b79f1eca7af5422c327e48dea7abf27af357f48694e0940b01db680c5e5f58b0

Reason

Machine shutdown

General

Target

DB VIMEWORLD.txt
Size

942.6MB
MD5

2900dc66ebe0b7d7c46e91e1663a6d9c
SHA1

6657cc5173c22aae15e019f6c3c1ed75aee0bf90
SHA256

b79f1eca7af5422c327e48dea7abf27af357f48694e0940b01db680c5e5f58b0
SHA512

87f06bbfbe49ba871c501a05c9003484d233dc95c632bc6170211cc89d329632cf01c2b35bf0f2858fac8d34b9b8428c0f2a4f44412a73ad4cae2fc9788d3dc4

Score

8^/10

ransomware bootkit

Malware Config

Signatures

Modifies WinLogon to allow AutoLogon 2 TTPs 1 IoCs
Enables rebooting of the machine without requiring login credentials.
ransomware bootkit

Winlogon Helper DLL
T1004

Modify Registry
T1112

Processes:

LogonUI.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked LogonUI.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked	LogonUI.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

LogonUI.exe

pid process

3760 LogonUI.exe
3760 LogonUI.exe

pid	process
3760	LogonUI.exe
3760	LogonUI.exe

C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\DB VIMEWORLD.txt"
1⤵
PID:732

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\928fbd9dfc5f4daa9ff42ed7007f214b /t 736 /p 732
1⤵
PID:4064

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3ac8855 /state1:0x41c64e6d
1⤵
- Modifies WinLogon to allow AutoLogon
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3760

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4064-0-0x00000256305A0000-0x00000256305A1000-memory.dmp

Filesize
4KB

Download
memory/4064-1-0x00000256305A0000-0x00000256305A1000-memory.dmp

Filesize
4KB

Download
memory/4064-2-0x00000256305A0000-0x00000256305A1000-memory.dmp

Filesize
4KB

Download
memory/4064-3-0x00000256305A0000-0x00000256305A1000-memory.dmp

Filesize
4KB

Download
memory/4064-4-0x00000256305A0000-0x00000256305A1000-memory.dmp

Filesize
4KB

Download
memory/4064-5-0x00000256305A0000-0x00000256305A1000-memory.dmp

Filesize
4KB

Download
memory/4064-6-0x00000256305A0000-0x00000256305A1000-memory.dmp

Filesize
4KB

Download
memory/4064-7-0x00000256305A0000-0x00000256305A1000-memory.dmp

Filesize
4KB

Download
memory/4064-8-0x00000256305A0000-0x00000256305A1000-memory.dmp

Filesize
4KB

Download
memory/4064-9-0x00000256305A0000-0x00000256305A1000-memory.dmp

Filesize
4KB

Download
memory/4064-10-0x00000256305A0000-0x00000256305A1000-memory.dmp

Filesize
4KB

Download
memory/4064-11-0x00000256305A0000-0x00000256305A1000-memory.dmp

Filesize
4KB

Download
memory/4064-12-0x00000256305A0000-0x00000256305A1000-memory.dmp

Filesize
4KB

Download
memory/4064-13-0x00000256305A0000-0x00000256305A1000-memory.dmp

Filesize
4KB

Download
memory/4064-14-0x00000256305A0000-0x00000256305A1000-memory.dmp

Filesize
4KB

Download
memory/4064-15-0x00000256305A0000-0x00000256305A1000-memory.dmp

Filesize
4KB

Download
memory/4064-16-0x00000256305A0000-0x00000256305A1000-memory.dmp

Filesize
4KB

Download
memory/4064-17-0x00000256305A0000-0x00000256305A1000-memory.dmp

Filesize
4KB

Download
memory/4064-18-0x00000256305A0000-0x00000256305A1000-memory.dmp

Filesize
4KB

Download
memory/4064-19-0x00000256305A0000-0x00000256305A1000-memory.dmp

Filesize
4KB

Download
memory/4064-20-0x00000256305A0000-0x00000256305A1000-memory.dmp

Filesize
4KB

Download
memory/4064-21-0x00000256305A0000-0x00000256305A1000-memory.dmp

Filesize
4KB

Download
memory/4064-22-0x00000256305A0000-0x00000256305A1000-memory.dmp

Filesize
4KB

Download
memory/4064-23-0x00000256305A0000-0x00000256305A1000-memory.dmp

Filesize
4KB

Download
memory/4064-24-0x00000256305A0000-0x00000256305A1000-memory.dmp

Filesize
4KB

Download
memory/4064-25-0x00000256305A0000-0x00000256305A1000-memory.dmp

Filesize
4KB

Download
memory/4064-26-0x00000256305A0000-0x00000256305A1000-memory.dmp

Filesize
4KB

Download
memory/4064-27-0x00000256305A0000-0x00000256305A1000-memory.dmp

Filesize
4KB

Download
memory/4064-28-0x00000256305A0000-0x00000256305A1000-memory.dmp

Filesize
4KB

Download
memory/4064-29-0x00000256305A0000-0x00000256305A1000-memory.dmp

Filesize
4KB

Download
memory/4064-30-0x00000256305A0000-0x00000256305A1000-memory.dmp

Filesize
4KB

Download
memory/4064-31-0x00000256305A0000-0x00000256305A1000-memory.dmp

Filesize
4KB

Download
memory/4064-32-0x00000256305A0000-0x00000256305A1000-memory.dmp

Filesize
4KB

Download
memory/4064-33-0x00000256305A0000-0x00000256305A1000-memory.dmp

Filesize
4KB

Download
memory/4064-34-0x00000256305A0000-0x00000256305A1000-memory.dmp

Filesize
4KB

Download
memory/4064-35-0x00000256305A0000-0x00000256305A1000-memory.dmp

Filesize
4KB

Download
memory/4064-36-0x00000256305A0000-0x00000256305A1000-memory.dmp

Filesize
4KB

Download
memory/4064-37-0x00000256305A0000-0x00000256305A1000-memory.dmp

Filesize
4KB

Download
memory/4064-38-0x00000256305A0000-0x00000256305A1000-memory.dmp

Filesize
4KB

Download
memory/4064-40-0x00000256305A0000-0x00000256305A1000-memory.dmp

Filesize
4KB

Download
memory/4064-39-0x00000256305A0000-0x00000256305A1000-memory.dmp

Filesize
4KB

Download
memory/4064-41-0x00000256305A0000-0x00000256305A1000-memory.dmp

Filesize
4KB

Download
memory/4064-42-0x00000256305A0000-0x00000256305A1000-memory.dmp

Filesize
4KB

Download
memory/4064-43-0x00000256305A0000-0x00000256305A1000-memory.dmp

Filesize
4KB

Download
memory/4064-45-0x00000256305A0000-0x00000256305A1000-memory.dmp

Filesize
4KB

Download
memory/4064-46-0x00000256305A0000-0x00000256305A1000-memory.dmp

Filesize
4KB

Download
memory/4064-47-0x00000256305A0000-0x00000256305A1000-memory.dmp

Filesize
4KB

Download
memory/4064-48-0x00000256305A0000-0x00000256305A1000-memory.dmp

Filesize
4KB

Download
memory/4064-49-0x00000256305A0000-0x00000256305A1000-memory.dmp

Filesize
4KB

Download
memory/4064-50-0x00000256305A0000-0x00000256305A1000-memory.dmp

Filesize
4KB

Download
memory/4064-44-0x00000256305A0000-0x00000256305A1000-memory.dmp

Filesize
4KB

Download
memory/4064-52-0x0000025630940000-0x0000025630941000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

Errors