36a4311ef332b0b5db62f8fcabf004fdcfbbde62f791839a8be0314604d814c4

General

Target

36a4311ef332b0b5db62f8fcabf004fdcfbbde62f791839a8be0314604d814c4.exe
Size

4.2MB
MD5

32de66a467db22cf0f5b65d1a9f4e19c
SHA1

cdb5c200cba7da3f6e80e868ef7df380ac1259c2
SHA256

36a4311ef332b0b5db62f8fcabf004fdcfbbde62f791839a8be0314604d814c4
SHA512

af200cc334c05e5fe0df1d4c76b5ce469d034c0d62288d207b6bb6562579e07dc4510e4bfc4b726cf1a9f82ae8cb69c4630e981f23d05fb85e3be842a34244f1

Score

9^/10

evasion ransomware

Malware Config

Signatures

Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exe

pid process

2024 bcdedit.exe

pid	process
2024	bcdedit.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

shutdown.exeshutdown.exeshutdown.exeshutdown.exe

description	pid	process
Token: SeShutdownPrivilege	1232	shutdown.exe
Token: SeRemoteShutdownPrivilege	1232	shutdown.exe
Token: SeShutdownPrivilege	2040	shutdown.exe
Token: SeRemoteShutdownPrivilege	2040	shutdown.exe
Token: SeShutdownPrivilege	1176	shutdown.exe
Token: SeRemoteShutdownPrivilege	1176	shutdown.exe
Token: SeShutdownPrivilege	1988	shutdown.exe
Token: SeRemoteShutdownPrivilege	1988	shutdown.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

36a4311ef332b0b5db62f8fcabf004fdcfbbde62f791839a8be0314604d814c4.exe

description	pid	process	target process
PID 484 wrote to memory of 2024	484	36a4311ef332b0b5db62f8fcabf004fdcfbbde62f791839a8be0314604d814c4.exe	bcdedit.exe
PID 484 wrote to memory of 2024	484	36a4311ef332b0b5db62f8fcabf004fdcfbbde62f791839a8be0314604d814c4.exe	bcdedit.exe
PID 484 wrote to memory of 2024	484	36a4311ef332b0b5db62f8fcabf004fdcfbbde62f791839a8be0314604d814c4.exe	bcdedit.exe
PID 484 wrote to memory of 2024	484	36a4311ef332b0b5db62f8fcabf004fdcfbbde62f791839a8be0314604d814c4.exe	bcdedit.exe
PID 484 wrote to memory of 2040	484	36a4311ef332b0b5db62f8fcabf004fdcfbbde62f791839a8be0314604d814c4.exe	shutdown.exe
PID 484 wrote to memory of 2040	484	36a4311ef332b0b5db62f8fcabf004fdcfbbde62f791839a8be0314604d814c4.exe	shutdown.exe
PID 484 wrote to memory of 2040	484	36a4311ef332b0b5db62f8fcabf004fdcfbbde62f791839a8be0314604d814c4.exe	shutdown.exe
PID 484 wrote to memory of 2040	484	36a4311ef332b0b5db62f8fcabf004fdcfbbde62f791839a8be0314604d814c4.exe	shutdown.exe
PID 484 wrote to memory of 1232	484	36a4311ef332b0b5db62f8fcabf004fdcfbbde62f791839a8be0314604d814c4.exe	shutdown.exe
PID 484 wrote to memory of 1232	484	36a4311ef332b0b5db62f8fcabf004fdcfbbde62f791839a8be0314604d814c4.exe	shutdown.exe
PID 484 wrote to memory of 1232	484	36a4311ef332b0b5db62f8fcabf004fdcfbbde62f791839a8be0314604d814c4.exe	shutdown.exe
PID 484 wrote to memory of 1232	484	36a4311ef332b0b5db62f8fcabf004fdcfbbde62f791839a8be0314604d814c4.exe	shutdown.exe
PID 484 wrote to memory of 1176	484	36a4311ef332b0b5db62f8fcabf004fdcfbbde62f791839a8be0314604d814c4.exe	shutdown.exe
PID 484 wrote to memory of 1176	484	36a4311ef332b0b5db62f8fcabf004fdcfbbde62f791839a8be0314604d814c4.exe	shutdown.exe
PID 484 wrote to memory of 1176	484	36a4311ef332b0b5db62f8fcabf004fdcfbbde62f791839a8be0314604d814c4.exe	shutdown.exe
PID 484 wrote to memory of 1176	484	36a4311ef332b0b5db62f8fcabf004fdcfbbde62f791839a8be0314604d814c4.exe	shutdown.exe
PID 484 wrote to memory of 1988	484	36a4311ef332b0b5db62f8fcabf004fdcfbbde62f791839a8be0314604d814c4.exe	shutdown.exe
PID 484 wrote to memory of 1988	484	36a4311ef332b0b5db62f8fcabf004fdcfbbde62f791839a8be0314604d814c4.exe	shutdown.exe
PID 484 wrote to memory of 1988	484	36a4311ef332b0b5db62f8fcabf004fdcfbbde62f791839a8be0314604d814c4.exe	shutdown.exe
PID 484 wrote to memory of 1988	484	36a4311ef332b0b5db62f8fcabf004fdcfbbde62f791839a8be0314604d814c4.exe	shutdown.exe

C:\Users\Admin\AppData\Local\Temp\36a4311ef332b0b5db62f8fcabf004fdcfbbde62f791839a8be0314604d814c4.exe
"C:\Users\Admin\AppData\Local\Temp\36a4311ef332b0b5db62f8fcabf004fdcfbbde62f791839a8be0314604d814c4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:484

\??\c:\windows\system32\bcdedit.exe
c:\windows\Sysnative\bcdedit.exe /set {current} safeboot minimal
2⤵
- Modifies boot configuration data using bcdedit
PID:2024

C:\Windows\SysWOW64\shutdown.exe
shutdown /r /f /t 00
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2040

\??\c:\windows\SysWOW64\shutdown.exe
c:\windows\SysWOW64\shutdown.exe /r /f /t 00
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1232

\??\c:\windows\SysWOW64\shutdown.exe
c:\windows\System32\shutdown.exe /r /f /t 00
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1176

\??\c:\windows\system32\shutdown.exe
c:\windows\Sysnative\shutdown.exe /r /f /t 00
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1988

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1768

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

1

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1176-63-0x0000000000000000-mapping.dmp

Download
memory/1232-62-0x0000000000000000-mapping.dmp

Download
memory/1768-65-0x000007FEFC181000-0x000007FEFC183000-memory.dmp

Filesize
8KB

Download
memory/1768-66-0x00000000027C0000-0x00000000027C1000-memory.dmp

Filesize
4KB

Download
memory/1988-64-0x0000000000000000-mapping.dmp

Download
memory/2024-60-0x0000000000000000-mapping.dmp

Download
memory/2040-61-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing