1e43c91ddfe9fab0e41657d423fe3c4fb87aad1993e5fb3f173bb36a268273f7

General

Target

SecuriteInfo.com.Trojan.TaskDisabler.k5Y@aaTO94BT.2611.9681.exe
Size

1.2MB
MD5

94e0fdb02e15e6aa0cbb0d0241a79c8d
SHA1

fb2eae92ce3a5c8b558668db9ef5560451d6528d
SHA256

1e43c91ddfe9fab0e41657d423fe3c4fb87aad1993e5fb3f173bb36a268273f7
SHA512

341b1de271b3e861b4c9deb2a1d2a6a017e1ae0ca1700283f990385156ea9e3928d0a3a19f54ee97e0bb9a2765b8c670660c0a13695a520f2b79bfdc3eb953cd

Score

10^/10

bootkit evasion persistence ransomware

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

SecuriteInfo.com.Trojan.TaskDisabler.k5Y@aaTO94BT.2611.9681.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\WINDOWS\\boohbahshell.exe"	SecuriteInfo.com.Trojan.TaskDisabler.k5Y@aaTO94BT.2611.9681.exe

Disables Task Manager via registry modification
evasion
Modifies WinLogon to allow AutoLogon 2 TTPs 1 IoCs
Enables rebooting of the machine without requiring login credentials.
ransomware bootkit

Winlogon Helper DLL
T1004

Modify Registry
T1112

Processes:

LogonUI.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked LogonUI.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked	LogonUI.exe

Drops file in Windows directory 2 IoCs

Processes:

SecuriteInfo.com.Trojan.TaskDisabler.k5Y@aaTO94BT.2611.9681.exe

description	ioc	process
File created	C:\WINDOWS\boohbahshell.exe	SecuriteInfo.com.Trojan.TaskDisabler.k5Y@aaTO94BT.2611.9681.exe
File created	C:\WINDOWS\boohbahmain.exe	SecuriteInfo.com.Trojan.TaskDisabler.k5Y@aaTO94BT.2611.9681.exe

Enumerates system info in registry 2 TTPs 32 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

csrss.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Component Information	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Component Information	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Component Information	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Identifier	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Configuration Data	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Identifier	csrss.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	csrss.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Component Information	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Configuration Data	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\1\KeyboardController	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Component Information	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Configuration Data	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Identifier	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Identifier	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Configuration Data	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Configuration Data	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Identifier	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	csrss.exe

Modifies data under HKEY_USERS 9 IoCs

Processes:

winlogon.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached\MachinePreferredUILanguages = 65006e002d00550053000000	winlogon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LoadedBefore = "1"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastLoadedDPI = "96"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\DllName = "%SystemRoot%\\resources\\themes\\Aero\\Aero.msstyles"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\SizeName = "NormalSize"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ThemeActive = "1"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastUserLangID = "1033"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ColorName = "NormalColor"	winlogon.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

LogonUI.exe

description pid process

Token: SeShutdownPrivilege 932 LogonUI.exe
Token: SeShutdownPrivilege 932 LogonUI.exe

description	pid	process
Token: SeShutdownPrivilege	932	LogonUI.exe
Token: SeShutdownPrivilege	932	LogonUI.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

csrss.exewinlogon.exe

description	pid	process	target process
PID 788 wrote to memory of 932	788	csrss.exe	LogonUI.exe
PID 788 wrote to memory of 932	788	csrss.exe	LogonUI.exe
PID 1960 wrote to memory of 932	1960	winlogon.exe	LogonUI.exe
PID 1960 wrote to memory of 932	1960	winlogon.exe	LogonUI.exe
PID 1960 wrote to memory of 932	1960	winlogon.exe	LogonUI.exe
PID 788 wrote to memory of 932	788	csrss.exe	LogonUI.exe
PID 788 wrote to memory of 932	788	csrss.exe	LogonUI.exe
PID 788 wrote to memory of 932	788	csrss.exe	LogonUI.exe
PID 788 wrote to memory of 932	788	csrss.exe	LogonUI.exe
PID 788 wrote to memory of 932	788	csrss.exe	LogonUI.exe
PID 788 wrote to memory of 932	788	csrss.exe	LogonUI.exe
PID 788 wrote to memory of 932	788	csrss.exe	LogonUI.exe
PID 788 wrote to memory of 932	788	csrss.exe	LogonUI.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.TaskDisabler.k5Y@aaTO94BT.2611.9681.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.TaskDisabler.k5Y@aaTO94BT.2611.9681.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in Windows directory
PID:1904

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1196

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:788

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1960

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
2⤵
- Modifies WinLogon to allow AutoLogon
- Suspicious use of AdjustPrivilegeToken
PID:932

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

2

T1004

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/788-3-0x0000000000360000-0x0000000000362000-memory.dmp

Filesize
8KB

Download
memory/788-5-0x0000000000360000-0x0000000000362000-memory.dmp

Filesize
8KB

Download
memory/788-6-0x0000000000360000-0x0000000000362000-memory.dmp

Filesize
8KB

Download
memory/788-7-0x0000000000360000-0x0000000000362000-memory.dmp

Filesize
8KB

Download
memory/788-8-0x0000000000360000-0x0000000000362000-memory.dmp

Filesize
8KB

Download
memory/788-9-0x0000000000360000-0x0000000000362000-memory.dmp

Filesize
8KB

Download
memory/932-2-0x0000000000000000-mapping.dmp

Download
memory/1196-0-0x00000000027A0000-0x00000000027A1000-memory.dmp

Filesize
4KB

Download
memory/1960-10-0x0000000001F50000-0x0000000001F51000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads