a6389119ceee7fddfcb0ef858f37cb3377f0fb44b223e6f5e8ab5f33128ed511

Reason

Machine shutdown

General

Target

question_02.26.2021.doc
Size

91KB
MD5

3e78c2d7b361f51ea5cc8bb911f970da
SHA1

84de4d86e7886b8fe7ae6510c9f27d92c53252c1
SHA256

b616ef8a46ee3aa2706f1f54e133662bf18b32d258ccadb77ca35030c56a8537
SHA512

48436fbfaf2162f7ecfd64bb825fe7563d8ef054d4e6282141767e759ba3240ccc241711a285df25661c85b21ce225ef578d78511e7cd52c7ddcdf42c1780725

Score

8^/10

bootkit ransomware

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

xml.comxml.com

pid process

2584 xml.com
2124 xml.com
Modifies WinLogon to allow AutoLogon 2 TTPs 1 IoCs
Enables rebooting of the machine without requiring login credentials.
ransomware bootkit

Winlogon Helper DLL
T1004

Modify Registry
T1112

Processes:

LogonUI.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked LogonUI.exe

pid	process
2584	xml.com
2124	xml.com

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked	LogonUI.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

1276 WINWORD.EXE
1276 WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

xml.comxml.com

description	pid	process
Token: SeIncreaseQuotaPrivilege	2584	xml.com
Token: SeSecurityPrivilege	2584	xml.com
Token: SeTakeOwnershipPrivilege	2584	xml.com
Token: SeLoadDriverPrivilege	2584	xml.com
Token: SeSystemProfilePrivilege	2584	xml.com
Token: SeSystemtimePrivilege	2584	xml.com
Token: SeProfSingleProcessPrivilege	2584	xml.com
Token: SeIncBasePriorityPrivilege	2584	xml.com
Token: SeCreatePagefilePrivilege	2584	xml.com
Token: SeBackupPrivilege	2584	xml.com
Token: SeRestorePrivilege	2584	xml.com
Token: SeShutdownPrivilege	2584	xml.com
Token: SeDebugPrivilege	2584	xml.com
Token: SeSystemEnvironmentPrivilege	2584	xml.com
Token: SeRemoteShutdownPrivilege	2584	xml.com
Token: SeUndockPrivilege	2584	xml.com
Token: SeManageVolumePrivilege	2584	xml.com
Token: 33	2584	xml.com
Token: 34	2584	xml.com
Token: 35	2584	xml.com
Token: 36	2584	xml.com
Token: SeIncreaseQuotaPrivilege	2584	xml.com
Token: SeSecurityPrivilege	2584	xml.com
Token: SeTakeOwnershipPrivilege	2584	xml.com
Token: SeLoadDriverPrivilege	2584	xml.com
Token: SeSystemProfilePrivilege	2584	xml.com
Token: SeSystemtimePrivilege	2584	xml.com
Token: SeProfSingleProcessPrivilege	2584	xml.com
Token: SeIncBasePriorityPrivilege	2584	xml.com
Token: SeCreatePagefilePrivilege	2584	xml.com
Token: SeBackupPrivilege	2584	xml.com
Token: SeRestorePrivilege	2584	xml.com
Token: SeShutdownPrivilege	2584	xml.com
Token: SeDebugPrivilege	2584	xml.com
Token: SeSystemEnvironmentPrivilege	2584	xml.com
Token: SeRemoteShutdownPrivilege	2584	xml.com
Token: SeUndockPrivilege	2584	xml.com
Token: SeManageVolumePrivilege	2584	xml.com
Token: 33	2584	xml.com
Token: 34	2584	xml.com
Token: 35	2584	xml.com
Token: 36	2584	xml.com
Token: SeIncreaseQuotaPrivilege	2124	xml.com
Token: SeSecurityPrivilege	2124	xml.com
Token: SeTakeOwnershipPrivilege	2124	xml.com
Token: SeLoadDriverPrivilege	2124	xml.com
Token: SeSystemProfilePrivilege	2124	xml.com
Token: SeSystemtimePrivilege	2124	xml.com
Token: SeProfSingleProcessPrivilege	2124	xml.com
Token: SeIncBasePriorityPrivilege	2124	xml.com
Token: SeCreatePagefilePrivilege	2124	xml.com
Token: SeBackupPrivilege	2124	xml.com
Token: SeRestorePrivilege	2124	xml.com
Token: SeShutdownPrivilege	2124	xml.com
Token: SeDebugPrivilege	2124	xml.com
Token: SeSystemEnvironmentPrivilege	2124	xml.com
Token: SeRemoteShutdownPrivilege	2124	xml.com
Token: SeUndockPrivilege	2124	xml.com
Token: SeManageVolumePrivilege	2124	xml.com
Token: 33	2124	xml.com
Token: 34	2124	xml.com
Token: 35	2124	xml.com
Token: 36	2124	xml.com
Token: SeIncreaseQuotaPrivilege	2124	xml.com

Suspicious use of SetWindowsHookEx 25 IoCs

Processes:

WINWORD.EXELogonUI.exe

pid	process
1276	WINWORD.EXE
1276	WINWORD.EXE
1276	WINWORD.EXE
1276	WINWORD.EXE
1276	WINWORD.EXE
1276	WINWORD.EXE
1276	WINWORD.EXE
1276	WINWORD.EXE
1276	WINWORD.EXE
1276	WINWORD.EXE
1276	WINWORD.EXE
1276	WINWORD.EXE
1276	WINWORD.EXE
1276	WINWORD.EXE
1276	WINWORD.EXE
1276	WINWORD.EXE
1276	WINWORD.EXE
1276	WINWORD.EXE
1276	WINWORD.EXE
1276	WINWORD.EXE
1276	WINWORD.EXE
1276	WINWORD.EXE
1276	WINWORD.EXE
516	LogonUI.exe
516	LogonUI.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 1276 wrote to memory of 2584	1276	WINWORD.EXE	xml.com
PID 1276 wrote to memory of 2584	1276	WINWORD.EXE	xml.com
PID 1276 wrote to memory of 2124	1276	WINWORD.EXE	xml.com
PID 1276 wrote to memory of 2124	1276	WINWORD.EXE	xml.com

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\question_02.26.2021.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1276

C:\programdata\xml.com
"C:\programdata\xml.com" process list /format : "c:\programdata\i.xsl"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2584

C:\programdata\xml.com
"C:\programdata\xml.com" process list /format : "c:\programdata\i.xsl"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2124

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3ad7855 /state1:0x41c64e6d
1⤵
- Modifies WinLogon to allow AutoLogon
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:516

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\xml.com
MD5
4191f61f2449ccc2bc2f2ac6d8898ce7

SHA1
d49936fc8a03561214ce4bf9791ca59e94ab8fe9

SHA256
74d21e1349aab027cd02d15f2428028c028592f265d1830c8dfc407f9bf76173

SHA512
fe67059bc374cc2d39dd01c22c2183ca44a8e04050d633f78d4eac415ae4528c378c7504ea3cc4b6923675256ae3af199b3a498243a4ca1a4d0f61f2e086821f

Download Submit
C:\ProgramData\xml.com
MD5
4191f61f2449ccc2bc2f2ac6d8898ce7

SHA1
d49936fc8a03561214ce4bf9791ca59e94ab8fe9

SHA256
74d21e1349aab027cd02d15f2428028c028592f265d1830c8dfc407f9bf76173

SHA512
fe67059bc374cc2d39dd01c22c2183ca44a8e04050d633f78d4eac415ae4528c378c7504ea3cc4b6923675256ae3af199b3a498243a4ca1a4d0f61f2e086821f

Download Submit
\??\c:\programdata\i.xsl
MD5
38c25b5908e3f920a1516d1f238b28dd

SHA1
089b3afaee7fe167fa550af5fc465d4e75934373

SHA256
bd2028a5e8b75a25b9dcfd0edf682aba093883ced5d25b98371e10625a3c2c50

SHA512
4a4a8a5b3ba1cc62e0e2ba8fa2e63ea29a4db95cb27da1122bd5b9bc24d24e734f06ef1c34117901c9c5565134accdf4c6ec399098382a419e99a80d75fc91e3

Download Submit
\??\c:\programdata\i.xsl
MD5
38c25b5908e3f920a1516d1f238b28dd

SHA1
089b3afaee7fe167fa550af5fc465d4e75934373

SHA256
bd2028a5e8b75a25b9dcfd0edf682aba093883ced5d25b98371e10625a3c2c50

SHA512
4a4a8a5b3ba1cc62e0e2ba8fa2e63ea29a4db95cb27da1122bd5b9bc24d24e734f06ef1c34117901c9c5565134accdf4c6ec399098382a419e99a80d75fc91e3

Download Submit
memory/1276-17-0x00007FFC65120000-0x00007FFC67C43000-memory.dmp

Filesize
43.1MB

Download
memory/1276-3-0x00007FFC444D0000-0x00007FFC444E0000-memory.dmp

Filesize
64KB

Download
memory/1276-21-0x00007FFC444D0000-0x00007FFC444E0000-memory.dmp

Filesize
64KB

Download
memory/1276-6-0x00007FFC444D0000-0x00007FFC444E0000-memory.dmp

Filesize
64KB

Download
memory/1276-5-0x0000025524280000-0x00000255248B7000-memory.dmp

Filesize
6.2MB

Download
memory/1276-4-0x00007FFC444D0000-0x00007FFC444E0000-memory.dmp

Filesize
64KB

Download
memory/1276-20-0x00007FFC444D0000-0x00007FFC444E0000-memory.dmp

Filesize
64KB

Download
memory/1276-7-0x0000025532A10000-0x0000025532A14000-memory.dmp

Filesize
16KB

Download
memory/1276-14-0x00007FFC65120000-0x00007FFC67C43000-memory.dmp

Filesize
43.1MB

Download
memory/1276-15-0x00007FFC65120000-0x00007FFC67C43000-memory.dmp

Filesize
43.1MB

Download
memory/1276-16-0x00007FFC65120000-0x00007FFC67C43000-memory.dmp

Filesize
43.1MB

Download
memory/1276-2-0x00007FFC444D0000-0x00007FFC444E0000-memory.dmp

Filesize
64KB

Download
memory/1276-18-0x00007FFC444D0000-0x00007FFC444E0000-memory.dmp

Filesize
64KB

Download
memory/1276-19-0x00007FFC444D0000-0x00007FFC444E0000-memory.dmp

Filesize
64KB

Download
memory/2124-11-0x0000000000000000-mapping.dmp

Download
memory/2584-8-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads