270d5d46ea16e02b8bd73e23904653304d4bd41c79aaccf42cf0cce1efa8fb24

General

Target

270d5d46ea16e02b8bd73e23904653304d4bd41c79aaccf42cf0cce1efa8fb24.exe
Size

348KB
MD5

9e4cab69981fa679c9a84375676fcc1d
SHA1

f58cc7f89276024b549330f7b957ff04d0ac1c42
SHA256

270d5d46ea16e02b8bd73e23904653304d4bd41c79aaccf42cf0cce1efa8fb24
SHA512

380fb1bf9e0d8f47bd166fe36cba92d7052cfe064c5cc390e28cf3f0c1e52dcf3b666246ca6ac06a3a79a30a1706c54e261ae53a4813030b5434929268b84528
SSDEEP

6144:nyWxwCjWwKpb7x+pyO1sYbg0L4J7CpLa6D+qtFukVYG74gdSNDkmmpybIWU:ny5ee7wpyvYby7CpLKqrVYhgYmmoyb

Score

9^/10

evasion ransomware

Malware Config

Signatures

Modifies boot configuration data using bcdedit 1 TTPs 10 IoCs

ransomware evasion

Inhibit System Recovery

T1490

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid	process
996	bcdedit.exe
520	bcdedit.exe
1112	bcdedit.exe
1364	bcdedit.exe
1912	bcdedit.exe
692	bcdedit.exe
1372	bcdedit.exe
1876	bcdedit.exe
1040	bcdedit.exe
1192	bcdedit.exe

Drops file in Drivers directory 1 IoCs

Processes:

syshost.exe

description ioc process

File created C:\Windows\system32\drivers\6c7fac.sys syshost.exe
Executes dropped EXE 1 IoCs

Processes:

syshost.exe

pid process

968 syshost.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1580 cmd.exe

description	ioc	process
File created	C:\Windows\system32\drivers\6c7fac.sys	syshost.exe

pid	process
968	syshost.exe

pid	process
1580	cmd.exe

Drops file in Windows directory 3 IoCs

Processes:

270d5d46ea16e02b8bd73e23904653304d4bd41c79aaccf42cf0cce1efa8fb24.exesyshost.exe

description	ioc	process
File created	C:\Windows\Installer\{FED52A0C-D8E3-277B-330E-F3BF11BEE6D1}\syshost.exe	270d5d46ea16e02b8bd73e23904653304d4bd41c79aaccf42cf0cce1efa8fb24.exe
File opened for modification	C:\Windows\Installer\{FED52A0C-D8E3-277B-330E-F3BF11BEE6D1}\syshost.exe	270d5d46ea16e02b8bd73e23904653304d4bd41c79aaccf42cf0cce1efa8fb24.exe
File opened for modification	C:\Windows\Installer\{FED52A0C-D8E3-277B-330E-F3BF11BEE6D1}\syshost.exe.tmp	syshost.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

460
Suspicious behavior: RenamesItself 1 IoCs

Processes:

270d5d46ea16e02b8bd73e23904653304d4bd41c79aaccf42cf0cce1efa8fb24.exe

pid process

1748 270d5d46ea16e02b8bd73e23904653304d4bd41c79aaccf42cf0cce1efa8fb24.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

syshost.exe

description pid process

Token: SeShutdownPrivilege 968 syshost.exe

pid	process
460

pid	process
1748	270d5d46ea16e02b8bd73e23904653304d4bd41c79aaccf42cf0cce1efa8fb24.exe

description	pid	process
Token: SeShutdownPrivilege	968	syshost.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

syshost.exe270d5d46ea16e02b8bd73e23904653304d4bd41c79aaccf42cf0cce1efa8fb24.exe

description	pid	process	target process
PID 968 wrote to memory of 996	968	syshost.exe	bcdedit.exe
PID 968 wrote to memory of 996	968	syshost.exe	bcdedit.exe
PID 968 wrote to memory of 996	968	syshost.exe	bcdedit.exe
PID 968 wrote to memory of 996	968	syshost.exe	bcdedit.exe
PID 968 wrote to memory of 520	968	syshost.exe	bcdedit.exe
PID 968 wrote to memory of 520	968	syshost.exe	bcdedit.exe
PID 968 wrote to memory of 520	968	syshost.exe	bcdedit.exe
PID 968 wrote to memory of 520	968	syshost.exe	bcdedit.exe
PID 968 wrote to memory of 1112	968	syshost.exe	bcdedit.exe
PID 968 wrote to memory of 1112	968	syshost.exe	bcdedit.exe
PID 968 wrote to memory of 1112	968	syshost.exe	bcdedit.exe
PID 968 wrote to memory of 1112	968	syshost.exe	bcdedit.exe
PID 968 wrote to memory of 1364	968	syshost.exe	bcdedit.exe
PID 968 wrote to memory of 1364	968	syshost.exe	bcdedit.exe
PID 968 wrote to memory of 1364	968	syshost.exe	bcdedit.exe
PID 968 wrote to memory of 1364	968	syshost.exe	bcdedit.exe
PID 968 wrote to memory of 1912	968	syshost.exe	bcdedit.exe
PID 968 wrote to memory of 1912	968	syshost.exe	bcdedit.exe
PID 968 wrote to memory of 1912	968	syshost.exe	bcdedit.exe
PID 968 wrote to memory of 1912	968	syshost.exe	bcdedit.exe
PID 968 wrote to memory of 692	968	syshost.exe	bcdedit.exe
PID 968 wrote to memory of 692	968	syshost.exe	bcdedit.exe
PID 968 wrote to memory of 692	968	syshost.exe	bcdedit.exe
PID 968 wrote to memory of 692	968	syshost.exe	bcdedit.exe
PID 968 wrote to memory of 1372	968	syshost.exe	bcdedit.exe
PID 968 wrote to memory of 1372	968	syshost.exe	bcdedit.exe
PID 968 wrote to memory of 1372	968	syshost.exe	bcdedit.exe
PID 968 wrote to memory of 1372	968	syshost.exe	bcdedit.exe
PID 968 wrote to memory of 1876	968	syshost.exe	bcdedit.exe
PID 968 wrote to memory of 1876	968	syshost.exe	bcdedit.exe
PID 968 wrote to memory of 1876	968	syshost.exe	bcdedit.exe
PID 968 wrote to memory of 1876	968	syshost.exe	bcdedit.exe
PID 968 wrote to memory of 1040	968	syshost.exe	bcdedit.exe
PID 968 wrote to memory of 1040	968	syshost.exe	bcdedit.exe
PID 968 wrote to memory of 1040	968	syshost.exe	bcdedit.exe
PID 968 wrote to memory of 1040	968	syshost.exe	bcdedit.exe
PID 968 wrote to memory of 1192	968	syshost.exe	bcdedit.exe
PID 968 wrote to memory of 1192	968	syshost.exe	bcdedit.exe
PID 968 wrote to memory of 1192	968	syshost.exe	bcdedit.exe
PID 968 wrote to memory of 1192	968	syshost.exe	bcdedit.exe
PID 1748 wrote to memory of 1580	1748	270d5d46ea16e02b8bd73e23904653304d4bd41c79aaccf42cf0cce1efa8fb24.exe	cmd.exe
PID 1748 wrote to memory of 1580	1748	270d5d46ea16e02b8bd73e23904653304d4bd41c79aaccf42cf0cce1efa8fb24.exe	cmd.exe
PID 1748 wrote to memory of 1580	1748	270d5d46ea16e02b8bd73e23904653304d4bd41c79aaccf42cf0cce1efa8fb24.exe	cmd.exe
PID 1748 wrote to memory of 1580	1748	270d5d46ea16e02b8bd73e23904653304d4bd41c79aaccf42cf0cce1efa8fb24.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\270d5d46ea16e02b8bd73e23904653304d4bd41c79aaccf42cf0cce1efa8fb24.exe
"C:\Users\Admin\AppData\Local\Temp\270d5d46ea16e02b8bd73e23904653304d4bd41c79aaccf42cf0cce1efa8fb24.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1748

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\924fe5e3.tmp"
2⤵
- Deletes itself
PID:1580

C:\Windows\Installer\{FED52A0C-D8E3-277B-330E-F3BF11BEE6D1}\syshost.exe
"C:\Windows\Installer\{FED52A0C-D8E3-277B-330E-F3BF11BEE6D1}\syshost.exe" /service
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:968

C:\Windows\system32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
2⤵
- Modifies boot configuration data using bcdedit
PID:996

C:\Windows\system32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
2⤵
- Modifies boot configuration data using bcdedit
PID:520

C:\Windows\system32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
2⤵
- Modifies boot configuration data using bcdedit
PID:1112

C:\Windows\system32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
2⤵
- Modifies boot configuration data using bcdedit
PID:1364

C:\Windows\system32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
2⤵
- Modifies boot configuration data using bcdedit
PID:1912

C:\Windows\system32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
2⤵
- Modifies boot configuration data using bcdedit
PID:692

C:\Windows\system32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
2⤵
- Modifies boot configuration data using bcdedit
PID:1372

C:\Windows\system32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
2⤵
- Modifies boot configuration data using bcdedit
PID:1876

C:\Windows\system32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
2⤵
- Modifies boot configuration data using bcdedit
PID:1040

C:\Windows\system32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
2⤵
- Modifies boot configuration data using bcdedit
PID:1192

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1756

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1276

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

1

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Installer\{FED52A0C-D8E3-277B-330E-F3BF11BEE6D1}\syshost.exe

Filesize
348KB

MD5
9e4cab69981fa679c9a84375676fcc1d

SHA1
f58cc7f89276024b549330f7b957ff04d0ac1c42

SHA256
270d5d46ea16e02b8bd73e23904653304d4bd41c79aaccf42cf0cce1efa8fb24

SHA512
380fb1bf9e0d8f47bd166fe36cba92d7052cfe064c5cc390e28cf3f0c1e52dcf3b666246ca6ac06a3a79a30a1706c54e261ae53a4813030b5434929268b84528

Download Submit
memory/520-64-0x0000000000000000-mapping.dmp

Download
memory/692-68-0x0000000000000000-mapping.dmp

Download
memory/968-76-0x00000000002B0000-0x00000000002B6000-memory.dmp

Filesize
24KB

Download
memory/968-75-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/968-60-0x0000000000A60000-0x0000000000ABA000-memory.dmp

Filesize
360KB

Download
memory/968-61-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/968-62-0x00000000002B0000-0x00000000002B6000-memory.dmp

Filesize
24KB

Download
memory/996-63-0x0000000000000000-mapping.dmp

Download
memory/1040-71-0x0000000000000000-mapping.dmp

Download
memory/1112-65-0x0000000000000000-mapping.dmp

Download
memory/1192-72-0x0000000000000000-mapping.dmp

Download
memory/1364-66-0x0000000000000000-mapping.dmp

Download
memory/1372-69-0x0000000000000000-mapping.dmp

Download
memory/1580-73-0x0000000000000000-mapping.dmp

Download
memory/1748-54-0x0000000076191000-0x0000000076193000-memory.dmp

Filesize
8KB

Download
memory/1748-57-0x00000000002A0000-0x00000000002A6000-memory.dmp

Filesize
24KB

Download
memory/1748-74-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1748-56-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1748-55-0x00000000004D0000-0x000000000052A000-memory.dmp

Filesize
360KB

Download
memory/1756-77-0x000007FEFC171000-0x000007FEFC173000-memory.dmp

Filesize
8KB

Download
memory/1876-70-0x0000000000000000-mapping.dmp

Download
memory/1912-67-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads