38f55d4fb0e4721db824f7dd44b4c9b132180087f277d6ae9d5991ec89510382

Reason

Machine shutdown

General

Target

Release/TorrentParser-CLI.exe
Size

8KB
MD5

8a2b9a6128c3c4a9701ed0504033dd58
SHA1

9d7b57c784f3f4aa7b700a115f52c086de19b74b
SHA256

6c738a8033611e29b67057b4401e5c8718998ad7caac94d4dfb0762275956652
SHA512

93e86b3edc47b93937a7158220efae4508e048d418c94472d6474c68673fed8379055251034d28aa664c88eb6fbec930da2d4721cd591d9e5958451490f62070

Score

10^/10

bootkit ransomware

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

SystemSettings.exe

description pid process target process

PID 1216 created 3020 1216 SystemSettings.exe Explorer.EXE
Modifies WinLogon to allow AutoLogon 2 TTPs 1 IoCs
Enables rebooting of the machine without requiring login credentials.
ransomware bootkit

Winlogon Helper DLL
T1004

Modify Registry
T1112

Processes:

LogonUI.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked LogonUI.exe

description	pid	process	target process
PID 1216 created 3020	1216	SystemSettings.exe	Explorer.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked	LogonUI.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\International\Geo\Nation	rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\International\Geo\Nation	rundll32.exe

Checks SCSI registry key(s) 3 TTPs 8 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SystemSettings.exeSystemSettings.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID	SystemSettings.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000	SystemSettings.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID	SystemSettings.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000	SystemSettings.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID	SystemSettings.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000	SystemSettings.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID	SystemSettings.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000	SystemSettings.exe

Modifies Control Panel 4 IoCs

evasion

Processes:

rundll32.exerundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\International	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\International\User Profile	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\International	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\International\User Profile	rundll32.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe

Modifies registry class 1 IoCs

Processes:

SystemSettings.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings SystemSettings.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	SystemSettings.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

TorrentParser-CLI.exeSystemSettings.exeSystemSettings.exerundll32.exe

description	pid	process
Token: SeDebugPrivilege	68	TorrentParser-CLI.exe
Token: SeShutdownPrivilege	3264	SystemSettings.exe
Token: SeCreatePagefilePrivilege	3264	SystemSettings.exe
Token: SeShutdownPrivilege	3264	SystemSettings.exe
Token: SeCreatePagefilePrivilege	3264	SystemSettings.exe
Token: SeShutdownPrivilege	1216	SystemSettings.exe
Token: SeCreatePagefilePrivilege	1216	SystemSettings.exe
Token: SeShutdownPrivilege	1216	SystemSettings.exe
Token: SeCreatePagefilePrivilege	1216	SystemSettings.exe
Token: SeTakeOwnershipPrivilege	1216	SystemSettings.exe
Token: SeRestorePrivilege	1216	SystemSettings.exe
Token: SeShutdownPrivilege	3460	rundll32.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

SystemSettings.exeSystemSettings.exe

pid process

3264 SystemSettings.exe
1216 SystemSettings.exe
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

SystemSettings.exeSystemSettings.exe

pid process

3264 SystemSettings.exe
3264 SystemSettings.exe
1216 SystemSettings.exe
1216 SystemSettings.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

SystemSettings.exeSystemSettings.exeLogonUI.exe

pid process

3264 SystemSettings.exe
1216 SystemSettings.exe
2152 LogonUI.exe
2152 LogonUI.exe

pid	process
3264	SystemSettings.exe
1216	SystemSettings.exe

pid	process
3264	SystemSettings.exe
3264	SystemSettings.exe
1216	SystemSettings.exe
1216	SystemSettings.exe

pid	process
3264	SystemSettings.exe
1216	SystemSettings.exe
2152	LogonUI.exe
2152	LogonUI.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

SystemSettings.exe

description	pid	process	target process
PID 1216 wrote to memory of 4000	1216	SystemSettings.exe	SystemSettingsAdminFlows.exe
PID 1216 wrote to memory of 4000	1216	SystemSettings.exe	SystemSettingsAdminFlows.exe
PID 1216 wrote to memory of 4000	1216	SystemSettings.exe	SystemSettingsAdminFlows.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3020

C:\Users\Admin\AppData\Local\Temp\Release\TorrentParser-CLI.exe
"C:\Users\Admin\AppData\Local\Temp\Release\TorrentParser-CLI.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:68

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" LanguagePackInstaller
2⤵
PID:4000

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" shell32.dll,Control_RunDLL intl.cpl
2⤵
- Checks computer location settings
- Modifies Control Panel
PID:1760

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" shell32.dll,Control_RunDLL intl.cpl
2⤵
- Checks computer location settings
- Modifies Control Panel
- Suspicious use of AdjustPrivilegeToken
PID:3460

C:\Windows\ImmersiveControlPanel\SystemSettings.exe
"C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanel
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3264

C:\Windows\ImmersiveControlPanel\SystemSettings.exe
"C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanel
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1216

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:2584

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3ad9055 /state1:0x41c64e6d
1⤵
- Modifies WinLogon to allow AutoLogon
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2152

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\f18460fded109990.customDestinations-ms
MD5
4fcb2a3ee025e4a10d21e1b154873fe2

SHA1
57658e2fa594b7d0b99d02e041d0f3418e58856b

SHA256
90bf6baa6f968a285f88620fbf91e1f5aa3e66e2bad50fd16f37913280ad8228

SHA512
4e85d48db8c0ee5c4dd4149ab01d33e4224456c3f3e3b0101544a5ca87a0d74b3ccd8c0509650008e2abed65efd1e140b1e65ae5215ab32de6f6a49c9d3ec3ff

Download Submit
memory/68-2-0x0000000073300000-0x00000000739EE000-memory.dmp

Filesize
6.9MB

Download
memory/68-3-0x0000000000460000-0x0000000000461000-memory.dmp

Filesize
4KB

Download
memory/68-5-0x0000000004BD0000-0x0000000004BD1000-memory.dmp

Filesize
4KB

Download
memory/68-6-0x0000000004F40000-0x0000000004F41000-memory.dmp

Filesize
4KB

Download
memory/4000-8-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads