d5395f121277d2b38f4173c7df0a20a3de99edfcfe2aa697080cc81170eb76ab

max time kernel
31s
max time network
36s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
12/03/2025, 21:20

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

My-Skidded-malwares-main.zip
Size

106.4MB
MD5

d01f58a973cfceca5abbb124f8e580ff
SHA1

b60fd4d18c92322819300af17bc44e798d0ddef4
SHA256

d5395f121277d2b38f4173c7df0a20a3de99edfcfe2aa697080cc81170eb76ab
SHA512

81d6c94f56d53cd7fa29f5c1d9f8077a176b07b9a2c859b8525f6451660fb906dd960b71358ff870019990f541e816489c131a96b1fb2b7c66178a04ed35904d
SSDEEP

3145728:Sg2PlA+mrMHCwbc/bAjXC0P5JCe94RWQRVBCXD7:SJlmxTAj7PtGR9RVBE3

Score

7^/10

bootkit discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
868	❾➈➒.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CustomMBR = "C:\\Users\\Admin\\Desktop\\My-Skidded-malwares-main\\❾➈➒.exe -BypassWarning"	❾➈➒.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	❾➈➒.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	❾➈➒.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "228"	LogonUI.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
700	schtasks.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeRestorePrivilege	1800	7zG.exe
Token: 35	1800	7zG.exe
Token: SeSecurityPrivilege	1800	7zG.exe
Token: SeSecurityPrivilege	1800	7zG.exe
Token: SeShutdownPrivilege	868	❾➈➒.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1800	7zG.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
868	❾➈➒.exe
228	LogonUI.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 868 wrote to memory of 700	868	❾➈➒.exe	105
PID 868 wrote to memory of 700	868	❾➈➒.exe	105
PID 868 wrote to memory of 700	868	❾➈➒.exe	105

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\My-Skidded-malwares-main.zip
1⤵
PID:4460

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:228

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap18836:106:7zEvent28859
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1800

C:\Users\Admin\Desktop\My-Skidded-malwares-main\❾➈➒.exe
"C:\Users\Admin\Desktop\My-Skidded-malwares-main\❾➈➒.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:868
- C:\Windows\SysWOW64\schtasks.exe
  schtasks.exe /Create /TN CustomMBR /ru SYSTEM /SC ONSTART /TR "C:\Users\Admin\Desktop\My-Skidded-malwares-main\❾➈➒.exe -BypassWarning"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:700

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3950855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\My-Skidded-malwares-main\NazrinMBR.exe

Filesize
585KB

MD5
edd65f78ef00c65c4c1aaf6b0008bb6e

SHA1
15c89a818f1f77e37c5834ef0c1206ae503b88fe

SHA256
39f10bd32de22b4495d01191017485261a937ed1b60373720ae831feed973031

SHA512
0cf6ad704170fcd7c3b62ad2a7015e9f5ce520fe26533a83729b4bc9554d2b2bc7038afb84fe1207379d9af983f9bee263fa1b78fcea46ddac77785fa7d173dd

Download Submit
C:\Users\Admin\Desktop\My-Skidded-malwares-main\❾➈➒.exe

Filesize
765KB

MD5
e889a77cc88bb18d715d71b0b7299c3c

SHA1
8d55cbe8f51fd02619e97dab126238e4c1f970e9

SHA256
9eaf693c8eb41ff809960380f1a27b9341533f3ac13c5bd6317fc98dde473aaf

SHA512
bc3d1476f4f5e852291c98a3e05dd44a87a21d6046093671afa0ad24264a188a8298e685005006649a88447a841e256a8b7ff6a64542a5631da30758b15d1d10

Download Submit
memory/868-88-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads