f1bbcc5c678d174d858ae089f4494e3ea8bcfc418098d61804a15e437f08aff7

Target

[email protected]
Size

315KB
MD5

9f8bc96c96d43ecb69f883388d228754
SHA1

61ed25a706afa2f6684bb4d64f69c5fb29d20953
SHA256

7d373ccb96d1dbb1856ef31afa87c2112a0c1795a796ab01cb154700288afec5
SHA512

550a891c1059f58aa983138caf65a7ea9c326cb1b94c15f3e7594128f6e9f1295b9c2dbc0925637dba7c94e938083fffc6a63dc7c2e5b1e247679931cce505c6

Score

10^/10

bootkit evasion persistence ransomware trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\system.exe"	reg.exe

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

Executes dropped EXE 1 IoCs

pid	Process
2532	system.exe

Modifies WinLogon to allow AutoLogon 2 TTPs 1 IoCs

Enables rebooting of the machine without requiring login credentials.

ransomware bootkit

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked	LogonUI.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Users\\Admin\\AppData\\Local\\system.exe"	reg.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
208	SCHTASKS.exe

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\Accessibility\StickyKeys	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\Accessibility\StickyKeys\Flags = "506"	reg.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2740	wlrmdr.exe
2740	wlrmdr.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3028	shutdown.exe
Token: SeRemoteShutdownPrivilege	3028	shutdown.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2740	wlrmdr.exe
3856	LogonUI.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 744 wrote to memory of 2532	744	[email protected]	75
PID 744 wrote to memory of 2532	744	[email protected]	75
PID 744 wrote to memory of 2532	744	[email protected]	75
PID 2532 wrote to memory of 1320	2532	system.exe	76
PID 2532 wrote to memory of 1320	2532	system.exe	76
PID 2532 wrote to memory of 1320	2532	system.exe	76
PID 2532 wrote to memory of 208	2532	system.exe	78
PID 2532 wrote to memory of 208	2532	system.exe	78
PID 2532 wrote to memory of 208	2532	system.exe	78
PID 2532 wrote to memory of 1492	2532	system.exe	80
PID 2532 wrote to memory of 1492	2532	system.exe	80
PID 2532 wrote to memory of 1492	2532	system.exe	80
PID 2532 wrote to memory of 1200	2532	system.exe	81
PID 2532 wrote to memory of 1200	2532	system.exe	81
PID 2532 wrote to memory of 1200	2532	system.exe	81
PID 2532 wrote to memory of 3928	2532	system.exe	82
PID 2532 wrote to memory of 3928	2532	system.exe	82
PID 2532 wrote to memory of 3928	2532	system.exe	82
PID 2532 wrote to memory of 3604	2532	system.exe	84
PID 2532 wrote to memory of 3604	2532	system.exe	84
PID 2532 wrote to memory of 3604	2532	system.exe	84
PID 2532 wrote to memory of 3508	2532	system.exe	86
PID 2532 wrote to memory of 3508	2532	system.exe	86
PID 2532 wrote to memory of 3508	2532	system.exe	86
PID 2532 wrote to memory of 2168	2532	system.exe	88
PID 2532 wrote to memory of 2168	2532	system.exe	88
PID 2532 wrote to memory of 2168	2532	system.exe	88
PID 2168 wrote to memory of 3148	2168	cmd.exe	97
PID 2168 wrote to memory of 3148	2168	cmd.exe	97
PID 2168 wrote to memory of 3148	2168	cmd.exe	97
PID 1492 wrote to memory of 3164	1492	cmd.exe	92
PID 1492 wrote to memory of 3164	1492	cmd.exe	92
PID 1492 wrote to memory of 3164	1492	cmd.exe	92
PID 1200 wrote to memory of 3736	1200	cmd.exe	96
PID 1200 wrote to memory of 3736	1200	cmd.exe	96
PID 1200 wrote to memory of 3736	1200	cmd.exe	96
PID 3604 wrote to memory of 3176	3604	cmd.exe	95
PID 3604 wrote to memory of 3176	3604	cmd.exe	95
PID 3604 wrote to memory of 3176	3604	cmd.exe	95
PID 3508 wrote to memory of 496	3508	cmd.exe	93
PID 3508 wrote to memory of 496	3508	cmd.exe	93
PID 3508 wrote to memory of 496	3508	cmd.exe	93
PID 3928 wrote to memory of 3840	3928	cmd.exe	94
PID 3928 wrote to memory of 3840	3928	cmd.exe	94
PID 3928 wrote to memory of 3840	3928	cmd.exe	94
PID 2532 wrote to memory of 2296	2532	system.exe	102
PID 2532 wrote to memory of 2296	2532	system.exe	102
PID 2532 wrote to memory of 2296	2532	system.exe	102
PID 2296 wrote to memory of 3384	2296	cmd.exe	104
PID 2296 wrote to memory of 3384	2296	cmd.exe	104
PID 2296 wrote to memory of 3384	2296	cmd.exe	104
PID 2532 wrote to memory of 3692	2532	system.exe	105
PID 2532 wrote to memory of 3692	2532	system.exe	105
PID 2532 wrote to memory of 3692	2532	system.exe	105
PID 3692 wrote to memory of 3028	3692	cmd.exe	107
PID 3692 wrote to memory of 3028	3692	cmd.exe	107
PID 3692 wrote to memory of 3028	3692	cmd.exe	107

C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
1⤵
- Suspicious use of WriteProcessMemory
PID:744
- C:\Users\Admin\AppData\Local\system.exe
  "C:\Users\Admin\AppData\Local\system.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\del.bat
    3⤵
    PID:1320
- - C:\Windows\SysWOW64\SCHTASKS.exe
    C:\Windows\System32\SCHTASKS.exe /create /SC ONLOGON /TN uac /TR "C:\Users\Admin\AppData\Local\bcd.bat" /RL HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:208
- - C:\windows\SysWOW64\cmd.exe
    C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1492
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
      4⤵
      Modifies WinLogon for persistence
      PID:3164
- - C:\windows\SysWOW64\cmd.exe
    C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1200
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
      4⤵
      Adds Run key to start application
      PID:3736
- - C:\windows\SysWOW64\cmd.exe
    C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3928
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64
      4⤵
      PID:3840
- - C:\windows\SysWOW64\cmd.exe
    C:\windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3604
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64
      4⤵
      Modifies Control Panel
      PID:3176
- - C:\windows\SysWOW64\cmd.exe
    C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:64
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3508
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:64
      4⤵
      PID:496
- - C:\windows\SysWOW64\cmd.exe
    C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2168
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64
      4⤵
      PID:3148
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:64
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2296
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:64
      4⤵
      PID:3384
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c shutdown -r -t 10 -f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3692
  - - C:\Windows\SysWOW64\shutdown.exe
      shutdown -r -t 10 -f
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3028

C:\Windows\system32\wlrmdr.exe
-s -1 -f 2 -t You're about to be signed out -m Windows will shut down in less than a minute. -a 3
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2740

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3ad3855 /state1:0x41c64e6d
1⤵
- Modifies WinLogon to allow AutoLogon
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3856

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads