adb9115b0c3d71c2d3f2313e01a83ed7cc10878f79008791486c453806e19c15

Resubmissions

18/04/2024, 18:45

Analysis

max time kernel
58s
max time network
60s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
18/04/2024, 18:45

Sharing

Reason

Machine shutdown: "{\"level\":\"info\",\"time\":\"2024-04-18T18:47:16Z\",\"message\":\"Dirty snapshot: /var/lib/sandbox/hatchvm/win10v2004-20240412-en/instance_15-dirty.qcow2\"}"

Report Analysis Logs

General

Target

encrypt 1.0.1.exe
Size

5.2MB
MD5

2437f8fb399dc6b61a417a7fded575fc
SHA1

e08930ecd6b37d619b30aaf05f17d4e273dcf8da
SHA256

adb9115b0c3d71c2d3f2313e01a83ed7cc10878f79008791486c453806e19c15
SHA512

147c0c4743946849c484ee6fdd6317d9e765a2c383004998083371827e80c6dd3920bea5b18c47d9723c310bc2508dace8de2d9f50163f7b8d875d1afd81a98a
SSDEEP

98304:VsV8KwZhhSh2uW5MI06O7/Xuy/+7F+7cETUvx6kADkTs:VsVfwZhYEL2V6c/f/+ScEgJ6hDw

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
3452	encrypt 1.0.1.exe
3452	encrypt 1.0.1.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "168"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3136	LogonUI.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4828 wrote to memory of 3452	4828	encrypt 1.0.1.exe	87
PID 4828 wrote to memory of 3452	4828	encrypt 1.0.1.exe	87
PID 3452 wrote to memory of 3324	3452	encrypt 1.0.1.exe	88
PID 3452 wrote to memory of 3324	3452	encrypt 1.0.1.exe	88
PID 3452 wrote to memory of 4720	3452	encrypt 1.0.1.exe	96
PID 3452 wrote to memory of 4720	3452	encrypt 1.0.1.exe	96
PID 3452 wrote to memory of 3180	3452	encrypt 1.0.1.exe	100
PID 3452 wrote to memory of 3180	3452	encrypt 1.0.1.exe	100

C:\Users\Admin\AppData\Local\Temp\encrypt 1.0.1.exe
"C:\Users\Admin\AppData\Local\Temp\encrypt 1.0.1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4828
- C:\Users\Admin\AppData\Local\Temp\encrypt 1.0.1.exe
  "C:\Users\Admin\AppData\Local\Temp\encrypt 1.0.1.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3452
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:3324
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:4720
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:3180

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3958055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3136

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI48282\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48282\_bz2.pyd

Filesize
81KB

MD5
a4b636201605067b676cc43784ae5570

SHA1
e9f49d0fc75f25743d04ce23c496eb5f89e72a9a

SHA256
f178e29921c04fb68cc08b1e5d1181e5df8ce1de38a968778e27990f4a69973c

SHA512
02096bc36c7a9ecfa1712fe738b5ef8b78c6964e0e363136166657c153727b870a6a44c1e1ec9b81289d1aa0af9c85f1a37b95b667103edc2d3916280b6a9488

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48282\_decimal.pyd

Filesize
244KB

MD5
10f7b96c666f332ec512edade873eecb

SHA1
4f511c030d4517552979105a8bb8cccf3a56fcea

SHA256
6314c99a3efa15307e7bdbe18c0b49bc841c734f42923a0b44aab42ed7d4a62d

SHA512
cfe5538e3becbc3aa5540c627af7bf13ad8f5c160b581a304d1510e0cb2876d49801df76916dcda6b7e0654ce145bb66d6e31bd6174524ae681d5f2b49088419

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48282\_hashlib.pyd

Filesize
60KB

MD5
49ce7a28e1c0eb65a9a583a6ba44fa3b

SHA1
dcfbee380e7d6c88128a807f381a831b6a752f10

SHA256
1be5cfd06a782b2ae8e4629d9d035cbc487074e8f63b9773c85e317be29c0430

SHA512
cf1f96d6d61ecb2997bb541e9eda7082ef4a445d3dd411ce6fd71b0dfe672f4dfaddf36ae0fb7d5f6d1345fbd90c19961a8f35328332cdaa232f322c0bf9a1f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48282\_lzma.pyd

Filesize
154KB

MD5
b5fbc034ad7c70a2ad1eb34d08b36cf8

SHA1
4efe3f21be36095673d949cceac928e11522b29c

SHA256
80a6ebe46f43ffa93bbdbfc83e67d6f44a44055de1439b06e4dd2983cb243df6

SHA512
e7185da748502b645030c96d3345d75814ba5fd95a997c2d1c923d981c44d5b90db64faf77ddbbdc805769af1bec37daf0ecee0930a248b67a1c2d92b59c250c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48282\_socket.pyd

Filesize
75KB

MD5
e137df498c120d6ac64ea1281bcab600

SHA1
b515e09868e9023d43991a05c113b2b662183cfe

SHA256
8046bf64e463d5aa38d13525891156131cf997c2e6cdf47527bc352f00f5c90a

SHA512
cc2772d282b81873aa7c5cba5939d232cceb6be0908b211edb18c25a17cbdb5072f102c0d6b7bc9b6b2f1f787b56ab1bc9be731bb9e98885c17e26a09c2beb90

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48282\base_library.zip

Filesize
859KB

MD5
3fa51488087c6577ba4d4accecda2bb6

SHA1
3584d301bcb007f6de830729b3cc994c048edd93

SHA256
8f614b9743bf81cba58bb2f50dcede4e0e9310727b114be36ef9022d587dc622

SHA512
bc1e42eabc128e304ccd5ec9413907b0760ebc96b6eb7b6d1f509433d1912b703136c42d4f8cac98bbba157c75f3a416f7b2ea241de17c08eafa2acb2a4e1669

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48282\libcrypto-1_1.dll

Filesize
3.3MB

MD5
ab01c808bed8164133e5279595437d3d

SHA1
0f512756a8db22576ec2e20cf0cafec7786fb12b

SHA256
9c0a0a11629cced6a064932e95a0158ee936739d75a56338702fed97cb0bad55

SHA512
4043cda02f6950abdc47413cfd8a0ba5c462f16bcd4f339f9f5a690823f4d0916478cab5cae81a3d5b03a8a196e17a716b06afee3f92dec3102e3bbc674774f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48282\python310.dll

Filesize
4.3MB

MD5
c80b5cb43e5fe7948c3562c1fff1254e

SHA1
f73cb1fb9445c96ecd56b984a1822e502e71ab9d

SHA256
058925e4bbfcb460a3c00ec824b8390583baef0c780a7c7ff01d43d9eec45f20

SHA512
faa97a9d5d2a0bf78123f19f8657c24921b907268938c26f79e1df6d667f7bee564259a3a11022e8629996406cda9fa00434bb2b1de3e10b9bddc59708dbad81

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48282\select.pyd

Filesize
28KB

MD5
adc412384b7e1254d11e62e451def8e9

SHA1
04e6dff4a65234406b9bc9d9f2dcfe8e30481829

SHA256
68b80009ab656ffe811d680585fac3d4f9c1b45f29d48c67ea2b3580ec4d86a1

SHA512
f250f1236882668b2686bd42e1c334c60da7abec3a208ebebdee84a74d7c4c6b1bc79eed7241bc7012e4ef70a6651a32aa00e32a83f402475b479633581e0b07

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48282\unicodedata.pyd

Filesize
1.1MB

MD5
102bbbb1f33ce7c007aac08fe0a1a97e

SHA1
9a8601bea3e7d4c2fa6394611611cda4fc76e219

SHA256
2cf6c5dea30bb0584991b2065c052c22d258b6e15384447dcea193fdcac5f758

SHA512
a07731f314e73f7a9ea73576a89ccb8a0e55e53f9b5b82f53121b97b1814d905b17a2da9bd2eda9f9354fc3f15e3dea7a613d7c9bc98c36bba653743b24dfc32

Download Submit