Analysis Overview
SHA256
9c3f8df80193c085912c9950c58051ae77c321975784cc069ceacd4f57d5861d
Threat Level: Shows suspicious behavior
The file Ransomware PowerPoint.exe was found to be: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Deletes itself
Executes dropped EXE
Writes to the Master Boot Record (MBR)
Unsigned PE
Modifies data under HKEY_USERS
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-12 11:30
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-12 11:30
Reported
2024-06-12 11:30
Platform
win7-20240508-en
Max time kernel
3s
Max time network
3s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sys3.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sys3.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ransomware PowerPoint.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ransomware PowerPoint.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PHYSICALDRIVE0 | C:\Users\Admin\AppData\Local\Temp\Ransomware PowerPoint.exe | N/A |
| File opened for modification | \??\PHYSICALDRIVE0 | C:\Users\Admin\AppData\Local\Temp\sys3.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\sys3.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2368 wrote to memory of 2140 | N/A | C:\Users\Admin\AppData\Local\Temp\Ransomware PowerPoint.exe | C:\Users\Admin\AppData\Local\Temp\sys3.exe |
| PID 2368 wrote to memory of 2140 | N/A | C:\Users\Admin\AppData\Local\Temp\Ransomware PowerPoint.exe | C:\Users\Admin\AppData\Local\Temp\sys3.exe |
| PID 2368 wrote to memory of 2140 | N/A | C:\Users\Admin\AppData\Local\Temp\Ransomware PowerPoint.exe | C:\Users\Admin\AppData\Local\Temp\sys3.exe |
| PID 2368 wrote to memory of 2140 | N/A | C:\Users\Admin\AppData\Local\Temp\Ransomware PowerPoint.exe | C:\Users\Admin\AppData\Local\Temp\sys3.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Ransomware PowerPoint.exe
"C:\Users\Admin\AppData\Local\Temp\Ransomware PowerPoint.exe"
C:\Users\Admin\AppData\Local\Temp\sys3.exe
C:\Users\Admin\AppData\Local\Temp\\sys3.exe
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
Network
Files
memory/2368-0-0x000000002AA00000-0x000000002AA24000-memory.dmp
\Users\Admin\AppData\Local\Temp\sys3.exe
| MD5 | 70108103a53123201ceb2e921fcfe83c |
| SHA1 | c71799a6a6d09ee758b04cdf90a4ab76fbd2a7e3 |
| SHA256 | 9c3f8df80193c085912c9950c58051ae77c321975784cc069ceacd4f57d5861d |
| SHA512 | 996701c65eee7f781c2d22dce63f4a95900f36b97a99dcf833045bce239a08b3c2f6326b3a808431cdab92d59161dd80763e44126578e160d79b7095175d276b |
memory/2368-9-0x000000002AA00000-0x000000002AA24000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\systm.txt
| MD5 | 214748056d47a2418b469bf7520556f2 |
| SHA1 | 93c561cac44213ad6de3ccf0e6b6dcb0a39cb09e |
| SHA256 | 5ecbf39656b95ffa447f42cace84eb2c01fd5af713c9fd0e33e78b9d138ef42f |
| SHA512 | 55fb4805bcbed7fcd437a4bfb1de6a1b233cc2294a5082a8e1f782673f62061c9714547cd2853f5c6cb77882f7e560bcfc1db7eb0526f6eb967565c979f78017 |
memory/2696-12-0x0000000002D90000-0x0000000002D91000-memory.dmp
memory/2476-13-0x0000000002AA0000-0x0000000002AA1000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-12 11:30
Reported
2024-06-12 11:31
Platform
win10v2004-20240611-en
Max time kernel
2s
Max time network
7s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sys3.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PHYSICALDRIVE0 | C:\Users\Admin\AppData\Local\Temp\Ransomware PowerPoint.exe | N/A |
| File opened for modification | \??\PHYSICALDRIVE0 | C:\Users\Admin\AppData\Local\Temp\sys3.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "197" | C:\Windows\system32\LogonUI.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\sys3.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3528 wrote to memory of 3564 | N/A | C:\Users\Admin\AppData\Local\Temp\Ransomware PowerPoint.exe | C:\Users\Admin\AppData\Local\Temp\sys3.exe |
| PID 3528 wrote to memory of 3564 | N/A | C:\Users\Admin\AppData\Local\Temp\Ransomware PowerPoint.exe | C:\Users\Admin\AppData\Local\Temp\sys3.exe |
| PID 3528 wrote to memory of 3564 | N/A | C:\Users\Admin\AppData\Local\Temp\Ransomware PowerPoint.exe | C:\Users\Admin\AppData\Local\Temp\sys3.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Ransomware PowerPoint.exe
"C:\Users\Admin\AppData\Local\Temp\Ransomware PowerPoint.exe"
C:\Users\Admin\AppData\Local\Temp\sys3.exe
C:\Users\Admin\AppData\Local\Temp\\sys3.exe
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3994855 /state1:0x41c64e6d
Network
Files
memory/3528-0-0x000000002AA00000-0x000000002AA24000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sys3.exe
| MD5 | 70108103a53123201ceb2e921fcfe83c |
| SHA1 | c71799a6a6d09ee758b04cdf90a4ab76fbd2a7e3 |
| SHA256 | 9c3f8df80193c085912c9950c58051ae77c321975784cc069ceacd4f57d5861d |
| SHA512 | 996701c65eee7f781c2d22dce63f4a95900f36b97a99dcf833045bce239a08b3c2f6326b3a808431cdab92d59161dd80763e44126578e160d79b7095175d276b |
C:\Users\Admin\AppData\Local\Temp\systm.txt
| MD5 | 214748056d47a2418b469bf7520556f2 |
| SHA1 | 93c561cac44213ad6de3ccf0e6b6dcb0a39cb09e |
| SHA256 | 5ecbf39656b95ffa447f42cace84eb2c01fd5af713c9fd0e33e78b9d138ef42f |
| SHA512 | 55fb4805bcbed7fcd437a4bfb1de6a1b233cc2294a5082a8e1f782673f62061c9714547cd2853f5c6cb77882f7e560bcfc1db7eb0526f6eb967565c979f78017 |