5e9c621c4b78cc9b9e5ea37aaf161c0e41335c334c8e29a043a7ff47bff479be

Resubmissions

11/12/2024, 16:01

241211-tf61zszkez 10

18/02/2024, 14:57

240218-sbkrhsca46 10

Analysis

max time kernel
18s
max time network
21s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
11/12/2024, 16:01

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

ItachiNoSleep.exe
Size

29.4MB
MD5

0736b49f07b6ad466ced7d95d6e0f303
SHA1

77d4af83b2a288771676ebdbeea8755f5825409d
SHA256

43bf2f36a8da283a7bf5288822fdade5f2f5e420c01c840352162defdbce22e3
SHA512

1ae1229bb306ab7ed290d074f02f10d67d00d82cd1805fe53aa42f2615b297e7a8671c2694ee9d8d180b28a5686cac3dd516a5840e3fbcefd3c904de10a228e7
SSDEEP

786432:b/9ozzOd+SlaO70TskW0nf0p3w9ozzOd+SlaO70TskW0nf0p3e:JozzM+wBITe0cpmozzM+wBITe0cp

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Program Files\\Temp\\ItachiWindowsHorror.exe, C:\\Program Files\\Temp\\MBR.exe"	ItachiNoSleep.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ItachiNoSleep.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ItachiNoSleep.exe

Disables Task Manager via registry modification
evasion

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Program Files\\Temp\\skull_real_ico.ico"	ItachiNoSleep.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ItachiNoSleep.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ItachiNoSleep.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Temp\BSOD.exe	ItachiNoSleep.exe
File opened for modification	C:\Program Files\Temp\ItachiWindowsHorror.exe	ItachiNoSleep.exe
File opened for modification	C:\Program Files\Temp\a lot of skulls.jpg	ItachiNoSleep.exe
File opened for modification	C:\Program Files\Temp\hol333.ani	ItachiNoSleep.exe
File opened for modification	C:\Program Files\Temp\skull_real_ico.ico	ItachiNoSleep.exe
File opened for modification	C:\Program Files\Temp\some_music.wav	ItachiNoSleep.exe
File opened for modification	C:\Program Files\Temp\MBR.exe	ItachiNoSleep.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 14 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Control Panel\Cursors\ = "C:\\Program Files\\Temp\\hol333.ani"	ItachiNoSleep.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Control Panel\Cursors\AppStarting = "C:\\Program Files\\Temp\\hol333.ani"	ItachiNoSleep.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Control Panel\Cursors\NWPen = "C:\\Program Files\\Temp\\hol333.ani"	ItachiNoSleep.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Control Panel\Cursors\SizeAll = "C:\\Program Files\\Temp\\hol333.ani"	ItachiNoSleep.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Control Panel\Cursors\SizeNWSE = "C:\\Program Files\\Temp\\hol333.ani"	ItachiNoSleep.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Control Panel\Cursors\Hand = "C:\\Program Files\\Temp\\hol333.ani"	ItachiNoSleep.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Control Panel\Cursors\Help = "C:\\Program Files\\Temp\\hol333.ani"	ItachiNoSleep.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Control Panel\Cursors\Wait = "C:\\Program Files\\Temp\\hol333.ani"	ItachiNoSleep.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Control Panel\Cursors\Arrow = "C:\\Program Files\\Temp\\hol333.ani"	ItachiNoSleep.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Control Panel\Cursors\No = "C:\\Program Files\\Temp\\hol333.ani"	ItachiNoSleep.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Control Panel\Cursors\SizeNESW = "C:\\Program Files\\Temp\\hol333.ani"	ItachiNoSleep.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Control Panel\Cursors\SizeNS = "C:\\Program Files\\Temp\\hol333.ani"	ItachiNoSleep.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Control Panel\Cursors\SizeWE = "C:\\Program Files\\Temp\\hol333.ani"	ItachiNoSleep.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Control Panel\Cursors\UpArrow = "C:\\Program Files\\Temp\\hol333.ani"	ItachiNoSleep.exe

Modifies File Icons 3 IoCs

ransomware

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\4 = "C:\\Program Files\\Temp\\skull_real_ico.ico"	ItachiNoSleep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons	ItachiNoSleep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\3 = "C:\\Program Files\\Temp\\skull_real_ico.ico"	ItachiNoSleep.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "14"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe

Modifies registry class 45 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\jarfile\DefaultIcon	ItachiNoSleep.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5}\DefaultIcon\ = "C:\\Program Files\\Temp\\skull_real_ico.ico"	ItachiNoSleep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htlm\DefaultIcon	ItachiNoSleep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\icmfile\DefaultIcon\ = "C:\\Program Files\\Temp\\skull_real_ico.ico"	ItachiNoSleep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile\DefaultIcon\ = "C:\\Program Files\\Temp\\skull_real_ico.ico"	ItachiNoSleep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JSFile\DefaultIcon\ = "C:\\Program Files\\Temp\\skull_real_ico.ico"	ItachiNoSleep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ratfile\DefaultIcon\ = "C:\\Program Files\\Temp\\skull_real_ico.ico"	ItachiNoSleep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\dllfile\DefaultIcon\ = "C:\\Program Files\\Temp\\skull_real_ico.ico"	ItachiNoSleep.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\CLSID\{1248BD21-B584-4EB8-85D0-8EC479CD043B}\DefaultIcon	ItachiNoSleep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\textfile\DefaultIcon\ = "C:\\Program Files\\Temp\\skull_real_ico.ico"	ItachiNoSleep.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\CLSID	ItachiNoSleep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htlm	ItachiNoSleep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JSEFile\DefaultIcon\ = "C:\\Program Files\\Temp\\skull_real_ico.ico"	ItachiNoSleep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\pjpegfile\DefaultIcon\ = "C:\\Program Files\\Temp\\skull_real_ico.ico"	ItachiNoSleep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\pnffile\DefaultIcon\ = "C:\\Program Files\\Temp\\skull_real_ico.ico"	ItachiNoSleep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile	ItachiNoSleep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\textfile\DefaultIcon	ItachiNoSleep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\icofile\DefaultIcon\ = "C:\\Program Files\\Temp\\skull_real_ico.ico"	ItachiNoSleep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mscfile\DefaultIcon\ = "C:\\Program Files\\Temp\\skull_real_ico.ico"	ItachiNoSleep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\jarfile\DefaultIcon\ = "C:\\Program Files\\Temp\\skull_real_ico.ico"	ItachiNoSleep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\giffile\DefaultIcon\ = "C:\\Program Files\\Temp\\skull_real_ico.ico"	ItachiNoSleep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\DefaultIcon	ItachiNoSleep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\jntfile\DefaultIcon	ItachiNoSleep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\jntfile	ItachiNoSleep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Program Files\\Temp\\skull_real_ico.ico"	ItachiNoSleep.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\CLSID\{1248BD21-B584-4EB8-85D0-8EC479CD043B}	ItachiNoSleep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sysfile\DefaultIcon\ = "C:\\Program Files\\Temp\\skull_real_ico.ico"	ItachiNoSleep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\zapfile\DefaultIcon\ = "C:\\Program Files\\Temp\\skull_real_ico.ico"	ItachiNoSleep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Program Files\\Temp\\skull_real_ico.ico"	ItachiNoSleep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htlm\DefaultIcon\ = "C:\\Program Files\\Temp\\skull_real_ico.ico"	ItachiNoSleep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile	ItachiNoSleep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\DefaultIcon\ = "C:\\Program Files\\Temp\\skull_real_ico.ico"	ItachiNoSleep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon	ItachiNoSleep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\DefaultIcon\ = "C:\\Program Files\\Temp\\skull_real_ico.ico"	ItachiNoSleep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile\DefaultIcon	ItachiNoSleep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\jpegfile\DefaultIcon\ = "C:\\Program Files\\Temp\\skull_real_ico.ico"	ItachiNoSleep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\DefaultIcon\ = "C:\\Program Files\\Temp\\skull_real_ico.ico"	ItachiNoSleep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\jntfile\DefaultIcon\ = "C:\\Program Files\\Temp\\skull_real_ico.ico"	ItachiNoSleep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\pngfile\DefaultIcon\ = "C:\\Program Files\\Temp\\skull_real_ico.ico"	ItachiNoSleep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sysfile\DefaultIcon	ItachiNoSleep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\textfile	ItachiNoSleep.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5}	ItachiNoSleep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile	ItachiNoSleep.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5}\DefaultIcon	ItachiNoSleep.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\CLSID\{1248BD21-B584-4EB8-85D0-8EC479CD043B}\DefaultIcon\ = "C:\\Program Files\\Temp\\skull_real_ico.ico"	ItachiNoSleep.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3052	shutdown.exe
Token: SeRemoteShutdownPrivilege	3052	shutdown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4248	LogonUI.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 984 wrote to memory of 3052	984	ItachiNoSleep.exe	78
PID 984 wrote to memory of 3052	984	ItachiNoSleep.exe	78

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ItachiNoSleep.exe

C:\Users\Admin\AppData\Local\Temp\ItachiNoSleep.exe
"C:\Users\Admin\AppData\Local\Temp\ItachiNoSleep.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Modifies Control Panel
- Modifies File Icons
- Modifies registry class
- Suspicious use of WriteProcessMemory
- System policy modification
PID:984
- C:\Windows\System32\shutdown.exe
  "C:\Windows\System32\shutdown.exe" /r /t 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3052

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a01855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\There.txt

Filesize
77B

MD5
2b609310f9aaffe3c7b852f86c393693

SHA1
34e6b392319ffe622524c29df0cd0e0422b22008

SHA256
7520cd6319e299b6f7ac32209c93a552cd067a427e797615ab2dcffc31043c31

SHA512
896bc71942fa6d7e0303b7d38e8a80cdd9526587e7bf433244c94bb3140c43d5cef2996f7a7971e0324fd54d7eb5ee8ecdb2a55e0c3b98ca4e0718d02c71706a

Download Submit
memory/984-0-0x00007FFB4E593000-0x00007FFB4E595000-memory.dmp

Filesize
8KB

Download
memory/984-1-0x0000000000010000-0x0000000001D80000-memory.dmp

Filesize
29.4MB

Download
memory/984-2-0x00007FFB4E590000-0x00007FFB4F052000-memory.dmp

Filesize
10.8MB

Download
memory/984-3-0x00007FFB4E593000-0x00007FFB4E595000-memory.dmp

Filesize
8KB

Download
memory/984-4-0x00007FFB4E590000-0x00007FFB4F052000-memory.dmp

Filesize
10.8MB

Download
memory/984-279-0x00007FFB4E590000-0x00007FFB4F052000-memory.dmp

Filesize
10.8MB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads