05306ac3918a6f5bf386fed597c86dbeda62f0aa89a3873de41689a99f507841

Reason

Machine shutdown

General

Target

05306ac3918a6f5bf386fed597c86dbeda62f0aa89a3873de41689a99f507841.exe
Size

354KB
MD5

c7f0b60cb67b263d2d83cf3d7b7689d1
SHA1

0b90ef666968e5de30d93c8608107879a118b840
SHA256

05306ac3918a6f5bf386fed597c86dbeda62f0aa89a3873de41689a99f507841
SHA512

742aaecdd7c0f60dc91094fe3b62c0650760828735aaeaee765af5d074af9ec24f704ffa2e0f2b84be057030c5cef25874f80beb5dbae25f7d1f4a208ea6647c
SSDEEP

6144:ZHYKnUf8h+jyl10FqQ55vAy1NxkyOPf2V4/QdzZA6zva1gX+aohzpI:LUfi+j410FP55xxkNf2V1hZoq+R

Score

9^/10

evasion persistence ransomware

Malware Config

Signatures

Modifies boot configuration data using bcdedit 1 TTPs 10 IoCs

ransomware evasion

Inhibit System Recovery

T1490

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid	process
1820	bcdedit.exe
1780	bcdedit.exe
1360	bcdedit.exe
1484	bcdedit.exe
824	bcdedit.exe
968	bcdedit.exe
604	bcdedit.exe
1372	bcdedit.exe
1036	bcdedit.exe
1920	bcdedit.exe

Drops file in Drivers directory 1 IoCs

Processes:

syshost.exe

description ioc process

File created C:\Windows\system32\drivers\6c2434.sys syshost.exe
Executes dropped EXE 2 IoCs

Processes:

syshost.exesyshost.exe

pid process

1720 syshost.exe
1716 syshost.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

576 cmd.exe
Loads dropped DLL 5 IoCs

Processes:

WerFault.exe05306ac3918a6f5bf386fed597c86dbeda62f0aa89a3873de41689a99f507841.exe

pid process

1540 WerFault.exe
1540 WerFault.exe
1540 WerFault.exe
1540 WerFault.exe
1672 05306ac3918a6f5bf386fed597c86dbeda62f0aa89a3873de41689a99f507841.exe

description	ioc	process
File created	C:\Windows\system32\drivers\6c2434.sys	syshost.exe

pid	process
1720	syshost.exe
1716	syshost.exe

pid	process
576	cmd.exe

pid	process
1540	WerFault.exe
1540	WerFault.exe
1540	WerFault.exe
1540	WerFault.exe
1672	05306ac3918a6f5bf386fed597c86dbeda62f0aa89a3873de41689a99f507841.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

05306ac3918a6f5bf386fed597c86dbeda62f0aa89a3873de41689a99f507841.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\syshost32 = "C:\\Windows\\Installer\\{8AFA70A1-43F9-0928-36E6-22841654EBCB}\\syshost.exe"	05306ac3918a6f5bf386fed597c86dbeda62f0aa89a3873de41689a99f507841.exe

Drops file in Windows directory 3 IoCs

Processes:

05306ac3918a6f5bf386fed597c86dbeda62f0aa89a3873de41689a99f507841.exesyshost.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\{8AFA70A1-43F9-0928-36E6-22841654EBCB}\syshost.exe	05306ac3918a6f5bf386fed597c86dbeda62f0aa89a3873de41689a99f507841.exe
File opened for modification	C:\Windows\Installer\{8AFA70A1-43F9-0928-36E6-22841654EBCB}\syshost.exe.tmp	syshost.exe
File created	C:\Windows\Installer\{8AFA70A1-43F9-0928-36E6-22841654EBCB}\syshost.exe	05306ac3918a6f5bf386fed597c86dbeda62f0aa89a3873de41689a99f507841.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1540 1720 WerFault.exe syshost.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

464
Suspicious behavior: RenamesItself 1 IoCs

Processes:

05306ac3918a6f5bf386fed597c86dbeda62f0aa89a3873de41689a99f507841.exe

pid process

1672 05306ac3918a6f5bf386fed597c86dbeda62f0aa89a3873de41689a99f507841.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

syshost.exe

description pid process

Token: SeShutdownPrivilege 1716 syshost.exe

pid	pid_target	process	target process
1540	1720	WerFault.exe	syshost.exe

pid	process
464

pid	process
1672	05306ac3918a6f5bf386fed597c86dbeda62f0aa89a3873de41689a99f507841.exe

description	pid	process
Token: SeShutdownPrivilege	1716	syshost.exe

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

syshost.exe05306ac3918a6f5bf386fed597c86dbeda62f0aa89a3873de41689a99f507841.exesyshost.exe

description	pid	process	target process
PID 1720 wrote to memory of 1540	1720	syshost.exe	WerFault.exe
PID 1720 wrote to memory of 1540	1720	syshost.exe	WerFault.exe
PID 1720 wrote to memory of 1540	1720	syshost.exe	WerFault.exe
PID 1720 wrote to memory of 1540	1720	syshost.exe	WerFault.exe
PID 1672 wrote to memory of 1716	1672	05306ac3918a6f5bf386fed597c86dbeda62f0aa89a3873de41689a99f507841.exe	syshost.exe
PID 1672 wrote to memory of 1716	1672	05306ac3918a6f5bf386fed597c86dbeda62f0aa89a3873de41689a99f507841.exe	syshost.exe
PID 1672 wrote to memory of 1716	1672	05306ac3918a6f5bf386fed597c86dbeda62f0aa89a3873de41689a99f507841.exe	syshost.exe
PID 1672 wrote to memory of 1716	1672	05306ac3918a6f5bf386fed597c86dbeda62f0aa89a3873de41689a99f507841.exe	syshost.exe
PID 1672 wrote to memory of 576	1672	05306ac3918a6f5bf386fed597c86dbeda62f0aa89a3873de41689a99f507841.exe	cmd.exe
PID 1672 wrote to memory of 576	1672	05306ac3918a6f5bf386fed597c86dbeda62f0aa89a3873de41689a99f507841.exe	cmd.exe
PID 1672 wrote to memory of 576	1672	05306ac3918a6f5bf386fed597c86dbeda62f0aa89a3873de41689a99f507841.exe	cmd.exe
PID 1672 wrote to memory of 576	1672	05306ac3918a6f5bf386fed597c86dbeda62f0aa89a3873de41689a99f507841.exe	cmd.exe
PID 1716 wrote to memory of 1820	1716	syshost.exe	bcdedit.exe
PID 1716 wrote to memory of 1820	1716	syshost.exe	bcdedit.exe
PID 1716 wrote to memory of 1820	1716	syshost.exe	bcdedit.exe
PID 1716 wrote to memory of 1820	1716	syshost.exe	bcdedit.exe
PID 1716 wrote to memory of 1780	1716	syshost.exe	bcdedit.exe
PID 1716 wrote to memory of 1780	1716	syshost.exe	bcdedit.exe
PID 1716 wrote to memory of 1780	1716	syshost.exe	bcdedit.exe
PID 1716 wrote to memory of 1780	1716	syshost.exe	bcdedit.exe
PID 1716 wrote to memory of 1484	1716	syshost.exe	bcdedit.exe
PID 1716 wrote to memory of 1484	1716	syshost.exe	bcdedit.exe
PID 1716 wrote to memory of 1484	1716	syshost.exe	bcdedit.exe
PID 1716 wrote to memory of 1484	1716	syshost.exe	bcdedit.exe
PID 1716 wrote to memory of 1360	1716	syshost.exe	bcdedit.exe
PID 1716 wrote to memory of 1360	1716	syshost.exe	bcdedit.exe
PID 1716 wrote to memory of 1360	1716	syshost.exe	bcdedit.exe
PID 1716 wrote to memory of 1360	1716	syshost.exe	bcdedit.exe
PID 1716 wrote to memory of 968	1716	syshost.exe	bcdedit.exe
PID 1716 wrote to memory of 968	1716	syshost.exe	bcdedit.exe
PID 1716 wrote to memory of 968	1716	syshost.exe	bcdedit.exe
PID 1716 wrote to memory of 968	1716	syshost.exe	bcdedit.exe
PID 1716 wrote to memory of 824	1716	syshost.exe	bcdedit.exe
PID 1716 wrote to memory of 824	1716	syshost.exe	bcdedit.exe
PID 1716 wrote to memory of 824	1716	syshost.exe	bcdedit.exe
PID 1716 wrote to memory of 824	1716	syshost.exe	bcdedit.exe
PID 1716 wrote to memory of 604	1716	syshost.exe	bcdedit.exe
PID 1716 wrote to memory of 604	1716	syshost.exe	bcdedit.exe
PID 1716 wrote to memory of 604	1716	syshost.exe	bcdedit.exe
PID 1716 wrote to memory of 604	1716	syshost.exe	bcdedit.exe
PID 1716 wrote to memory of 1920	1716	syshost.exe	bcdedit.exe
PID 1716 wrote to memory of 1920	1716	syshost.exe	bcdedit.exe
PID 1716 wrote to memory of 1920	1716	syshost.exe	bcdedit.exe
PID 1716 wrote to memory of 1920	1716	syshost.exe	bcdedit.exe
PID 1716 wrote to memory of 1036	1716	syshost.exe	bcdedit.exe
PID 1716 wrote to memory of 1036	1716	syshost.exe	bcdedit.exe
PID 1716 wrote to memory of 1036	1716	syshost.exe	bcdedit.exe
PID 1716 wrote to memory of 1036	1716	syshost.exe	bcdedit.exe
PID 1716 wrote to memory of 1372	1716	syshost.exe	bcdedit.exe
PID 1716 wrote to memory of 1372	1716	syshost.exe	bcdedit.exe
PID 1716 wrote to memory of 1372	1716	syshost.exe	bcdedit.exe
PID 1716 wrote to memory of 1372	1716	syshost.exe	bcdedit.exe

C:\Users\Admin\AppData\Local\Temp\05306ac3918a6f5bf386fed597c86dbeda62f0aa89a3873de41689a99f507841.exe
"C:\Users\Admin\AppData\Local\Temp\05306ac3918a6f5bf386fed597c86dbeda62f0aa89a3873de41689a99f507841.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1672

C:\Windows\Installer\{8AFA70A1-43F9-0928-36E6-22841654EBCB}\syshost.exe
C:\Windows\Installer\{8AFA70A1-43F9-0928-36E6-22841654EBCB}\syshost.exe
2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1716

C:\Windows\system32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
3⤵
- Modifies boot configuration data using bcdedit
PID:1820

C:\Windows\system32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
3⤵
- Modifies boot configuration data using bcdedit
PID:1780

C:\Windows\system32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
3⤵
- Modifies boot configuration data using bcdedit
PID:1360

C:\Windows\system32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
3⤵
- Modifies boot configuration data using bcdedit
PID:1484

C:\Windows\system32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
3⤵
- Modifies boot configuration data using bcdedit
PID:824

C:\Windows\system32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
3⤵
- Modifies boot configuration data using bcdedit
PID:968

C:\Windows\system32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
3⤵
- Modifies boot configuration data using bcdedit
PID:604

C:\Windows\system32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
3⤵
- Modifies boot configuration data using bcdedit
PID:1372

C:\Windows\system32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
3⤵
- Modifies boot configuration data using bcdedit
PID:1036

C:\Windows\system32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
3⤵
- Modifies boot configuration data using bcdedit
PID:1920

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\314d7556.tmp"
2⤵
- Deletes itself
PID:576

C:\Windows\Installer\{8AFA70A1-43F9-0928-36E6-22841654EBCB}\syshost.exe
"C:\Windows\Installer\{8AFA70A1-43F9-0928-36E6-22841654EBCB}\syshost.exe" /service
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 132
2⤵
- Loads dropped DLL
- Program crash
PID:1540

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:316

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1952

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

1

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Installer\{8AFA70A1-43F9-0928-36E6-22841654EBCB}\syshost.exe
Filesize
354KB

MD5
c7f0b60cb67b263d2d83cf3d7b7689d1

SHA1
0b90ef666968e5de30d93c8608107879a118b840

SHA256
05306ac3918a6f5bf386fed597c86dbeda62f0aa89a3873de41689a99f507841

SHA512
742aaecdd7c0f60dc91094fe3b62c0650760828735aaeaee765af5d074af9ec24f704ffa2e0f2b84be057030c5cef25874f80beb5dbae25f7d1f4a208ea6647c

Download Submit
C:\Windows\Installer\{8AFA70A1-43F9-0928-36E6-22841654EBCB}\syshost.exe
Filesize
354KB

MD5
c7f0b60cb67b263d2d83cf3d7b7689d1

SHA1
0b90ef666968e5de30d93c8608107879a118b840

SHA256
05306ac3918a6f5bf386fed597c86dbeda62f0aa89a3873de41689a99f507841

SHA512
742aaecdd7c0f60dc91094fe3b62c0650760828735aaeaee765af5d074af9ec24f704ffa2e0f2b84be057030c5cef25874f80beb5dbae25f7d1f4a208ea6647c

Download Submit
\Windows\Installer\{8AFA70A1-43F9-0928-36E6-22841654EBCB}\syshost.exe
Filesize
354KB

MD5
c7f0b60cb67b263d2d83cf3d7b7689d1

SHA1
0b90ef666968e5de30d93c8608107879a118b840

SHA256
05306ac3918a6f5bf386fed597c86dbeda62f0aa89a3873de41689a99f507841

SHA512
742aaecdd7c0f60dc91094fe3b62c0650760828735aaeaee765af5d074af9ec24f704ffa2e0f2b84be057030c5cef25874f80beb5dbae25f7d1f4a208ea6647c

Download Submit
\Windows\Installer\{8AFA70A1-43F9-0928-36E6-22841654EBCB}\syshost.exe
Filesize
354KB

MD5
c7f0b60cb67b263d2d83cf3d7b7689d1

SHA1
0b90ef666968e5de30d93c8608107879a118b840

SHA256
05306ac3918a6f5bf386fed597c86dbeda62f0aa89a3873de41689a99f507841

SHA512
742aaecdd7c0f60dc91094fe3b62c0650760828735aaeaee765af5d074af9ec24f704ffa2e0f2b84be057030c5cef25874f80beb5dbae25f7d1f4a208ea6647c

Download Submit
\Windows\Installer\{8AFA70A1-43F9-0928-36E6-22841654EBCB}\syshost.exe
Filesize
354KB

MD5
c7f0b60cb67b263d2d83cf3d7b7689d1

SHA1
0b90ef666968e5de30d93c8608107879a118b840

SHA256
05306ac3918a6f5bf386fed597c86dbeda62f0aa89a3873de41689a99f507841

SHA512
742aaecdd7c0f60dc91094fe3b62c0650760828735aaeaee765af5d074af9ec24f704ffa2e0f2b84be057030c5cef25874f80beb5dbae25f7d1f4a208ea6647c

Download Submit
\Windows\Installer\{8AFA70A1-43F9-0928-36E6-22841654EBCB}\syshost.exe
Filesize
354KB

MD5
c7f0b60cb67b263d2d83cf3d7b7689d1

SHA1
0b90ef666968e5de30d93c8608107879a118b840

SHA256
05306ac3918a6f5bf386fed597c86dbeda62f0aa89a3873de41689a99f507841

SHA512
742aaecdd7c0f60dc91094fe3b62c0650760828735aaeaee765af5d074af9ec24f704ffa2e0f2b84be057030c5cef25874f80beb5dbae25f7d1f4a208ea6647c

Download Submit
\Windows\Installer\{8AFA70A1-43F9-0928-36E6-22841654EBCB}\syshost.exe
Filesize
354KB

MD5
c7f0b60cb67b263d2d83cf3d7b7689d1

SHA1
0b90ef666968e5de30d93c8608107879a118b840

SHA256
05306ac3918a6f5bf386fed597c86dbeda62f0aa89a3873de41689a99f507841

SHA512
742aaecdd7c0f60dc91094fe3b62c0650760828735aaeaee765af5d074af9ec24f704ffa2e0f2b84be057030c5cef25874f80beb5dbae25f7d1f4a208ea6647c

Download Submit
memory/316-85-0x000007FEFB7F1000-0x000007FEFB7F3000-memory.dmp

Filesize
8KB

Download
memory/576-68-0x0000000000000000-mapping.dmp

Download
memory/604-77-0x0000000000000000-mapping.dmp

Download
memory/824-76-0x0000000000000000-mapping.dmp

Download
memory/968-75-0x0000000000000000-mapping.dmp

Download
memory/1036-79-0x0000000000000000-mapping.dmp

Download
memory/1360-74-0x0000000000000000-mapping.dmp

Download
memory/1372-80-0x0000000000000000-mapping.dmp

Download
memory/1484-73-0x0000000000000000-mapping.dmp

Download
memory/1540-56-0x0000000000000000-mapping.dmp

Download
memory/1672-62-0x0000000000300000-0x000000000035D000-memory.dmp

Filesize
372KB

Download
memory/1672-70-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1672-64-0x0000000000220000-0x0000000000226000-memory.dmp

Filesize
24KB

Download
memory/1672-63-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1672-54-0x0000000075111000-0x0000000075113000-memory.dmp

Filesize
8KB

Download
memory/1716-81-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1716-82-0x00000000002A0000-0x00000000002A6000-memory.dmp

Filesize
24KB

Download
memory/1716-83-0x0000000001FE0000-0x000000000203D000-memory.dmp

Filesize
372KB

Download
memory/1716-84-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1716-66-0x0000000000000000-mapping.dmp

Download
memory/1720-61-0x0000000000A40000-0x0000000000A9D000-memory.dmp

Filesize
372KB

Download
memory/1780-72-0x0000000000000000-mapping.dmp

Download
memory/1820-71-0x0000000000000000-mapping.dmp

Download
memory/1920-78-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads