a205ef0ffe66b669ecf1c9e081792ddc2974a63f6d605b4a39fcc9b0d6012258

General

Target

a205ef0ffe66b669ecf1c9e081792ddc2974a63f6d605b4a39fcc9b0d6012258.exe
Size

355KB
MD5

de6e3970ad991d0214e6dfa06439e31f
SHA1

b8792436f1541e76f4468769561b9a7bad03bd35
SHA256

a205ef0ffe66b669ecf1c9e081792ddc2974a63f6d605b4a39fcc9b0d6012258
SHA512

b3a2ec4d97a3b756fc6a6c949b100606bb9350a3fef3bd89896b88025989001185f721faa0f497144aa8132302486ae0166b2218f2ce1bf9a09ad89177853979
SSDEEP

6144:SEyr5y6XSQkxREpgdc9CfJ1pfQAEAzULiqvrAQbtWz4U0kDtFsp1fNv2RSRp0vU:Or5y6XzkxuHCfhPEAY93bmZ0kDtq3Nv3

Score

9^/10

evasion persistence ransomware

Malware Config

Signatures

Modifies boot configuration data using bcdedit 1 TTPs 10 IoCs

ransomware evasion

Inhibit System Recovery

T1490

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid	process
3564	bcdedit.exe
1664	bcdedit.exe
1088	bcdedit.exe
3796	bcdedit.exe
4532	bcdedit.exe
3636	bcdedit.exe
3504	bcdedit.exe
4568	bcdedit.exe
1536	bcdedit.exe
1304	bcdedit.exe

Drops file in Drivers directory 1 IoCs

Processes:

syshost.exe

description ioc process

File created C:\Windows\system32\drivers\e5720b7.sys syshost.exe
Executes dropped EXE 2 IoCs

Processes:

syshost.exesyshost.exe

pid process

2528 syshost.exe
216 syshost.exe

description	ioc	process
File created	C:\Windows\system32\drivers\e5720b7.sys	syshost.exe

pid	process
2528	syshost.exe
216	syshost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

a205ef0ffe66b669ecf1c9e081792ddc2974a63f6d605b4a39fcc9b0d6012258.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syshost32 = "C:\\Windows\\Installer\\{D36CA0BE-EC2C-4522-49A4-077627BEFD55}\\syshost.exe"	a205ef0ffe66b669ecf1c9e081792ddc2974a63f6d605b4a39fcc9b0d6012258.exe

Drops file in Windows directory 3 IoCs

Processes:

a205ef0ffe66b669ecf1c9e081792ddc2974a63f6d605b4a39fcc9b0d6012258.exesyshost.exe

description	ioc	process
File created	C:\Windows\Installer\{D36CA0BE-EC2C-4522-49A4-077627BEFD55}\syshost.exe	a205ef0ffe66b669ecf1c9e081792ddc2974a63f6d605b4a39fcc9b0d6012258.exe
File opened for modification	C:\Windows\Installer\{D36CA0BE-EC2C-4522-49A4-077627BEFD55}\syshost.exe	a205ef0ffe66b669ecf1c9e081792ddc2974a63f6d605b4a39fcc9b0d6012258.exe
File opened for modification	C:\Windows\Installer\{D36CA0BE-EC2C-4522-49A4-077627BEFD55}\syshost.exe.tmp	syshost.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2100 2528 WerFault.exe syshost.exe

pid	pid_target	process	target process
2100	2528	WerFault.exe	syshost.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "147"	LogonUI.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

664
Suspicious behavior: RenamesItself 1 IoCs

Processes:

a205ef0ffe66b669ecf1c9e081792ddc2974a63f6d605b4a39fcc9b0d6012258.exe

pid process

3080 a205ef0ffe66b669ecf1c9e081792ddc2974a63f6d605b4a39fcc9b0d6012258.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

syshost.exe

description pid process

Token: SeShutdownPrivilege 216 syshost.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

4756 LogonUI.exe

pid	process
664

pid	process
3080	a205ef0ffe66b669ecf1c9e081792ddc2974a63f6d605b4a39fcc9b0d6012258.exe

description	pid	process
Token: SeShutdownPrivilege	216	syshost.exe

pid	process
4756	LogonUI.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

a205ef0ffe66b669ecf1c9e081792ddc2974a63f6d605b4a39fcc9b0d6012258.exesyshost.exe

description	pid	process	target process
PID 3080 wrote to memory of 216	3080	a205ef0ffe66b669ecf1c9e081792ddc2974a63f6d605b4a39fcc9b0d6012258.exe	syshost.exe
PID 3080 wrote to memory of 216	3080	a205ef0ffe66b669ecf1c9e081792ddc2974a63f6d605b4a39fcc9b0d6012258.exe	syshost.exe
PID 3080 wrote to memory of 216	3080	a205ef0ffe66b669ecf1c9e081792ddc2974a63f6d605b4a39fcc9b0d6012258.exe	syshost.exe
PID 3080 wrote to memory of 5116	3080	a205ef0ffe66b669ecf1c9e081792ddc2974a63f6d605b4a39fcc9b0d6012258.exe	cmd.exe
PID 3080 wrote to memory of 5116	3080	a205ef0ffe66b669ecf1c9e081792ddc2974a63f6d605b4a39fcc9b0d6012258.exe	cmd.exe
PID 3080 wrote to memory of 5116	3080	a205ef0ffe66b669ecf1c9e081792ddc2974a63f6d605b4a39fcc9b0d6012258.exe	cmd.exe
PID 216 wrote to memory of 3564	216	syshost.exe	bcdedit.exe
PID 216 wrote to memory of 3564	216	syshost.exe	bcdedit.exe
PID 216 wrote to memory of 1664	216	syshost.exe	bcdedit.exe
PID 216 wrote to memory of 1664	216	syshost.exe	bcdedit.exe
PID 216 wrote to memory of 1088	216	syshost.exe	bcdedit.exe
PID 216 wrote to memory of 1088	216	syshost.exe	bcdedit.exe
PID 216 wrote to memory of 3796	216	syshost.exe	bcdedit.exe
PID 216 wrote to memory of 3796	216	syshost.exe	bcdedit.exe
PID 216 wrote to memory of 4532	216	syshost.exe	bcdedit.exe
PID 216 wrote to memory of 4532	216	syshost.exe	bcdedit.exe
PID 216 wrote to memory of 3636	216	syshost.exe	bcdedit.exe
PID 216 wrote to memory of 3636	216	syshost.exe	bcdedit.exe
PID 216 wrote to memory of 3504	216	syshost.exe	bcdedit.exe
PID 216 wrote to memory of 3504	216	syshost.exe	bcdedit.exe
PID 216 wrote to memory of 1536	216	syshost.exe	bcdedit.exe
PID 216 wrote to memory of 1536	216	syshost.exe	bcdedit.exe
PID 216 wrote to memory of 4568	216	syshost.exe	bcdedit.exe
PID 216 wrote to memory of 4568	216	syshost.exe	bcdedit.exe
PID 216 wrote to memory of 1304	216	syshost.exe	bcdedit.exe
PID 216 wrote to memory of 1304	216	syshost.exe	bcdedit.exe

C:\Users\Admin\AppData\Local\Temp\a205ef0ffe66b669ecf1c9e081792ddc2974a63f6d605b4a39fcc9b0d6012258.exe
"C:\Users\Admin\AppData\Local\Temp\a205ef0ffe66b669ecf1c9e081792ddc2974a63f6d605b4a39fcc9b0d6012258.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:3080

C:\Windows\Installer\{D36CA0BE-EC2C-4522-49A4-077627BEFD55}\syshost.exe
C:\Windows\Installer\{D36CA0BE-EC2C-4522-49A4-077627BEFD55}\syshost.exe
2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:216

C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
3⤵
- Modifies boot configuration data using bcdedit
PID:3564

C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
3⤵
- Modifies boot configuration data using bcdedit
PID:1664

C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
3⤵
- Modifies boot configuration data using bcdedit
PID:1088

C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
3⤵
- Modifies boot configuration data using bcdedit
PID:3796

C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
3⤵
- Modifies boot configuration data using bcdedit
PID:4532

C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
3⤵
- Modifies boot configuration data using bcdedit
PID:3636

C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
3⤵
- Modifies boot configuration data using bcdedit
PID:3504

C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
3⤵
- Modifies boot configuration data using bcdedit
PID:4568

C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
3⤵
- Modifies boot configuration data using bcdedit
PID:1536

C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
3⤵
- Modifies boot configuration data using bcdedit
PID:1304

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\97abecaf.tmp"
2⤵
PID:5116

C:\Windows\Installer\{D36CA0BE-EC2C-4522-49A4-077627BEFD55}\syshost.exe
"C:\Windows\Installer\{D36CA0BE-EC2C-4522-49A4-077627BEFD55}\syshost.exe" /service
1⤵
- Executes dropped EXE
PID:2528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 372
2⤵
- Program crash
PID:2100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 2528 -ip 2528
1⤵
PID:428

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39e2855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4756

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

1

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Installer\{D36CA0BE-EC2C-4522-49A4-077627BEFD55}\syshost.exe
Filesize
355KB

MD5
de6e3970ad991d0214e6dfa06439e31f

SHA1
b8792436f1541e76f4468769561b9a7bad03bd35

SHA256
a205ef0ffe66b669ecf1c9e081792ddc2974a63f6d605b4a39fcc9b0d6012258

SHA512
b3a2ec4d97a3b756fc6a6c949b100606bb9350a3fef3bd89896b88025989001185f721faa0f497144aa8132302486ae0166b2218f2ce1bf9a09ad89177853979

Download Submit
C:\Windows\Installer\{D36CA0BE-EC2C-4522-49A4-077627BEFD55}\syshost.exe
Filesize
355KB

MD5
de6e3970ad991d0214e6dfa06439e31f

SHA1
b8792436f1541e76f4468769561b9a7bad03bd35

SHA256
a205ef0ffe66b669ecf1c9e081792ddc2974a63f6d605b4a39fcc9b0d6012258

SHA512
b3a2ec4d97a3b756fc6a6c949b100606bb9350a3fef3bd89896b88025989001185f721faa0f497144aa8132302486ae0166b2218f2ce1bf9a09ad89177853979

Download Submit
C:\Windows\Installer\{D36CA0BE-EC2C-4522-49A4-077627BEFD55}\syshost.exe
Filesize
355KB

MD5
de6e3970ad991d0214e6dfa06439e31f

SHA1
b8792436f1541e76f4468769561b9a7bad03bd35

SHA256
a205ef0ffe66b669ecf1c9e081792ddc2974a63f6d605b4a39fcc9b0d6012258

SHA512
b3a2ec4d97a3b756fc6a6c949b100606bb9350a3fef3bd89896b88025989001185f721faa0f497144aa8132302486ae0166b2218f2ce1bf9a09ad89177853979

Download Submit
memory/216-155-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/216-153-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/216-138-0x0000000000000000-mapping.dmp

Download
memory/216-152-0x0000000001FF0000-0x00000000020F0000-memory.dmp

Filesize
1024KB

Download
memory/216-154-0x0000000000630000-0x0000000000636000-memory.dmp

Filesize
24KB

Download
memory/1088-144-0x0000000000000000-mapping.dmp

Download
memory/1304-151-0x0000000000000000-mapping.dmp

Download
memory/1536-149-0x0000000000000000-mapping.dmp

Download
memory/1664-143-0x0000000000000000-mapping.dmp

Download
memory/2528-137-0x0000000000CA0000-0x0000000000DA0000-memory.dmp

Filesize
1024KB

Download
memory/3080-134-0x0000000002230000-0x0000000002330000-memory.dmp

Filesize
1024KB

Download
memory/3080-136-0x00000000004D0000-0x00000000004D6000-memory.dmp

Filesize
24KB

Download
memory/3080-141-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3080-135-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3504-148-0x0000000000000000-mapping.dmp

Download
memory/3564-142-0x0000000000000000-mapping.dmp

Download
memory/3636-147-0x0000000000000000-mapping.dmp

Download
memory/3796-145-0x0000000000000000-mapping.dmp

Download
memory/4532-146-0x0000000000000000-mapping.dmp

Download
memory/4568-150-0x0000000000000000-mapping.dmp

Download
memory/5116-140-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads