Analysis
- max time kernel: 28s
- max time network: 23s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-05-2024 13:00
Static task
- static1
Behavioral task
- behavioral1
  Sample: 36d695e2dc5f58e1766c4e77a41414491e87eca29e0c249a7c4fc91866f3b21a.exe
  Resource: win7-20240508-en
Behavioral task
- behavioral2
  Sample: 36d695e2dc5f58e1766c4e77a41414491e87eca29e0c249a7c4fc91866f3b21a.exe
  Resource: win10v2004-20240426-en
Errors
General
- Target: 36d695e2dc5f58e1766c4e77a41414491e87eca29e0c249a7c4fc91866f3b21a.exe
- Size: 4.6MB
- MD5: 3163018748a2654f8a4f163ddef28a70
- SHA1: 578ff40fcf01877dd1f481f556d1c97b5e50c191
- SHA256: 36d695e2dc5f58e1766c4e77a41414491e87eca29e0c249a7c4fc91866f3b21a
- SHA512: db6bcff1a28560d696cff104bdf87787e4673f22489257ff77f8ab14a71d3aeb568b0c1a8df32b8e1cb17d05e6fa339a7261761c8dde0845f697023eef76b07d
- SSDEEP: 98304:/kUz/fTQSl103cP+7AVqETc5X0XxzXsVrFrJ24fiE:lzvl10PA4MM0Xxzw2Op
Malware Config
Signatures
- Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes: 36d695e2dc5f58e1766c4e77a41414491e87eca29e0c249a7c4fc91866f3b21a.exe
  description | ioc | process
  File opened for modification | \??\PhysicalDrive0 | 36d695e2dc5f58e1766c4e77a41414491e87eca29e0c249a7c4fc91866f3b21a.exe
- Enumerates system info in registry (2 TTPs, 2 IoCs)
  Processes: 36d695e2dc5f58e1766c4e77a41414491e87eca29e0c249a7c4fc91866f3b21a.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | 36d695e2dc5f58e1766c4e77a41414491e87eca29e0c249a7c4fc91866f3b21a.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct | 36d695e2dc5f58e1766c4e77a41414491e87eca29e0c249a7c4fc91866f3b21a.exe
- Modifies data under HKEY_USERS (15 IoCs)
  Processes: LogonUI.exe
  description | ioc | process
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | LogonUI.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | LogonUI.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "154" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: 36d695e2dc5f58e1766c4e77a41414491e87eca29e0c249a7c4fc91866f3b21a.exe, WMIC.exe, WMIC.exe
  description | pid | process
  Token: SeDebugPrivilege | 3756 | 36d695e2dc5f58e1766c4e77a41414491e87eca29e0c249a7c4fc91866f3b21a.exe
  Token: SeIncreaseQuotaPrivilege | 2372 | WMIC.exe
  Token: SeSecurityPrivilege | 2372 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 2372 | WMIC.exe
  Token: SeLoadDriverPrivilege | 2372 | WMIC.exe
  Token: SeSystemProfilePrivilege | 2372 | WMIC.exe
  Token: SeSystemtimePrivilege | 2372 | WMIC.exe
  Token: SeProfSingleProcessPrivilege | 2372 | WMIC.exe
  Token: SeIncBasePriorityPrivilege | 2372 | WMIC.exe
  Token: SeCreatePagefilePrivilege | 2372 | WMIC.exe
  Token: SeBackupPrivilege | 2372 | WMIC.exe
  Token: SeRestorePrivilege | 2372 | WMIC.exe
  Token: SeShutdownPrivilege | 2372 | WMIC.exe
  Token: SeDebugPrivilege | 2372 | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 2372 | WMIC.exe
  Token: SeRemoteShutdownPrivilege | 2372 | WMIC.exe
  Token: SeUndockPrivilege | 2372 | WMIC.exe
  Token: SeManageVolumePrivilege | 2372 | WMIC.exe
  Token: 33 | 2372 | WMIC.exe
  Token: 34 | 2372 | WMIC.exe
  Token: 35 | 2372 | WMIC.exe
  Token: 36 | 2372 | WMIC.exe
  Token: SeIncreaseQuotaPrivilege | 2372 | WMIC.exe
  Token: SeSecurityPrivilege | 2372 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 2372 | WMIC.exe
  Token: SeLoadDriverPrivilege | 2372 | WMIC.exe
  Token: SeSystemProfilePrivilege | 2372 | WMIC.exe
  Token: SeSystemtimePrivilege | 2372 | WMIC.exe
  Token: SeProfSingleProcessPrivilege | 2372 | WMIC.exe
  Token: SeIncBasePriorityPrivilege | 2372 | WMIC.exe
  Token: SeCreatePagefilePrivilege | 2372 | WMIC.exe
  Token: SeBackupPrivilege | 2372 | WMIC.exe
  Token: SeRestorePrivilege | 2372 | WMIC.exe
  Token: SeShutdownPrivilege | 2372 | WMIC.exe
  Token: SeDebugPrivilege | 2372 | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 2372 | WMIC.exe
  Token: SeRemoteShutdownPrivilege | 2372 | WMIC.exe
  Token: SeUndockPrivilege | 2372 | WMIC.exe
  Token: SeManageVolumePrivilege | 2372 | WMIC.exe
  Token: 33 | 2372 | WMIC.exe
  Token: 34 | 2372 | WMIC.exe
  Token: 35 | 2372 | WMIC.exe
  Token: 36 | 2372 | WMIC.exe
  Token: SeIncreaseQuotaPrivilege | 3752 | WMIC.exe
  Token: SeSecurityPrivilege | 3752 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 3752 | WMIC.exe
  Token: SeLoadDriverPrivilege | 3752 | WMIC.exe
  Token: SeSystemProfilePrivilege | 3752 | WMIC.exe
  Token: SeSystemtimePrivilege | 3752 | WMIC.exe
  Token: SeProfSingleProcessPrivilege | 3752 | WMIC.exe
  Token: SeIncBasePriorityPrivilege | 3752 | WMIC.exe
  Token: SeCreatePagefilePrivilege | 3752 | WMIC.exe
  Token: SeBackupPrivilege | 3752 | WMIC.exe
  Token: SeRestorePrivilege | 3752 | WMIC.exe
  Token: SeShutdownPrivilege | 3752 | WMIC.exe
  Token: SeDebugPrivilege | 3752 | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 3752 | WMIC.exe
  Token: SeRemoteShutdownPrivilege | 3752 | WMIC.exe
  Token: SeUndockPrivilege | 3752 | WMIC.exe
  Token: SeManageVolumePrivilege | 3752 | WMIC.exe
  Token: 33 | 3752 | WMIC.exe
  Token: 34 | 3752 | WMIC.exe
  Token: 35 | 3752 | WMIC.exe
  Token: 36 | 3752 | WMIC.exe
- Suspicious use of FindShellTrayWindow (1 IoCs)
  Processes: 36d695e2dc5f58e1766c4e77a41414491e87eca29e0c249a7c4fc91866f3b21a.exe
  pid | process
  3756 | 36d695e2dc5f58e1766c4e77a41414491e87eca29e0c249a7c4fc91866f3b21a.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  Processes: 36d695e2dc5f58e1766c4e77a41414491e87eca29e0c249a7c4fc91866f3b21a.exe, LogonUI.exe
  pid | process
  3756 | 36d695e2dc5f58e1766c4e77a41414491e87eca29e0c249a7c4fc91866f3b21a.exe
  3756 | 36d695e2dc5f58e1766c4e77a41414491e87eca29e0c249a7c4fc91866f3b21a.exe
  3696 | LogonUI.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes: 36d695e2dc5f58e1766c4e77a41414491e87eca29e0c249a7c4fc91866f3b21a.exe, cmd.exe, cmd.exe
  description | pid | process | target process
  PID 3756 wrote to memory of 836 | 3756 | 36d695e2dc5f58e1766c4e77a41414491e87eca29e0c249a7c4fc91866f3b21a.exe | cmd.exe
  PID 3756 wrote to memory of 836 | 3756 | 36d695e2dc5f58e1766c4e77a41414491e87eca29e0c249a7c4fc91866f3b21a.exe | cmd.exe
  PID 3756 wrote to memory of 836 | 3756 | 36d695e2dc5f58e1766c4e77a41414491e87eca29e0c249a7c4fc91866f3b21a.exe | cmd.exe
  PID 836 wrote to memory of 2372 | 836 | cmd.exe | WMIC.exe
  PID 836 wrote to memory of 2372 | 836 | cmd.exe | WMIC.exe
  PID 836 wrote to memory of 2372 | 836 | cmd.exe | WMIC.exe
  PID 3756 wrote to memory of 4748 | 3756 | 36d695e2dc5f58e1766c4e77a41414491e87eca29e0c249a7c4fc91866f3b21a.exe | cmd.exe
  PID 3756 wrote to memory of 4748 | 3756 | 36d695e2dc5f58e1766c4e77a41414491e87eca29e0c249a7c4fc91866f3b21a.exe | cmd.exe
  PID 3756 wrote to memory of 4748 | 3756 | 36d695e2dc5f58e1766c4e77a41414491e87eca29e0c249a7c4fc91866f3b21a.exe | cmd.exe
  PID 4748 wrote to memory of 3752 | 4748 | cmd.exe | WMIC.exe
  PID 4748 wrote to memory of 3752 | 4748 | cmd.exe | WMIC.exe
  PID 4748 wrote to memory of 3752 | 4748 | cmd.exe | WMIC.exe
  PID 3756 wrote to memory of 3484 | 3756 | 36d695e2dc5f58e1766c4e77a41414491e87eca29e0c249a7c4fc91866f3b21a.exe | cmd.exe
  PID 3756 wrote to memory of 3484 | 3756 | 36d695e2dc5f58e1766c4e77a41414491e87eca29e0c249a7c4fc91866f3b21a.exe | cmd.exe
  PID 3756 wrote to memory of 3484 | 3756 | 36d695e2dc5f58e1766c4e77a41414491e87eca29e0c249a7c4fc91866f3b21a.exe | cmd.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\36d695e2dc5f58e1766c4e77a41414491e87eca29e0c249a7c4fc91866f3b21a.exe (level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\36d695e2dc5f58e1766c4e77a41414491e87eca29e0c249a7c4fc91866f3b21a.exe"
  - Writes to the Master Boot Record (MBR)
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    command line: cmd.exe /c wmic path Win32_ComputerSystemProduct get uuid /value
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\Wbem\WMIC.exe (level 3)
      command line: wmic path Win32_ComputerSystemProduct get uuid /value
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    command line: cmd.exe /c wmic path Win32_ComputerSystemProduct get uuid /value
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\Wbem\WMIC.exe (level 3)
      command line: wmic path Win32_ComputerSystemProduct get uuid /value
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    command line: cmd.exe /c wmic path Win32_ComputerSystemProduct get uuid /value
- C:\Windows\system32\LogonUI.exe (level 1)
  command line: "LogonUI.exe" /flags:0x4 /state0:0xa3959055 /state1:0x41c64e6d
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx