7bd916d7a49e2730dc0df55360e634c271bc3d2120052b67e2d76eb1fff3711d

General

Target

7bd916d7a49e2730dc0df55360e634c271bc3d2120052b67e2d76eb1fff3711d.exe
Size

5.8MB
MD5

e0fcab5451ba3ef48206e7f177d236a4
SHA1

f2be770730720167c2bdd45fb691916cec21d23d
SHA256

7bd916d7a49e2730dc0df55360e634c271bc3d2120052b67e2d76eb1fff3711d
SHA512

143f380bce1ef43ff2910da4fea7d4245eacc2208cfc8df20e1ae095470233e9b1b2568f143333f58499df4956491e4893a5cf8735071e8d7102b58e28344086

Score

7^/10

persistence

Malware Config

Signatures

Makes http(s) request 1 IoCs

Contacts server via http/https, possibly for C2 communication.

Processes:

description	flow	ioc
HTTP URL	2	http://api.keen.io/3.0/projects/57b37f2f80a7bd714c4f66d0/events/key?api_key=f6e3537decd42999efaa57798b66df8aeb7cece04ae830e2c449a547ba629e6724e812fd7327cee0557d96c9bee474d127199290ecd9e3863ea67cf4963b8e02197133375d52d92e656f0490bfeaadf3004db0b1c85f1cfde1c81a9aadd2cc5d&data=eyAia2V5IjogInp1cGs3ZXN1MXc3aExkQnV5ZzhWdkVvWDNUQW8yd0lWIiwgInVzZXJuYW1lIjogIkFkbWluIiwgImlwX2FkZHJlc3MiOiIke2tlZW4uaXB9Iiwia2VlbiI6eyJhZGRvbnMiOlt7Im5hbWUiOiJrZWVuOmlwX3RvX2dlbyIsImlucHV0Ijp7ImlwIjoiaXBfYWRkcmVzcyJ9LCJvdXRwdXQiOiJpcF9nZW9faW5mbyJ9XX19

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe

Modifies Winlogon 2 TTPs 1 IoCs
persistence

Winlogon Helper DLL
T1004

Modify Registry
T1112

Processes:

LogonUI.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked LogonUI.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked	LogonUI.exe

Drops startup file 1 IoCs

Processes:

7bd916d7a49e2730dc0df55360e634c271bc3d2120052b67e2d76eb1fff3711d.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\decrypt.exe	7bd916d7a49e2730dc0df55360e634c271bc3d2120052b67e2d76eb1fff3711d.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

7bd916d7a49e2730dc0df55360e634c271bc3d2120052b67e2d76eb1fff3711d.exe7bd916d7a49e2730dc0df55360e634c271bc3d2120052b67e2d76eb1fff3711d.execmd.exe

description	pid	process	target process
PID 4008 wrote to memory of 3992	4008	7bd916d7a49e2730dc0df55360e634c271bc3d2120052b67e2d76eb1fff3711d.exe	7bd916d7a49e2730dc0df55360e634c271bc3d2120052b67e2d76eb1fff3711d.exe
PID 4008 wrote to memory of 3992	4008	7bd916d7a49e2730dc0df55360e634c271bc3d2120052b67e2d76eb1fff3711d.exe	7bd916d7a49e2730dc0df55360e634c271bc3d2120052b67e2d76eb1fff3711d.exe
PID 4008 wrote to memory of 3992	4008	7bd916d7a49e2730dc0df55360e634c271bc3d2120052b67e2d76eb1fff3711d.exe	7bd916d7a49e2730dc0df55360e634c271bc3d2120052b67e2d76eb1fff3711d.exe
PID 3992 wrote to memory of 1832	3992	7bd916d7a49e2730dc0df55360e634c271bc3d2120052b67e2d76eb1fff3711d.exe	cmd.exe
PID 3992 wrote to memory of 1832	3992	7bd916d7a49e2730dc0df55360e634c271bc3d2120052b67e2d76eb1fff3711d.exe	cmd.exe
PID 3992 wrote to memory of 1832	3992	7bd916d7a49e2730dc0df55360e634c271bc3d2120052b67e2d76eb1fff3711d.exe	cmd.exe
PID 1832 wrote to memory of 3840	1832	cmd.exe	shutdown.exe
PID 1832 wrote to memory of 3840	1832	cmd.exe	shutdown.exe
PID 1832 wrote to memory of 3840	1832	cmd.exe	shutdown.exe

Loads dropped DLL 5 IoCs

Processes:

7bd916d7a49e2730dc0df55360e634c271bc3d2120052b67e2d76eb1fff3711d.exe

pid	process
3992	7bd916d7a49e2730dc0df55360e634c271bc3d2120052b67e2d76eb1fff3711d.exe
3992	7bd916d7a49e2730dc0df55360e634c271bc3d2120052b67e2d76eb1fff3711d.exe
3992	7bd916d7a49e2730dc0df55360e634c271bc3d2120052b67e2d76eb1fff3711d.exe
3992	7bd916d7a49e2730dc0df55360e634c271bc3d2120052b67e2d76eb1fff3711d.exe
3992	7bd916d7a49e2730dc0df55360e634c271bc3d2120052b67e2d76eb1fff3711d.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

shutdown.exe

description pid process

Token: SeShutdownPrivilege 3840 shutdown.exe
Token: SeRemoteShutdownPrivilege 3840 shutdown.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

LogonUI.exe

pid process

3868 LogonUI.exe
3868 LogonUI.exe

description	pid	process
Token: SeShutdownPrivilege	3840	shutdown.exe
Token: SeRemoteShutdownPrivilege	3840	shutdown.exe

pid	process
3868	LogonUI.exe
3868	LogonUI.exe

C:\Users\Admin\AppData\Local\Temp\7bd916d7a49e2730dc0df55360e634c271bc3d2120052b67e2d76eb1fff3711d.exe
"C:\Users\Admin\AppData\Local\Temp\7bd916d7a49e2730dc0df55360e634c271bc3d2120052b67e2d76eb1fff3711d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4008

C:\Users\Admin\AppData\Local\Temp\7bd916d7a49e2730dc0df55360e634c271bc3d2120052b67e2d76eb1fff3711d.exe
"C:\Users\Admin\AppData\Local\Temp\7bd916d7a49e2730dc0df55360e634c271bc3d2120052b67e2d76eb1fff3711d.exe"
2⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
- Loads dropped DLL
PID:3992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c shutdown -r -t 0
3⤵
- Suspicious use of WriteProcessMemory
PID:1832

C:\Windows\SysWOW64\shutdown.exe
shutdown -r -t 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3840

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3b3a855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Modifies Winlogon
- Suspicious use of SetWindowsHookEx
PID:3868

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI40082\python27.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40082\test.exe.manifest

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40~1\_ctypes.pyd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40~1\_hashlib.pyd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40~1\_socket.pyd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40~1\_ssl.pyd

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI40082\python27.dll

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI40~1\_ctypes.pyd

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI40~1\_hashlib.pyd

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI40~1\_socket.pyd

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI40~1\_ssl.pyd

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads