6e8a08d6caf0e0ad6a555da452f403b0bcf2e8fdf8f968130eda3686a4e1555f

Analysis

max time kernel
15s
max time network
20s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
02-04-2024 14:22

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

TUP32980638916Y/ctfmon-dll-decoded.dll
Size

182KB
MD5

23b14120aecb4d67d836727c729340d9
SHA1

225be6cc75963513c72b394180a1bdb5418d9a06
SHA256

4af123558afa33de6944a4766fc63c6ed31b661cda5a1162f89e8f1edec0b0fa
SHA512

9be95e1e489e92967de883bbdf4512b2c9da556958f12d9c3c516bf6d5115c60a6d2a0549b9c0ca5b5c600ae213bd410e8273eecaea334025b591cc4779f96f6
SSDEEP

1536:leKfXcBeQXiQrJY+Brkk53AgZeOGTlbR30oNdJWc6FPfwnS3c1NwGqbQMgsjinUI:gKd8OMIOGMEnYs0iIVZuqDSo7Cp

Score

1^/10

Malware Config

Signatures

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "30"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

dllhost.exe

pid process

4040 dllhost.exe
4040 dllhost.exe
4040 dllhost.exe
4040 dllhost.exe
4040 dllhost.exe
4040 dllhost.exe

pid	process
4040	dllhost.exe
4040	dllhost.exe
4040	dllhost.exe
4040	dllhost.exe
4040	dllhost.exe
4040	dllhost.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

shutdown.exeshutdown.exeshutdown.exe

description	pid	process
Token: SeShutdownPrivilege	5960	shutdown.exe
Token: SeRemoteShutdownPrivilege	5960	shutdown.exe
Token: SeShutdownPrivilege	5976	shutdown.exe
Token: SeRemoteShutdownPrivilege	5976	shutdown.exe
Token: SeShutdownPrivilege	5968	shutdown.exe
Token: SeRemoteShutdownPrivilege	5968	shutdown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

5244 LogonUI.exe

pid	process
5244	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 4652 wrote to memory of 2728	4652	rundll32.exe	rundll32.exe
PID 4652 wrote to memory of 2728	4652	rundll32.exe	rundll32.exe
PID 4652 wrote to memory of 2728	4652	rundll32.exe	rundll32.exe
PID 2728 wrote to memory of 4040	2728	rundll32.exe	dllhost.exe
PID 2728 wrote to memory of 4040	2728	rundll32.exe	dllhost.exe
PID 2728 wrote to memory of 4040	2728	rundll32.exe	dllhost.exe
PID 2728 wrote to memory of 4040	2728	rundll32.exe	dllhost.exe
PID 2728 wrote to memory of 4040	2728	rundll32.exe	dllhost.exe
PID 2728 wrote to memory of 4040	2728	rundll32.exe	dllhost.exe
PID 2728 wrote to memory of 4040	2728	rundll32.exe	dllhost.exe
PID 2728 wrote to memory of 4040	2728	rundll32.exe	dllhost.exe
PID 2728 wrote to memory of 4040	2728	rundll32.exe	dllhost.exe
PID 2728 wrote to memory of 4040	2728	rundll32.exe	dllhost.exe
PID 2728 wrote to memory of 4040	2728	rundll32.exe	dllhost.exe
PID 2728 wrote to memory of 4040	2728	rundll32.exe	dllhost.exe
PID 2728 wrote to memory of 4040	2728	rundll32.exe	dllhost.exe
PID 2728 wrote to memory of 4040	2728	rundll32.exe	dllhost.exe
PID 2728 wrote to memory of 4040	2728	rundll32.exe	dllhost.exe
PID 2728 wrote to memory of 4040	2728	rundll32.exe	dllhost.exe
PID 2728 wrote to memory of 4040	2728	rundll32.exe	dllhost.exe
PID 2728 wrote to memory of 4040	2728	rundll32.exe	dllhost.exe
PID 2728 wrote to memory of 4040	2728	rundll32.exe	dllhost.exe
PID 2728 wrote to memory of 4040	2728	rundll32.exe	dllhost.exe
PID 2728 wrote to memory of 4040	2728	rundll32.exe	dllhost.exe
PID 2728 wrote to memory of 4040	2728	rundll32.exe	dllhost.exe
PID 2728 wrote to memory of 4040	2728	rundll32.exe	dllhost.exe
PID 2728 wrote to memory of 4040	2728	rundll32.exe	dllhost.exe
PID 2728 wrote to memory of 4040	2728	rundll32.exe	dllhost.exe
PID 2728 wrote to memory of 4040	2728	rundll32.exe	dllhost.exe
PID 2728 wrote to memory of 4040	2728	rundll32.exe	dllhost.exe
PID 2728 wrote to memory of 4040	2728	rundll32.exe	dllhost.exe
PID 2728 wrote to memory of 4040	2728	rundll32.exe	dllhost.exe
PID 2728 wrote to memory of 4040	2728	rundll32.exe	dllhost.exe
PID 2728 wrote to memory of 4040	2728	rundll32.exe	dllhost.exe
PID 2728 wrote to memory of 4040	2728	rundll32.exe	dllhost.exe
PID 2728 wrote to memory of 4040	2728	rundll32.exe	dllhost.exe
PID 2728 wrote to memory of 4040	2728	rundll32.exe	dllhost.exe
PID 2728 wrote to memory of 4040	2728	rundll32.exe	dllhost.exe
PID 2728 wrote to memory of 4040	2728	rundll32.exe	dllhost.exe
PID 2728 wrote to memory of 4040	2728	rundll32.exe	dllhost.exe
PID 2728 wrote to memory of 4040	2728	rundll32.exe	dllhost.exe
PID 2728 wrote to memory of 4040	2728	rundll32.exe	dllhost.exe
PID 2728 wrote to memory of 4040	2728	rundll32.exe	dllhost.exe
PID 2728 wrote to memory of 4040	2728	rundll32.exe	dllhost.exe
PID 2728 wrote to memory of 4040	2728	rundll32.exe	dllhost.exe
PID 2728 wrote to memory of 4040	2728	rundll32.exe	dllhost.exe
PID 2728 wrote to memory of 4040	2728	rundll32.exe	dllhost.exe
PID 2728 wrote to memory of 4040	2728	rundll32.exe	dllhost.exe
PID 2728 wrote to memory of 4040	2728	rundll32.exe	dllhost.exe
PID 2728 wrote to memory of 4040	2728	rundll32.exe	dllhost.exe
PID 2728 wrote to memory of 4040	2728	rundll32.exe	dllhost.exe
PID 2728 wrote to memory of 4040	2728	rundll32.exe	dllhost.exe
PID 2728 wrote to memory of 4040	2728	rundll32.exe	dllhost.exe
PID 2728 wrote to memory of 4040	2728	rundll32.exe	dllhost.exe
PID 2728 wrote to memory of 4040	2728	rundll32.exe	dllhost.exe
PID 2728 wrote to memory of 4040	2728	rundll32.exe	dllhost.exe
PID 2728 wrote to memory of 4040	2728	rundll32.exe	dllhost.exe
PID 2728 wrote to memory of 4040	2728	rundll32.exe	dllhost.exe
PID 2728 wrote to memory of 4040	2728	rundll32.exe	dllhost.exe
PID 2728 wrote to memory of 4040	2728	rundll32.exe	dllhost.exe
PID 2728 wrote to memory of 4040	2728	rundll32.exe	dllhost.exe
PID 2728 wrote to memory of 4040	2728	rundll32.exe	dllhost.exe
PID 2728 wrote to memory of 4040	2728	rundll32.exe	dllhost.exe
PID 2728 wrote to memory of 4040	2728	rundll32.exe	dllhost.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\TUP32980638916Y\ctfmon-dll-decoded.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4652

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\TUP32980638916Y\ctfmon-dll-decoded.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:2728

C:\Windows\SysWOW64\dllhost.exe
"C:\Windows\System32\dllhost.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4040

C:\Windows\SysWOW64\cmd.exe
cmd /c shutdown -s -t 2 -f
4⤵
PID:5776

C:\Windows\SysWOW64\shutdown.exe
shutdown -s -t 2 -f
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:5960

C:\Windows\SysWOW64\cmd.exe
cmd /c shutdown -s -t 2 -f
4⤵
PID:5792

C:\Windows\SysWOW64\shutdown.exe
shutdown -s -t 2 -f
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:5976

C:\Windows\SysWOW64\cmd.exe
cmd /c shutdown -s -t 1 -f
4⤵
PID:5800

C:\Windows\SysWOW64\shutdown.exe
shutdown -s -t 1 -f
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:5968

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3987855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5244

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4040-1-0x0000000000820000-0x0000000000821000-memory.dmp

Filesize
4KB

Download
memory/4040-2-0x0000000000840000-0x0000000000841000-memory.dmp

Filesize
4KB

Download
memory/4040-4-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

Filesize
4KB

Download
memory/4040-1215-0x0000000010410000-0x000000001064C000-memory.dmp

Filesize
2.2MB

Download
memory/4040-1233-0x0000000010410000-0x000000001064C000-memory.dmp

Filesize
2.2MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads