e6094f81dcdfd9796dabc1798f2d2b68110bd4199e0abb0b5d3121a3f6b9a822 | Triage

Analysis

max time kernel
6s
max time network
11s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
21-05-2024 14:34

Sharing

Reason

Machine shutdown

Report Analysis Logs

General

Target

ransom.bat
Size

279B
MD5

bfc4aa4a19279663910dca40ea9fed21
SHA1

5816a4966330d61030c3def3dbf415168b95dac8
SHA256

e6094f81dcdfd9796dabc1798f2d2b68110bd4199e0abb0b5d3121a3f6b9a822
SHA512

61d92575c33613ab36663dc68e8b99e6ab2b77986f7c9aaf2358855cde6372174ee7d7d1675f65fb05953711f48dff1d2125962f4953b2468f7a2c2d8eedddbc

Score

1^/10

Malware Config

Signatures

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2460 timeout.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "191"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

shutdown.exe

description pid process

Token: SeShutdownPrivilege 2452 shutdown.exe
Token: SeRemoteShutdownPrivilege 2452 shutdown.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

3740 LogonUI.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 4040 wrote to memory of 2460	4040	cmd.exe	timeout.exe
PID 4040 wrote to memory of 2460	4040	cmd.exe	timeout.exe
PID 4040 wrote to memory of 2452	4040	cmd.exe	shutdown.exe
PID 4040 wrote to memory of 2452	4040	cmd.exe	shutdown.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ransom.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4040

C:\Windows\system32\timeout.exe
timeout /t 5 /nobreak
2⤵
- Delays execution with timeout.exe
PID:2460

C:\Windows\system32\shutdown.exe
shutdown /r /t 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2452

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3963855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3740

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...