Malware Analysis Report

2024-09-11 03:31

Sample ID 240615-qe3ema1hnc
Target NoMoreDWM.exe
SHA256 48882905450b59a25ff457a05898a82cb59bd381d76f28e04e35ced4d7b2242c
Tags discovery exploit
Score 8/10

Analysis Overview

Threat Level: Likely malicious

The file NoMoreDWM.exe was found to be: Likely malicious.

Malicious Activity Summary

discovery exploit

Possible privilege escalation attempt

Checks computer location settings

Modifies file permissions

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-15 13:11

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-15 13:11

Reported

2024-06-15 13:11

Platform

win10v2004-20240508-en

Max time kernel

18s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NoMoreDWM.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\NoMoreDWM.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat~ C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "237" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" C:\Windows\system32\LogonUI.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\NoMoreDWM.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NoMoreDWM.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\NoMoreDWM.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SYSTEM32\shutdown.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SYSTEM32\shutdown.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\LogonUI.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3592 wrote to memory of 4196 N/A C:\Users\Admin\AppData\Local\Temp\NoMoreDWM.exe C:\Windows\System32\cmd.exe
PID 4196 wrote to memory of 4448 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 4196 wrote to memory of 2160 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 4196 wrote to memory of 2908 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 4196 wrote to memory of 2080 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 4196 wrote to memory of 4864 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 4196 wrote to memory of 2044 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 4196 wrote to memory of 1948 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 4196 wrote to memory of 4064 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 4196 wrote to memory of 404 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 4196 wrote to memory of 3788 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 4196 wrote to memory of 1780 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 4196 wrote to memory of 1152 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 4196 wrote to memory of 4808 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 4196 wrote to memory of 1444 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 4196 wrote to memory of 3720 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 3592 wrote to memory of 3888 N/A C:\Users\Admin\AppData\Local\Temp\NoMoreDWM.exe C:\Windows\SYSTEM32\shutdown.exe

Processes

C:\Users\Admin\AppData\Local\Temp\NoMoreDWM.exe

"C:\Users\Admin\AppData\Local\Temp\NoMoreDWM.exe"

C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe

C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DisableDWM.bat"

C:\Windows\system32\takeown.exe

takeown /F C:\Windows\ImmersiveControlPanel /R /A

C:\Windows\system32\icacls.exe

icacls C:\Windows\ImmersiveControlPanel /grant Administrators:(F) /T

C:\Windows\system32\takeown.exe

takeown /F C:\Windows\System32\UIRibbon.dll /A

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\UIRibbon.dll /grant Administrators:(F)

C:\Windows\system32\takeown.exe

takeown /F C:\Windows\System32\UIRibbonRes.dll /A

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\UIRibbonRes.dll /grant Administrators:(F)

C:\Windows\system32\takeown.exe

takeown /F C:\Windows\System32\dwm.exe /A

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\dwm.exe /grant Administrators:(F)

C:\Windows\system32\takeown.exe

takeown /F C:\Windows\System32\UiRibbon.dll /A

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\UiRibbon.dll /grant Administrators:(F)

C:\Windows\system32\takeown.exe

takeown /F C:\Windows\System32\UiRibbonRes.dll /A

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\UiRibbonRes.dll /grant Administrators:(F)

C:\Windows\system32\takeown.exe

takeown /F C:\Windows\System32\windows.immersiveshell.serviceprovider.dll /A

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\windows.immersiveshell.serviceprovider.dll /grant Administrators:(F)

C:\Windows\system32\takeown.exe

takeown /F C:\Windows\SystemResources /R /A

C:\Windows\SYSTEM32\shutdown.exe

"shutdown" /r /t 0

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x4 /state0:0xa39e1855 /state1:0x41c64e6d

Network

Files

C:\Users\Admin\AppData\Local\Temp\DisableDWM.bat

MD5 cb8cf1b7cce304ee8213696ed6d8caba
SHA1 f7b6c2739efb8afd05d51702cd3551c0f030cd74
SHA256 f67b38761eff4f387c366f45842e37e166b48017355510ed71fb180a4b3a840d
SHA512 1bdf9fdcf6ff6e7c50acb6d46c06da935d4e56d5f228423cb14de1bf38b84a97d210f8a5490243eb0c860b9c33266b65525c02effd9a98e83c50462c74b1e2e9