2f2aba1e074f5f4baa08b524875461889f8f04d4ffc43972ac212e286022ab94

Reason

Remote task has failed: Machine shutdown

General

Target

Windows Loader.exe
Size

3.8MB
MD5

323c0fd51071400b51eedb1be90a8188
SHA1

0efc35935957c25193bbe9a83ab6caa25a487ada
SHA256

2f2aba1e074f5f4baa08b524875461889f8f04d4ffc43972ac212e286022ab94
SHA512

4c501c7135962e2f02b68d6069f2191ddb76f990528dacd209955a44972122718b9598400ba829abab2d4345b4e1a4b93453c8e7ba42080bd492a34cf8443e7e

Score

8^/10

discovery exploit

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

bootsect.exe

pid process

1440 bootsect.exe
Possible privilege escalation attempt 4 IoCs
exploit

Processes:

icacls.exetakeown.exeicacls.exetakeown.exe

pid process

1504 icacls.exe
1016 takeown.exe
1696 icacls.exe
1676 takeown.exe

pid	process
1440	bootsect.exe

pid	process
1504	icacls.exe
1016	takeown.exe
1696	icacls.exe
1676	takeown.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Windows Loader.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Windows Loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	Windows Loader.exe

Modifies file permissions 1 TTPs 4 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

1676 takeown.exe
1504 icacls.exe
1016 takeown.exe
1696 icacls.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1676	takeown.exe
1504	icacls.exe
1016	takeown.exe
1696	icacls.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

Windows Loader.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Windows Loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	Windows Loader.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

Windows Loader.exe

pid process

1912 Windows Loader.exe

pid	process
1912	Windows Loader.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

Windows Loader.exetakeown.exetakeown.exeshutdown.exeAUDIODG.EXE

description	pid	process
Token: 33	1912	Windows Loader.exe
Token: SeIncBasePriorityPrivilege	1912	Windows Loader.exe
Token: 33	1912	Windows Loader.exe
Token: SeIncBasePriorityPrivilege	1912	Windows Loader.exe
Token: SeTakeOwnershipPrivilege	1676	takeown.exe
Token: SeTakeOwnershipPrivilege	1016	takeown.exe
Token: SeShutdownPrivilege	2016	shutdown.exe
Token: SeRemoteShutdownPrivilege	2016	shutdown.exe
Token: 33	1248	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1248	AUDIODG.EXE
Token: 33	1248	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1248	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Windows Loader.exe

pid process

1912 Windows Loader.exe

pid	process
1912	Windows Loader.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Windows Loader.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1912 wrote to memory of 1484	1912	Windows Loader.exe	cmd.exe
PID 1912 wrote to memory of 1484	1912	Windows Loader.exe	cmd.exe
PID 1912 wrote to memory of 1484	1912	Windows Loader.exe	cmd.exe
PID 1912 wrote to memory of 1484	1912	Windows Loader.exe	cmd.exe
PID 1484 wrote to memory of 1852	1484	cmd.exe	cmd.exe
PID 1484 wrote to memory of 1852	1484	cmd.exe	cmd.exe
PID 1484 wrote to memory of 1852	1484	cmd.exe	cmd.exe
PID 1484 wrote to memory of 1852	1484	cmd.exe	cmd.exe
PID 1852 wrote to memory of 1676	1852	cmd.exe	takeown.exe
PID 1852 wrote to memory of 1676	1852	cmd.exe	takeown.exe
PID 1852 wrote to memory of 1676	1852	cmd.exe	takeown.exe
PID 1852 wrote to memory of 1676	1852	cmd.exe	takeown.exe
PID 1912 wrote to memory of 1004	1912	Windows Loader.exe	cmd.exe
PID 1912 wrote to memory of 1004	1912	Windows Loader.exe	cmd.exe
PID 1912 wrote to memory of 1004	1912	Windows Loader.exe	cmd.exe
PID 1912 wrote to memory of 1004	1912	Windows Loader.exe	cmd.exe
PID 1004 wrote to memory of 1504	1004	cmd.exe	icacls.exe
PID 1004 wrote to memory of 1504	1004	cmd.exe	icacls.exe
PID 1004 wrote to memory of 1504	1004	cmd.exe	icacls.exe
PID 1004 wrote to memory of 1504	1004	cmd.exe	icacls.exe
PID 1912 wrote to memory of 668	1912	Windows Loader.exe	cmd.exe
PID 1912 wrote to memory of 668	1912	Windows Loader.exe	cmd.exe
PID 1912 wrote to memory of 668	1912	Windows Loader.exe	cmd.exe
PID 1912 wrote to memory of 668	1912	Windows Loader.exe	cmd.exe
PID 668 wrote to memory of 1560	668	cmd.exe	cmd.exe
PID 668 wrote to memory of 1560	668	cmd.exe	cmd.exe
PID 668 wrote to memory of 1560	668	cmd.exe	cmd.exe
PID 668 wrote to memory of 1560	668	cmd.exe	cmd.exe
PID 1560 wrote to memory of 1016	1560	cmd.exe	takeown.exe
PID 1560 wrote to memory of 1016	1560	cmd.exe	takeown.exe
PID 1560 wrote to memory of 1016	1560	cmd.exe	takeown.exe
PID 1560 wrote to memory of 1016	1560	cmd.exe	takeown.exe
PID 1912 wrote to memory of 1868	1912	Windows Loader.exe	cmd.exe
PID 1912 wrote to memory of 1868	1912	Windows Loader.exe	cmd.exe
PID 1912 wrote to memory of 1868	1912	Windows Loader.exe	cmd.exe
PID 1912 wrote to memory of 1868	1912	Windows Loader.exe	cmd.exe
PID 1868 wrote to memory of 1696	1868	cmd.exe	icacls.exe
PID 1868 wrote to memory of 1696	1868	cmd.exe	icacls.exe
PID 1868 wrote to memory of 1696	1868	cmd.exe	icacls.exe
PID 1868 wrote to memory of 1696	1868	cmd.exe	icacls.exe
PID 1912 wrote to memory of 1688	1912	Windows Loader.exe	cmd.exe
PID 1912 wrote to memory of 1688	1912	Windows Loader.exe	cmd.exe
PID 1912 wrote to memory of 1688	1912	Windows Loader.exe	cmd.exe
PID 1912 wrote to memory of 1688	1912	Windows Loader.exe	cmd.exe
PID 1688 wrote to memory of 944	1688	cmd.exe	cscript.exe
PID 1688 wrote to memory of 944	1688	cmd.exe	cscript.exe
PID 1688 wrote to memory of 944	1688	cmd.exe	cscript.exe
PID 1912 wrote to memory of 1108	1912	Windows Loader.exe	cmd.exe
PID 1912 wrote to memory of 1108	1912	Windows Loader.exe	cmd.exe
PID 1912 wrote to memory of 1108	1912	Windows Loader.exe	cmd.exe
PID 1912 wrote to memory of 1108	1912	Windows Loader.exe	cmd.exe
PID 1108 wrote to memory of 1536	1108	cmd.exe	cscript.exe
PID 1108 wrote to memory of 1536	1108	cmd.exe	cscript.exe
PID 1108 wrote to memory of 1536	1108	cmd.exe	cscript.exe
PID 1912 wrote to memory of 276	1912	Windows Loader.exe	cmd.exe
PID 1912 wrote to memory of 276	1912	Windows Loader.exe	cmd.exe
PID 1912 wrote to memory of 276	1912	Windows Loader.exe	cmd.exe
PID 1912 wrote to memory of 276	1912	Windows Loader.exe	cmd.exe
PID 276 wrote to memory of 1092	276	cmd.exe	compact.exe
PID 276 wrote to memory of 1092	276	cmd.exe	compact.exe
PID 276 wrote to memory of 1092	276	cmd.exe	compact.exe
PID 276 wrote to memory of 1092	276	cmd.exe	compact.exe
PID 1912 wrote to memory of 1836	1912	Windows Loader.exe	cmd.exe
PID 1912 wrote to memory of 1836	1912	Windows Loader.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe"
1⤵
- Checks BIOS information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1912

C:\Windows\SysWOW64\cmd.exe
cmd.exe /A /C "cmd.exe /c takeown /f C:\ldrscan\bootwin"
2⤵
- Suspicious use of WriteProcessMemory
PID:1484

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f C:\ldrscan\bootwin
3⤵
- Suspicious use of WriteProcessMemory
PID:1852

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\ldrscan\bootwin
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1676

C:\Windows\SysWOW64\cmd.exe
cmd.exe /A /C "icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)"
2⤵
- Suspicious use of WriteProcessMemory
PID:1004

C:\Windows\SysWOW64\icacls.exe
icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1504

C:\Windows\SysWOW64\cmd.exe
cmd.exe /A /C "cmd.exe /c takeown /f C:\ldrscan\bootwin"
2⤵
- Suspicious use of WriteProcessMemory
PID:668

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f C:\ldrscan\bootwin
3⤵
- Suspicious use of WriteProcessMemory
PID:1560

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\ldrscan\bootwin
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1016

C:\Windows\SysWOW64\cmd.exe
cmd.exe /A /C "icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)"
2⤵
- Suspicious use of WriteProcessMemory
PID:1868

C:\Windows\SysWOW64\icacls.exe
icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1696

C:\Windows\system32\cmd.exe
cmd.exe /A /C "C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ilc "C:\Acer.XRM-MS""
2⤵
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\System32\cscript.exe
C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ilc "C:\Acer.XRM-MS"
3⤵
PID:944

C:\Windows\system32\cmd.exe
cmd.exe /A /C "C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ipk YKHFT-KW986-GK4PY-FDWYH-7TP9F"
2⤵
- Suspicious use of WriteProcessMemory
PID:1108

C:\Windows\System32\cscript.exe
C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ipk YKHFT-KW986-GK4PY-FDWYH-7TP9F
3⤵
PID:1536

C:\Windows\SysWOW64\cmd.exe
cmd.exe /A /C "compact /u \\?\Volume{efb60be3-9a04-11eb-be03-806e6f6e6963}\CZWFV"
2⤵
- Suspicious use of WriteProcessMemory
PID:276

C:\Windows\SysWOW64\compact.exe
compact /u \\?\Volume{efb60be3-9a04-11eb-be03-806e6f6e6963}\CZWFV
3⤵
PID:1092

C:\Windows\SysWOW64\cmd.exe
cmd.exe /A /C "C:\bootsect.exe /nt60 SYS /force"
2⤵
PID:1836

C:\bootsect.exe
C:\bootsect.exe /nt60 SYS /force
3⤵
- Executes dropped EXE
PID:1440

C:\Windows\SysWOW64\cmd.exe
cmd.exe /A /C "shutdown -r -t 0"
2⤵
PID:1696

C:\Windows\SysWOW64\shutdown.exe
shutdown -r -t 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2016

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1700

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x570
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1248

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1016

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Acer.XRM-MS
MD5
f25832af6a684360950dbb15589de34a

SHA1
17ff1d21005c1695ae3dcbdc3435017c895fff5d

SHA256
266d64637cf12ff961165a018f549ff41002dc59380605b36d65cf1b8127c96f

SHA512
e0cf23351c02f4afa85eedc72a86b9114f539595cbd6bcd220e8b8d70fa6a7379dcd947ea0d59332ba672f36ebda6bd98892d9b6b20eedafc8be168387a3dd5f

Download Submit
C:\bootsect.exe
MD5
1f7512b88ad5bd506b6ef9b8ac9aad4d

SHA1
1bf442e8c3a5365597a4a910e972e655c6eea04b

SHA256
f2b942bef619631a9e84936644fae83fc5f22e86cdc2ff892c138c63458a36ec

SHA512
689252299fb170e8a246c1b163c1ad134a79a6905d7d103e7027d29abfe42a0017c0b1f74eb6e81dcb019ead4e98c87067025fc6aaa2668bc1d944454aadc4d1

Download Submit
C:\bootsect.exe
MD5
1f7512b88ad5bd506b6ef9b8ac9aad4d

SHA1
1bf442e8c3a5365597a4a910e972e655c6eea04b

SHA256
f2b942bef619631a9e84936644fae83fc5f22e86cdc2ff892c138c63458a36ec

SHA512
689252299fb170e8a246c1b163c1ad134a79a6905d7d103e7027d29abfe42a0017c0b1f74eb6e81dcb019ead4e98c87067025fc6aaa2668bc1d944454aadc4d1

Download Submit
\??\Volume{efb60be3-9a04-11eb-be03-806e6f6e6963}\CZWFV
MD5
e06104bdd9c4634b3bba29d9e418d8cb

SHA1
8d4e75c994bb59dec54341b52ad4cd876ad3e0d1

SHA256
a0953e46aab858b1690ff3ef6d66b09d06ca760b79fdfcfb2339311a6ffe0b61

SHA512
c5d3269934555107c417fd9c9e1b5d684c66902eadeac7d5861eaf1114fa5550b875dd8a9c30dfde0f8122d3dd30aae6f32b726bb49be96b404eb7633eb02cbe

Download Submit
memory/276-76-0x0000000000000000-mapping.dmp

Download
memory/668-66-0x0000000000000000-mapping.dmp

Download
memory/944-72-0x0000000000000000-mapping.dmp

Download
memory/1004-64-0x0000000000000000-mapping.dmp

Download
memory/1016-68-0x0000000000000000-mapping.dmp

Download
memory/1016-90-0x0000000002760000-0x0000000002761000-memory.dmp

Filesize
4KB

Download
memory/1092-77-0x0000000000000000-mapping.dmp

Download
memory/1108-74-0x0000000000000000-mapping.dmp

Download
memory/1440-82-0x0000000000000000-mapping.dmp

Download
memory/1440-84-0x0000000001000000-0x000000000101B000-memory.dmp

Filesize
108KB

Download
memory/1484-61-0x0000000000000000-mapping.dmp

Download
memory/1504-65-0x0000000000000000-mapping.dmp

Download
memory/1536-75-0x0000000000000000-mapping.dmp

Download
memory/1560-67-0x0000000000000000-mapping.dmp

Download
memory/1676-63-0x0000000000000000-mapping.dmp

Download
memory/1688-71-0x0000000000000000-mapping.dmp

Download
memory/1696-70-0x0000000000000000-mapping.dmp

Download
memory/1696-85-0x0000000000000000-mapping.dmp

Download
memory/1700-87-0x000007FEFB741000-0x000007FEFB743000-memory.dmp

Filesize
8KB

Download
memory/1700-88-0x0000000002880000-0x0000000002881000-memory.dmp

Filesize
4KB

Download
memory/1836-80-0x0000000000000000-mapping.dmp

Download
memory/1852-62-0x0000000000000000-mapping.dmp

Download
memory/1868-69-0x0000000000000000-mapping.dmp

Download
memory/1912-59-0x0000000074FB1000-0x0000000074FB3000-memory.dmp

Filesize
8KB

Download
memory/1912-60-0x0000000002080000-0x0000000002223000-memory.dmp

Filesize
1.6MB

Download
memory/2016-86-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads