6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

Reason

Machine shutdown

General

Target

target.ps1
Size

1B
MD5

c4ca4238a0b923820dcc509a6f75849b
SHA1

356a192b7913b04c54574d18c28d46e6395428ab
SHA256

6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512

4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\Recovery\ReAgent.xml	bootim.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	bootim.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	bootim.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	bootim.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	bootim.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "182"	LogonUI.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1584	powershell.exe
1584	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1584	powershell.exe
Token: SeTakeOwnershipPrivilege	236	bootim.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5236	LogonUI.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 4728	1752	firefox.exe	93
PID 1752 wrote to memory of 4728	1752	firefox.exe	93
PID 1752 wrote to memory of 4728	1752	firefox.exe	93
PID 1752 wrote to memory of 4728	1752	firefox.exe	93
PID 1752 wrote to memory of 4728	1752	firefox.exe	93
PID 1752 wrote to memory of 4728	1752	firefox.exe	93
PID 1752 wrote to memory of 4728	1752	firefox.exe	93
PID 1752 wrote to memory of 4728	1752	firefox.exe	93
PID 1752 wrote to memory of 4728	1752	firefox.exe	93
PID 1752 wrote to memory of 4728	1752	firefox.exe	93
PID 1752 wrote to memory of 4728	1752	firefox.exe	93

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\target.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1584

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:224

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DevicesFlow -s DevicesFlowUserSvc
1⤵
PID:1712

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:4172

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:1880

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:2260

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1752
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  PID:4728
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4728.0.1195581143\1796424805" -parentBuildID 20221007134813 -prefsHandle 1672 -prefMapHandle 1504 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a78aaa3a-b6d6-415c-9469-42222907febb} 4728 "\\.\pipe\gecko-crash-server-pipe.4728" 1764 2b713ba2058 gpu
    3⤵
    PID:4700
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4728.1.959048897\790229686" -parentBuildID 20221007134813 -prefsHandle 2112 -prefMapHandle 2100 -prefsLen 20783 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d8674a3d-cd2f-4fdc-8d58-cec9b8c48699} 4728 "\\.\pipe\gecko-crash-server-pipe.4728" 2140 2b712af2c58 socket
    3⤵
    PID:4936
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4728.2.1228699702\158590880" -childID 1 -isForBrowser -prefsHandle 3132 -prefMapHandle 3160 -prefsLen 20886 -prefMapSize 233444 -jsInitHandle 1176 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8ab009b8-ad83-4fde-a078-3f72681b978a} 4728 "\\.\pipe\gecko-crash-server-pipe.4728" 2684 2b7184f9b58 tab
    3⤵
    PID:4500
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4728.3.634264575\1959049613" -childID 2 -isForBrowser -prefsHandle 3376 -prefMapHandle 3372 -prefsLen 26064 -prefMapSize 233444 -jsInitHandle 1176 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0e4212ab-ee01-4a18-9579-6b6cdd10d6f3} 4728 "\\.\pipe\gecko-crash-server-pipe.4728" 3384 2b718a56558 tab
    3⤵
    PID:3288
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4728.4.1585204373\275528351" -childID 3 -isForBrowser -prefsHandle 4204 -prefMapHandle 4212 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1176 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7177e04e-3056-49b1-b1a8-ee974c5430f2} 4728 "\\.\pipe\gecko-crash-server-pipe.4728" 4280 2b719ff0758 tab
    3⤵
    PID:4344
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4728.5.2040502169\1984366533" -childID 4 -isForBrowser -prefsHandle 4720 -prefMapHandle 4732 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1176 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ff5f018a-56c1-462e-a0e9-412cfb337ebc} 4728 "\\.\pipe\gecko-crash-server-pipe.4728" 4280 2b718a56b58 tab
    3⤵
    PID:2604
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4728.6.1945173135\573169325" -childID 5 -isForBrowser -prefsHandle 4896 -prefMapHandle 4900 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1176 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2b7f84c8-69e1-4e7e-acef-0976bccd6d5e} 4728 "\\.\pipe\gecko-crash-server-pipe.4728" 4888 2b71a6f8f58 tab
    3⤵
    PID:4668
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4728.7.1178760441\571876560" -childID 6 -isForBrowser -prefsHandle 5084 -prefMapHandle 5088 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1176 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {da8372a3-e95a-45a9-a074-a52b92d75e6f} 4728 "\\.\pipe\gecko-crash-server-pipe.4728" 5076 2b71a6f9b58 tab
    3⤵
    PID:4972

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a28055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5236

C:\Windows\system32\bootim.exe
bootim.exe /startpage:1
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ybpn2nte.bfd.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System32\Recovery\ReAgent.xml

Filesize
1KB

MD5
443c06577f0f3dd5e353ccaf9f5e07db

SHA1
a0c91edd35ea1074687751cddca73014afb2d82c

SHA256
aac0e7f4bb510bd854759ec8ed8d51098e1e9f4262765cf71e5f05f2f2194cc8

SHA512
b0405fabbf4ba020aa23b3f5dd021a92d4e9313d29ea249671a3935583fd9082c46119554d565fc5e402d5e4c9648c2996b2b2633aa3bc182bffc0d234dd7a1a

Download Submit
memory/1584-8-0x000001B130520000-0x000001B130542000-memory.dmp

Filesize
136KB

Download
memory/1584-9-0x00007FFE08C10000-0x00007FFE096D2000-memory.dmp

Filesize
10.8MB

Download
memory/1584-11-0x000001B1304E0000-0x000001B1304F0000-memory.dmp

Filesize
64KB

Download
memory/1584-10-0x000001B1304E0000-0x000001B1304F0000-memory.dmp

Filesize
64KB

Download
memory/1584-12-0x000001B1304E0000-0x000001B1304F0000-memory.dmp

Filesize
64KB

Download
memory/1584-15-0x00007FFE08C10000-0x00007FFE096D2000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

Errors