Resubmissions
23-04-2020 11:35
200423-dt293wkflj (score 7)
Analysis
max time kernel: 31s
max time network: 80s
platform: windows10_x64
resource: win10v200410
submitted: 23-04-2020 11:35
Static task: static1
Behavioral task: behavioral1
Sample: 7bd916d7a49e2730dc0df55360e634c271bc3d2120052b67e2d76eb1fff3711d.exe
Resource: win10v200410
Platform: windows10_x64
0 signatures
0 seconds
General
Target: 7bd916d7a49e2730dc0df55360e634c271bc3d2120052b67e2d76eb1fff3711d.exe
Size: 5.8MB
MD5: e0fcab5451ba3ef48206e7f177d236a4
SHA1: f2be770730720167c2bdd45fb691916cec21d23d
SHA256: 7bd916d7a49e2730dc0df55360e634c271bc3d2120052b67e2d76eb1fff3711d
SHA512: 143f380bce1ef43ff2910da4fea7d4245eacc2208cfc8df20e1ae095470233e9b1b2568f143333f58499df4956491e4893a5cf8735071e8d7102b58e28344086
Score: 7/10
Malware Config
Signatures
-
Makes http(s) request 1 IoCs
Contacts server via http/https, possibly for C2 communication.
Processes:
description | flow | ioc
HTTP URL | 2 | http://api.keen.io/3.0/projects/57b37f2f80a7bd714c4f66d0/events/key?api_key=f6e3537decd42999efaa57798b66df8aeb7cece04ae830e2c449a547ba629e6724e812fd7327cee0557d96c9bee474d127199290ecd9e3863ea67cf4963b8e02197133375d52d92e656f0490bfeaadf3004db0b1c85f1cfde1c81a9aadd2cc5d&data=eyAia2V5IjogInp1cGs3ZXN1MXc3aExkQnV5ZzhWdkVvWDNUQW8yd0lWIiwgInVzZXJuYW1lIjogIkFkbWluIiwgImlwX2FkZHJlc3MiOiIke2tlZW4uaXB9Iiwia2VlbiI6eyJhZGRvbnMiOlt7Im5hbWUiOiJrZWVuOmlwX3RvX2dlbyIsImlucHV0Ijp7ImlwIjoiaXBfYWRkcmVzcyJ9LCJvdXRwdXQiOiJpcF9nZW9faW5mbyJ9XX19
Modifies data under HKEY_USERS 15 IoCs
Processes: LogonUI.exe
description | ioc | process
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | LogonUI.exe
Modifies Winlogon 2 TTPs 1 IoCs
Processes: LogonUI.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked | LogonUI.exe
Drops startup file 1 IoCs
Processes: 7bd916d7a49e2730dc0df55360e634c271bc3d2120052b67e2d76eb1fff3711d.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\decrypt.exe | 7bd916d7a49e2730dc0df55360e634c271bc3d2120052b67e2d76eb1fff3711d.exe
Suspicious use of WriteProcessMemory 9 IoCs
Processes: 7bd916d7a49e2730dc0df55360e634c271bc3d2120052b67e2d76eb1fff3711d.exe, 7bd916d7a49e2730dc0df55360e634c271bc3d2120052b67e2d76eb1fff3711d.exe, cmd.exe
description | pid | process | target process
PID 4008 wrote to memory of 3992 | 4008 | 7bd916d7a49e2730dc0df55360e634c271bc3d2120052b67e2d76eb1fff3711d.exe | 7bd916d7a49e2730dc0df55360e634c271bc3d2120052b67e2d76eb1fff3711d.exe
PID 4008 wrote to memory of 3992 | 4008 | 7bd916d7a49e2730dc0df55360e634c271bc3d2120052b67e2d76eb1fff3711d.exe | 7bd916d7a49e2730dc0df55360e634c271bc3d2120052b67e2d76eb1fff3711d.exe
PID 4008 wrote to memory of 3992 | 4008 | 7bd916d7a49e2730dc0df55360e634c271bc3d2120052b67e2d76eb1fff3711d.exe | 7bd916d7a49e2730dc0df55360e634c271bc3d2120052b67e2d76eb1fff3711d.exe
PID 3992 wrote to memory of 1832 | 3992 | 7bd916d7a49e2730dc0df55360e634c271bc3d2120052b67e2d76eb1fff3711d.exe | cmd.exe
PID 3992 wrote to memory of 1832 | 3992 | 7bd916d7a49e2730dc0df55360e634c271bc3d2120052b67e2d76eb1fff3711d.exe | cmd.exe
PID 3992 wrote to memory of 1832 | 3992 | 7bd916d7a49e2730dc0df55360e634c271bc3d2120052b67e2d76eb1fff3711d.exe | cmd.exe
PID 1832 wrote to memory of 3840 | 1832 | cmd.exe | shutdown.exe
PID 1832 wrote to memory of 3840 | 1832 | cmd.exe | shutdown.exe
PID 1832 wrote to memory of 3840 | 1832 | cmd.exe | shutdown.exe
Loads dropped DLL 5 IoCs
Processes: 7bd916d7a49e2730dc0df55360e634c271bc3d2120052b67e2d76eb1fff3711d.exe
pid | process
3992 | 7bd916d7a49e2730dc0df55360e634c271bc3d2120052b67e2d76eb1fff3711d.exe
3992 | 7bd916d7a49e2730dc0df55360e634c271bc3d2120052b67e2d76eb1fff3711d.exe
3992 | 7bd916d7a49e2730dc0df55360e634c271bc3d2120052b67e2d76eb1fff3711d.exe
3992 | 7bd916d7a49e2730dc0df55360e634c271bc3d2120052b67e2d76eb1fff3711d.exe
3992 | 7bd916d7a49e2730dc0df55360e634c271bc3d2120052b67e2d76eb1fff3711d.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: shutdown.exe
description | pid | process
Token: SeShutdownPrivilege | 3840 | shutdown.exe
Token: SeRemoteShutdownPrivilege | 3840 | shutdown.exe
Suspicious use of SetWindowsHookEx 2 IoCs
Processes: LogonUI.exe
pid | process
3868 | LogonUI.exe
3868 | LogonUI.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\7bd916d7a49e2730dc0df55360e634c271bc3d2120052b67e2d76eb1fff3711d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7bd916d7a49e2730dc0df55360e634c271bc3d2120052b67e2d76eb1fff3711d.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\7bd916d7a49e2730dc0df55360e634c271bc3d2120052b67e2d76eb1fff3711d.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\7bd916d7a49e2730dc0df55360e634c271bc3d2120052b67e2d76eb1fff3711d.exe"
    - Drops startup file
    - Suspicious use of WriteProcessMemory
    - Loads dropped DLL
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c shutdown -r -t 0
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\shutdown.exe
        Command line: shutdown -r -t 0
        - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x0 /state0:0xa3b3a855 /state1:0x41c64e6d
  - Modifies data under HKEY_USERS
  - Modifies Winlogon
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\_MEI40082\python27.dll
- C:\Users\Admin\AppData\Local\Temp\_MEI40082\test.exe.manifest
- C:\Users\Admin\AppData\Local\Temp\_MEI40~1\_ctypes.pyd
- C:\Users\Admin\AppData\Local\Temp\_MEI40~1\_hashlib.pyd
- C:\Users\Admin\AppData\Local\Temp\_MEI40~1\_socket.pyd
- C:\Users\Admin\AppData\Local\Temp\_MEI40~1\_ssl.pyd
- \Users\Admin\AppData\Local\Temp\_MEI40082\python27.dll
- \Users\Admin\AppData\Local\Temp\_MEI40~1\_ctypes.pyd
- \Users\Admin\AppData\Local\Temp\_MEI40~1\_hashlib.pyd
- \Users\Admin\AppData\Local\Temp\_MEI40~1\_socket.pyd
- \Users\Admin\AppData\Local\Temp\_MEI40~1\_ssl.pyd