d24cf7597088b7974834b5ee0c94d1892959f1506ef38da2c4676fe28c3ec957

Analysis

max time kernel
17s
max time network
25s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
15/07/2024, 19:35

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Ojo Piojo.bat
Size

994B
MD5

1f82a6ad300902380ac567703669ec18
SHA1

aefd4dc1c8c255be6b2f1e55223ff74440cc735b
SHA256

d24cf7597088b7974834b5ee0c94d1892959f1506ef38da2c4676fe28c3ec957
SHA512

0be56cce6c4a08985462f5c9c328357795d9cabd4896f61e381ad4583b384d7276a242ed6da7a028485630418a76308e9cb9153021a681a188fd29fdf1f80cd6

Score

1^/10

Malware Config

Signatures

Delays execution with timeout.exe 3 IoCs

evasion

pid	Process
852	timeout.exe
4120	timeout.exe
2740	timeout.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "150"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1692	shutdown.exe
Token: SeRemoteShutdownPrivilege	1692	shutdown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3944	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2608 wrote to memory of 436	2608	cmd.exe	84
PID 2608 wrote to memory of 436	2608	cmd.exe	84
PID 2608 wrote to memory of 1936	2608	cmd.exe	85
PID 2608 wrote to memory of 1936	2608	cmd.exe	85
PID 2608 wrote to memory of 4164	2608	cmd.exe	86
PID 2608 wrote to memory of 4164	2608	cmd.exe	86
PID 2608 wrote to memory of 4388	2608	cmd.exe	87
PID 2608 wrote to memory of 4388	2608	cmd.exe	87
PID 2608 wrote to memory of 1748	2608	cmd.exe	88
PID 2608 wrote to memory of 1748	2608	cmd.exe	88
PID 2608 wrote to memory of 884	2608	cmd.exe	89
PID 2608 wrote to memory of 884	2608	cmd.exe	89
PID 2608 wrote to memory of 4044	2608	cmd.exe	90
PID 2608 wrote to memory of 4044	2608	cmd.exe	90
PID 2608 wrote to memory of 5112	2608	cmd.exe	91
PID 2608 wrote to memory of 5112	2608	cmd.exe	91
PID 2608 wrote to memory of 1020	2608	cmd.exe	92
PID 2608 wrote to memory of 1020	2608	cmd.exe	92
PID 2608 wrote to memory of 3368	2608	cmd.exe	93
PID 2608 wrote to memory of 3368	2608	cmd.exe	93
PID 2608 wrote to memory of 4872	2608	cmd.exe	94
PID 2608 wrote to memory of 4872	2608	cmd.exe	94
PID 2608 wrote to memory of 3028	2608	cmd.exe	95
PID 2608 wrote to memory of 3028	2608	cmd.exe	95
PID 2608 wrote to memory of 3440	2608	cmd.exe	96
PID 2608 wrote to memory of 3440	2608	cmd.exe	96
PID 2608 wrote to memory of 1404	2608	cmd.exe	97
PID 2608 wrote to memory of 1404	2608	cmd.exe	97
PID 2608 wrote to memory of 3332	2608	cmd.exe	98
PID 2608 wrote to memory of 3332	2608	cmd.exe	98
PID 2608 wrote to memory of 3704	2608	cmd.exe	99
PID 2608 wrote to memory of 3704	2608	cmd.exe	99
PID 2608 wrote to memory of 4972	2608	cmd.exe	100
PID 2608 wrote to memory of 4972	2608	cmd.exe	100
PID 2608 wrote to memory of 3768	2608	cmd.exe	101
PID 2608 wrote to memory of 3768	2608	cmd.exe	101
PID 2608 wrote to memory of 3732	2608	cmd.exe	102
PID 2608 wrote to memory of 3732	2608	cmd.exe	102
PID 2608 wrote to memory of 3996	2608	cmd.exe	103
PID 2608 wrote to memory of 3996	2608	cmd.exe	103
PID 2608 wrote to memory of 3580	2608	cmd.exe	104
PID 2608 wrote to memory of 3580	2608	cmd.exe	104
PID 2608 wrote to memory of 3176	2608	cmd.exe	105
PID 2608 wrote to memory of 3176	2608	cmd.exe	105
PID 2608 wrote to memory of 3008	2608	cmd.exe	106
PID 2608 wrote to memory of 3008	2608	cmd.exe	106
PID 2608 wrote to memory of 2632	2608	cmd.exe	107
PID 2608 wrote to memory of 2632	2608	cmd.exe	107
PID 2608 wrote to memory of 4688	2608	cmd.exe	108
PID 2608 wrote to memory of 4688	2608	cmd.exe	108
PID 2608 wrote to memory of 3528	2608	cmd.exe	109
PID 2608 wrote to memory of 3528	2608	cmd.exe	109
PID 2608 wrote to memory of 4560	2608	cmd.exe	110
PID 2608 wrote to memory of 4560	2608	cmd.exe	110
PID 2608 wrote to memory of 732	2608	cmd.exe	111
PID 2608 wrote to memory of 732	2608	cmd.exe	111
PID 2608 wrote to memory of 2900	2608	cmd.exe	112
PID 2608 wrote to memory of 2900	2608	cmd.exe	112
PID 2608 wrote to memory of 3840	2608	cmd.exe	113
PID 2608 wrote to memory of 3840	2608	cmd.exe	113
PID 2608 wrote to memory of 3624	2608	cmd.exe	114
PID 2608 wrote to memory of 3624	2608	cmd.exe	114
PID 2608 wrote to memory of 3708	2608	cmd.exe	115
PID 2608 wrote to memory of 3708	2608	cmd.exe	115

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Ojo Piojo.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2608
- C:\Windows\system32\cmd.exe
  cmd /c exit
  2⤵
  PID:436
- C:\Windows\system32\cmd.exe
  cmd /c exit
  2⤵
  PID:1936
- C:\Windows\system32\cmd.exe
  cmd /c exit
  2⤵
  PID:4164
- C:\Windows\system32\cmd.exe
  cmd /c exit
  2⤵
  PID:4388
- C:\Windows\system32\cmd.exe
  cmd /c exit
  2⤵
  PID:1748
- C:\Windows\system32\cmd.exe
  cmd /c exit
  2⤵
  PID:884
- C:\Windows\system32\cmd.exe
  cmd /c exit
  2⤵
  PID:4044
- C:\Windows\system32\cmd.exe
  cmd /c exit
  2⤵
  PID:5112
- C:\Windows\system32\cmd.exe
  cmd /c exit
  2⤵
  PID:1020
- C:\Windows\system32\cmd.exe
  cmd /c exit
  2⤵
  PID:3368
- C:\Windows\system32\cmd.exe
  cmd /c exit
  2⤵
  PID:4872
- C:\Windows\system32\cmd.exe
  cmd /c exit
  2⤵
  PID:3028
- C:\Windows\system32\cmd.exe
  cmd /c exit
  2⤵
  PID:3440
- C:\Windows\system32\cmd.exe
  cmd /c exit
  2⤵
  PID:1404
- C:\Windows\system32\cmd.exe
  cmd /c exit
  2⤵
  PID:3332
- C:\Windows\system32\cmd.exe
  cmd /c exit
  2⤵
  PID:3704
- C:\Windows\system32\cmd.exe
  cmd /c exit
  2⤵
  PID:4972
- C:\Windows\system32\cmd.exe
  cmd /c exit
  2⤵
  PID:3768
- C:\Windows\system32\cmd.exe
  cmd /c exit
  2⤵
  PID:3732
- C:\Windows\system32\cmd.exe
  cmd /c exit
  2⤵
  PID:3996
- C:\Windows\system32\cmd.exe
  cmd /c exit
  2⤵
  PID:3580
- C:\Windows\system32\cmd.exe
  cmd /c exit
  2⤵
  PID:3176
- C:\Windows\system32\cmd.exe
  cmd /c exit
  2⤵
  PID:3008
- C:\Windows\system32\cmd.exe
  cmd /c exit
  2⤵
  PID:2632
- C:\Windows\system32\cmd.exe
  cmd /c exit
  2⤵
  PID:4688
- C:\Windows\system32\cmd.exe
  cmd /c exit
  2⤵
  PID:3528
- C:\Windows\system32\cmd.exe
  cmd /c exit
  2⤵
  PID:4560
- C:\Windows\system32\cmd.exe
  cmd /c exit
  2⤵
  PID:732
- C:\Windows\system32\cmd.exe
  cmd /c exit
  2⤵
  PID:2900
- C:\Windows\system32\cmd.exe
  cmd /c exit
  2⤵
  PID:3840
- C:\Windows\system32\cmd.exe
  cmd /c exit
  2⤵
  PID:3624
- C:\Windows\system32\cmd.exe
  cmd /c exit
  2⤵
  PID:3708
- C:\Windows\system32\cmd.exe
  cmd /c exit
  2⤵
  PID:740
- C:\Windows\system32\cmd.exe
  cmd /c exit
  2⤵
  PID:4060
- C:\Windows\system32\cmd.exe
  cmd /c exit
  2⤵
  PID:2360
- C:\Windows\system32\cmd.exe
  cmd /c exit
  2⤵
  PID:4048
- C:\Windows\system32\cmd.exe
  cmd /c exit
  2⤵
  PID:2364
- C:\Windows\system32\cmd.exe
  cmd /c exit
  2⤵
  PID:1692
- C:\Windows\system32\cmd.exe
  cmd /c exit
  2⤵
  PID:4652
- C:\Windows\system32\cmd.exe
  cmd /c exit
  2⤵
  PID:1556
- C:\Windows\system32\cmd.exe
  cmd /c exit
  2⤵
  PID:2764
- C:\Windows\system32\cmd.exe
  cmd /c exit
  2⤵
  PID:4408
- C:\Windows\system32\cmd.exe
  cmd /c exit
  2⤵
  PID:4856
- C:\Windows\system32\cmd.exe
  cmd /c exit
  2⤵
  PID:2748
- C:\Windows\system32\cmd.exe
  cmd /c exit
  2⤵
  PID:3304
- C:\Windows\system32\cmd.exe
  cmd /c exit
  2⤵
  PID:4544
- C:\Windows\system32\cmd.exe
  cmd /c exit
  2⤵
  PID:3252
- C:\Windows\system32\cmd.exe
  cmd /c exit
  2⤵
  PID:1424
- C:\Windows\system32\cmd.exe
  cmd /c exit
  2⤵
  PID:3004
- C:\Windows\system32\cmd.exe
  cmd /c exit
  2⤵
  PID:4352
- C:\Windows\system32\cmd.exe
  cmd /c exit
  2⤵
  PID:3692
- C:\Windows\system32\cmd.exe
  cmd /c exit
  2⤵
  PID:3280
- C:\Windows\system32\cmd.exe
  cmd /c exit
  2⤵
  PID:4808
- C:\Windows\system32\cmd.exe
  cmd /c exit
  2⤵
  PID:1856
- C:\Windows\system32\cmd.exe
  cmd /c exit
  2⤵
  PID:5040
- C:\Windows\system32\cmd.exe
  cmd /c exit
  2⤵
  PID:4152
- C:\Windows\system32\cmd.exe
  cmd /c exit
  2⤵
  PID:3596
- C:\Windows\system32\cmd.exe
  cmd /c exit
  2⤵
  PID:4524
- C:\Windows\system32\cmd.exe
  cmd /c exit
  2⤵
  PID:1260
- C:\Windows\system32\cmd.exe
  cmd /c exit
  2⤵
  PID:3980
- C:\Windows\system32\timeout.exe
  timeout /t 3
  2⤵
  - Delays execution with timeout.exe
  PID:852
- C:\Windows\system32\timeout.exe
  timeout /t 10
  2⤵
  - Delays execution with timeout.exe
  PID:4120
- C:\Windows\system32\timeout.exe
  timeout /t 2
  2⤵
  - Delays execution with timeout.exe
  PID:2740
- C:\Windows\system32\shutdown.exe
  shutdown /r /t 0 /f
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1692

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3959055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3944

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\╪º╪«╪¬╪▒┘é5.txt

Filesize
176B

MD5
51b95f8ca116f938e3c6f96b78e6f29a

SHA1
36a6af85631eda17788628a40c18b6fe3e02677d

SHA256
b46e0b74befdedc9b46da9fb35ef49f42f3c7dc6732c8a58d38619e415b44cc0

SHA512
4f2a5137467f7bfb3e7af8a20560bd758d32ee8cc4c955471610c3c073101cdaa373f334863bf04b90a6662b08b2ca0c97795b943c28c4944256efaab171531c

Download Submit