Analysis
-
max time kernel
150s -
max time network
130s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
07-09-2024 11:36
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ASIdle.dll
Resource
win7-20240903-en
windows7-x64
2 signatures
150 seconds
Behavioral task
behavioral2
Sample
ASIdle.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
2 signatures
150 seconds
Behavioral task
behavioral3
Sample
AutoShutdown.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral4
Sample
AutoShutdown.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
8 signatures
150 seconds
Behavioral task
behavioral5
Sample
TEMP/W32INST_PATH_.dll
Resource
win7-20240708-en
windows7-x64
3 signatures
150 seconds
Behavioral task
behavioral6
Sample
TEMP/W32INST_PATH_.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
3 signatures
150 seconds
Behavioral task
behavioral7
Sample
UNINSTALL_PATH.exe
Resource
win7-20240708-en
windows7-x64
5 signatures
150 seconds
Behavioral task
behavioral8
Sample
UNINSTALL_PATH.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
4 signatures
150 seconds
General
-
Target
AutoShutdown.exe
-
Size
1.3MB
-
MD5
e0a9a1d822f204870f1c72a68ca5c85a
-
SHA1
697deff0878dba2a0f2aaa3554f5d4c0d7bfd066
-
SHA256
8ee3d7ad6303f7fb5cd077c1ace0f65c73d18e9da2fd1dc709604ccb5a41a007
-
SHA512
e83191270ae540d7c76dd882e05cc639181af9f808126372af6f3e1b021bb2da82c2ccb8d5985826bfc1a5a42967d1bf9179d4d226cd2a5996875852216f9871
-
SSDEEP
12288:Hc8fxh0kY71EaOsnnDcLGt4zZpyKkvoc6qXwBCZP+NuJdr7u+mXOzjmbuCT/:HXA1tOsnnDCGu/yKkkOfP++DJjmb9
Score
6/10
Malware Config
Signatures
-
Modifies WinLogon 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\PowerdownAfterShutdown = "1" AutoShutdown.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AutoShutdown.exe -
Modifies Control Panel 3 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop AutoShutdown.exe Set value (int) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\AutoEndTasks = "0" AutoShutdown.exe Set value (int) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\AutoEndTasks = "20000" AutoShutdown.exe -
Modifies registry class 10 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node AutoShutdown.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID AutoShutdown.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D139C04A-30A1-4D98-AF34-8ADDEAA8ECE4} AutoShutdown.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7DE7617A-D292-4555-BF8A-D5805E201EEE}\ImplementedCategories\{D139C04A-30A1-4D98-AF34-8ADDEAA8ECE4} AutoShutdown.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7DE7617A-D292-4555-BF8A-D5805E201EEE}\ImplementedCategories AutoShutdown.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7DE7617A-D292-4555-BF8A-D5805E201EEE}\ImplementedCategories\{D139C04A-30A1-4D98-AF34-8ADDEAA8ECE4}\ThreadingModel = "Apartment" AutoShutdown.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D139C04A-30A1-4D98-AF34-8ADDEAA8ECE4}\ProgID\InProcServer32 = "13" AutoShutdown.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D139C04A-30A1-4D98-AF34-8ADDEAA8ECE4}\ProgID AutoShutdown.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D139C04A-30A1-4D98-AF34-8ADDEAA8ECE4}\ProgID\TypeLib = e8070900060007000b0024002d00aa03 AutoShutdown.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7DE7617A-D292-4555-BF8A-D5805E201EEE} AutoShutdown.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeShutdownPrivilege 4040 AutoShutdown.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe 4040 AutoShutdown.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\AutoShutdown.exe"C:\Users\Admin\AppData\Local\Temp\AutoShutdown.exe"1⤵
- Modifies WinLogon
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4040
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3036,i,11251706013556949551,5157034131170452377,262144 --variations-seed-version --mojo-platform-channel-handle=4188 /prefetch:81⤵PID:2212