Analysis
max time kernel: 1200s
max time network: 868s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 23-07-2024 15:24
Static task: static1
Behavioral task: behavioral1
Sample: açma.bat
Resource: win10-20240404-en (windows10-1703-x64)
5 signatures
300 seconds
General
Target: açma.bat
Size: 22B
MD5: fe25e897555a8f479f62cc53a0f5e139
SHA1: dadf5f188b9684d6e0e6c8d60ea7607c9d68feb6
SHA256: 1108991c6dfbed560df07b5ec0f4b43a2dfe9a0aecdbb3a24bce98a3c601dd33
SHA512: e950a308d2aae2c2254aedd40beb8e3ce98be3facf2ae075d11b91c1789e34fb99f5e499b843da2dc3ecc45cc9a92fb0e9db6de570784bcc2022cc308b4b442e
Score: 1/10
Malware Config
Signatures
Modifies data under HKEY_USERS (15 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe
Runs net.exe
Suspicious behavior: LoadsDriver (64 IoCs)
Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
4620 | LogonUI.exe
Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | Process | procid_target
PID 1452 wrote to memory of 2248 | 1452 | cmd.exe | 73
PID 1452 wrote to memory of 2248 | 1452 | cmd.exe | 73
PID 2248 wrote to memory of 3736 | 2248 | net.exe | 74
PID 2248 wrote to memory of 3736 | 2248 | net.exe | 74
Processes
- C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\açma.bat"
  PID: 1452
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\net.exe
    Command line: net user Admin tr
    PID: 2248
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 user Admin tr
      PID: 3736
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x0 /state0:0xa3aef855 /state1:0x41c64e6d
  PID: 4620
  Signatures: Modifies data under HKEY_USERS; Suspicious use of SetWindowsHookEx