270d5d46ea16e02b8bd73e23904653304d4bd41c79aaccf42cf0cce1efa8fb24

Reason

Machine shutdown

General

Target

270d5d46ea16e02b8bd73e23904653304d4bd41c79aaccf42cf0cce1efa8fb24.exe
Size

348KB
MD5

9e4cab69981fa679c9a84375676fcc1d
SHA1

f58cc7f89276024b549330f7b957ff04d0ac1c42
SHA256

270d5d46ea16e02b8bd73e23904653304d4bd41c79aaccf42cf0cce1efa8fb24
SHA512

380fb1bf9e0d8f47bd166fe36cba92d7052cfe064c5cc390e28cf3f0c1e52dcf3b666246ca6ac06a3a79a30a1706c54e261ae53a4813030b5434929268b84528
SSDEEP

6144:nyWxwCjWwKpb7x+pyO1sYbg0L4J7CpLa6D+qtFukVYG74gdSNDkmmpybIWU:ny5ee7wpyvYby7CpLKqrVYhgYmmoyb

Score

9^/10

evasion ransomware

Malware Config

Signatures

Modifies boot configuration data using bcdedit 1 TTPs 10 IoCs

ransomware evasion

Inhibit System Recovery

T1490

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid	process
2912	bcdedit.exe
2304	bcdedit.exe
4672	bcdedit.exe
1932	bcdedit.exe
4756	bcdedit.exe
4264	bcdedit.exe
548	bcdedit.exe
1800	bcdedit.exe
848	bcdedit.exe
3296	bcdedit.exe

Drops file in Drivers directory 1 IoCs

Processes:

syshost.exe

description ioc process

File created C:\Windows\system32\drivers\e56b7cb.sys syshost.exe
Executes dropped EXE 1 IoCs

Processes:

syshost.exe

pid process

1428 syshost.exe

description	ioc	process
File created	C:\Windows\system32\drivers\e56b7cb.sys	syshost.exe

pid	process
1428	syshost.exe

Drops file in Windows directory 3 IoCs

Processes:

270d5d46ea16e02b8bd73e23904653304d4bd41c79aaccf42cf0cce1efa8fb24.exesyshost.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\{0E8EF68D-9D3F-1FF4-DBD1-C8FEB9218EC6}\syshost.exe	270d5d46ea16e02b8bd73e23904653304d4bd41c79aaccf42cf0cce1efa8fb24.exe
File opened for modification	C:\Windows\Installer\{0E8EF68D-9D3F-1FF4-DBD1-C8FEB9218EC6}\syshost.exe.tmp	syshost.exe
File created	C:\Windows\Installer\{0E8EF68D-9D3F-1FF4-DBD1-C8FEB9218EC6}\syshost.exe	270d5d46ea16e02b8bd73e23904653304d4bd41c79aaccf42cf0cce1efa8fb24.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "174"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

656
Suspicious behavior: RenamesItself 1 IoCs

Processes:

270d5d46ea16e02b8bd73e23904653304d4bd41c79aaccf42cf0cce1efa8fb24.exe

pid process

404 270d5d46ea16e02b8bd73e23904653304d4bd41c79aaccf42cf0cce1efa8fb24.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

syshost.exe

description pid process

Token: SeShutdownPrivilege 1428 syshost.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

2636 LogonUI.exe

pid	process
656

pid	process
404	270d5d46ea16e02b8bd73e23904653304d4bd41c79aaccf42cf0cce1efa8fb24.exe

description	pid	process
Token: SeShutdownPrivilege	1428	syshost.exe

pid	process
2636	LogonUI.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

270d5d46ea16e02b8bd73e23904653304d4bd41c79aaccf42cf0cce1efa8fb24.exesyshost.exe

description	pid	process	target process
PID 404 wrote to memory of 4984	404	270d5d46ea16e02b8bd73e23904653304d4bd41c79aaccf42cf0cce1efa8fb24.exe	cmd.exe
PID 404 wrote to memory of 4984	404	270d5d46ea16e02b8bd73e23904653304d4bd41c79aaccf42cf0cce1efa8fb24.exe	cmd.exe
PID 404 wrote to memory of 4984	404	270d5d46ea16e02b8bd73e23904653304d4bd41c79aaccf42cf0cce1efa8fb24.exe	cmd.exe
PID 1428 wrote to memory of 2912	1428	syshost.exe	bcdedit.exe
PID 1428 wrote to memory of 2912	1428	syshost.exe	bcdedit.exe
PID 1428 wrote to memory of 2304	1428	syshost.exe	bcdedit.exe
PID 1428 wrote to memory of 2304	1428	syshost.exe	bcdedit.exe
PID 1428 wrote to memory of 4672	1428	syshost.exe	bcdedit.exe
PID 1428 wrote to memory of 4672	1428	syshost.exe	bcdedit.exe
PID 1428 wrote to memory of 4756	1428	syshost.exe	bcdedit.exe
PID 1428 wrote to memory of 4756	1428	syshost.exe	bcdedit.exe
PID 1428 wrote to memory of 1932	1428	syshost.exe	bcdedit.exe
PID 1428 wrote to memory of 1932	1428	syshost.exe	bcdedit.exe
PID 1428 wrote to memory of 4264	1428	syshost.exe	bcdedit.exe
PID 1428 wrote to memory of 4264	1428	syshost.exe	bcdedit.exe
PID 1428 wrote to memory of 548	1428	syshost.exe	bcdedit.exe
PID 1428 wrote to memory of 548	1428	syshost.exe	bcdedit.exe
PID 1428 wrote to memory of 1800	1428	syshost.exe	bcdedit.exe
PID 1428 wrote to memory of 1800	1428	syshost.exe	bcdedit.exe
PID 1428 wrote to memory of 848	1428	syshost.exe	bcdedit.exe
PID 1428 wrote to memory of 848	1428	syshost.exe	bcdedit.exe
PID 1428 wrote to memory of 3296	1428	syshost.exe	bcdedit.exe
PID 1428 wrote to memory of 3296	1428	syshost.exe	bcdedit.exe

C:\Users\Admin\AppData\Local\Temp\270d5d46ea16e02b8bd73e23904653304d4bd41c79aaccf42cf0cce1efa8fb24.exe
"C:\Users\Admin\AppData\Local\Temp\270d5d46ea16e02b8bd73e23904653304d4bd41c79aaccf42cf0cce1efa8fb24.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:404

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\664bae6b.tmp"
2⤵
PID:4984

C:\Windows\Installer\{0E8EF68D-9D3F-1FF4-DBD1-C8FEB9218EC6}\syshost.exe
"C:\Windows\Installer\{0E8EF68D-9D3F-1FF4-DBD1-C8FEB9218EC6}\syshost.exe" /service
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1428

C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
2⤵
- Modifies boot configuration data using bcdedit
PID:2912

C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
2⤵
- Modifies boot configuration data using bcdedit
PID:2304

C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
2⤵
- Modifies boot configuration data using bcdedit
PID:4672

C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
2⤵
- Modifies boot configuration data using bcdedit
PID:1932

C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
2⤵
- Modifies boot configuration data using bcdedit
PID:4756

C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
2⤵
- Modifies boot configuration data using bcdedit
PID:4264

C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
2⤵
- Modifies boot configuration data using bcdedit
PID:548

C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
2⤵
- Modifies boot configuration data using bcdedit
PID:1800

C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
2⤵
- Modifies boot configuration data using bcdedit
PID:848

C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
2⤵
- Modifies boot configuration data using bcdedit
PID:3296

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39d0855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2636

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

1

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Installer\{0E8EF68D-9D3F-1FF4-DBD1-C8FEB9218EC6}\syshost.exe
Filesize
348KB

MD5
9e4cab69981fa679c9a84375676fcc1d

SHA1
f58cc7f89276024b549330f7b957ff04d0ac1c42

SHA256
270d5d46ea16e02b8bd73e23904653304d4bd41c79aaccf42cf0cce1efa8fb24

SHA512
380fb1bf9e0d8f47bd166fe36cba92d7052cfe064c5cc390e28cf3f0c1e52dcf3b666246ca6ac06a3a79a30a1706c54e261ae53a4813030b5434929268b84528

Download Submit
C:\Windows\Installer\{0E8EF68D-9D3F-1FF4-DBD1-C8FEB9218EC6}\syshost.exe
Filesize
348KB

MD5
9e4cab69981fa679c9a84375676fcc1d

SHA1
f58cc7f89276024b549330f7b957ff04d0ac1c42

SHA256
270d5d46ea16e02b8bd73e23904653304d4bd41c79aaccf42cf0cce1efa8fb24

SHA512
380fb1bf9e0d8f47bd166fe36cba92d7052cfe064c5cc390e28cf3f0c1e52dcf3b666246ca6ac06a3a79a30a1706c54e261ae53a4813030b5434929268b84528

Download Submit
memory/404-137-0x00000000005E0000-0x00000000005E6000-memory.dmp

Filesize
24KB

Download
memory/404-133-0x0000000002250000-0x00000000022AA000-memory.dmp

Filesize
360KB

Download
memory/404-136-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/548-146-0x0000000000000000-mapping.dmp

Download
memory/848-148-0x0000000000000000-mapping.dmp

Download
memory/1428-150-0x0000000000EC0000-0x0000000000F1A000-memory.dmp

Filesize
360KB

Download
memory/1428-152-0x00000000004B0000-0x00000000004B6000-memory.dmp

Filesize
24KB

Download
memory/1428-142-0x00000000004B0000-0x00000000004B6000-memory.dmp

Filesize
24KB

Download
memory/1428-140-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1428-151-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1800-147-0x0000000000000000-mapping.dmp

Download
memory/1932-144-0x0000000000000000-mapping.dmp

Download
memory/2304-139-0x0000000000000000-mapping.dmp

Download
memory/2912-138-0x0000000000000000-mapping.dmp

Download
memory/3296-149-0x0000000000000000-mapping.dmp

Download
memory/4264-145-0x0000000000000000-mapping.dmp

Download
memory/4672-141-0x0000000000000000-mapping.dmp

Download
memory/4756-143-0x0000000000000000-mapping.dmp

Download
memory/4984-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads