Analysis
- max time kernel: 123s
- max time network: 126s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 26-11-2020 08:13
Static task: static1
Behavioral task: behavioral1
- Sample: SecuriteInfo.com.Trojan.TaskDisabler.k5Y@aaTO94BT.2611.9681.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: SecuriteInfo.com.Trojan.TaskDisabler.k5Y@aaTO94BT.2611.9681.exe
- Resource: win10v20201028
General
- Target: SecuriteInfo.com.Trojan.TaskDisabler.k5Y@aaTO94BT.2611.9681.exe
- Size: 1.2MB
- MD5: 94e0fdb02e15e6aa0cbb0d0241a79c8d
- SHA1: fb2eae92ce3a5c8b558668db9ef5560451d6528d
- SHA256: 1e43c91ddfe9fab0e41657d423fe3c4fb87aad1993e5fb3f173bb36a268273f7
- SHA512: 341b1de271b3e861b4c9deb2a1d2a6a017e1ae0ca1700283f990385156ea9e3928d0a3a19f54ee97e0bb9a2765b8c670660c0a13695a520f2b79bfdc3eb953cd
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Processes:
  - SecuriteInfo.com.Trojan.TaskDisabler.k5Y@aaTO94BT.2611.9681.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\WINDOWS\\boohbahshell.exe"
- Disables Task Manager via registry modification
- Modifies WinLogon to allow AutoLogon (2 TTPs, 1 IoC)
  Enables rebooting of the machine without requiring login credentials.
  Processes:
  - LogonUI.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked
- Drops file in Windows directory (2 IoCs)
  Processes:
  - SecuriteInfo.com.Trojan.TaskDisabler.k5Y@aaTO94BT.2611.9681.exe: File created C:\WINDOWS\boohbahshell.exe
  - SecuriteInfo.com.Trojan.TaskDisabler.k5Y@aaTO94BT.2611.9681.exe: File created C:\WINDOWS\boohbahmain.exe
- Enumerates system info in registry (2 TTPs, 32 IoCs)
  Processes (all csrss.exe):
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Component Information
  - Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2
  - Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController
  - Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Component Information
  - Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Component Information
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Identifier
  - Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Configuration Data
  - Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Identifier
  - Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter
  - Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Component Information
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Configuration Data
  - Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\1\KeyboardController
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Component Information
  - Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Configuration Data
  - Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Identifier
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Identifier
  - Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Configuration Data
  - Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Configuration Data
  - Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController
  - Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral
  - Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Identifier
  - Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral
- Modifies data under HKEY_USERS (9 IoCs)
  Processes (all winlogon.exe):
  - Set value (data) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached\MachinePreferredUILanguages = 65006e002d00550053000000
  - Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager
  - Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LoadedBefore = "1"
  - Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastLoadedDPI = "96"
  - Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\DllName = "%SystemRoot%\\resources\\themes\\Aero\\Aero.msstyles"
  - Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\SizeName = "NormalSize"
  - Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ThemeActive = "1"
  - Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastUserLangID = "1033"
  - Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ColorName = "NormalColor"
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  - LogonUI.exe (PID 932): Token: SeShutdownPrivilege
  - LogonUI.exe (PID 932): Token: SeShutdownPrivilege
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes (source process -> target process):
  - csrss.exe (PID 788) wrote to memory of LogonUI.exe (PID 932)
  - csrss.exe (PID 788) wrote to memory of LogonUI.exe (PID 932)
  - winlogon.exe (PID 1960) wrote to memory of LogonUI.exe (PID 932)
  - winlogon.exe (PID 1960) wrote to memory of LogonUI.exe (PID 932)
  - winlogon.exe (PID 1960) wrote to memory of LogonUI.exe (PID 932)
  - csrss.exe (PID 788) wrote to memory of LogonUI.exe (PID 932)
  - csrss.exe (PID 788) wrote to memory of LogonUI.exe (PID 932)
  - csrss.exe (PID 788) wrote to memory of LogonUI.exe (PID 932)
  - csrss.exe (PID 788) wrote to memory of LogonUI.exe (PID 932)
  - csrss.exe (PID 788) wrote to memory of LogonUI.exe (PID 932)
  - csrss.exe (PID 788) wrote to memory of LogonUI.exe (PID 932)
  - csrss.exe (PID 788) wrote to memory of LogonUI.exe (PID 932)
  - csrss.exe (PID 788) wrote to memory of LogonUI.exe (PID 932)
Processes
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.TaskDisabler.k5Y@aaTO94BT.2611.9681.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.TaskDisabler.k5Y@aaTO94BT.2611.9681.exe"
  - Modifies WinLogon for persistence
  - Drops file in Windows directory
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x0
- C:\Windows\system32\csrss.exe
  Command line: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
  - Enumerates system info in registry
  - Suspicious use of WriteProcessMemory
- C:\Windows\system32\winlogon.exe
  Command line: winlogon.exe
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\LogonUI.exe
    Command line: "LogonUI.exe" /flags:0x0
    - Modifies WinLogon to allow AutoLogon
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/788-3-0x0000000000360000-0x0000000000362000-memory.dmp (8KB)
- memory/788-5-0x0000000000360000-0x0000000000362000-memory.dmp (8KB)
- memory/788-6-0x0000000000360000-0x0000000000362000-memory.dmp (8KB)
- memory/788-7-0x0000000000360000-0x0000000000362000-memory.dmp (8KB)
- memory/788-8-0x0000000000360000-0x0000000000362000-memory.dmp (8KB)
- memory/788-9-0x0000000000360000-0x0000000000362000-memory.dmp (8KB)
- memory/932-2-0x0000000000000000-mapping.dmp
- memory/1196-0-0x00000000027A0000-0x00000000027A1000-memory.dmp (4KB)
- memory/1960-10-0x0000000001F50000-0x0000000001F51000-memory.dmp (4KB)