35ce50d16718caf747a38faa9643b57aadf62c0d5dbd69cab304c378b4cc7291

Resubmissions

20/09/2024, 22:38

240920-2kmrxasdnn 6

Analysis

max time kernel
57s
max time network
60s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
20/09/2024, 22:38

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

misakaX-2.2-windows-edition.zip
Size

77.2MB
MD5

48bccb38ff7ca015961b34068ac81305
SHA1

87a575196dc5a5aedd8b0dcc47e6768dd4859f38
SHA256

35ce50d16718caf747a38faa9643b57aadf62c0d5dbd69cab304c378b4cc7291
SHA512

2ba7aff6e0b08142ea61bdf23e44a55afbbdf58364949c6150aa1a4c0dc4c990795b75357d4268da29f31f96217bb4608e153ce7d72c9820e817dc99f785f5b6
SSDEEP

1572864:Dw53Pspd69t7jXv7lqLWp/sxdgwWScIuYoP7yUGAeQj/g+50Lz3vVCC:Dw5fEd69t7jf7lqy0Hg/SsyUd/j/wz3l

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	SearchIndexer.exe
File opened (read-only)	\??\g:	SearchIndexer.exe
File opened (read-only)	\??\h:	SearchIndexer.exe
File opened (read-only)	\??\J:	SearchIndexer.exe
File opened (read-only)	\??\U:	SearchIndexer.exe
File opened (read-only)	\??\x:	SearchIndexer.exe
File opened (read-only)	\??\b:	SearchIndexer.exe
File opened (read-only)	\??\L:	SearchIndexer.exe
File opened (read-only)	\??\m:	SearchIndexer.exe
File opened (read-only)	\??\S:	SearchIndexer.exe
File opened (read-only)	\??\t:	SearchIndexer.exe
File opened (read-only)	\??\G:	SearchIndexer.exe
File opened (read-only)	\??\B:	SearchIndexer.exe
File opened (read-only)	\??\e:	SearchIndexer.exe
File opened (read-only)	\??\E:	SearchIndexer.exe
File opened (read-only)	\??\F:	SearchIndexer.exe
File opened (read-only)	\??\l:	SearchIndexer.exe
File opened (read-only)	\??\M:	SearchIndexer.exe
File opened (read-only)	\??\p:	SearchIndexer.exe
File opened (read-only)	\??\A:	SearchIndexer.exe
File opened (read-only)	\??\R:	SearchIndexer.exe
File opened (read-only)	\??\y:	SearchIndexer.exe
File opened (read-only)	\??\Y:	SearchIndexer.exe
File opened (read-only)	\??\r:	SearchIndexer.exe
File opened (read-only)	\??\k:	SearchIndexer.exe
File opened (read-only)	\??\P:	SearchIndexer.exe
File opened (read-only)	\??\Q:	SearchIndexer.exe
File opened (read-only)	\??\s:	SearchIndexer.exe
File opened (read-only)	\??\T:	SearchIndexer.exe
File opened (read-only)	\??\u:	SearchIndexer.exe
File opened (read-only)	\??\v:	SearchIndexer.exe
File opened (read-only)	\??\i:	SearchIndexer.exe
File opened (read-only)	\??\O:	SearchIndexer.exe
File opened (read-only)	\??\q:	SearchIndexer.exe
File opened (read-only)	\??\w:	SearchIndexer.exe
File opened (read-only)	\??\W:	SearchIndexer.exe
File opened (read-only)	\??\Z:	SearchIndexer.exe
File opened (read-only)	\??\o:	SearchIndexer.exe
File opened (read-only)	\??\j:	SearchIndexer.exe
File opened (read-only)	\??\N:	SearchIndexer.exe
File opened (read-only)	\??\z:	SearchIndexer.exe
File opened (read-only)	\??\H:	SearchIndexer.exe
File opened (read-only)	\??\n:	SearchIndexer.exe
File opened (read-only)	\??\X:	SearchIndexer.exe
File opened (read-only)	\??\I:	SearchIndexer.exe
File opened (read-only)	\??\K:	SearchIndexer.exe
File opened (read-only)	\??\V:	SearchIndexer.exe
File opened (read-only)	\??\a:	SearchIndexer.exe

Modifies data under HKEY_USERS 26 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000063cc2a2aae0bdb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "14"	LogonUI.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 33	1488	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1488	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1488	SearchIndexer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1084	LogonUI.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 256	1488	SearchIndexer.exe	83
PID 1488 wrote to memory of 256	1488	SearchIndexer.exe	83
PID 1488 wrote to memory of 2356	1488	SearchIndexer.exe	84
PID 1488 wrote to memory of 2356	1488	SearchIndexer.exe	84

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\misakaX-2.2-windows-edition.zip
1⤵
PID:3804

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2496

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Windows\System32\SearchProtocolHost.exe
  "C:\Windows\System32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:256
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 828 2724 2720 812 {0E5DCEC5-7795-4E38-9621-94DFD9F9A421}
  2⤵
  PID:2356

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a0f855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1488-32-0x00000291FD330000-0x00000291FD338000-memory.dmp

Filesize
32KB

Download
memory/1488-16-0x00000291FCE40000-0x00000291FCE50000-memory.dmp

Filesize
64KB

Download
memory/1488-0-0x00000291FCD40000-0x00000291FCD50000-memory.dmp

Filesize
64KB

Download
memory/1488-39-0x00000291FE8F0000-0x00000291FE8F8000-memory.dmp

Filesize
32KB

Download
memory/1488-40-0x00000291FE8E0000-0x00000291FE8E1000-memory.dmp

Filesize
4KB

Download
memory/1488-42-0x00000291FD360000-0x00000291FD368000-memory.dmp

Filesize
32KB

Download
memory/1488-43-0x00000291FD350000-0x00000291FD351000-memory.dmp

Filesize
4KB

Download
memory/1488-45-0x00000291FD350000-0x00000291FD358000-memory.dmp

Filesize
32KB

Download
memory/1488-48-0x00000291FD140000-0x00000291FD141000-memory.dmp

Filesize
4KB

Download