c0cd9a7f2987c7eca65906f7f210c53f88055822a95f7833333d3c8a3c3c43fa

Analysis

max time kernel
24s
max time network
49s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-uk
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-uklocale:uk-uaos:windows10-ltsc 2021-x64systemwindows
submitted
21-11-2024 07:51

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Активаторы/ОЕМ-Активация/W7OEMACT.exe
Size

1.5MB
MD5

b822bf9b2224a4228f3249cc07e72114
SHA1

4a56d163082dc45e2ddf32286485fd933312c88e
SHA256

6c2924c4e4d64dc8c0cc9687653979a028b83d93e04d02487c055a97946585a9
SHA512

33833912a42a148ca514bf099a4d3ccc7d20c160f720ecd03798596a85db9c7bca4edea0d96711e5f7074bc70057560e0f5925624552c9e83a988005567d3377
SSDEEP

49152:GuXME6xymYzPIgGJgw234c3nWrWX2SW0yz:Guqyzzwg8Z23Z3nd2Sgz

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	W7OEMACT.exe

Executes dropped EXE 2 IoCs

pid	Process
1804	OEM.exe
4180	OEM.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	W7OEMACT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OEM.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OEM.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shutdown.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "130"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3144	shutdown.exe
Token: SeRemoteShutdownPrivilege	3144	shutdown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
228	LogonUI.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 1804	2416	W7OEMACT.exe	81
PID 2416 wrote to memory of 1804	2416	W7OEMACT.exe	81
PID 2416 wrote to memory of 1804	2416	W7OEMACT.exe	81
PID 1804 wrote to memory of 4180	1804	OEM.exe	84
PID 1804 wrote to memory of 4180	1804	OEM.exe	84
PID 1804 wrote to memory of 4180	1804	OEM.exe	84
PID 4180 wrote to memory of 1820	4180	OEM.tmp	86
PID 4180 wrote to memory of 1820	4180	OEM.tmp	86
PID 4180 wrote to memory of 1820	4180	OEM.tmp	86
PID 1820 wrote to memory of 3960	1820	cmd.exe	88
PID 1820 wrote to memory of 3960	1820	cmd.exe	88
PID 1820 wrote to memory of 3960	1820	cmd.exe	88
PID 1820 wrote to memory of 3288	1820	cmd.exe	94
PID 1820 wrote to memory of 3288	1820	cmd.exe	94
PID 1820 wrote to memory of 3288	1820	cmd.exe	94
PID 1820 wrote to memory of 3144	1820	cmd.exe	95
PID 1820 wrote to memory of 3144	1820	cmd.exe	95
PID 1820 wrote to memory of 3144	1820	cmd.exe	95

C:\Users\Admin\AppData\Local\Temp\Активаторы\ОЕМ-Активация\W7OEMACT.exe
"C:\Users\Admin\AppData\Local\Temp\Активаторы\ОЕМ-Активация\W7OEMACT.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\OEM.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\OEM.exe" /VERYSILENT
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1804
- - C:\Users\Admin\AppData\Local\Temp\is-FUNTK.tmp\OEM.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-FUNTK.tmp\OEM.tmp" /SL5="$50254,712478,497152,C:\Users\Admin\AppData\Local\Temp\RarSFX0\OEM.exe" /VERYSILENT
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4180
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\OEM\Install.cmd""
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1820
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript //nologo C:\Windows\system32\slmgr.vbs -ipk 2Y4WT-DHTBF-Q6MMK-KYK6X-VKM6G
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3960
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript //nologo "C:\Users\Admin\AppData\Local\Temp\OEM\install.vbs"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3288
    - - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown /t 0 /r
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3144

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a19055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OEM\Install.cmd

Filesize
194B

MD5
5e9ee33e1825530d41b4115106a52d34

SHA1
bfa19294fa820d4524c6513b19af61190ace8191

SHA256
5390ae2b6d389ec6c6c0f2886e028a501dcf54d54c8860e5adb6e7e80371a907

SHA512
42c440c7c8a4ef49d63b737ad6b34a994d361933606e72bd0207206787b544bd8bc4925d4ee9e57c54d33896a3e72f76c5f9bdf43ca78a96f971a768c2bb5ba2

Download Submit
C:\Users\Admin\AppData\Local\Temp\OEM\install.vbs

Filesize
10KB

MD5
c453e90e05a130d53914c03049fd89cb

SHA1
a500f0d1e8c70167161c22d2d43485c16846a595

SHA256
0edd67afa30505af4d9d37ebdfd8d3fcc2040d1c185f6e3ca701d17cb15c06d0

SHA512
12f1016a5d4a5f0b2bd54389276753013722969ac1445c6cabd244732669d3e361ecd1bc0ad6ee8a0c529234f96a75623971e43ef2f8e7bfc45f0f66c7e175a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\OEM.exe

Filesize
1.3MB

MD5
1b6891e258c32dd4009ff07ef2ab54d0

SHA1
59fdea80d3b7ab1d9dc7b86309d791a843279970

SHA256
6048bc9f3fdc561f21fb20c82ace961e6ac1849903b7ce39e875e64935bbc101

SHA512
457d0b48988a4c1f3fa26bc744a5cd2d9f0a278bdb5761680ada0c9d85439d5d3f6fcf32614619b3df13a87f8b989f8cf663436cad70d51b21fd3c9841d22100

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FUNTK.tmp\OEM.tmp

Filesize
1.5MB

MD5
541c6aef3bf52130e9e38a27b439d8c8

SHA1
50ab19dae3cfd7f34f00947265b0c0732cd4c32b

SHA256
d3fb5a30af7d9b0e9628bb28e6041caf5ebff6a1125d3da41f256a12f9ac09a3

SHA512
44031a7139584066d8714b63716e24002a2627631294671cc30b8aeb03d5c03a4a3ac40f799c3814e70e2086181af2bcb6381e192f08f89b8a794d79b52a398c

Download Submit
memory/1804-15-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1804-17-0x0000000000401000-0x0000000000417000-memory.dmp

Filesize
88KB

Download
memory/1804-101-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4180-23-0x0000000000400000-0x0000000000592000-memory.dmp

Filesize
1.6MB

Download
memory/4180-103-0x0000000000400000-0x0000000000592000-memory.dmp

Filesize
1.6MB

Download
memory/4180-142-0x0000000000400000-0x0000000000592000-memory.dmp

Filesize
1.6MB

Download