Malware Analysis Report

2024-09-23 12:04

Sample ID 240612-mdcwss1cma
Target PowerPoint.exe
SHA256 9c3f8df80193c085912c9950c58051ae77c321975784cc069ceacd4f57d5861d
Tags: bootkit, persistence
Score: 7/10

Analysis Overview

Score: 7/10

SHA256: 9c3f8df80193c085912c9950c58051ae77c321975784cc069ceacd4f57d5861d

Threat Level: Shows suspicious behavior

The file PowerPoint.exe was found to show suspicious behavior.

Malicious Activity Summary

Tags: bootkit, persistence

Executes dropped EXE

Writes to the Master Boot Record (MBR)

Unsigned PE

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-06-12 10:20

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-12 10:20

Reported: 2024-06-12 10:21

Platform: win10-20240404-en

Max time kernel: 2s

Max time network: 3s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PowerPoint.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sys3.exe | N/A

Writes to the Master Boot Record (MBR)

Tags: bootkit, persistence

Description | Indicator | Process | Target
File opened for modification | \??\PHYSICALDRIVE0 | C:\Users\Admin\AppData\Local\Temp\PowerPoint.exe | N/A
File opened for modification | \??\PHYSICALDRIVE0 | C:\Users\Admin\AppData\Local\Temp\sys3.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\sys3.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PowerPoint.exe

"C:\Users\Admin\AppData\Local\Temp\PowerPoint.exe"

C:\Users\Admin\AppData\Local\Temp\sys3.exe

C:\Users\Admin\AppData\Local\Temp\\sys3.exe

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0 /state0:0xa3aed855 /state1:0x41c64e6d

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | | udp

Files

memory/4892-0-0x000000002AA00000-0x000000002AA24000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sys3.exe

MD5 70108103a53123201ceb2e921fcfe83c
SHA1 c71799a6a6d09ee758b04cdf90a4ab76fbd2a7e3
SHA256 9c3f8df80193c085912c9950c58051ae77c321975784cc069ceacd4f57d5861d
SHA512 996701c65eee7f781c2d22dce63f4a95900f36b97a99dcf833045bce239a08b3c2f6326b3a808431cdab92d59161dd80763e44126578e160d79b7095175d276b

memory/4892-6-0x000000002AA00000-0x000000002AA24000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\systm.txt

MD5 aa142cb69ceb2968adc611552d279441
SHA1 ce306e86d2a19a7b7a71cd64aefcee4df54d4e1f
SHA256 751ad9c6ef87948d1d4bb1e6ca4d8317dbbead9df007606686fa3ac28c20e5a9
SHA512 e12d96dc6ab640b3d5648566f10b0b71cc97a622290f621e76b7042f99767a7c38e9d1bf056cdf718a9fdc6c90ed2df297a660c8e4d03931022dfac0423066a8