516dd8ee7dfdb7d0f9ae3536b54e438639031ba330dbaeb498694448e3d8da4e

Analysis

max time kernel
13s
max time network
14s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/09/2024, 15:15

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

ioo.bat
Size

544B
MD5

6a1d9e96c65fc9f1514b1dd47b627a58
SHA1

a3f2cd825dd64bd870ab7537be79498a902f821c
SHA256

516dd8ee7dfdb7d0f9ae3536b54e438639031ba330dbaeb498694448e3d8da4e
SHA512

83ddd6c0c02b2f1bdab60d3a76eef6d31a8f165939a93b09685c71553065ccef33f2096d58095fa5712ce75e791c333ed16e553d7675cc83282724d4c34bd3c3

Score

1^/10

Malware Config

Signatures

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "242"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	calc.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4724	shutdown.exe
Token: SeRemoteShutdownPrivilege	4724	shutdown.exe
Token: SeSystemtimePrivilege	948	cmd.exe
Token: SeSystemtimePrivilege	948	cmd.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3960	OpenWith.exe
2884	LogonUI.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 948 wrote to memory of 4896	948	cmd.exe	83
PID 948 wrote to memory of 4896	948	cmd.exe	83
PID 948 wrote to memory of 4360	948	cmd.exe	84
PID 948 wrote to memory of 4360	948	cmd.exe	84
PID 948 wrote to memory of 2528	948	cmd.exe	85
PID 948 wrote to memory of 2528	948	cmd.exe	85
PID 948 wrote to memory of 4724	948	cmd.exe	86
PID 948 wrote to memory of 4724	948	cmd.exe	86
PID 948 wrote to memory of 1376	948	cmd.exe	88
PID 948 wrote to memory of 1376	948	cmd.exe	88
PID 1376 wrote to memory of 2296	1376	cmd.exe	90
PID 1376 wrote to memory of 2296	1376	cmd.exe	90

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ioo.bat"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:948
- C:\Windows\system32\calc.exe
  calc
  2⤵
  - Modifies registry class
  PID:4896
- C:\Windows\system32\msg.exe
  msg * R.I.P
  2⤵
  PID:4360
- C:\Windows\system32\msg.exe
  msg * R.I.P
  2⤵
  PID:2528
- C:\Windows\system32\shutdown.exe
  shutdown -r -t 10 -c "your computer is hacked bitch"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K start
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1376
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:2296

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3960

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3981855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2884

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads