1e43c91ddfe9fab0e41657d423fe3c4fb87aad1993e5fb3f173bb36a268273f7

General

Target

SecuriteInfo.com.Trojan.TaskDisabler.k5Y@aaTO94BT.2611.9681.exe
Size

1.2MB
MD5

94e0fdb02e15e6aa0cbb0d0241a79c8d
SHA1

fb2eae92ce3a5c8b558668db9ef5560451d6528d
SHA256

1e43c91ddfe9fab0e41657d423fe3c4fb87aad1993e5fb3f173bb36a268273f7
SHA512

341b1de271b3e861b4c9deb2a1d2a6a017e1ae0ca1700283f990385156ea9e3928d0a3a19f54ee97e0bb9a2765b8c670660c0a13695a520f2b79bfdc3eb953cd

Score

10^/10

bootkit evasion persistence ransomware

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

SecuriteInfo.com.Trojan.TaskDisabler.k5Y@aaTO94BT.2611.9681.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\WINDOWS\\boohbahshell.exe"	SecuriteInfo.com.Trojan.TaskDisabler.k5Y@aaTO94BT.2611.9681.exe

Disables Task Manager via registry modification
evasion
Modifies WinLogon to allow AutoLogon 2 TTPs 1 IoCs
Enables rebooting of the machine without requiring login credentials.
ransomware bootkit

Winlogon Helper DLL
T1004

Modify Registry
T1112

Processes:

LogonUI.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked LogonUI.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked	LogonUI.exe

Drops file in Windows directory 2 IoCs

Processes:

SecuriteInfo.com.Trojan.TaskDisabler.k5Y@aaTO94BT.2611.9681.exe

description	ioc	process
File created	C:\WINDOWS\boohbahshell.exe	SecuriteInfo.com.Trojan.TaskDisabler.k5Y@aaTO94BT.2611.9681.exe
File created	C:\WINDOWS\boohbahmain.exe	SecuriteInfo.com.Trojan.TaskDisabler.k5Y@aaTO94BT.2611.9681.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe

Suspicious behavior: LoadsDriver 35773 IoCs

Processes:

pid	process
3808
3748
1904
3680
3712
4052
3084
2824
3248
416
508
2840
3148
2636
3672
2596
212
208
1940
1364
940
3656
2912
2308
2224
3184
2696
2620
3464
3368
1308
1172
1340
1168
1532
4080
748
3740
2132
2128
3804
2088
3268
2568
3468
1264
3824
3908
900
2936
3936
3768
3932
3976
3036
644
3904
3424
2856
3836
3868
3872
3760
3708

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

960 LogonUI.exe

pid	process
960	LogonUI.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.TaskDisabler.k5Y@aaTO94BT.2611.9681.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.TaskDisabler.k5Y@aaTO94BT.2611.9681.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in Windows directory
PID:640

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3ad1055 /state1:0x41c64e6d
1⤵
- Modifies WinLogon to allow AutoLogon
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:960

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

2

T1004

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads