a7843248abb53e4c5d331546fa3d268b261c7e82f83297c08364d3770cba333b

General

Target

a7843248abb53e4c5d331546fa3d268b261c7e82f83297c08364d3770cba333b.exe
Size

336KB
MD5

440772a59bcd96f082729fd01230e0b8
SHA1

51466aa487c81a3b14dce84d660a800b352e35ac
SHA256

a7843248abb53e4c5d331546fa3d268b261c7e82f83297c08364d3770cba333b
SHA512

518edb76aaac714137c295d8fcfaf7c2d6b4f743c67416f74c5c5fe57997396d97d2f94729655ccfbdb4e47a8e5a856b2822524e044dd8bb9749b9fb2c36c566
SSDEEP

6144:pBr9gkw1fhh/5ZnLRf3JUMKxKSqAYGOI3YWAE1Qek4Skg+Y8a9W+tQclx:jr9xsxNLR2MKIg/6ULSk7YPJt1T

Score

9^/10

evasion ransomware

Malware Config

Signatures

Modifies boot configuration data using bcdedit 1 TTPs 10 IoCs

ransomware evasion

Inhibit System Recovery

T1490

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid	process
3772	bcdedit.exe
3172	bcdedit.exe
3836	bcdedit.exe
4596	bcdedit.exe
4932	bcdedit.exe
3596	bcdedit.exe
3648	bcdedit.exe
4856	bcdedit.exe
3100	bcdedit.exe
4712	bcdedit.exe

Drops file in Drivers directory 1 IoCs

Processes:

syshost.exe

description ioc process

File created C:\Windows\system32\drivers\e57757e.sys syshost.exe
Executes dropped EXE 1 IoCs

Processes:

syshost.exe

pid process

240 syshost.exe

description	ioc	process
File created	C:\Windows\system32\drivers\e57757e.sys	syshost.exe

pid	process
240	syshost.exe

Drops file in Windows directory 3 IoCs

Processes:

a7843248abb53e4c5d331546fa3d268b261c7e82f83297c08364d3770cba333b.exesyshost.exe

description	ioc	process
File created	C:\Windows\Installer\{773E30B5-5FBB-B06C-AAC5-F23889795F07}\syshost.exe	a7843248abb53e4c5d331546fa3d268b261c7e82f83297c08364d3770cba333b.exe
File opened for modification	C:\Windows\Installer\{773E30B5-5FBB-B06C-AAC5-F23889795F07}\syshost.exe	a7843248abb53e4c5d331546fa3d268b261c7e82f83297c08364d3770cba333b.exe
File opened for modification	C:\Windows\Installer\{773E30B5-5FBB-B06C-AAC5-F23889795F07}\syshost.exe.tmp	syshost.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "147"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

644
Suspicious behavior: RenamesItself 1 IoCs

Processes:

a7843248abb53e4c5d331546fa3d268b261c7e82f83297c08364d3770cba333b.exe

pid process

600 a7843248abb53e4c5d331546fa3d268b261c7e82f83297c08364d3770cba333b.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

syshost.exe

description pid process

Token: SeShutdownPrivilege 240 syshost.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

3364 LogonUI.exe

pid	process
644

pid	process
600	a7843248abb53e4c5d331546fa3d268b261c7e82f83297c08364d3770cba333b.exe

description	pid	process
Token: SeShutdownPrivilege	240	syshost.exe

pid	process
3364	LogonUI.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

a7843248abb53e4c5d331546fa3d268b261c7e82f83297c08364d3770cba333b.exesyshost.exe

description	pid	process	target process
PID 600 wrote to memory of 1532	600	a7843248abb53e4c5d331546fa3d268b261c7e82f83297c08364d3770cba333b.exe	cmd.exe
PID 600 wrote to memory of 1532	600	a7843248abb53e4c5d331546fa3d268b261c7e82f83297c08364d3770cba333b.exe	cmd.exe
PID 600 wrote to memory of 1532	600	a7843248abb53e4c5d331546fa3d268b261c7e82f83297c08364d3770cba333b.exe	cmd.exe
PID 240 wrote to memory of 3772	240	syshost.exe	bcdedit.exe
PID 240 wrote to memory of 3772	240	syshost.exe	bcdedit.exe
PID 240 wrote to memory of 3172	240	syshost.exe	bcdedit.exe
PID 240 wrote to memory of 3172	240	syshost.exe	bcdedit.exe
PID 240 wrote to memory of 3836	240	syshost.exe	bcdedit.exe
PID 240 wrote to memory of 3836	240	syshost.exe	bcdedit.exe
PID 240 wrote to memory of 4596	240	syshost.exe	bcdedit.exe
PID 240 wrote to memory of 4596	240	syshost.exe	bcdedit.exe
PID 240 wrote to memory of 3648	240	syshost.exe	bcdedit.exe
PID 240 wrote to memory of 3648	240	syshost.exe	bcdedit.exe
PID 240 wrote to memory of 4932	240	syshost.exe	bcdedit.exe
PID 240 wrote to memory of 4932	240	syshost.exe	bcdedit.exe
PID 240 wrote to memory of 3596	240	syshost.exe	bcdedit.exe
PID 240 wrote to memory of 3596	240	syshost.exe	bcdedit.exe
PID 240 wrote to memory of 4712	240	syshost.exe	bcdedit.exe
PID 240 wrote to memory of 4712	240	syshost.exe	bcdedit.exe
PID 240 wrote to memory of 4856	240	syshost.exe	bcdedit.exe
PID 240 wrote to memory of 4856	240	syshost.exe	bcdedit.exe
PID 240 wrote to memory of 3100	240	syshost.exe	bcdedit.exe
PID 240 wrote to memory of 3100	240	syshost.exe	bcdedit.exe

C:\Users\Admin\AppData\Local\Temp\a7843248abb53e4c5d331546fa3d268b261c7e82f83297c08364d3770cba333b.exe
"C:\Users\Admin\AppData\Local\Temp\a7843248abb53e4c5d331546fa3d268b261c7e82f83297c08364d3770cba333b.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:600

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\907a0a3c.tmp"
2⤵
PID:1532

C:\Windows\Installer\{773E30B5-5FBB-B06C-AAC5-F23889795F07}\syshost.exe
"C:\Windows\Installer\{773E30B5-5FBB-B06C-AAC5-F23889795F07}\syshost.exe" /service
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:240

C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
2⤵
- Modifies boot configuration data using bcdedit
PID:3772

C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
2⤵
- Modifies boot configuration data using bcdedit
PID:3172

C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
2⤵
- Modifies boot configuration data using bcdedit
PID:3836

C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
2⤵
- Modifies boot configuration data using bcdedit
PID:4596

C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
2⤵
- Modifies boot configuration data using bcdedit
PID:4932

C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
2⤵
- Modifies boot configuration data using bcdedit
PID:3596

C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
2⤵
- Modifies boot configuration data using bcdedit
PID:3648

C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
2⤵
- Modifies boot configuration data using bcdedit
PID:4856

C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
2⤵
- Modifies boot configuration data using bcdedit
PID:3100

C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
2⤵
- Modifies boot configuration data using bcdedit
PID:4712

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39f7055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3364

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

1

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Installer\{773E30B5-5FBB-B06C-AAC5-F23889795F07}\syshost.exe

Filesize
336KB

MD5
440772a59bcd96f082729fd01230e0b8

SHA1
51466aa487c81a3b14dce84d660a800b352e35ac

SHA256
a7843248abb53e4c5d331546fa3d268b261c7e82f83297c08364d3770cba333b

SHA512
518edb76aaac714137c295d8fcfaf7c2d6b4f743c67416f74c5c5fe57997396d97d2f94729655ccfbdb4e47a8e5a856b2822524e044dd8bb9749b9fb2c36c566

Download Submit
C:\Windows\Installer\{773E30B5-5FBB-B06C-AAC5-F23889795F07}\syshost.exe

Filesize
336KB

MD5
440772a59bcd96f082729fd01230e0b8

SHA1
51466aa487c81a3b14dce84d660a800b352e35ac

SHA256
a7843248abb53e4c5d331546fa3d268b261c7e82f83297c08364d3770cba333b

SHA512
518edb76aaac714137c295d8fcfaf7c2d6b4f743c67416f74c5c5fe57997396d97d2f94729655ccfbdb4e47a8e5a856b2822524e044dd8bb9749b9fb2c36c566

Download Submit
memory/240-154-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/240-143-0x00000000005B0000-0x00000000005B6000-memory.dmp

Filesize
24KB

Download
memory/240-142-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/240-145-0x0000000000F60000-0x0000000001060000-memory.dmp

Filesize
1024KB

Download
memory/240-141-0x0000000000F60000-0x0000000001060000-memory.dmp

Filesize
1024KB

Download
memory/240-155-0x00000000005B0000-0x00000000005B6000-memory.dmp

Filesize
24KB

Download
memory/600-135-0x00000000004A0000-0x00000000004A6000-memory.dmp

Filesize
24KB

Download
memory/600-132-0x0000000002350000-0x0000000002450000-memory.dmp

Filesize
1024KB

Download
memory/600-134-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/600-133-0x0000000002350000-0x0000000002450000-memory.dmp

Filesize
1024KB

Download
memory/600-144-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1532-138-0x0000000000000000-mapping.dmp

Download
memory/3100-153-0x0000000000000000-mapping.dmp

Download
memory/3172-140-0x0000000000000000-mapping.dmp

Download
memory/3596-150-0x0000000000000000-mapping.dmp

Download
memory/3648-148-0x0000000000000000-mapping.dmp

Download
memory/3772-139-0x0000000000000000-mapping.dmp

Download
memory/3836-146-0x0000000000000000-mapping.dmp

Download
memory/4596-147-0x0000000000000000-mapping.dmp

Download
memory/4712-151-0x0000000000000000-mapping.dmp

Download
memory/4856-152-0x0000000000000000-mapping.dmp

Download
memory/4932-149-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads