a8c35c7bd501ca58d64791fbb065d32c3265440a78995f3fdccf7da0f77aa7c4

Reason

Machine shutdown

General

Target

XMLFC-NI_91.msi
Size

268KB
MD5

ea216c4397537df9d792c82c852796fa
SHA1

c9706304fa18ff3640f4f4db414f026b4de4cbee
SHA256

eb1cc652821c6f0665e79abe6dffee13461ffd001a331ffc6752460b7e2d073d
SHA512

32c00bf837c78c4e4c6e14fd57ee658100547231255aa08cafd4ff9e65455c79e6c405e3b2574da2f422253a32f5a185d41edaad1d0e33c08744514e84cf7e1a

Score

8^/10

bootkit persistence ransomware

Malware Config

Signatures

Blocklisted process makes network request 5 IoCs

Processes:

MsiExec.exe

flow pid process

8 3364 MsiExec.exe
15 3364 MsiExec.exe
17 3364 MsiExec.exe
19 3364 MsiExec.exe
21 3364 MsiExec.exe
Modifies WinLogon to allow AutoLogon 2 TTPs 1 IoCs
Enables rebooting of the machine without requiring login credentials.
ransomware bootkit

Winlogon Helper DLL
T1004

Modify Registry
T1112

Processes:

LogonUI.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked LogonUI.exe
Loads dropped DLL 2 IoCs

Processes:

MsiExec.exe

pid process

3364 MsiExec.exe
3364 MsiExec.exe

flow	pid	process
8	3364	MsiExec.exe
15	3364	MsiExec.exe
17	3364	MsiExec.exe
19	3364	MsiExec.exe
21	3364	MsiExec.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked	LogonUI.exe

pid	process
3364	MsiExec.exe
3364	MsiExec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\ÓzÑÙÎÌÖàâÓrìåàáÌ.App.Refresh.System = "C:\\ProgramData\\Exported Files\\ÓzÑÙÎÌÖàâÓrìåàáÌ.App.Refresh.System.exe"	reg.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe

Drops file in Windows directory 9 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\Installer\f744135.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI425E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI452E.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{187B873D-9E06-4065-A278-668510B1CE94}	msiexec.exe
File opened for modification	C:\Windows\Installer\f744135.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4677.tmp	msiexec.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

msiexec.exewlrmdr.exe

pid process

4928 msiexec.exe
4928 msiexec.exe
4384 wlrmdr.exe
4384 wlrmdr.exe

pid	process
4928	msiexec.exe
4928	msiexec.exe
4384	wlrmdr.exe
4384	wlrmdr.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

msiexec.exemsiexec.exeshutdown.exe

description	pid	process
Token: SeShutdownPrivilege	4704	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4704	msiexec.exe
Token: SeSecurityPrivilege	4928	msiexec.exe
Token: SeCreateTokenPrivilege	4704	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4704	msiexec.exe
Token: SeLockMemoryPrivilege	4704	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4704	msiexec.exe
Token: SeMachineAccountPrivilege	4704	msiexec.exe
Token: SeTcbPrivilege	4704	msiexec.exe
Token: SeSecurityPrivilege	4704	msiexec.exe
Token: SeTakeOwnershipPrivilege	4704	msiexec.exe
Token: SeLoadDriverPrivilege	4704	msiexec.exe
Token: SeSystemProfilePrivilege	4704	msiexec.exe
Token: SeSystemtimePrivilege	4704	msiexec.exe
Token: SeProfSingleProcessPrivilege	4704	msiexec.exe
Token: SeIncBasePriorityPrivilege	4704	msiexec.exe
Token: SeCreatePagefilePrivilege	4704	msiexec.exe
Token: SeCreatePermanentPrivilege	4704	msiexec.exe
Token: SeBackupPrivilege	4704	msiexec.exe
Token: SeRestorePrivilege	4704	msiexec.exe
Token: SeShutdownPrivilege	4704	msiexec.exe
Token: SeDebugPrivilege	4704	msiexec.exe
Token: SeAuditPrivilege	4704	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4704	msiexec.exe
Token: SeChangeNotifyPrivilege	4704	msiexec.exe
Token: SeRemoteShutdownPrivilege	4704	msiexec.exe
Token: SeUndockPrivilege	4704	msiexec.exe
Token: SeSyncAgentPrivilege	4704	msiexec.exe
Token: SeEnableDelegationPrivilege	4704	msiexec.exe
Token: SeManageVolumePrivilege	4704	msiexec.exe
Token: SeImpersonatePrivilege	4704	msiexec.exe
Token: SeCreateGlobalPrivilege	4704	msiexec.exe
Token: SeRestorePrivilege	4928	msiexec.exe
Token: SeTakeOwnershipPrivilege	4928	msiexec.exe
Token: SeRestorePrivilege	4928	msiexec.exe
Token: SeTakeOwnershipPrivilege	4928	msiexec.exe
Token: SeRestorePrivilege	4928	msiexec.exe
Token: SeTakeOwnershipPrivilege	4928	msiexec.exe
Token: SeRestorePrivilege	4928	msiexec.exe
Token: SeTakeOwnershipPrivilege	4928	msiexec.exe
Token: SeShutdownPrivilege	4084	shutdown.exe
Token: SeRemoteShutdownPrivilege	4084	shutdown.exe
Token: SeRestorePrivilege	4928	msiexec.exe
Token: SeTakeOwnershipPrivilege	4928	msiexec.exe
Token: SeRestorePrivilege	4928	msiexec.exe
Token: SeTakeOwnershipPrivilege	4928	msiexec.exe
Token: SeRestorePrivilege	4928	msiexec.exe
Token: SeTakeOwnershipPrivilege	4928	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

4704 msiexec.exe
4704 msiexec.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

wlrmdr.exeLogonUI.exe

pid process

4384 wlrmdr.exe
4480 LogonUI.exe

pid	process
4704	msiexec.exe
4704	msiexec.exe

pid	process
4384	wlrmdr.exe
4480	LogonUI.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

msiexec.exeMsiExec.exe

description	pid	process	target process
PID 4928 wrote to memory of 3364	4928	msiexec.exe	MsiExec.exe
PID 4928 wrote to memory of 3364	4928	msiexec.exe	MsiExec.exe
PID 4928 wrote to memory of 3364	4928	msiexec.exe	MsiExec.exe
PID 3364 wrote to memory of 4076	3364	MsiExec.exe	reg.exe
PID 3364 wrote to memory of 4076	3364	MsiExec.exe	reg.exe
PID 3364 wrote to memory of 4076	3364	MsiExec.exe	reg.exe
PID 3364 wrote to memory of 4084	3364	MsiExec.exe	shutdown.exe
PID 3364 wrote to memory of 4084	3364	MsiExec.exe	shutdown.exe
PID 3364 wrote to memory of 4084	3364	MsiExec.exe	shutdown.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\XMLFC-NI_91.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4704

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4928

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding CFD42D283A77CBB7AB15ED046B042AF0
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3364

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "ÓzÑÙÎÌÖàâÓrìåàáÌ.App.Refresh.System" /t REG_SZ /F /D "C:\ProgramData\Exported Files\ÓzÑÙÎÌÖàâÓrìåàáÌ.App.Refresh.System.exe"
3⤵
- Adds Run key to start application
PID:4076

C:\WINDOWS\SysWOW64\shutdown.exe
"C:\WINDOWS\system32\shutdown.exe" -r -t 1 -f
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4084

C:\Windows\system32\wlrmdr.exe
-s -1 -f 2 -t You're about to be signed out -m Windows will shut down in less than a minute. -a 3
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4384

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3ad1055 /state1:0x41c64e6d
1⤵
- Modifies WinLogon to allow AutoLogon
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4480

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSI43eb4.LOG
MD5
64b7bbd8a96846db2c034c3484232a4f

SHA1
22a589eabc888ba9d74ad71663ab2fd16951abb2

SHA256
e74744474480f5b363153181b268b595c1a0bd83b9200bbba38ad5de1eb336af

SHA512
c53afa94eac78d29487953918a98641e8871549812618c1a65e3beef211e753f8813f7c16a7f8e19b5732b9bf449df776e040081569d23194305b8972f5805ba

Download Submit
C:\Windows\Installer\MSI425E.tmp
MD5
5c5bef05b6f3806106f8f3ce13401cc1

SHA1
6005fbe17f6e917ac45317552409d7a60976db14

SHA256
f2f3ae8ca06f5cf320ca1d234a623bf55cf2b84c1d6dea3d85d5392e29aaf437

SHA512
97933227b6002127385ace025f85a26358e47ee79c883f03180d474c15dbaf28a88492c8e53aefc0d305872edd27db0b4468da13e6f0337988f58d2ee35fd797

Download Submit
C:\Windows\Installer\MSI452E.tmp
MD5
5c5bef05b6f3806106f8f3ce13401cc1

SHA1
6005fbe17f6e917ac45317552409d7a60976db14

SHA256
f2f3ae8ca06f5cf320ca1d234a623bf55cf2b84c1d6dea3d85d5392e29aaf437

SHA512
97933227b6002127385ace025f85a26358e47ee79c883f03180d474c15dbaf28a88492c8e53aefc0d305872edd27db0b4468da13e6f0337988f58d2ee35fd797

Download Submit
\Windows\Installer\MSI425E.tmp
MD5
5c5bef05b6f3806106f8f3ce13401cc1

SHA1
6005fbe17f6e917ac45317552409d7a60976db14

SHA256
f2f3ae8ca06f5cf320ca1d234a623bf55cf2b84c1d6dea3d85d5392e29aaf437

SHA512
97933227b6002127385ace025f85a26358e47ee79c883f03180d474c15dbaf28a88492c8e53aefc0d305872edd27db0b4468da13e6f0337988f58d2ee35fd797

Download Submit
\Windows\Installer\MSI452E.tmp
MD5
5c5bef05b6f3806106f8f3ce13401cc1

SHA1
6005fbe17f6e917ac45317552409d7a60976db14

SHA256
f2f3ae8ca06f5cf320ca1d234a623bf55cf2b84c1d6dea3d85d5392e29aaf437

SHA512
97933227b6002127385ace025f85a26358e47ee79c883f03180d474c15dbaf28a88492c8e53aefc0d305872edd27db0b4468da13e6f0337988f58d2ee35fd797

Download Submit
memory/3364-3-0x0000000000000000-mapping.dmp

Download
memory/4076-8-0x0000000000000000-mapping.dmp

Download
memory/4084-9-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads