Analysis
-
max time kernel
137s -
max time network
139s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system -
submitted
08/05/2024, 19:32
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
47ff78372aeb7ca7e16561fce7b86705bbf8f794e68ef32adc5437e40da30a6c.exe
Resource
win10-20240404-en
windows10-1703-x64
12 signatures
300 seconds
Errors
Reason
Machine shutdown
General
-
Target
47ff78372aeb7ca7e16561fce7b86705bbf8f794e68ef32adc5437e40da30a6c.exe
-
Size
932KB
-
MD5
06a85389dd3f92a42ae852614b36ee95
-
SHA1
177df421df6eaf77ce2d6363006bc3e05bf56d5f
-
SHA256
47ff78372aeb7ca7e16561fce7b86705bbf8f794e68ef32adc5437e40da30a6c
-
SHA512
da0fe0b5cdcc850947704b7b374eaf410ce6c65b806b258a3e66a8e3fff4fa1e8dcae18dc6ac5fae8fd545afac213c352b6dcef3b6f9ce48b993f5204ccd953e
-
SSDEEP
12288:MOQNMIt3+hioijxOcaGW/v7EaEfvnJUC2+6zI4cHkYaG6U5SqFS4609bCFrZd:LWMIMhiop+4w/fvT2dMINbU5zFQmUz
Score
6/10
Malware Config
Signatures
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PHYSICALDRIVE0 47ff78372aeb7ca7e16561fce7b86705bbf8f794e68ef32adc5437e40da30a6c.exe -
Drops file in Windows directory 3 IoCs
description ioc Process File created C:\Windows\rescache\_merged\4183903823\2290032291.pri taskmgr.exe File created C:\Windows\rescache\_merged\1601268389\715946058.pri taskmgr.exe File created C:\Windows\rescache\_merged\421858948\2704036608.pri LogonUI.exe -
Program crash 2 IoCs
pid pid_target Process procid_target 2940 5068 WerFault.exe 73 4148 5068 WerFault.exe 73 -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString taskmgr.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 taskmgr.exe -
Modifies data under HKEY_USERS 15 IoCs
description ioc Process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" LogonUI.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" LogonUI.exe -
Suspicious behavior: EnumeratesProcesses 61 IoCs
pid Process 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2164 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
description pid Process Token: SeDebugPrivilege 2164 taskmgr.exe Token: SeSystemProfilePrivilege 2164 taskmgr.exe Token: SeCreateGlobalPrivilege 2164 taskmgr.exe Token: 33 2164 taskmgr.exe Token: SeIncBasePriorityPrivilege 2164 taskmgr.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe 2164 taskmgr.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 1912 LogonUI.exe 1912 LogonUI.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\47ff78372aeb7ca7e16561fce7b86705bbf8f794e68ef32adc5437e40da30a6c.exe"C:\Users\Admin\AppData\Local\Temp\47ff78372aeb7ca7e16561fce7b86705bbf8f794e68ef32adc5437e40da30a6c.exe"1⤵
- Writes to the Master Boot Record (MBR)
PID:5068 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 7402⤵
- Program crash
PID:2940
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 8122⤵
- Program crash
PID:4148
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:3492
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2164
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x0 /state0:0xa3a9a855 /state1:0x41c64e6d1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1912