69f40b23e0605683899e5df5d843266665790fce6c7e61fc84c7c85f53313dfa

Reason

Machine shutdown

General

Target

Atikus9Bumpers.exe
Size

278.1MB
MD5

c8e4fd178e3816a8507efd185f8f3b26
SHA1

b20226115f0d6330182b7ae9bdbfdb3855de6641
SHA256

69f40b23e0605683899e5df5d843266665790fce6c7e61fc84c7c85f53313dfa
SHA512

4e31091d35cd593531917c611d284907e43e473800464c22937443a5649d84de9b47fa6d33d06e6fdfb6ae177d5f10c6ead73fa42f10d8186037ec5096e60ff3

Score

8^/10

ransomware bootkit spyware

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

Atikus9Bumpers.exe

pid	process
1328	Atikus9Bumpers.exe
1328	Atikus9Bumpers.exe
1328	Atikus9Bumpers.exe
1328	Atikus9Bumpers.exe
1328	Atikus9Bumpers.exe
1328	Atikus9Bumpers.exe
1328	Atikus9Bumpers.exe
1328	Atikus9Bumpers.exe
1328	Atikus9Bumpers.exe
1328	Atikus9Bumpers.exe
1328	Atikus9Bumpers.exe
1328	Atikus9Bumpers.exe
1328	Atikus9Bumpers.exe
1328	Atikus9Bumpers.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Atikus9Bumpers.exe

description pid process

Token: SeDebugPrivilege 1328 Atikus9Bumpers.exe
Token: SeShutdownPrivilege 1328 Atikus9Bumpers.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ipinfo.io
Drops startup file 1 IoCs

Processes:

Atikus9Bumpers.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZIOCKDDHaHWHSKW.lnk Atikus9Bumpers.exe

description	pid	process
Token: SeDebugPrivilege	1328	Atikus9Bumpers.exe
Token: SeShutdownPrivilege	1328	Atikus9Bumpers.exe

flow	ioc
4	ipinfo.io

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZIOCKDDHaHWHSKW.lnk	Atikus9Bumpers.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe

Loads dropped DLL 1 IoCs

Processes:

Atikus9Bumpers.exe

pid process

1328 Atikus9Bumpers.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

2820 LogonUI.exe
Modifies WinLogon to allow AutoLogon 2 TTPs 1 IoCs
Enables rebooting of the machine without requiring login credentials.
ransomware bootkit

Winlogon Helper DLL
T1004

Modify Registry
T1112

Processes:

LogonUI.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked LogonUI.exe
Enumerates connected drives 3 TTPs

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2820	LogonUI.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked	LogonUI.exe

C:\Users\Admin\AppData\Local\Temp\Atikus9Bumpers.exe
"C:\Users\Admin\AppData\Local\Temp\Atikus9Bumpers.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Drops startup file
- Loads dropped DLL
PID:1328

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3ace055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
- Modifies WinLogon to allow AutoLogon
PID:2820