0bbb936eebd11c7bd9709a9570db61afd101bbc27d376d52d8ee2688895bc148

Reason

Machine shutdown

General

Target

ScaryLarry.bat
Size

1KB
MD5

04e38f8edf7a73a04c94407ffb02e335
SHA1

6a7e89633a43b1323af89e79f5163a23d9382c94
SHA256

0bbb936eebd11c7bd9709a9570db61afd101bbc27d376d52d8ee2688895bc148
SHA512

14d13c90d93edbdbbc0b1061d9d1653a6f8cdc2aad43fee848d3c689f8b820ecb4e41be2ebcadc0b951b677ded3e1228ef7fb71bfbcf2cad43d3c3ecae801fe2

Score

7^/10

execution

Malware Config

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ScaryLarry.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ScaryLarry.bat	cmd.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1560	powershell.exe
2408	powershell.exe
4860	powershell.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "198"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4860	powershell.exe
4860	powershell.exe
1560	powershell.exe
1560	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4860	powershell.exe
Token: SeDebugPrivilege	1560	powershell.exe
Token: SeShutdownPrivilege	3404	shutdown.exe
Token: SeRemoteShutdownPrivilege	3404	shutdown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4112	LogonUI.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1004 wrote to memory of 4860	1004	cmd.exe	85
PID 1004 wrote to memory of 4860	1004	cmd.exe	85
PID 1004 wrote to memory of 1560	1004	cmd.exe	94
PID 1004 wrote to memory of 1560	1004	cmd.exe	94
PID 1004 wrote to memory of 3404	1004	cmd.exe	98
PID 1004 wrote to memory of 3404	1004	cmd.exe	98
PID 1004 wrote to memory of 2408	1004	cmd.exe	100
PID 1004 wrote to memory of 2408	1004	cmd.exe	100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ScaryLarry.bat"
1⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:1004
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "& {Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.MessageBox]::Show('If you dont dont know what you had executed then press No but if you know what you are doing and you are an malware ethusiat and using proper equipment press Yes ', 'THIS IS A MALWARE', 'YesNo', [System.Windows.Forms.MessageBoxIcon]::Error);}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4860
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "& {Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.MessageBox]::Show('THIS IS THE LAST WARNING ARE YOU SURE YOU WANT TO EXECUTE THIS MALWARE? THE CREATOR IS NOT RESPONSIBLE FOR ANY DAMAGES! Do you want to run it? ', 'LAST WARNING', 'YesNo', [System.Windows.Forms.MessageBoxIcon]::Error);}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1560
- C:\Windows\system32\shutdown.exe
  Shutdown -r -t 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3404
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "& {Add-Type -AssemblyName System.Windows.Forms; Add-Type -AssemblyName System.Drawing; $notify = New-Object System.Windows.Forms.NotifyIcon; $notify.Icon = [System.Drawing.SystemIcons]::Error; $notify.Visible = $true; $notify.ShowBalloonTip(0, 'DONT LOOK BEHIND YOU', 'SCARY LARRY.', [System.Windows.Forms.ToolTipIcon]::None)}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2408

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3948855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
614f88cf39eb3223246afec4bf1463b4

SHA1
74d738ee6fdada75ac1ef1645073005e3f6b6cfb

SHA256
021636a793f57f23b16356c5b84fdf0122fdcadfaba305e4df4654bfbfa442bd

SHA512
84a7151e0471e659699a15c25d9063af1975e79bb5f23de6b3bc0d3b96cd161d70ad35f6acdbc8123b38bac9918df8b202bd6f1f4ca8061919074973e6063a77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7933e0baa897b4fd2670463100130180

SHA1
f153bbbf679272fb402b97d7d512fa87e7a1b4b5

SHA256
480cb95927ce0d2b85aea907e31b166982104f6b356d46ea7e3725f64e8331ff

SHA512
e308b8bba73551966152fba0178549a0759f5cfe74190464ae0c68cfd25c7fdb791662fd8e87b7aeeb4488039ac50882342b99058314f0b85e2f518e6b08ec21

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5pukfkvx.tjt.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\out.tmp

Filesize
5B

MD5
0d45313959d4f8220f3aed3958f22791

SHA1
6ca1cc1ff6f96422294741b6549e340b57891f00

SHA256
97f9973acffcd86691239b33272f810880ca14c4476a24e88abdf294518cbc65

SHA512
efed79df45f60447db075ae19ed300facca280e82723b430238549fb2023675855169a0563bbbc369e97013928b261cb7cfbb998906926c813fc52412da34399

Download Submit
memory/1560-26-0x00007FFE8FBC0000-0x00007FFE90681000-memory.dmp

Filesize
10.8MB

Download
memory/1560-36-0x00007FFE8FBC0000-0x00007FFE90681000-memory.dmp

Filesize
10.8MB

Download
memory/1560-33-0x00007FFE8FBC0000-0x00007FFE90681000-memory.dmp

Filesize
10.8MB

Download
memory/1560-31-0x00007FFE8FBC0000-0x00007FFE90681000-memory.dmp

Filesize
10.8MB

Download
memory/4860-11-0x00007FFE8FBC0000-0x00007FFE90681000-memory.dmp

Filesize
10.8MB

Download
memory/4860-17-0x00007FFE8FBC0000-0x00007FFE90681000-memory.dmp

Filesize
10.8MB

Download
memory/4860-16-0x00000219EDE10000-0x00000219EE02C000-memory.dmp

Filesize
2.1MB

Download
memory/4860-12-0x00007FFE8FBC0000-0x00007FFE90681000-memory.dmp

Filesize
10.8MB

Download
memory/4860-0-0x00007FFE8FBC3000-0x00007FFE8FBC5000-memory.dmp

Filesize
8KB

Download
memory/4860-10-0x00000219EE160000-0x00000219EE182000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

Errors