14c9466ae2013053d20cf15258c8fcdf886e752542c7a0519fd39537d91c537b

Reason

Machine shutdown

General

Target

sample.html
Size

267KB
MD5

65624ae0f03e4b0b37b193246a35de15
SHA1

b91e192d5b0199ddf70bec6dbc5e6237791c80de
SHA256

14c9466ae2013053d20cf15258c8fcdf886e752542c7a0519fd39537d91c537b
SHA512

e3ab55d6104b4ba7c70f67e66e8663e461c6317df593d9478994abeb2292e5edef1bf1782d1535bf486a6618f6ff35ad05d6ddedd34570a0fa44d0d976c7a8f2
SSDEEP

3072:7Oh7Oi+0joZWm0ITADlNRzh4bgEJfzrIugDAwtN+Tl/jS4:7Oh7A0joZQITeRIgEJHIbCS4

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 4 IoCs

pid	Process
2468	SystemSettingsAdminFlows.exe
2468	SystemSettingsAdminFlows.exe
2468	SystemSettingsAdminFlows.exe
2468	SystemSettingsAdminFlows.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	SystemSettingsAdminFlows.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\Recovery\ReAgent.xml	bootim.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	bootim.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	bootim.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	bootim.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	bootim.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Logs\MoSetup\UpdateAgent.log	SystemSettingsAdminFlows.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	vds.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "165"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2964	bootim.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeBackupPrivilege	2468	SystemSettingsAdminFlows.exe
Token: SeRestorePrivilege	2468	SystemSettingsAdminFlows.exe
Token: SeSystemEnvironmentPrivilege	2468	SystemSettingsAdminFlows.exe
Token: SeBackupPrivilege	2468	SystemSettingsAdminFlows.exe
Token: SeRestorePrivilege	2468	SystemSettingsAdminFlows.exe
Token: SeSecurityPrivilege	2468	SystemSettingsAdminFlows.exe
Token: SeTakeOwnershipPrivilege	2468	SystemSettingsAdminFlows.exe
Token: SeBackupPrivilege	2468	SystemSettingsAdminFlows.exe
Token: SeRestorePrivilege	2468	SystemSettingsAdminFlows.exe
Token: SeSecurityPrivilege	2468	SystemSettingsAdminFlows.exe
Token: SeSystemEnvironmentPrivilege	2964	bootim.exe
Token: SeTakeOwnershipPrivilege	2964	bootim.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2468	SystemSettingsAdminFlows.exe
964	LogonUI.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\sample.html
1⤵
PID:3684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations=is-enterprise-managed=no --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --field-trial-handle=5220,i,4931345718161570516,7922954771140051020,262144 --variations-seed-version --mojo-platform-channel-handle=4156 /prefetch:1
1⤵
PID:1544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations=is-enterprise-managed=no --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --field-trial-handle=5168,i,4931345718161570516,7922954771140051020,262144 --variations-seed-version --mojo-platform-channel-handle=4636 /prefetch:1
1⤵
PID:3288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations=is-enterprise-managed=no --field-trial-handle=5600,i,4931345718161570516,7922954771140051020,262144 --variations-seed-version --mojo-platform-channel-handle=5632 /prefetch:8
1⤵
PID:2468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --string-annotations=is-enterprise-managed=no --field-trial-handle=5608,i,4931345718161570516,7922954771140051020,262144 --variations-seed-version --mojo-platform-channel-handle=5776 /prefetch:8
1⤵
PID:1992

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:3188

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:1756

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:4572

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:1276

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --string-annotations=is-enterprise-managed=no --field-trial-handle=6356,i,4931345718161570516,7922954771140051020,262144 --variations-seed-version --mojo-platform-channel-handle=6392 /prefetch:8
1⤵
PID:1072

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" FeaturedResetPC
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2468

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:4808

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:4704

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39ea055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:964

C:\Windows\system32\bootim.exe
bootim.exe /startpage:1
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$SysReset\CloudImage\metadata\Mitigation.dll

Filesize
274KB

MD5
efff7b0c3cee09f948249b2a9af29e15

SHA1
080a32cb0529c51713c6dd126d454c860ec5fd3a

SHA256
564f605edf447149045ef80d7bf4e70122eb805ab7d4d66d5a4f91e008bb0169

SHA512
85646bd8ab7c57c4e82d6e9f9f828756f1daae6b7e778c2d732f53b3f5694940c011ccebe47740a24e520da89d0568d96d06bed5ab92dbaf67ea5c5869ec71e1

Download Submit
C:\$SysReset\CloudImage\metadata\UAOneSettings.dll

Filesize
89KB

MD5
78b328548c8448827ca647ae43e90161

SHA1
f517c5ed4dbb8c5d77fd0124cfc189b1001dce1a

SHA256
2cc60156932d25c8330fd24e51ac7936872c48962b9e81471690ad7c28544a13

SHA512
b2200862d4ef1622437aef75b79b4d794fe5954148b0237eb4df215d2e59b3e36e709dd5be6294795ab08d772fe8e98f4a225dcb1e8d971f1d389145f9eb9e33

Download Submit
C:\$SysReset\CloudImage\metadata\UpdateAgent.dll

Filesize
2.7MB

MD5
dbbfda7fe9ac694006b4be3128355740

SHA1
dc6e7294e23df51e1cf1c1826ce82df0402e366a

SHA256
1756efcb1d74b3db8f04a7c991b718eb163a9d09a12099116f8e6c9fcdf0d387

SHA512
3eb42c2c32173477c462461b241edd7b950c8a99bb3191f9c3a85c472373c08b1ee8b4999bde14b7d4e31cf8aa9e37aad831ee45ec24a06e7145ea7e1940df87

Download Submit
C:\$SysReset\CloudImage\metadata\dpx.dll

Filesize
720KB

MD5
82d8d90873c7de32dbb3e4e4cba33355

SHA1
3bbe600238ba6c3bf73ad725cffbbded5d932521

SHA256
3b0ea223aecd9cae3440332d24cc00582571e37c7e85320f4eb7fabfe3ad9ca7

SHA512
0416343dcbeb7fbc3f1098131596a595ed7ccb5d64c8d0f622b831cd04aba08458e85ba97b58ae1bf7357c527f7ef824abdf0998c487abb2c7ef7fcfe5de9f35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2024-12-14.97.1756.1.odl

Filesize
706B

MD5
d1cef5bda23b7c2e21b16bb0143c5ab2

SHA1
edf5a7b1eea0c60452e450a85c02ea6411a72ba9

SHA256
abd18d4f9f2c913ec8186a1644ae5f2e700e5f3d4aba012c88238d33eebe67d2

SHA512
fe9b516992c7171099ffad99cc67e42e4ece6dcd8552605266a4edb095cc73a3ea63a5d3c0fcd403521d4396edf1d90713d6b1e467354e30fff7898d9c48e4cc

Download Submit
C:\Windows\System32\Recovery\ReAgent.xml

Filesize
1KB

MD5
d26d8de9a345cdbc75a5912f5c8497df

SHA1
39d4c60f4fb18adbe1140ccf6937a880cb9cdc6f

SHA256
80368320103bd12ed0b6b9f88535d4a309e6d7b291b1eff447a3dfb26d9a84d3

SHA512
651abcc3e46c2c2037612f1a8d1156037d2206124d24c68aaf9d35cc0182568013c38a0802f44a87f1889b27cbae1d1536104bda0e8441fbf1dee0f098a36195

Download Submit

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads