Analysis Overview
SHA256
1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887
Threat Level: Likely malicious
The file RedBoot.exe was found to be: Likely malicious.
Malicious Activity Summary
Renames multiple (123) files with added filename extension
UPX packed file
Executes dropped EXE
Writes to the Master Boot Record (MBR)
AutoIT Executable
Unsigned PE
Modifies data under HKEY_USERS
Suspicious behavior: RenamesItself
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-14 14:11
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-14 14:11
Reported
2024-06-14 14:11
Platform
win10v2004-20240508-en
Max time kernel
4s
Max time network
6s
Command Line
Signatures
Renames multiple (123) files with added filename extension
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\32628318\protect.exe | N/A |
| N/A | N/A | C:\Users\Admin\32628318\assembler.exe | N/A |
| N/A | N/A | C:\Users\Admin\32628318\overwrite.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\32628318\overwrite.exe | N/A |
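The indicator above is a raw write to the first sector of disk 0. The quickest way to confirm what such a write left behind is to read the 512-byte sector back and check its structure. The following is an added example written for this report; it is not part of the sandbox output and not code from the RedBoot sample. It decodes an MBR (boot code, disk signature, four partition entries, 0x55AA signature) and compares the boot-code region with a known-good hash. Both sample sectors are constructed for the demo, and the baseline hash is computed from the constructed clean sector rather than from any real host.

```python
"""Parse and sanity-check a 512-byte MBR sector.

Added example for this report, not part of the sandbox output and not code
from the RedBoot sample. The two sample sectors below are constructed for
the demo; the baseline hash is taken from the constructed clean sector.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440     # bytes 0..439: bootstrap code
DISK_SIG_OFF = 440      # 4-byte disk signature + 2 reserved bytes
PART_TABLE_OFF = 446    # four 16-byte partition entries
BOOT_SIG_OFF = 510      # 0x55 0xAA
PART_FMT = "<B3xB3xII"  # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count


def parse_mbr(sector: bytes) -> dict:
    """Decode the sector into its fields; this function does not judge it."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(PART_FMT, sector, PART_TABLE_OFF + 16 * i)
        partitions.append({"bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": partitions,
        "boot_signature_ok": sector[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] == b"\x55\xaa",
    }


def assess_mbr(sector: bytes, known_good_boot_code_sha256: str) -> list:
    """Return a list of findings; an empty list means the sector matches expectations."""
    info = parse_mbr(sector)
    findings = []
    if not info["boot_signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != known_good_boot_code_sha256:
        findings.append("boot code differs from known-good baseline")
    if not any(p["type"] != 0 and p["sectors"] > 0 for p in info["partitions"]):
        findings.append("no usable partition entries: table zeroed or overwritten")
    if sum(p["bootable"] for p in info["partitions"]) > 1:
        findings.append("more than one partition flagged bootable")
    return findings


def build_sector(boot_code: bytes, partitions, disk_sig: int = 0x12345678) -> bytes:
    """Assemble a well-formed sector from parts (used here only to construct test data)."""
    sector = bytearray(boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN])
    sector += struct.pack("<IH", disk_sig, 0)
    for status, ptype, lba_start, count in partitions:
        sector += struct.pack(PART_FMT, status, ptype, lba_start, count)
    sector += b"\x00" * (16 * (4 - len(partitions)))
    sector += b"\x55\xaa"
    return bytes(sector)


# Constructed clean disk: a tiny real-mode stub (cli / xor ax,ax / mov ss,ax /
# mov sp,0x7c00 / sti) plus one bootable NTFS (type 0x07) partition at LBA 2048.
CLEAN_MBR = build_sector(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb", [(0x80, 0x07, 2048, 204800)])
BASELINE_SHA256 = parse_mbr(CLEAN_MBR)["boot_code_sha256"]

# Constructed overwritten disk: a different boot stub, partition table wiped,
# 0x55AA still present. A raw write of a freshly assembled boot image to
# PhysicalDrive0 typically leaves the sector looking like this.
OVERWRITTEN_MBR = build_sector(b"\xb8\x13\x00\xcd\x10", [])

if __name__ == "__main__":
    for name, sec in (("clean", CLEAN_MBR), ("overwritten", OVERWRITTEN_MBR)):
        print(name, assess_mbr(sec, BASELINE_SHA256) or ["no findings"])
```

On a live Windows host the same 512 bytes come from `open(r"\\.\PhysicalDrive0", "rb").read(512)` in an elevated prompt; take the baseline hash from a known-clean disk of the same Windows build, since the stock boot code is identical across machines running that build. A sector that still carries 0x55AA but has lost its partition table is the characteristic result of this kind of overwrite, and the disk signature is worth recording too, because recovery tooling keys on it.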
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "237" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RedBoot.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\RedBoot.exe
"C:\Users\Admin\AppData\Local\Temp\RedBoot.exe"
C:\Users\Admin\32628318\protect.exe
"C:\Users\Admin\32628318\protect.exe"
C:\Users\Admin\32628318\assembler.exe
"C:\Users\Admin\32628318\assembler.exe" -f bin "C:\Users\Admin\32628318\boot.asm" -o "C:\Users\Admin\32628318\boot.bin"
C:\Users\Admin\32628318\overwrite.exe
"C:\Users\Admin\32628318\overwrite.exe" "C:\Users\Admin\32628318\boot.bin"
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a2d055 /state1:0x41c64e6d
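The process tree above is the whole attack in three steps: the dropper writes a working directory, a sibling assembles boot.asm into boot.bin with NASM-style flags (`-f bin`, `-o`), and a second sibling hands that file to a raw open of `\??\PhysicalDrive0`. The following is an added detection example written for this report; it is not part of the sandbox output and not a rule the sandbox vendor ships. It takes a flat list of simplified process-creation and file-open events, reports every process that opened a physical-drive device for writing, and enriches each hit with its ancestry and with the sibling that produced the file it was given. The sample events are constructed from the tree shown in the report; the pids, the explorer.exe parent and the field names are assumptions for the demo and should be mapped to Sysmon (Event ID 1 and 11) or your EDR schema.

```python
"""Flag processes that open a raw physical disk for writing, with lineage.

Added detection example for this report; not part of the sandbox output and
not a rule the sandbox vendor ships. Pids, the explorer.exe parent and the
event field names below are assumptions for the demo.
"""
import re

# Device names Windows accepts for a whole disk: \??\PhysicalDriveN,
# \\.\PhysicalDriveN and \Device\HarddiskN\DRN.
RAW_DISK_RE = re.compile(
    r"^(?:\\\?\?\\|\\\\\.\\)PhysicalDrive\d+$|^\\Device\\Harddisk\d+\\DR\d+$", re.I)
USER_WRITABLE_RE = re.compile(r"^C:\\Users\\[^\\]+\\", re.I)


def cmdline_args(cmdline: str) -> list:
    """Split a Windows command line into tokens (quoted paths kept whole) and drop argv[0]."""
    tokens = [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]
    return tokens[1:]


def find_raw_disk_writers(events: list) -> list:
    """Return one finding per file-open of a raw disk device with write access."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}

    def lineage(pid):
        chain, seen = [], set()
        while pid in procs and pid not in seen:
            seen.add(pid)
            chain.append(procs[pid]["image"])
            pid = procs[pid]["ppid"]
        return chain

    def staging_siblings(proc):
        # Siblings (same parent) whose command line names a file the writer was
        # handed as an argument: here, the assembler that emitted boot.bin.
        paths = [a.lower() for a in cmdline_args(proc["cmdline"]) if "\\" in a]
        return [s["image"] for s in procs.values()
                if s["ppid"] == proc["ppid"] and s["pid"] != proc["pid"]
                and any(p in s["cmdline"].lower() for p in paths)]

    findings = []
    for e in events:
        if e["type"] != "file_open" or "write" not in e["access"]:
            continue
        if not RAW_DISK_RE.match(e["path"]):
            continue
        proc = procs.get(e["pid"], {"pid": e["pid"], "ppid": None, "image": "<unknown>", "cmdline": ""})
        from_user_dir = bool(USER_WRITABLE_RE.match(proc["image"]))
        findings.append({
            "pid": e["pid"],
            "image": proc["image"],
            "device": e["path"],
            "lineage": lineage(e["pid"]),
            "staged_by": staging_siblings(proc),
            "severity": "high" if from_user_dir else "medium",
        })
    return findings


# Constructed events mirroring the report's process tree; pids are made up.
D = r"C:\Users\Admin\32628318"
SAMPLE_EVENTS = [
    {"type": "process", "pid": 900, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"type": "process", "pid": 1000, "ppid": 900, "image": r"C:\Users\Admin\AppData\Local\Temp\RedBoot.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\RedBoot.exe"'},
    {"type": "process", "pid": 1001, "ppid": 1000, "image": D + r"\protect.exe", "cmdline": f'"{D}\\protect.exe"'},
    {"type": "process", "pid": 1002, "ppid": 1000, "image": D + r"\assembler.exe",
     "cmdline": f'"{D}\\assembler.exe" -f bin "{D}\\boot.asm" -o "{D}\\boot.bin"'},
    {"type": "process", "pid": 1003, "ppid": 1000, "image": D + r"\overwrite.exe",
     "cmdline": f'"{D}\\overwrite.exe" "{D}\\boot.bin"'},
    {"type": "file_open", "pid": 1002, "path": D + r"\boot.bin", "access": "write"},      # ordinary file: ignored
    {"type": "file_open", "pid": 700, "path": r"\\.\PhysicalDrive0", "access": "read"},  # raw read only: ignored
    {"type": "file_open", "pid": 1003, "path": r"\??\PhysicalDrive0", "access": "write"},
]

if __name__ == "__main__":
    for f in find_raw_disk_writers(SAMPLE_EVENTS):
        print(f["severity"], f["image"], "->", f["device"],
              "| lineage:", " <- ".join(f["lineage"]), "| staged_by:", f["staged_by"])
```

Raw reads of the disk are deliberately not alerted on, since backup agents and disk tools do that routinely; a write handle to the device from an image under a user profile is what separates this sample from that noise. Sysmon's RawAccessRead (Event ID 9) only covers reads, so the write side needs a file-event source or EDR telemetry that records the requested access on the device open.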
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
memory/4276-0-0x00000000000C0000-0x000000000034E000-memory.dmp
C:\Users\Admin\32628318\protect.exe
| MD5 | fd414666a5b2122c3d9e3e380cf225ed |
| SHA1 | de139747b42a807efa8a2dcc1a8304f9a29b862d |
| SHA256 | e61a8382f7293e40cb993ddcbcaa53a4e5f07a3d6b6a1bfe5377a1a74a8dcac6 |
| SHA512 | 9ab2163d7deff29c202ed88dba36d5b28f6c67e647a0cadb3d03cc725796e19e5f298c04b1c8523d1d1ee4307e1a5d6f8156fa4021627d6ca1bbd0830695ae05 |
C:\Users\Admin\32628318\assembler.exe
| MD5 | 7e3cea1f686207563c8369f64ea28e5b |
| SHA1 | a1736fd61555841396b0406d5c9ca55c4b6cdf41 |
| SHA256 | 2a5305369edb9c2d7354b2f210e91129e4b8c546b0adf883951ea7bf7ee0f2b2 |
| SHA512 | 4629bc32094bdb030e6c9be247068e7295599203284cb95921c98fcbe3ac60286670be7e5ee9f0374a4017286c7af9db211bd831e3ea871d31a509d7bbc1d6a3 |
C:\Users\Admin\32628318\boot.asm
| MD5 | def1219cfb1c0a899e5c4ea32fe29f70 |
| SHA1 | 88aedde59832576480dfc7cd3ee6f54a132588a8 |
| SHA256 | 91e74c438099172b057bedf693d877bd08677d5f2173763986be4974c0970581 |
| SHA512 | 1e735d588cb1bb42324eaff1b9190ec6a8254f419d1ba4a13d03716ff5c102a335532b573a5befb08da90586e5670617066564ef9872f8c415b9a480836df423 |
memory/1876-32-0x0000000000400000-0x000000000049B000-memory.dmp
C:\Users\Admin\32628318\overwrite.exe
| MD5 | bc160318a6e8dadb664408fb539cd04b |
| SHA1 | 4b5eb324eebe3f84e623179a8e2c3743ccf32763 |
| SHA256 | f2bc5886b0f189976a367a69da8745bf66842f9bba89f8d208790db3dad0c7d2 |
| SHA512 | 51bc090f2821c57d94cfe4399b1f372a68d2811ea0b87d1ac1d6cf8ae39b167038ac21c471b168f1d19c6b213762024abb7e9e5ca311b246b46af0888289e46c |
memory/3168-37-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\32628318\boot.bin
| MD5 | 90053233e561c8bf7a7b14eda0fa0e84 |
| SHA1 | 16a7138387f7a3366b7da350c598f71de3e1cde2 |
| SHA256 | a760d8bc77ad8c0c839d4ef162ce44d5897af6fa84e0cc05ecc0747759ea76c2 |
| SHA512 | 63fda509cd02fd9d1374435f95515bc74f1ca8a9650b87d2299f8eee3a1c5a41b1cb8a4e1360c75f876f1dae193fdf4a96eba244683308f34d64d7ce37af2bb4 |
memory/4276-162-0x00000000000C0000-0x000000000034E000-memory.dmp