1256a30fff048dd5e18b0a85499e219e608414279c83d792a9129c4e67c325df

Analysis

max time kernel
6s
max time network
10s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
05/05/2024, 14:01

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

map.exe
Size

264KB
MD5

f03bfb7732b35dde3ec3d84b63fb4dd6
SHA1

aaea1ed894692e0927b353d412f9520f4151fe79
SHA256

1256a30fff048dd5e18b0a85499e219e608414279c83d792a9129c4e67c325df
SHA512

7f2ed3334bd83e09151424ff522229832b441a66008e84966dd37a6a260e0be7c491b1c689ceff5992a239f27ac3f5d89b646349540f097db007aa25fe192b1c
SSDEEP

6144:stBzkCA5ScTg8OxtnBp83+pQspEMU0kOu3S:cBzkf5PThOnnBm3YQsRU08

Score

8^/10

persistence

Malware Config

Signatures

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\frAQBc8Wsa1xVPfv\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\frAQBc8Wsa1xVPfv"	map.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "143"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4140	map.exe
4140	map.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
4140	map.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeShutdownPrivilege	760	shutdown.exe
Token: SeRemoteShutdownPrivilege	760	shutdown.exe
Token: SeLoadDriverPrivilege	4140	map.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4988	LogonUI.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4140 wrote to memory of 2576	4140	map.exe	81
PID 4140 wrote to memory of 2576	4140	map.exe	81
PID 2576 wrote to memory of 760	2576	cmd.exe	82
PID 2576 wrote to memory of 760	2576	cmd.exe	82

C:\Users\Admin\AppData\Local\Temp\map.exe
"C:\Users\Admin\AppData\Local\Temp\map.exe"
1⤵
- Sets service image path in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c shutdown /r /t 0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Windows\system32\shutdown.exe
    shutdown /r /t 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:760

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a10055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads