200ddcab89956d3d97e74c45765e109e6ee0a18622cdcfbd21844c1676bdc562

Resubmissions

08/09/2024, 11:54

240908-n2yc3sxarb 8

08/09/2024, 11:49

08/09/2024, 11:49

08/09/2024, 11:48

08/09/2024, 11:43

Analysis

max time kernel
249s
max time network
208s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
08/09/2024, 11:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

F_Key_Sender.exe
Size

234KB
MD5

5d168d9c5151ac785599cdae87544cac
SHA1

a8348defb42f5e9ee127d48fc74e7f362ae2edd4
SHA256

200ddcab89956d3d97e74c45765e109e6ee0a18622cdcfbd21844c1676bdc562
SHA512

d27ca55733be3eeaf4d92112bf4051d69922ed26fd04efdb291084045c14ea881e741300b9317f568ad34392d47daca908f32d8c5398a0a5f6ed8cbc3fa3ed9a
SSDEEP

6144:yTPeKCgLOWPAPqF8GLFKCgLOWPAPPFkGh+:yTlCguP28G4CguPNkG0

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
4540	takeown.exe
4988	icacls.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4540	takeown.exe
4988	icacls.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
408	taskkill.exe
3004	taskkill.exe
1780	taskkill.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "34"	LogonUI.exe

Suspicious behavior: LoadsDriver 64 IoCs

pid	Process
1348	Process not Found
1104	Process not Found
1900	Process not Found
3448	Process not Found
3460	Process not Found
228	Process not Found
3096	Process not Found
2660	Process not Found
2144	Process not Found
3924	Process not Found
872	Process not Found
5112	Process not Found
5048	Process not Found
3592	Process not Found
916	Process not Found
2088	Process not Found
236	Process not Found
4608	Process not Found
2484	Process not Found
4552	Process not Found
1868	Process not Found
3376	Process not Found
2624	Process not Found
3676	Process not Found
3832	Process not Found
4064	Process not Found
4824	Process not Found
752	Process not Found
4728	Process not Found
1408	Process not Found
1528	Process not Found
2000	Process not Found
2116	Process not Found
1388	Process not Found
964	Process not Found
2412	Process not Found
3532	Process not Found
3784	Process not Found
3600	Process not Found
2164	Process not Found
2228	Process not Found
2112	Process not Found
2124	Process not Found
4192	Process not Found
1056	Process not Found
5012	Process not Found
1696	Process not Found
3496	Process not Found
780	Process not Found
1964	Process not Found
4492	Process not Found
2016	Process not Found
1992	Process not Found
5092	Process not Found
328	Process not Found
1120	Process not Found
5036	Process not Found
2640	Process not Found
1384	Process not Found
4656	Process not Found
2480	Process not Found
1580	Process not Found
2808	Process not Found
2620	Process not Found

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4540	takeown.exe
Token: SeDebugPrivilege	408	taskkill.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1376	LogonUI.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4200 wrote to memory of 4540	4200	cmd.exe	91
PID 4200 wrote to memory of 4540	4200	cmd.exe	91
PID 4200 wrote to memory of 4988	4200	cmd.exe	92
PID 4200 wrote to memory of 4988	4200	cmd.exe	92
PID 4200 wrote to memory of 3004	4200	cmd.exe	93
PID 4200 wrote to memory of 3004	4200	cmd.exe	93
PID 4200 wrote to memory of 1780	4200	cmd.exe	94
PID 4200 wrote to memory of 1780	4200	cmd.exe	94
PID 4200 wrote to memory of 408	4200	cmd.exe	95
PID 4200 wrote to memory of 408	4200	cmd.exe	95

C:\Users\Admin\AppData\Local\Temp\F_Key_Sender.exe
"C:\Users\Admin\AppData\Local\Temp\F_Key_Sender.exe"
1⤵
PID:2588

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:1052

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:3824

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4200
- C:\Windows\System32\takeown.exe
  takeown /f dwm.exe
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:4540
- C:\Windows\System32\icacls.exe
  icacls dwm.exe /grant everyone:(f)
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4988
- C:\Windows\System32\taskkill.exe
  taskkill dwm.exe /f
  2⤵
  - Kills process with taskkill
  PID:3004
- C:\Windows\System32\taskkill.exe
  taskkill /?
  2⤵
  - Kills process with taskkill
  PID:1780
- C:\Windows\System32\taskkill.exe
  taskkill /f /im dwm.exe /t
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:408

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a29855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1376

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2588-0-0x00007FF8A6D53000-0x00007FF8A6D55000-memory.dmp

Filesize
8KB

Download
memory/2588-1-0x0000027A20250000-0x0000027A2028C000-memory.dmp

Filesize
240KB

Download
memory/2588-2-0x00007FF8A6D50000-0x00007FF8A7812000-memory.dmp

Filesize
10.8MB

Download
memory/2588-3-0x00007FF8A6D50000-0x00007FF8A7812000-memory.dmp

Filesize
10.8MB

Download
memory/2588-4-0x00007FF8A6D50000-0x00007FF8A7812000-memory.dmp

Filesize
10.8MB

Download
memory/2588-5-0x00007FF8A6D53000-0x00007FF8A6D55000-memory.dmp

Filesize
8KB

Download
memory/2588-6-0x00007FF8A6D50000-0x00007FF8A7812000-memory.dmp

Filesize
10.8MB

Download
memory/2588-7-0x00007FF8A6D50000-0x00007FF8A7812000-memory.dmp

Filesize
10.8MB

Download
memory/2588-9-0x00007FF8A6D50000-0x00007FF8A7812000-memory.dmp

Filesize
10.8MB

Download