36a4311ef332b0b5db62f8fcabf004fdcfbbde62f791839a8be0314604d814c4

Reason

Remote task has failed: Machine shutdown

General

Target

36a4311ef332b0b5db62f8fcabf004fdcfbbde62f791839a8be0314604d814c4.sample.exe
Size

4.2MB
MD5

32de66a467db22cf0f5b65d1a9f4e19c
SHA1

cdb5c200cba7da3f6e80e868ef7df380ac1259c2
SHA256

36a4311ef332b0b5db62f8fcabf004fdcfbbde62f791839a8be0314604d814c4
SHA512

af200cc334c05e5fe0df1d4c76b5ce469d034c0d62288d207b6bb6562579e07dc4510e4bfc4b726cf1a9f82ae8cb69c4630e981f23d05fb85e3be842a34244f1

Score

9^/10

evasion ransomware

Malware Config

Signatures

Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exe

pid process

1988 bcdedit.exe

pid	process
1988	bcdedit.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

shutdown.exeshutdown.exeshutdown.exeshutdown.exe

description	pid	process
Token: SeShutdownPrivilege	1944	shutdown.exe
Token: SeRemoteShutdownPrivilege	1944	shutdown.exe
Token: SeShutdownPrivilege	1028	shutdown.exe
Token: SeRemoteShutdownPrivilege	1028	shutdown.exe
Token: SeShutdownPrivilege	1872	shutdown.exe
Token: SeRemoteShutdownPrivilege	1872	shutdown.exe
Token: SeShutdownPrivilege	1864	shutdown.exe
Token: SeRemoteShutdownPrivilege	1864	shutdown.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

36a4311ef332b0b5db62f8fcabf004fdcfbbde62f791839a8be0314604d814c4.sample.exe

description	pid	process	target process
PID 1104 wrote to memory of 1988	1104	36a4311ef332b0b5db62f8fcabf004fdcfbbde62f791839a8be0314604d814c4.sample.exe	bcdedit.exe
PID 1104 wrote to memory of 1988	1104	36a4311ef332b0b5db62f8fcabf004fdcfbbde62f791839a8be0314604d814c4.sample.exe	bcdedit.exe
PID 1104 wrote to memory of 1988	1104	36a4311ef332b0b5db62f8fcabf004fdcfbbde62f791839a8be0314604d814c4.sample.exe	bcdedit.exe
PID 1104 wrote to memory of 1988	1104	36a4311ef332b0b5db62f8fcabf004fdcfbbde62f791839a8be0314604d814c4.sample.exe	bcdedit.exe
PID 1104 wrote to memory of 1028	1104	36a4311ef332b0b5db62f8fcabf004fdcfbbde62f791839a8be0314604d814c4.sample.exe	shutdown.exe
PID 1104 wrote to memory of 1028	1104	36a4311ef332b0b5db62f8fcabf004fdcfbbde62f791839a8be0314604d814c4.sample.exe	shutdown.exe
PID 1104 wrote to memory of 1028	1104	36a4311ef332b0b5db62f8fcabf004fdcfbbde62f791839a8be0314604d814c4.sample.exe	shutdown.exe
PID 1104 wrote to memory of 1028	1104	36a4311ef332b0b5db62f8fcabf004fdcfbbde62f791839a8be0314604d814c4.sample.exe	shutdown.exe
PID 1104 wrote to memory of 1944	1104	36a4311ef332b0b5db62f8fcabf004fdcfbbde62f791839a8be0314604d814c4.sample.exe	shutdown.exe
PID 1104 wrote to memory of 1944	1104	36a4311ef332b0b5db62f8fcabf004fdcfbbde62f791839a8be0314604d814c4.sample.exe	shutdown.exe
PID 1104 wrote to memory of 1944	1104	36a4311ef332b0b5db62f8fcabf004fdcfbbde62f791839a8be0314604d814c4.sample.exe	shutdown.exe
PID 1104 wrote to memory of 1944	1104	36a4311ef332b0b5db62f8fcabf004fdcfbbde62f791839a8be0314604d814c4.sample.exe	shutdown.exe
PID 1104 wrote to memory of 1872	1104	36a4311ef332b0b5db62f8fcabf004fdcfbbde62f791839a8be0314604d814c4.sample.exe	shutdown.exe
PID 1104 wrote to memory of 1872	1104	36a4311ef332b0b5db62f8fcabf004fdcfbbde62f791839a8be0314604d814c4.sample.exe	shutdown.exe
PID 1104 wrote to memory of 1872	1104	36a4311ef332b0b5db62f8fcabf004fdcfbbde62f791839a8be0314604d814c4.sample.exe	shutdown.exe
PID 1104 wrote to memory of 1872	1104	36a4311ef332b0b5db62f8fcabf004fdcfbbde62f791839a8be0314604d814c4.sample.exe	shutdown.exe
PID 1104 wrote to memory of 1864	1104	36a4311ef332b0b5db62f8fcabf004fdcfbbde62f791839a8be0314604d814c4.sample.exe	shutdown.exe
PID 1104 wrote to memory of 1864	1104	36a4311ef332b0b5db62f8fcabf004fdcfbbde62f791839a8be0314604d814c4.sample.exe	shutdown.exe
PID 1104 wrote to memory of 1864	1104	36a4311ef332b0b5db62f8fcabf004fdcfbbde62f791839a8be0314604d814c4.sample.exe	shutdown.exe
PID 1104 wrote to memory of 1864	1104	36a4311ef332b0b5db62f8fcabf004fdcfbbde62f791839a8be0314604d814c4.sample.exe	shutdown.exe

C:\Users\Admin\AppData\Local\Temp\36a4311ef332b0b5db62f8fcabf004fdcfbbde62f791839a8be0314604d814c4.sample.exe
"C:\Users\Admin\AppData\Local\Temp\36a4311ef332b0b5db62f8fcabf004fdcfbbde62f791839a8be0314604d814c4.sample.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1104
- \??\c:\windows\system32\bcdedit.exe
  c:\windows\Sysnative\bcdedit.exe /set {current} safeboot minimal
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1988
- C:\Windows\SysWOW64\shutdown.exe
  shutdown /r /f /t 00
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1028
- \??\c:\windows\SysWOW64\shutdown.exe
  c:\windows\SysWOW64\shutdown.exe /r /f /t 00
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1944
- \??\c:\windows\SysWOW64\shutdown.exe
  c:\windows\System32\shutdown.exe /r /f /t 00
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1872
- \??\c:\windows\system32\shutdown.exe
  c:\windows\Sysnative\shutdown.exe /r /f /t 00
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1864

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:876

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1512

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

1

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/876-65-0x000007FEFC031000-0x000007FEFC033000-memory.dmp

Filesize
8KB

Download
memory/876-66-0x00000000027C0000-0x00000000027C1000-memory.dmp

Filesize
4KB

Download
memory/1028-61-0x0000000000000000-mapping.dmp

Download
memory/1512-68-0x00000000027A0000-0x00000000027A1000-memory.dmp

Filesize
4KB

Download
memory/1864-64-0x0000000000000000-mapping.dmp

Download
memory/1872-63-0x0000000000000000-mapping.dmp

Download
memory/1944-62-0x0000000000000000-mapping.dmp

Download
memory/1988-60-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

Errors