory of 3788	2128	cmd.exe	86
PID 2128 wrote to memory of 2716	2128	cmd.exe	87
PID 2128 wrote to memory of 2716	2128	cmd.exe	87
PID 2128 wrote to memory of 3232	2128	cmd.exe	88
PID 2128 wrote to memory of 3232	2128	cmd.exe	88
PID 2128 wrote to memory of 1936	2128	cmd.exe	89
PID 2128 wrote to memory of 1936	2128	cmd.exe	89
PID 2128 wrote to memory of 1628	2128	cmd.exe	90
PID 2128 wrote to memory of 1628	2128	cmd.exe	90
PID 2128 wrote to memory of 4684	2128	cmd.exe	91
PID 2128 wrote to memory of 4684	2128	cmd.exe	91

Views/modifies file attributes 1 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3788	attrib.exe
2716	attrib.exe
3232	attrib.exe
1936	attrib.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Malware-master\crashespc.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Windows\system32\attrib.exe
  attrib -r -s -h c:autoexec.bat
  2⤵
  - Views/modifies file attributes
  PID:3788
- C:\Windows\system32\attrib.exe
  attrib -r -s -h c:boot.ini
  2⤵
  - Views/modifies file attributes
  PID:2716
- C:\Windows\system32\attrib.exe
  attrib -r -s -h c:ntldr
  2⤵
  - Views/modifies file attributes
  PID:3232
- C:\Windows\system32\attrib.exe
  attrib -r -s -h c:windowswin.ini
  2⤵
  - Views/modifies file attributes
  PID:1936
- C:\Windows\system32\msg.exe
  msg * YOU GOT OWNED!!!
  2⤵
  PID:1628
- C:\Windows\system32\shutdown.exe
  shutdown -s -t 7 -c "A VIRUS IS TAKING OVER c:Drive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4684

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa398f855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads