Analysis
max time kernel: 28s
max time network: 30s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
submitted: 14/08/2024, 15:28
Behavioral task behavioral1
Sample: mara-fix_1.5/Eset Fix.exe
Resource: win7-20240708-en
Behavioral task behavioral2
Sample: mara-fix_1.5/Eset Fix.exe
Resource: win10v2004-20240802-en
Errors
General
Target: mara-fix_1.5/Eset Fix.exe
Size: 711KB
MD5: 5f45b1b2eee537288ab579ba2119a00e
SHA1: b383a82af3b16b0a6259283a6d8dcba373412863
SHA256: 8e83308224a56c555b856e82d8e8296966f6339fa89877adf817b13f1ce9f53f
SHA512: 4b16bbc9831a6fbfdf6176bbf3f648e51aae82b597d1d5b7242d36789034f71067e87eadaf2a835320dfc4d18772d28ba47d784bc04282d137703bf08bd95068
SSDEEP: 12288:TnNhuBoY8SorxgmA+nlvVlkbw5F53Vo7lKZMItwdgcCYILEpshKVlZvFp8pzmSK1:TPatCg7EPibwHjo7lKq63cCEpshK9pas
Malware Config
Signatures
Sets service image path in registry (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\.EsetTrialReset\ImagePath = "C:\\Windows\\reset.exe /s" | Eset Fix.exe
yara_rule upx matches (5 IoCs)
resource | yara_rule
behavioral2/memory/4200-0-0x0000000000400000-0x00000000004CE000-memory.dmp | upx
behavioral2/files/0x0008000000023514-16.dat | upx
behavioral2/memory/4200-17-0x0000000000400000-0x00000000004CE000-memory.dmp | upx
behavioral2/memory/4200-18-0x0000000000400000-0x00000000004CE000-memory.dmp | upx
behavioral2/memory/4200-20-0x0000000000400000-0x00000000004CE000-memory.dmp | upx
AutoIT Executable (3 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/4200-17-0x0000000000400000-0x00000000004CE000-memory.dmp | autoit_exe
behavioral2/memory/4200-18-0x0000000000400000-0x00000000004CE000-memory.dmp | autoit_exe
behavioral2/memory/4200-20-0x0000000000400000-0x00000000004CE000-memory.dmp | autoit_exe
Drops file in Windows directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\reset.exe | Eset Fix.exe
File opened for modification | C:\Windows\reset.exe | Eset Fix.exe
Launches sc.exe (2 IoCs)
Sc.exe is a Windows utility to control services on the system.
pid | Process
2452 | sc.exe
4764 | sc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 8 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eset Fix.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Modifies data under HKEY_USERS (15 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "242" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | LogonUI.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
4200 | Eset Fix.exe (4 entries)
Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeShutdownPrivilege | 4200 | Eset Fix.exe
Suspicious use of FindShellTrayWindow (35 IoCs)
pid | Process
4200 | Eset Fix.exe (35 entries)
Suspicious use of SendNotifyMessage (35 IoCs)
pid | Process
4200 | Eset Fix.exe (35 entries)
Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
1668 | LogonUI.exe
Suspicious use of WriteProcessMemory (21 IoCs)
description | pid | Process | procid_target
PID 4200 wrote to memory of 1940 | 4200 | Eset Fix.exe | 87 (3 entries)
PID 1940 wrote to memory of 2452 | 1940 | cmd.exe | 89 (3 entries)
PID 4200 wrote to memory of 2448 | 4200 | Eset Fix.exe | 90 (3 entries)
PID 2448 wrote to memory of 4764 | 2448 | cmd.exe | 92 (3 entries)
PID 4200 wrote to memory of 2820 | 4200 | Eset Fix.exe | 100 (3 entries)
PID 2820 wrote to memory of 3056 | 2820 | cmd.exe | 102 (3 entries)
PID 3056 wrote to memory of 1728 | 3056 | net.exe | 103 (3 entries)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\mara-fix_1.5\Eset Fix.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\mara-fix_1.5\Eset Fix.exe"
  PID: 4200
  Signatures:
    - Sets service image path in registry
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c sc config ekrn start= disabled
    PID: 1940
    Signatures:
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\sc.exe
      Command line: sc config ekrn start= disabled
      PID: 2452
      Signatures:
        - Launches sc.exe
        - System Location Discovery: System Language Discovery
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c sc config ekrn start= auto
    PID: 2448
    Signatures:
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\sc.exe
      Command line: sc config ekrn start= auto
      PID: 4764
      Signatures:
        - Launches sc.exe
        - System Location Discovery: System Language Discovery
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c net start ekrn
    PID: 2820
    Signatures:
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\net.exe
      Command line: net start ekrn
      PID: 3056
      Signatures:
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 start ekrn
        PID: 1728
        Signatures:
          - System Location Discovery: System Language Discovery
- [1] C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x4 /state0:0xa39bb055 /state1:0x41c64e6d
  PID: 1668
  Signatures:
    - Modifies data under HKEY_USERS
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads
Filesize: 348KB
MD5: 2e5445a4c9e9a5d1168205aec44aeacf
SHA1: a73a1c1bf8416150249f6d829c1f465aba75aed2
SHA256: fe8fba8417fd77dac4a33fe4a1d661960144f94e8db505edac9f169cbe7dcddb
SHA512: f52c2c921f00514185d866fc70cbede7bd5e6543cab8c7cc772438f86485e3319617c0d359675de2e033d13c537e97ad6d5345aeb404c370e1519048b27691ad