5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d

Reason

Machine shutdown

General

Target

5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe
Size

712KB
MD5

1395bd7b00ccb67c9efb90b673c8ef71
SHA1

633b6900f79e1c57e1095e72088f6fe45d8df6a6
SHA256

5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d
SHA512

4805c5068fff8bc556f7850d8fb40f18f2aab02c146544bb0471320a33731f1c3c590b63cb0fb6685806e199c8c12336a9be07eda5443a1808fbeafbca6212cc
SSDEEP

6144:xLLk69/CyxsWTEWs1dPwFrwKzYOX83AES9526mznYLpJfDP8WXP/LDqy5QaHHy:x/EyymEWs1pRPVgFmzoRDPkYy

Score

8^/10

evasion

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe
File opened (read-only)	\??\N:	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe
File opened (read-only)	\??\O:	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe
File opened (read-only)	\??\R:	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe
File opened (read-only)	\??\T:	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe
File opened (read-only)	\??\Z:	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe
File opened (read-only)	\??\A:	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe
File opened (read-only)	\??\I:	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe
File opened (read-only)	\??\V:	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe
File opened (read-only)	\??\B:	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe
File opened (read-only)	\??\H:	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe
File opened (read-only)	\??\M:	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe
File opened (read-only)	\??\P:	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe
File opened (read-only)	\??\W:	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe
File opened (read-only)	\??\E:	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe
File opened (read-only)	\??\L:	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe
File opened (read-only)	\??\J:	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe
File opened (read-only)	\??\Q:	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe
File opened (read-only)	\??\S:	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe
File opened (read-only)	\??\U:	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe
File opened (read-only)	\??\X:	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe
File opened (read-only)	\??\Y:	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe
File opened (read-only)	\??\F:	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe
File opened (read-only)	\??\G:	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\Windows	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\Windows\CurrentVersion	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Software\Microsoft\Windows\CurrentVersion\Policies\System	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Software	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2036	shutdown.exe
Token: SeShutdownPrivilege	1932	shutdown.exe
Token: SeRemoteShutdownPrivilege	2036	shutdown.exe
Token: SeRemoteShutdownPrivilege	1932	shutdown.exe
Token: 33	848	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	848	AUDIODG.EXE
Token: 33	848	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	848	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1148	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe
1148	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1148 wrote to memory of 1956	1148	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe	27
PID 1148 wrote to memory of 1956	1148	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe	27
PID 1148 wrote to memory of 1956	1148	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe	27
PID 1148 wrote to memory of 1956	1148	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe	27
PID 1148 wrote to memory of 1256	1148	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe	29
PID 1148 wrote to memory of 1256	1148	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe	29
PID 1148 wrote to memory of 1256	1148	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe	29
PID 1148 wrote to memory of 1256	1148	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe	29
PID 1148 wrote to memory of 1292	1148	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe	30
PID 1148 wrote to memory of 1292	1148	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe	30
PID 1148 wrote to memory of 1292	1148	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe	30
PID 1148 wrote to memory of 1292	1148	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe	30
PID 1148 wrote to memory of 844	1148	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe	33
PID 1148 wrote to memory of 844	1148	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe	33
PID 1148 wrote to memory of 844	1148	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe	33
PID 1148 wrote to memory of 844	1148	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe	33
PID 1148 wrote to memory of 2036	1148	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe	35
PID 1148 wrote to memory of 2036	1148	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe	35
PID 1148 wrote to memory of 2036	1148	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe	35
PID 1148 wrote to memory of 2036	1148	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe	35
PID 1148 wrote to memory of 904	1148	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe	36
PID 1148 wrote to memory of 904	1148	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe	36
PID 1148 wrote to memory of 904	1148	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe	36
PID 1148 wrote to memory of 904	1148	5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe	36
PID 904 wrote to memory of 1932	904	cmd.exe	39
PID 904 wrote to memory of 1932	904	cmd.exe	39
PID 904 wrote to memory of 1932	904	cmd.exe	39
PID 904 wrote to memory of 1932	904	cmd.exe	39

C:\Users\Admin\AppData\Local\Temp\5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe
"C:\Users\Admin\AppData\Local\Temp\5cd036c9837a49389b91bbc78bf42fefec199e91c2e1b20dfcb0ffe6c90e0a5d.exe"
1⤵
- Enumerates connected drives
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1148
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\1dll.bat
  2⤵
  PID:1956
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\1exe.bat
  2⤵
  PID:1256
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\2dll.bat
  2⤵
  PID:1292
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\2exe.bat
  2⤵
  PID:844
- C:\Windows\SysWOW64\shutdown.exe
  shutdown -s -t 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2036
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\slear.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:904
- - C:\Windows\SysWOW64\shutdown.exe
    shutdown -s -t 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1932

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:608

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x570
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:848

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1884

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\1dll.bat

Filesize
24B

MD5
e5fad0eebdbdb290ba8e7e45b783eb80

SHA1
d0134651bc51f9b818508dbdb21690800c5ed127

SHA256
15c12f019428c39e6a96d46fb531b763d0dea5151e23376a6aabe2e05180aa83

SHA512
e61a0756f71654febc40f181a01df302eb0c1328f87e5ae8138b7f9a7414027ad9b913d9d5381a8497f25439fa8fed5b80dbacc3c4b760e8c40f256872857469

Download Submit
\??\c:\1exe.bat

Filesize
24B

MD5
160dd1581a3262e00b5d069afa1ae5c8

SHA1
d33671ab873dc34186a1ddc7b4aea3c7cf20489b

SHA256
79427c9185f986215682123d50dab3ed30442078f30dfeaa369a048fe11f5544

SHA512
999a8d45cd04d1a6622a0c0a1e6fadda43258e5cb01f6730f7f57a1ad38fbc3b0609965419e181cbf48765c804342298e534805e5b6f3f8b38744debc7333ed0

Download Submit
\??\c:\2dll.bat

Filesize
24B

MD5
6a1d86cd3e6e4ae9e7825c57e9af2ef7

SHA1
fdf3b6bbc7ef88d22e990a395665059bea146f19

SHA256
38038479a9b0bce22eb8d4c16698e399476695f05d486ce25d9359dca4f85473

SHA512
9a719fdddb595baccabcef46767786957518685bd65aa8e4bee2a5204d454af4b97d744b800c047b187f516cc20ac4babcf7c29e3e0ab30cfd087abe658714db

Download Submit
\??\c:\2exe.bat

Filesize
24B

MD5
2e42bfbb9fb87f82e354dddf976f2173

SHA1
a7367507e6c4eba22c1146b9252ada5655cbd3b1

SHA256
2f6bedcdb6bf0767f7181dd620a9e696c7f74679d1666afebe414178190a2ab5

SHA512
1dc7cf0590661e408afefed0aa3eb5c700afaf9f8c9c008897592759d38ad35e9cfb433311bb841fc83c2ca0b60d767b859145f8d01d3b73c80614a0cd5d2dff

Download Submit
\??\c:\slear.bat

Filesize
48B

MD5
263e023a4fc06130c3d2ec3f841c7484

SHA1
99977df65ba7c9d3623b6126562e931ced7746e0

SHA256
b97c6221c776add6af65837f627778f853e9adc0d06c00fba0e1a9772a72c68a

SHA512
c26b8f34f4bccc589f9843488fa8f25b8e1701d2bb0535632ec795b90fcef90e73e41ebae0f6680704ba1ab2ab0fbf7b7c10b4775778093d772114ede9b22246

Download Submit
memory/608-67-0x000007FEFB5D1000-0x000007FEFB5D3000-memory.dmp

Filesize
8KB

Download
memory/1148-54-0x0000000074C11000-0x0000000074C13000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

Errors