110fd83bdeee1785c51b4ae919ea9aabffe74dfd9014a42577bb5ede476ea58a

Resubmissions

01-10-2024 16:24

241001-twvynayfpr 10

27-09-2024 00:57

26-09-2024 23:29

26-09-2024 18:54

26-09-2024 18:38

26-09-2024 16:26

Analysis

max time kernel
291s
max time network
297s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
26-09-2024 23:29

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Toolz (astro).zip
Size

161.1MB
MD5

103e93f9408f4195f294dc1aea765604
SHA1

6e25051cb67851af85c1df5d1b91a90321e0957e
SHA256

110fd83bdeee1785c51b4ae919ea9aabffe74dfd9014a42577bb5ede476ea58a
SHA512

99dc616c28b3389bf4c5b49eaa5cb2f91eaeb0c9a22147a5da5bbe9e1dc061410f90ebc8e0064a4a070faba40448b551278cc578fa8dea638f9e45a27cbcdf56
SSDEEP

3145728:sZparHZgZR/+0kZSi9vkbRNjX8GXKXaU5OgTbt+J7y+rL58Nj6m+ctQ+xhZJZSrl:6oGZp+0kut2OgTIJ7y+rL5oxaNb

Score

1^/10

Malware Config

Signatures

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "142"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeRestorePrivilege	424	7zG.exe
Token: 35	424	7zG.exe
Token: SeSecurityPrivilege	424	7zG.exe
Token: SeSecurityPrivilege	424	7zG.exe
Token: SeRestorePrivilege	3024	7zG.exe
Token: 35	3024	7zG.exe
Token: SeSecurityPrivilege	3024	7zG.exe
Token: SeSecurityPrivilege	3024	7zG.exe
Token: SeRestorePrivilege	5008	7zG.exe
Token: 35	5008	7zG.exe
Token: SeSecurityPrivilege	5008	7zG.exe
Token: SeSecurityPrivilege	5008	7zG.exe
Token: SeRestorePrivilege	2572	7zG.exe
Token: 35	2572	7zG.exe
Token: SeSecurityPrivilege	2572	7zG.exe
Token: SeSecurityPrivilege	2572	7zG.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
424	7zG.exe
3024	7zG.exe
5008	7zG.exe
2572	7zG.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
232	LogonUI.exe

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\Toolz (astro).zip"
1⤵
PID:3112

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1076

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Videos\Toolz (astro)\Toolz (astro)\" -an -ai#7zMap2397:138:7zEvent10741
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:424

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Videos\Toolz (astro)\Toolz (astro)\" -an -ai#7zMap5001:138:7zEvent30843
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3024

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Videos\Toolz (astro)\Toolz (astro)\" -an -ai#7zMap1489:144:7zEvent28709
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5008

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Videos\Toolz (astro)\Toolz (astro)\" -an -ai#7zMap18982:120:7zEvent17869
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2572

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a12855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:232

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads