903e81e3fdb527a15f694ca5a9b38b541b60491e53ee01fa30b9721dbb38cb35

Reason

Machine shutdown

General

Target

DualShot.bin.exe
Size

18KB
MD5

15c9143498141f0e29c2cc411c011649
SHA1

1b511413cd5a3e18b56684c4c68723125b749e95
SHA256

fed9e1bfcbd37a9f6df28c65adbb07ecc9745ed96a03ddaf3716d4324730b3df
SHA512

562677945e922043bfaaa08b66229d4467428364db08c7eedd8f5817171e74d561e2d736e21bea2382dad9ec3a40b51973f51ed09285a35b2fd2d21f5dd995a5

Score

8^/10

persistence ransomware bootkit

Malware Config

Signatures

Modifies WinLogon to allow AutoLogon 2 TTPs 1 IoCs

Enables rebooting of the machine without requiring login credentials.

ransomware bootkit

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked	LogonUI.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3692 wrote to memory of 420	3692	DualShot.bin.exe	66
PID 3692 wrote to memory of 420	3692	DualShot.bin.exe	66
PID 3692 wrote to memory of 644	3692	DualShot.bin.exe	67
PID 3692 wrote to memory of 644	3692	DualShot.bin.exe	67
PID 420 wrote to memory of 1292	420	DSNWIN7930.exe	71
PID 420 wrote to memory of 1292	420	DSNWIN7930.exe	71

Executes dropped EXE 1 IoCs

pid	Process
420	DSNWIN7930.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3692	DualShot.bin.exe
Token: SeDebugPrivilege	420	DSNWIN7930.exe
Token: SeShutdownPrivilege	1292	shutdown.exe
Token: SeRemoteShutdownPrivilege	1292	shutdown.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1524	wlrmdr.exe
1524	wlrmdr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1524	wlrmdr.exe
3436	LogonUI.exe

Adds Run entry to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\WINUPD31581 = "C:\\Users\\Admin\\AppData\\Local\\DSNWIN7930.exe /ainain C:\\Users\\Admin\\AppData\\Local\\Temp\\TMP78188.dat C:\\Users\\Admin\\AppData\\Local\\Temp\\TMP1093744.dat"	DSNWIN7930.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe

C:\Users\Admin\AppData\Local\Temp\DualShot.bin.exe
"C:\Users\Admin\AppData\Local\Temp\DualShot.bin.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
PID:3692
- C:\Users\Admin\AppData\Local\DSNWIN7930.exe
  "C:\Users\Admin\AppData\Local\DSNWIN7930.exe" /inin
  2⤵
  - Suspicious use of WriteProcessMemory
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Adds Run entry to start application
  PID:420
- - C:\Windows\SYSTEM32\shutdown.exe
    "shutdown" -r -t 60 -c "Please restart."
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1292
- C:\Windows\SYSTEM32\cmd.exe
  "cmd" /c choice /c Y /n /d Y /t 3 & del "C:\Users\Admin\AppData\Local\Temp\DualShot.bin.exe"
  2⤵
  PID:644
- - C:\Windows\system32\choice.exe
    choice /c Y /n /d Y /t 3
    3⤵
    PID:824

C:\Windows\system32\wlrmdr.exe
-s -1 -f 2 -t You're about to be signed out -m Please restart. -a 3
1⤵
PID:1520

C:\Windows\system32\wlrmdr.exe
-s -1 -f 2 -t You're about to be signed out -m Please restart. -a 3
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1524

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3acc855 /state1:0x41c64e6d
1⤵
- Modifies WinLogon to allow AutoLogon
- Suspicious use of SetWindowsHookEx
- Modifies data under HKEY_USERS
PID:3436

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads