Analysis
-
max time kernel
318s -
max time network
301s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
10-08-2024 10:13
Static task
static1
Behavioral task
behavioral1
Sample
file.ps1
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
file.ps1
Resource
win10v2004-20240802-en
Errors
General
-
Target
file.ps1
-
Size
1B
-
MD5
7215ee9c7d9dc229d2921a40e899ec5f
-
SHA1
b858cb282617fb0956d960215c8e84d1ccf909c6
-
SHA256
36a9e7f1c95b82ffb99743e0c5c4ce95d83c9a430aac59f84ef3cbfab6145068
-
SHA512
f90ddd77e400dfe6a3fcf479b00b1ee29e7015c5bb8cd70f5f15b4886cc339275ff553fc8a053f8ddc7324f45168cffaf81f8c3ac93996f6536eef38e5e40768
Malware Config
Signatures
-
Drops file in System32 directory 1 IoCs
Processes:
bootim.exedescription ioc process File opened for modification C:\Windows\system32\Recovery\ReAgent.xml bootim.exe -
Drops file in Windows directory 4 IoCs
Processes:
bootim.exedescription ioc process File opened for modification C:\Windows\Panther\UnattendGC\diagerr.xml bootim.exe File opened for modification C:\Windows\Panther\UnattendGC\diagwrn.xml bootim.exe File opened for modification C:\Windows\Panther\UnattendGC\setupact.log bootim.exe File opened for modification C:\Windows\Panther\UnattendGC\setuperr.log bootim.exe -
Modifies data under HKEY_USERS 15 IoCs
Processes:
LogonUI.exedescription ioc process Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "237" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM LogonUI.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
powershell.exepid process 4292 powershell.exe 4292 powershell.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
bootim.exepid process 4320 bootim.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
powershell.exevssvc.exebootim.exedescription pid process Token: SeDebugPrivilege 4292 powershell.exe Token: SeBackupPrivilege 1684 vssvc.exe Token: SeRestorePrivilege 1684 vssvc.exe Token: SeAuditPrivilege 1684 vssvc.exe Token: SeSystemEnvironmentPrivilege 4320 bootim.exe Token: SeTakeOwnershipPrivilege 4320 bootim.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
SystemSettingsAdminFlows.exeLogonUI.exepid process 3640 SystemSettingsAdminFlows.exe 3664 LogonUI.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\file.ps11⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\BitLockerWizardElev.exe"C:\Windows\System32\BitLockerWizardElev.exe" C:\ T1⤵
-
C:\Windows\system32\SystemSettingsAdminFlows.exe"C:\Windows\system32\SystemSettingsAdminFlows.exe" TurnOffDevicePortal1⤵
-
C:\Windows\system32\SystemSettingsAdminFlows.exe"C:\Windows\system32\SystemSettingsAdminFlows.exe" TurnOffDevicePortal1⤵
-
C:\Windows\system32\SystemSettingsAdminFlows.exe"C:\Windows\system32\SystemSettingsAdminFlows.exe" TurnOnDeveloperFeatures DeveloperUnlock1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\FodHelper.exeC:\Windows\System32\FodHelper.exe -Embedding1⤵
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa3936055 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k AppReadiness -p -s AppReadiness1⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\bootim.exebootim.exe /startpage:11⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2b4utqgd.umq.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Windows\System32\Recovery\ReAgent.xmlFilesize
1KB
MD53e9e6664250d6b8b7e3a91f502536b04
SHA13dd49f7f3661f4cd4a5a92917685c224f886cbe3
SHA256dbe63a5ddb28ab6a191c83408063eef409b50da5b14bccc515f37d5d0f7877ba
SHA512293c345d4ccfad336a26020b66ba2653331d78489d94bb898c29fefb6c2653622fc6463a33c07e976f10e268cf4a638efa9941bb0784feeab4ad57bda57e3e88
-
memory/4292-0-0x00007FFBED9F3000-0x00007FFBED9F5000-memory.dmpFilesize
8KB
-
memory/4292-6-0x00000218CA910000-0x00000218CA932000-memory.dmpFilesize
136KB
-
memory/4292-11-0x00007FFBED9F0000-0x00007FFBEE4B1000-memory.dmpFilesize
10.8MB
-
memory/4292-12-0x00007FFBED9F0000-0x00007FFBEE4B1000-memory.dmpFilesize
10.8MB
-
memory/4292-15-0x00007FFBED9F0000-0x00007FFBEE4B1000-memory.dmpFilesize
10.8MB