d63a2b5d1008c22d7ad41dbb6f1e31b3447f720bc2740dd0ec4df9b41d023e88

Reason

Machine shutdown

General

Target

d63a2b5d1008c22d7ad41dbb6f1e31b3447f720bc2740dd0ec4df9b41d023e88.exe
Size

484KB
MD5

13ffce8662080c941703c4cf419d6344
SHA1

61fc1a13276febbdfe8ec708ebcd25aea28d5a9f
SHA256

d63a2b5d1008c22d7ad41dbb6f1e31b3447f720bc2740dd0ec4df9b41d023e88
SHA512

445ececa5903c6f07d02997cb72db5d87ae828f5b03751a8112781d1f3ec3ce4c4d2de5a6bbba09ad86e24b5400c145bdb535892f07a148d097692f16b48eb9a
SSDEEP

12288:bMz65QZEomA/fOdveGWeMK2p/VEGbvdVCR8vfy7uv:ozyGP7fOZPWew/VEGZVC6R

Score

9^/10

evasion persistence ransomware

Malware Config

Signatures

Modifies boot configuration data using bcdedit 1 TTPs 10 IoCs

ransomware evasion

Inhibit System Recovery

T1490

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid	process
1712	bcdedit.exe
1532	bcdedit.exe
1668	bcdedit.exe
1676	bcdedit.exe
964	bcdedit.exe
680	bcdedit.exe
1708	bcdedit.exe
384	bcdedit.exe
1252	bcdedit.exe
820	bcdedit.exe

Drops file in Drivers directory 1 IoCs

Processes:

linip.exe

description ioc process

File created C:\Windows\system32\drivers\6c406b.sys linip.exe
Executes dropped EXE 2 IoCs

Processes:

linip.exelinip.exe

pid process

1100 linip.exe
1188 linip.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

324 cmd.exe

description	ioc	process
File created	C:\Windows\system32\drivers\6c406b.sys	linip.exe

pid	process
1100	linip.exe
1188	linip.exe

pid	process
324	cmd.exe

Loads dropped DLL 3 IoCs

Processes:

d63a2b5d1008c22d7ad41dbb6f1e31b3447f720bc2740dd0ec4df9b41d023e88.exelinip.exe

pid	process
2020	d63a2b5d1008c22d7ad41dbb6f1e31b3447f720bc2740dd0ec4df9b41d023e88.exe
2020	d63a2b5d1008c22d7ad41dbb6f1e31b3447f720bc2740dd0ec4df9b41d023e88.exe
1100	linip.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

linip.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run	linip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Linip = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Hodovo\\linip.exe"	linip.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

d63a2b5d1008c22d7ad41dbb6f1e31b3447f720bc2740dd0ec4df9b41d023e88.exelinip.exe

description	pid	process	target process
PID 1672 set thread context of 2020	1672	d63a2b5d1008c22d7ad41dbb6f1e31b3447f720bc2740dd0ec4df9b41d023e88.exe	d63a2b5d1008c22d7ad41dbb6f1e31b3447f720bc2740dd0ec4df9b41d023e88.exe
PID 1100 set thread context of 1188	1100	linip.exe	linip.exe

Modifies registry class 32 IoCs

Processes:

linip.exed63a2b5d1008c22d7ad41dbb6f1e31b3447f720bc2740dd0ec4df9b41d023e88.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Matrix.Document\shell\printto\command	linip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Matrix.Document\shell\printto\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Hodovo\\linip.exe /pt \"%1\" \"%2\" \"%3\" \"%4\""	linip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Matrix.Document	d63a2b5d1008c22d7ad41dbb6f1e31b3447f720bc2740dd0ec4df9b41d023e88.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Matrix.Document\shell\print	d63a2b5d1008c22d7ad41dbb6f1e31b3447f720bc2740dd0ec4df9b41d023e88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Matrix.Document\shell\printto\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\D63A2B~1.EXE /pt \"%1\" \"%2\" \"%3\" \"%4\""	d63a2b5d1008c22d7ad41dbb6f1e31b3447f720bc2740dd0ec4df9b41d023e88.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Matrix.Document\DefaultIcon	d63a2b5d1008c22d7ad41dbb6f1e31b3447f720bc2740dd0ec4df9b41d023e88.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Matrix.Document\shell	d63a2b5d1008c22d7ad41dbb6f1e31b3447f720bc2740dd0ec4df9b41d023e88.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.max\ShellNew	linip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.max\ShellNew\NullFile	linip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Matrix.Document\ = "Matrix Document"	d63a2b5d1008c22d7ad41dbb6f1e31b3447f720bc2740dd0ec4df9b41d023e88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Matrix.Document\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Hodovo\\linip.exe,0"	linip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Matrix.Document\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Hodovo\\linip.exe \"%1\""	linip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Matrix.Document\shell\open	d63a2b5d1008c22d7ad41dbb6f1e31b3447f720bc2740dd0ec4df9b41d023e88.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.max	linip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Matrix.Document\DefaultIcon	linip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Matrix.Document\shell\open\command	linip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Matrix.Document\shell\print\command	linip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Matrix.Document\shell\print\command	d63a2b5d1008c22d7ad41dbb6f1e31b3447f720bc2740dd0ec4df9b41d023e88.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.max	d63a2b5d1008c22d7ad41dbb6f1e31b3447f720bc2740dd0ec4df9b41d023e88.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.max\ShellNew	d63a2b5d1008c22d7ad41dbb6f1e31b3447f720bc2740dd0ec4df9b41d023e88.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Matrix.Document	linip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Matrix.Document\ = "Matrix Document"	linip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.max\ = "Matrix.Document"	linip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Matrix.Document\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\D63A2B~1.EXE \"%1\""	d63a2b5d1008c22d7ad41dbb6f1e31b3447f720bc2740dd0ec4df9b41d023e88.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Matrix.Document\shell\printto\command	d63a2b5d1008c22d7ad41dbb6f1e31b3447f720bc2740dd0ec4df9b41d023e88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.max\ShellNew\NullFile	d63a2b5d1008c22d7ad41dbb6f1e31b3447f720bc2740dd0ec4df9b41d023e88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Matrix.Document\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\D63A2B~1.EXE,0"	d63a2b5d1008c22d7ad41dbb6f1e31b3447f720bc2740dd0ec4df9b41d023e88.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Matrix.Document\shell\printto	d63a2b5d1008c22d7ad41dbb6f1e31b3447f720bc2740dd0ec4df9b41d023e88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.max\ = "Matrix.Document"	d63a2b5d1008c22d7ad41dbb6f1e31b3447f720bc2740dd0ec4df9b41d023e88.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Matrix.Document\shell\open\command	d63a2b5d1008c22d7ad41dbb6f1e31b3447f720bc2740dd0ec4df9b41d023e88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Matrix.Document\shell\print\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\D63A2B~1.EXE /p \"%1\""	d63a2b5d1008c22d7ad41dbb6f1e31b3447f720bc2740dd0ec4df9b41d023e88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Matrix.Document\shell\print\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Hodovo\\linip.exe /p \"%1\""	linip.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

d63a2b5d1008c22d7ad41dbb6f1e31b3447f720bc2740dd0ec4df9b41d023e88.exed63a2b5d1008c22d7ad41dbb6f1e31b3447f720bc2740dd0ec4df9b41d023e88.exelinip.exelinip.exe

pid	process
1672	d63a2b5d1008c22d7ad41dbb6f1e31b3447f720bc2740dd0ec4df9b41d023e88.exe
2020	d63a2b5d1008c22d7ad41dbb6f1e31b3447f720bc2740dd0ec4df9b41d023e88.exe
1100	linip.exe
1188	linip.exe
1188	linip.exe
1188	linip.exe
1188	linip.exe
1188	linip.exe
1188	linip.exe
1188	linip.exe
1188	linip.exe
1188	linip.exe
1188	linip.exe
1188	linip.exe
1188	linip.exe
1188	linip.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

464
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

linip.exe

description pid process

Token: SeShutdownPrivilege 1188 linip.exe

pid	process
464

description	pid	process
Token: SeShutdownPrivilege	1188	linip.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

d63a2b5d1008c22d7ad41dbb6f1e31b3447f720bc2740dd0ec4df9b41d023e88.exelinip.exe

pid	process
1672	d63a2b5d1008c22d7ad41dbb6f1e31b3447f720bc2740dd0ec4df9b41d023e88.exe
1672	d63a2b5d1008c22d7ad41dbb6f1e31b3447f720bc2740dd0ec4df9b41d023e88.exe
1100	linip.exe
1100	linip.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d63a2b5d1008c22d7ad41dbb6f1e31b3447f720bc2740dd0ec4df9b41d023e88.exed63a2b5d1008c22d7ad41dbb6f1e31b3447f720bc2740dd0ec4df9b41d023e88.exelinip.exelinip.exe

description	pid	process	target process
PID 1672 wrote to memory of 2020	1672	d63a2b5d1008c22d7ad41dbb6f1e31b3447f720bc2740dd0ec4df9b41d023e88.exe	d63a2b5d1008c22d7ad41dbb6f1e31b3447f720bc2740dd0ec4df9b41d023e88.exe
PID 1672 wrote to memory of 2020	1672	d63a2b5d1008c22d7ad41dbb6f1e31b3447f720bc2740dd0ec4df9b41d023e88.exe	d63a2b5d1008c22d7ad41dbb6f1e31b3447f720bc2740dd0ec4df9b41d023e88.exe
PID 1672 wrote to memory of 2020	1672	d63a2b5d1008c22d7ad41dbb6f1e31b3447f720bc2740dd0ec4df9b41d023e88.exe	d63a2b5d1008c22d7ad41dbb6f1e31b3447f720bc2740dd0ec4df9b41d023e88.exe
PID 1672 wrote to memory of 2020	1672	d63a2b5d1008c22d7ad41dbb6f1e31b3447f720bc2740dd0ec4df9b41d023e88.exe	d63a2b5d1008c22d7ad41dbb6f1e31b3447f720bc2740dd0ec4df9b41d023e88.exe
PID 1672 wrote to memory of 2020	1672	d63a2b5d1008c22d7ad41dbb6f1e31b3447f720bc2740dd0ec4df9b41d023e88.exe	d63a2b5d1008c22d7ad41dbb6f1e31b3447f720bc2740dd0ec4df9b41d023e88.exe
PID 1672 wrote to memory of 2020	1672	d63a2b5d1008c22d7ad41dbb6f1e31b3447f720bc2740dd0ec4df9b41d023e88.exe	d63a2b5d1008c22d7ad41dbb6f1e31b3447f720bc2740dd0ec4df9b41d023e88.exe
PID 1672 wrote to memory of 2020	1672	d63a2b5d1008c22d7ad41dbb6f1e31b3447f720bc2740dd0ec4df9b41d023e88.exe	d63a2b5d1008c22d7ad41dbb6f1e31b3447f720bc2740dd0ec4df9b41d023e88.exe
PID 1672 wrote to memory of 2020	1672	d63a2b5d1008c22d7ad41dbb6f1e31b3447f720bc2740dd0ec4df9b41d023e88.exe	d63a2b5d1008c22d7ad41dbb6f1e31b3447f720bc2740dd0ec4df9b41d023e88.exe
PID 1672 wrote to memory of 2020	1672	d63a2b5d1008c22d7ad41dbb6f1e31b3447f720bc2740dd0ec4df9b41d023e88.exe	d63a2b5d1008c22d7ad41dbb6f1e31b3447f720bc2740dd0ec4df9b41d023e88.exe
PID 1672 wrote to memory of 2020	1672	d63a2b5d1008c22d7ad41dbb6f1e31b3447f720bc2740dd0ec4df9b41d023e88.exe	d63a2b5d1008c22d7ad41dbb6f1e31b3447f720bc2740dd0ec4df9b41d023e88.exe
PID 2020 wrote to memory of 1100	2020	d63a2b5d1008c22d7ad41dbb6f1e31b3447f720bc2740dd0ec4df9b41d023e88.exe	linip.exe
PID 2020 wrote to memory of 1100	2020	d63a2b5d1008c22d7ad41dbb6f1e31b3447f720bc2740dd0ec4df9b41d023e88.exe	linip.exe
PID 2020 wrote to memory of 1100	2020	d63a2b5d1008c22d7ad41dbb6f1e31b3447f720bc2740dd0ec4df9b41d023e88.exe	linip.exe
PID 2020 wrote to memory of 1100	2020	d63a2b5d1008c22d7ad41dbb6f1e31b3447f720bc2740dd0ec4df9b41d023e88.exe	linip.exe
PID 1100 wrote to memory of 1188	1100	linip.exe	linip.exe
PID 1100 wrote to memory of 1188	1100	linip.exe	linip.exe
PID 1100 wrote to memory of 1188	1100	linip.exe	linip.exe
PID 1100 wrote to memory of 1188	1100	linip.exe	linip.exe
PID 1100 wrote to memory of 1188	1100	linip.exe	linip.exe
PID 1100 wrote to memory of 1188	1100	linip.exe	linip.exe
PID 1100 wrote to memory of 1188	1100	linip.exe	linip.exe
PID 1100 wrote to memory of 1188	1100	linip.exe	linip.exe
PID 1100 wrote to memory of 1188	1100	linip.exe	linip.exe
PID 1100 wrote to memory of 1188	1100	linip.exe	linip.exe
PID 2020 wrote to memory of 324	2020	d63a2b5d1008c22d7ad41dbb6f1e31b3447f720bc2740dd0ec4df9b41d023e88.exe	cmd.exe
PID 2020 wrote to memory of 324	2020	d63a2b5d1008c22d7ad41dbb6f1e31b3447f720bc2740dd0ec4df9b41d023e88.exe	cmd.exe
PID 2020 wrote to memory of 324	2020	d63a2b5d1008c22d7ad41dbb6f1e31b3447f720bc2740dd0ec4df9b41d023e88.exe	cmd.exe
PID 2020 wrote to memory of 324	2020	d63a2b5d1008c22d7ad41dbb6f1e31b3447f720bc2740dd0ec4df9b41d023e88.exe	cmd.exe
PID 1188 wrote to memory of 820	1188	linip.exe	bcdedit.exe
PID 1188 wrote to memory of 820	1188	linip.exe	bcdedit.exe
PID 1188 wrote to memory of 820	1188	linip.exe	bcdedit.exe
PID 1188 wrote to memory of 820	1188	linip.exe	bcdedit.exe
PID 1188 wrote to memory of 1252	1188	linip.exe	bcdedit.exe
PID 1188 wrote to memory of 1252	1188	linip.exe	bcdedit.exe
PID 1188 wrote to memory of 1252	1188	linip.exe	bcdedit.exe
PID 1188 wrote to memory of 1252	1188	linip.exe	bcdedit.exe
PID 1188 wrote to memory of 384	1188	linip.exe	bcdedit.exe
PID 1188 wrote to memory of 384	1188	linip.exe	bcdedit.exe
PID 1188 wrote to memory of 384	1188	linip.exe	bcdedit.exe
PID 1188 wrote to memory of 384	1188	linip.exe	bcdedit.exe
PID 1188 wrote to memory of 1708	1188	linip.exe	bcdedit.exe
PID 1188 wrote to memory of 1708	1188	linip.exe	bcdedit.exe
PID 1188 wrote to memory of 1708	1188	linip.exe	bcdedit.exe
PID 1188 wrote to memory of 1708	1188	linip.exe	bcdedit.exe
PID 1188 wrote to memory of 680	1188	linip.exe	bcdedit.exe
PID 1188 wrote to memory of 680	1188	linip.exe	bcdedit.exe
PID 1188 wrote to memory of 680	1188	linip.exe	bcdedit.exe
PID 1188 wrote to memory of 680	1188	linip.exe	bcdedit.exe
PID 1188 wrote to memory of 1712	1188	linip.exe	bcdedit.exe
PID 1188 wrote to memory of 1712	1188	linip.exe	bcdedit.exe
PID 1188 wrote to memory of 1712	1188	linip.exe	bcdedit.exe
PID 1188 wrote to memory of 1712	1188	linip.exe	bcdedit.exe
PID 1188 wrote to memory of 964	1188	linip.exe	bcdedit.exe
PID 1188 wrote to memory of 964	1188	linip.exe	bcdedit.exe
PID 1188 wrote to memory of 964	1188	linip.exe	bcdedit.exe
PID 1188 wrote to memory of 964	1188	linip.exe	bcdedit.exe
PID 1188 wrote to memory of 1676	1188	linip.exe	bcdedit.exe
PID 1188 wrote to memory of 1676	1188	linip.exe	bcdedit.exe
PID 1188 wrote to memory of 1676	1188	linip.exe	bcdedit.exe
PID 1188 wrote to memory of 1676	1188	linip.exe	bcdedit.exe
PID 1188 wrote to memory of 1668	1188	linip.exe	bcdedit.exe
PID 1188 wrote to memory of 1668	1188	linip.exe	bcdedit.exe
PID 1188 wrote to memory of 1668	1188	linip.exe	bcdedit.exe
PID 1188 wrote to memory of 1668	1188	linip.exe	bcdedit.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1132

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1260

C:\Users\Admin\AppData\Local\Temp\d63a2b5d1008c22d7ad41dbb6f1e31b3447f720bc2740dd0ec4df9b41d023e88.exe
"C:\Users\Admin\AppData\Local\Temp\d63a2b5d1008c22d7ad41dbb6f1e31b3447f720bc2740dd0ec4df9b41d023e88.exe"
2⤵
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1672

C:\Users\Admin\AppData\Local\Temp\d63a2b5d1008c22d7ad41dbb6f1e31b3447f720bc2740dd0ec4df9b41d023e88.exe
C:\Users\Admin\AppData\Local\Temp\d63a2b5d1008c22d7ad41dbb6f1e31b3447f720bc2740dd0ec4df9b41d023e88.exe
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2020

C:\Users\Admin\AppData\Local\Temp\Hodovo\linip.exe
"C:\Users\Admin\AppData\Local\Temp\Hodovo\linip.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1100

C:\Users\Admin\AppData\Local\Temp\Hodovo\linip.exe
C:\Users\Admin\AppData\Local\Temp\Hodovo\linip.exe
5⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1188

C:\Windows\system32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
6⤵
- Modifies boot configuration data using bcdedit
PID:1712

C:\Windows\system32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
6⤵
- Modifies boot configuration data using bcdedit
PID:1532

C:\Windows\system32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
6⤵
- Modifies boot configuration data using bcdedit
PID:1668

C:\Windows\system32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
6⤵
- Modifies boot configuration data using bcdedit
PID:1676

C:\Windows\system32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
6⤵
- Modifies boot configuration data using bcdedit
PID:964

C:\Windows\system32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
6⤵
- Modifies boot configuration data using bcdedit
PID:680

C:\Windows\system32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
6⤵
- Modifies boot configuration data using bcdedit
PID:1708

C:\Windows\system32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
6⤵
- Modifies boot configuration data using bcdedit
PID:384

C:\Windows\system32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
6⤵
- Modifies boot configuration data using bcdedit
PID:1252

C:\Windows\system32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
6⤵
- Modifies boot configuration data using bcdedit
PID:820

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TJRDB22.bat"
4⤵
- Deletes itself
PID:324

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1224

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1648

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1908

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

1

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Hodovo\linip.exe

Filesize
484KB

MD5
d5f52704e61c0afbc66bb79f2f70469b

SHA1
09353844c991423b6215d9d6b91c01713c619425

SHA256
b882334ea7c9b42566e0316b5f337600432b7fd59b125eb0caae451c6b711054

SHA512
67f13efe57b3fe335fd33c5bb27891c39239e029009ae560b002bfa7f1c44b9fa0d0a947d49ea81960761fe52e1f72dc2bd34a8017b22a3b8346bdad11a2fa68

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hodovo\linip.exe

Filesize
484KB

MD5
d5f52704e61c0afbc66bb79f2f70469b

SHA1
09353844c991423b6215d9d6b91c01713c619425

SHA256
b882334ea7c9b42566e0316b5f337600432b7fd59b125eb0caae451c6b711054

SHA512
67f13efe57b3fe335fd33c5bb27891c39239e029009ae560b002bfa7f1c44b9fa0d0a947d49ea81960761fe52e1f72dc2bd34a8017b22a3b8346bdad11a2fa68

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hodovo\linip.exe

Filesize
484KB

MD5
d5f52704e61c0afbc66bb79f2f70469b

SHA1
09353844c991423b6215d9d6b91c01713c619425

SHA256
b882334ea7c9b42566e0316b5f337600432b7fd59b125eb0caae451c6b711054

SHA512
67f13efe57b3fe335fd33c5bb27891c39239e029009ae560b002bfa7f1c44b9fa0d0a947d49ea81960761fe52e1f72dc2bd34a8017b22a3b8346bdad11a2fa68

Download Submit
C:\Users\Admin\AppData\Local\Temp\TJRDB22.bat

Filesize
284B

MD5
337ecc9efcdaabf98949c6f11759a847

SHA1
9f62a57a3042ffcccfd7639c8a68df65e8a03833

SHA256
9ca75ea263ab8fd22a04a18cf4296104e3706c241e9021ac856433e3c14d6897

SHA512
60b48317e715e1ea49cad7aab2f06a17d8365b9cfb842796de3099641d4f99ab82edde0a0deab538b715ede08ff781d77c4e2145f28e0544f156051d16b9cbb2

Download Submit
\Users\Admin\AppData\Local\Temp\Hodovo\linip.exe

Filesize
484KB

MD5
d5f52704e61c0afbc66bb79f2f70469b

SHA1
09353844c991423b6215d9d6b91c01713c619425

SHA256
b882334ea7c9b42566e0316b5f337600432b7fd59b125eb0caae451c6b711054

SHA512
67f13efe57b3fe335fd33c5bb27891c39239e029009ae560b002bfa7f1c44b9fa0d0a947d49ea81960761fe52e1f72dc2bd34a8017b22a3b8346bdad11a2fa68

Download Submit
\Users\Admin\AppData\Local\Temp\Hodovo\linip.exe

Filesize
484KB

MD5
d5f52704e61c0afbc66bb79f2f70469b

SHA1
09353844c991423b6215d9d6b91c01713c619425

SHA256
b882334ea7c9b42566e0316b5f337600432b7fd59b125eb0caae451c6b711054

SHA512
67f13efe57b3fe335fd33c5bb27891c39239e029009ae560b002bfa7f1c44b9fa0d0a947d49ea81960761fe52e1f72dc2bd34a8017b22a3b8346bdad11a2fa68

Download Submit
\Users\Admin\AppData\Local\Temp\Hodovo\linip.exe

Filesize
484KB

MD5
d5f52704e61c0afbc66bb79f2f70469b

SHA1
09353844c991423b6215d9d6b91c01713c619425

SHA256
b882334ea7c9b42566e0316b5f337600432b7fd59b125eb0caae451c6b711054

SHA512
67f13efe57b3fe335fd33c5bb27891c39239e029009ae560b002bfa7f1c44b9fa0d0a947d49ea81960761fe52e1f72dc2bd34a8017b22a3b8346bdad11a2fa68

Download Submit
memory/324-92-0x0000000000000000-mapping.dmp

Download
memory/384-97-0x0000000000000000-mapping.dmp

Download
memory/680-99-0x0000000000000000-mapping.dmp

Download
memory/820-95-0x0000000000000000-mapping.dmp

Download
memory/964-101-0x0000000000000000-mapping.dmp

Download
memory/1100-88-0x00000000002D0000-0x00000000002D4000-memory.dmp

Filesize
16KB

Download
memory/1100-72-0x0000000000000000-mapping.dmp

Download
memory/1132-110-0x0000000002040000-0x00000000020A9000-memory.dmp

Filesize
420KB

Download
memory/1132-112-0x0000000002040000-0x00000000020A9000-memory.dmp

Filesize
420KB

Download
memory/1132-111-0x0000000002040000-0x00000000020A9000-memory.dmp

Filesize
420KB

Download
memory/1132-109-0x0000000002040000-0x00000000020A9000-memory.dmp

Filesize
420KB

Download
memory/1188-106-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1188-127-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1188-86-0x000000000043DDFD-mapping.dmp

Download
memory/1188-125-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1188-105-0x0000000000370000-0x0000000000376000-memory.dmp

Filesize
24KB

Download
memory/1224-115-0x0000000001D50000-0x0000000001DB9000-memory.dmp

Filesize
420KB

Download
memory/1224-116-0x0000000001D50000-0x0000000001DB9000-memory.dmp

Filesize
420KB

Download
memory/1224-118-0x0000000001D50000-0x0000000001DB9000-memory.dmp

Filesize
420KB

Download
memory/1224-117-0x0000000001D50000-0x0000000001DB9000-memory.dmp

Filesize
420KB

Download
memory/1252-96-0x0000000000000000-mapping.dmp

Download
memory/1260-122-0x0000000002A50000-0x0000000002AB9000-memory.dmp

Filesize
420KB

Download
memory/1260-124-0x0000000002A50000-0x0000000002AB9000-memory.dmp

Filesize
420KB

Download
memory/1260-123-0x0000000002A50000-0x0000000002AB9000-memory.dmp

Filesize
420KB

Download
memory/1260-121-0x0000000002A50000-0x0000000002AB9000-memory.dmp

Filesize
420KB

Download
memory/1532-104-0x0000000000000000-mapping.dmp

Download
memory/1648-126-0x000007FEFBC01000-0x000007FEFBC03000-memory.dmp

Filesize
8KB

Download
memory/1668-103-0x0000000000000000-mapping.dmp

Download
memory/1672-54-0x0000000075BD1000-0x0000000075BD3000-memory.dmp

Filesize
8KB

Download
memory/1676-102-0x0000000000000000-mapping.dmp

Download
memory/1708-98-0x0000000000000000-mapping.dmp

Download
memory/1712-100-0x0000000000000000-mapping.dmp

Download
memory/2020-56-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2020-63-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2020-55-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2020-68-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2020-61-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2020-64-0x000000000043DDFD-mapping.dmp

Download
memory/2020-58-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2020-93-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2020-67-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2020-59-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2020-69-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads