33a24ad4b225880bee5c9d40527022ea020daf2f6d7643269f4f739b3271f5de

Reason

Machine shutdown

General

Target

HRCComplaintProcedureForm (7).doc
Size

80KB
MD5

a411bb05ee4192202c88efdbd54552db
SHA1

6b0acf8175d39a1008bf9fb0d3c45bb63a3361e9
SHA256

33a24ad4b225880bee5c9d40527022ea020daf2f6d7643269f4f739b3271f5de
SHA512

6e424b2c2a7881d4969ddfaef595822f3d987e8fc49f578118c6d4ba25461ef53613405394f4ac366606ecfda08ede4d22f436f182aaee82ba9b5f7962cce6f4

Score

8^/10

ransomware bootkit

Malware Config

Signatures

Modifies WinLogon to allow AutoLogon 2 TTPs 1 IoCs
Enables rebooting of the machine without requiring login credentials.
ransomware bootkit

Winlogon Helper DLL
T1004

Modify Registry
T1112

Processes:

LogonUI.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked LogonUI.exe
Office loads VBA resources, possible macro or embedded object present

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked	LogonUI.exe

Enumerates system info in registry 2 TTPs 32 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

csrss.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Component Information	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Component Information	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\1\KeyboardController	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Identifier	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Identifier	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Identifier	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Configuration Data	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Configuration Data	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Component Information	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Identifier	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Configuration Data	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Component Information	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Configuration Data	csrss.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	csrss.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Component Information	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Configuration Data	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Identifier	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController	csrss.exe

Modifies data under HKEY_USERS 9 IoCs

Processes:

winlogon.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached\MachinePreferredUILanguages = 65006e002d00550053000000	winlogon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ColorName = "NormalColor"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\SizeName = "NormalSize"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ThemeActive = "1"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LoadedBefore = "1"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastUserLangID = "1033"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastLoadedDPI = "96"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\DllName = "%SystemRoot%\\resources\\themes\\Aero\\Aero.msstyles"	winlogon.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1588 WINWORD.EXE

pid	process
1588	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

7zG.exeLogonUI.exewinlogon.exe

description	pid	process
Token: SeRestorePrivilege	1948	7zG.exe
Token: 35	1948	7zG.exe
Token: SeSecurityPrivilege	1948	7zG.exe
Token: SeSecurityPrivilege	1948	7zG.exe
Token: SeShutdownPrivilege	1528	LogonUI.exe
Token: SeShutdownPrivilege	1528	LogonUI.exe
Token: SeSecurityPrivilege	1488	winlogon.exe
Token: SeBackupPrivilege	1488	winlogon.exe
Token: SeSecurityPrivilege	1488	winlogon.exe
Token: SeTcbPrivilege	1488	winlogon.exe
Token: SeShutdownPrivilege	1528	LogonUI.exe
Token: SeShutdownPrivilege	1528	LogonUI.exe
Token: SeShutdownPrivilege	1488	winlogon.exe
Token: SeShutdownPrivilege	1488	winlogon.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

7zG.exe

pid process

1948 7zG.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1588 WINWORD.EXE
1588 WINWORD.EXE

pid	process
1948	7zG.exe

pid	process
1588	WINWORD.EXE
1588	WINWORD.EXE

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

csrss.exewinlogon.exe

description	pid	process	target process
PID 1212 wrote to memory of 1528	1212	csrss.exe	LogonUI.exe
PID 1212 wrote to memory of 1528	1212	csrss.exe	LogonUI.exe
PID 1488 wrote to memory of 1528	1488	winlogon.exe	LogonUI.exe
PID 1488 wrote to memory of 1528	1488	winlogon.exe	LogonUI.exe
PID 1488 wrote to memory of 1528	1488	winlogon.exe	LogonUI.exe
PID 1212 wrote to memory of 1528	1212	csrss.exe	LogonUI.exe
PID 1212 wrote to memory of 1528	1212	csrss.exe	LogonUI.exe
PID 1212 wrote to memory of 1528	1212	csrss.exe	LogonUI.exe
PID 1212 wrote to memory of 1528	1212	csrss.exe	LogonUI.exe
PID 1212 wrote to memory of 1528	1212	csrss.exe	LogonUI.exe
PID 1212 wrote to memory of 1528	1212	csrss.exe	LogonUI.exe
PID 1212 wrote to memory of 1528	1212	csrss.exe	LogonUI.exe
PID 1212 wrote to memory of 1528	1212	csrss.exe	LogonUI.exe
PID 1212 wrote to memory of 1528	1212	csrss.exe	LogonUI.exe

C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\HRCComplaintProcedureForm (7).doc"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1588

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\BackupAssert\" -ad -an -ai#7zMap3088:84:7zEvent8777
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1948

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:1212

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1488

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
2⤵
- Modifies WinLogon to allow AutoLogon
- Suspicious use of AdjustPrivilegeToken
PID:1528

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:300

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:564

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/300-33-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1212-2-0x0000000000430000-0x0000000000432000-memory.dmp

Filesize
8KB

Download
memory/1212-4-0x0000000000430000-0x0000000000432000-memory.dmp

Filesize
8KB

Download
memory/1212-5-0x0000000000430000-0x0000000000432000-memory.dmp

Filesize
8KB

Download
memory/1212-6-0x0000000000430000-0x0000000000432000-memory.dmp

Filesize
8KB

Download
memory/1212-7-0x0000000000430000-0x0000000000432000-memory.dmp

Filesize
8KB

Download
memory/1212-8-0x0000000000430000-0x0000000000432000-memory.dmp

Filesize
8KB

Download
memory/1212-32-0x0000000000430000-0x0000000000432000-memory.dmp

Filesize
8KB

Download
memory/1488-19-0x00000000020D0000-0x00000000020D1000-memory.dmp

Filesize
4KB

Download
memory/1528-1-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads