9a463e6f526a181780da19ab9f569e1b1c131288c2d1ab18b3c18a656f9bf06d

Reason

Machine shutdown

General

Target

e28a0b40_extracted.exe
Size

71KB
MD5

db2da08dff1c398dc9690419cbe36673
SHA1

a45d06df8f11bdb3ab10ec44ed4c9040fe154afe
SHA256

9a463e6f526a181780da19ab9f569e1b1c131288c2d1ab18b3c18a656f9bf06d
SHA512

5774296dd59362d6fc515aa58a1d05c5d232c8a0f3a08c34439947dc85080b9b7f697ca39f9439d5890a38d9cf385d13443b2ebdc7f6adbbacc2ed4d01bb0ea6

Score

8^/10

bootkit persistence ransomware

Malware Config

Signatures

Modifies WinLogon to allow AutoLogon 2 TTPs 1 IoCs
Enables rebooting of the machine without requiring login credentials.
ransomware bootkit

Winlogon Helper DLL
T1004

Modify Registry
T1112

Processes:

LogonUI.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked LogonUI.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

e28a0b40_extracted.exe

description ioc process

File opened for modification \??\PhysicalDrive0 e28a0b40_extracted.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked	LogonUI.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	e28a0b40_extracted.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

shutdown.exeshutdown.exe

description	pid	process
Token: SeShutdownPrivilege	2548	shutdown.exe
Token: SeRemoteShutdownPrivilege	2548	shutdown.exe
Token: SeShutdownPrivilege	2820	shutdown.exe
Token: SeRemoteShutdownPrivilege	2820	shutdown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

1912 LogonUI.exe

pid	process
1912	LogonUI.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

e28a0b40_extracted.exe

description	pid	process	target process
PID 1316 wrote to memory of 2548	1316	e28a0b40_extracted.exe	shutdown.exe
PID 1316 wrote to memory of 2548	1316	e28a0b40_extracted.exe	shutdown.exe
PID 1316 wrote to memory of 2548	1316	e28a0b40_extracted.exe	shutdown.exe
PID 1316 wrote to memory of 2820	1316	e28a0b40_extracted.exe	shutdown.exe
PID 1316 wrote to memory of 2820	1316	e28a0b40_extracted.exe	shutdown.exe
PID 1316 wrote to memory of 2820	1316	e28a0b40_extracted.exe	shutdown.exe

C:\Users\Admin\AppData\Local\Temp\e28a0b40_extracted.exe
"C:\Users\Admin\AppData\Local\Temp\e28a0b40_extracted.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of WriteProcessMemory
PID:1316

C:\Windows\SysWOW64\shutdown.exe
shutdown.exe -r -f -t 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2548

C:\Windows\SysWOW64\shutdown.exe
C:\Windows\System32\shutdown.exe -r -f -t 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2820

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3ac8855 /state1:0x41c64e6d
1⤵
- Modifies WinLogon to allow AutoLogon
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1912

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2548-2-0x0000000000000000-mapping.dmp

Download
memory/2820-3-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads