903e81e3fdb527a15f694ca5a9b38b541b60491e53ee01fa30b9721dbb38cb35

Reason

Machine shutdown

General

Target

DualShot.bin.exe
Size

18KB
MD5

15c9143498141f0e29c2cc411c011649
SHA1

1b511413cd5a3e18b56684c4c68723125b749e95
SHA256

fed9e1bfcbd37a9f6df28c65adbb07ecc9745ed96a03ddaf3716d4324730b3df
SHA512

562677945e922043bfaaa08b66229d4467428364db08c7eedd8f5817171e74d561e2d736e21bea2382dad9ec3a40b51973f51ed09285a35b2fd2d21f5dd995a5

Score

8^/10

persistence ransomware bootkit

Malware Config

Signatures

Modifies WinLogon to allow AutoLogon 2 TTPs 1 IoCs
Enables rebooting of the machine without requiring login credentials.
ransomware bootkit

Winlogon Helper DLL
T1004

Modify Registry
T1112

Processes:

LogonUI.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked LogonUI.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked	LogonUI.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

DualShot.bin.exeDSNWIN7930.exe

description	pid	process	target process
PID 3692 wrote to memory of 420	3692	DualShot.bin.exe	DSNWIN7930.exe
PID 3692 wrote to memory of 420	3692	DualShot.bin.exe	DSNWIN7930.exe
PID 3692 wrote to memory of 644	3692	DualShot.bin.exe	cmd.exe
PID 3692 wrote to memory of 644	3692	DualShot.bin.exe	cmd.exe
PID 420 wrote to memory of 1292	420	DSNWIN7930.exe	shutdown.exe
PID 420 wrote to memory of 1292	420	DSNWIN7930.exe	shutdown.exe

Executes dropped EXE 1 IoCs

Processes:

DSNWIN7930.exe

pid process

420 DSNWIN7930.exe

pid	process
420	DSNWIN7930.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

DualShot.bin.exeDSNWIN7930.exeshutdown.exe

description	pid	process
Token: SeDebugPrivilege	3692	DualShot.bin.exe
Token: SeDebugPrivilege	420	DSNWIN7930.exe
Token: SeShutdownPrivilege	1292	shutdown.exe
Token: SeRemoteShutdownPrivilege	1292	shutdown.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

wlrmdr.exe

pid process

1524 wlrmdr.exe
1524 wlrmdr.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

wlrmdr.exeLogonUI.exe

pid process

1524 wlrmdr.exe
3436 LogonUI.exe

pid	process
1524	wlrmdr.exe
1524	wlrmdr.exe

pid	process
1524	wlrmdr.exe
3436	LogonUI.exe

Adds Run entry to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

DSNWIN7930.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\WINUPD31581 = "C:\\Users\\Admin\\AppData\\Local\\DSNWIN7930.exe /ainain C:\\Users\\Admin\\AppData\\Local\\Temp\\TMP78188.dat C:\\Users\\Admin\\AppData\\Local\\Temp\\TMP1093744.dat"	DSNWIN7930.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe

C:\Users\Admin\AppData\Local\Temp\DualShot.bin.exe
"C:\Users\Admin\AppData\Local\Temp\DualShot.bin.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
PID:3692

C:\Users\Admin\AppData\Local\DSNWIN7930.exe
"C:\Users\Admin\AppData\Local\DSNWIN7930.exe" /inin
2⤵
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Adds Run entry to start application
PID:420

C:\Windows\SYSTEM32\shutdown.exe
"shutdown" -r -t 60 -c "Please restart."
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1292

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c choice /c Y /n /d Y /t 3 & del "C:\Users\Admin\AppData\Local\Temp\DualShot.bin.exe"
2⤵
PID:644

C:\Windows\system32\choice.exe
choice /c Y /n /d Y /t 3
3⤵
PID:824

C:\Windows\system32\wlrmdr.exe
-s -1 -f 2 -t You're about to be signed out -m Please restart. -a 3
1⤵
PID:1520

C:\Windows\system32\wlrmdr.exe
-s -1 -f 2 -t You're about to be signed out -m Please restart. -a 3
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1524

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3acc855 /state1:0x41c64e6d
1⤵
- Modifies WinLogon to allow AutoLogon
- Suspicious use of SetWindowsHookEx
- Modifies data under HKEY_USERS
PID:3436

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\DSNWIN7930.exe

Download Submit
C:\Users\Admin\AppData\Local\DSNWIN7930.exe

Download Submit

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads