91697fa6d5e1a59f0c71e7ae0f2a8928879a8522901153708d09bfe430bfa7cb

Reason

Machine shutdown

General

Target

02ae530ebb33ee8528ac0b9061d41216d3f3d4dcd8e9b0fe7f7cd0511247b7df.exe
Size

54KB
MD5

cdb6e431b4eeb2909b1cf198f70ae444
SHA1

98205803babd17587e99913934eb6975c3dc8779
SHA256

02ae530ebb33ee8528ac0b9061d41216d3f3d4dcd8e9b0fe7f7cd0511247b7df
SHA512

c24c5b4c3d1b9355db8e82aa3c1c228e12b107c2f2ad76ac5e1ec62dda516cbe2237b1839547ff80e9059a3f2debc1cf07daf30dc3dad2b579aa4eddb9ba33a0

Score

8^/10

bootkit persistence ransomware

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

EyeCry.exe

pid process

2076 EyeCry.exe
Modifies WinLogon to allow AutoLogon 2 TTPs 1 IoCs
Enables rebooting of the machine without requiring login credentials.
ransomware bootkit

Winlogon Helper DLL
T1004

Modify Registry
T1112

Processes:

LogonUI.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked LogonUI.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

EyeCry.exe

description ioc process

File opened for modification \??\PhysicalDrive0 EyeCry.exe

pid	process
2076	EyeCry.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked	LogonUI.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	EyeCry.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

shutdown.exeshutdown.exe

description	pid	process
Token: SeShutdownPrivilege	2192	shutdown.exe
Token: SeRemoteShutdownPrivilege	2192	shutdown.exe
Token: SeShutdownPrivilege	2824	shutdown.exe
Token: SeRemoteShutdownPrivilege	2824	shutdown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

2592 LogonUI.exe

pid	process
2592	LogonUI.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

02ae530ebb33ee8528ac0b9061d41216d3f3d4dcd8e9b0fe7f7cd0511247b7df.exeEyeCry.exe

description	pid	process	target process
PID 2868 wrote to memory of 2076	2868	02ae530ebb33ee8528ac0b9061d41216d3f3d4dcd8e9b0fe7f7cd0511247b7df.exe	EyeCry.exe
PID 2868 wrote to memory of 2076	2868	02ae530ebb33ee8528ac0b9061d41216d3f3d4dcd8e9b0fe7f7cd0511247b7df.exe	EyeCry.exe
PID 2868 wrote to memory of 2076	2868	02ae530ebb33ee8528ac0b9061d41216d3f3d4dcd8e9b0fe7f7cd0511247b7df.exe	EyeCry.exe
PID 2076 wrote to memory of 2192	2076	EyeCry.exe	shutdown.exe
PID 2076 wrote to memory of 2192	2076	EyeCry.exe	shutdown.exe
PID 2076 wrote to memory of 2192	2076	EyeCry.exe	shutdown.exe
PID 2076 wrote to memory of 2824	2076	EyeCry.exe	shutdown.exe
PID 2076 wrote to memory of 2824	2076	EyeCry.exe	shutdown.exe
PID 2076 wrote to memory of 2824	2076	EyeCry.exe	shutdown.exe

C:\Users\Admin\AppData\Local\Temp\02ae530ebb33ee8528ac0b9061d41216d3f3d4dcd8e9b0fe7f7cd0511247b7df.exe
"C:\Users\Admin\AppData\Local\Temp\02ae530ebb33ee8528ac0b9061d41216d3f3d4dcd8e9b0fe7f7cd0511247b7df.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2868

C:\Users\Admin\AppData\Local\Temp\EyeCry.exe
"C:\Users\Admin\AppData\Local\Temp\EyeCry.exe"
2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of WriteProcessMemory
PID:2076

C:\Windows\SysWOW64\shutdown.exe
shutdown.exe -r -f -t 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2192

C:\Windows\SysWOW64\shutdown.exe
C:\Windows\System32\shutdown.exe -r -f -t 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2824

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3ad1055 /state1:0x41c64e6d
1⤵
- Modifies WinLogon to allow AutoLogon
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2592

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\EyeCry.exe
MD5
89aa34d7e47e5eaf4fca900c8b512f4f

SHA1
e91e288a5279a981759e1574fbba672c5cd0a6c0

SHA256
be382041837eb1dfd57227858359a56ecd4be9a5902b399bb684c9c7d9606f15

SHA512
f05058b4320799ec2ec1fc9c6224da71e390b36c2c8394b9924ff9889e8f72165823d327aaa130b0c1c9e1a43c8bcf7a086ae4059c94647b66e53d653c8c83e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\EyeCry.exe
MD5
89aa34d7e47e5eaf4fca900c8b512f4f

SHA1
e91e288a5279a981759e1574fbba672c5cd0a6c0

SHA256
be382041837eb1dfd57227858359a56ecd4be9a5902b399bb684c9c7d9606f15

SHA512
f05058b4320799ec2ec1fc9c6224da71e390b36c2c8394b9924ff9889e8f72165823d327aaa130b0c1c9e1a43c8bcf7a086ae4059c94647b66e53d653c8c83e6

Download Submit
memory/2076-0-0x0000000000000000-mapping.dmp

Download
memory/2192-3-0x0000000000000000-mapping.dmp

Download
memory/2824-4-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads