effb29ff4f343f9264cdb28c27e3789ea8da7b1f971ad92febb9ff061396d6b3

Reason

Machine shutdown

General

Target

effb29ff4f343f9264cdb28c27e3789ea8da7b1f971ad92febb9ff061396d6b3.exe
Size

407KB
MD5

60e7da890c323a6f0685d0b5fe8b8ead
SHA1

3716c45a6fc02b9be96951a5a7ce861536472af3
SHA256

effb29ff4f343f9264cdb28c27e3789ea8da7b1f971ad92febb9ff061396d6b3
SHA512

c1a7d2cc8296776855a31a30960e1fe5861e269896261c31d817136390b86bc015b94018f7708cb2d75d80992acfa24203701f70e9ad947994123e50bca5045f
SSDEEP

12288:2gwj35X0zH2T07744h7NlOxSlcO0gz9BzNm:gz5X6HM0774876md/z4

Score

9^/10

evasion persistence ransomware

Malware Config

Signatures

Modifies boot configuration data using bcdedit 1 TTPs 10 IoCs

ransomware evasion

Inhibit System Recovery

T1490

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid	process
1504	bcdedit.exe
1148	bcdedit.exe
1364	bcdedit.exe
2044	bcdedit.exe
1288	bcdedit.exe
932	bcdedit.exe
880	bcdedit.exe
816	bcdedit.exe
1740	bcdedit.exe
2036	bcdedit.exe

Drops file in Drivers directory 1 IoCs

Processes:

naez.exe

description ioc process

File created C:\Windows\system32\drivers\6c0d5a.sys naez.exe
Executes dropped EXE 1 IoCs

Processes:

naez.exe

pid process

1508 naez.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

340 cmd.exe

description	ioc	process
File created	C:\Windows\system32\drivers\6c0d5a.sys	naez.exe

pid	process
1508	naez.exe

pid	process
340	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

effb29ff4f343f9264cdb28c27e3789ea8da7b1f971ad92febb9ff061396d6b3.exe

pid	process
1596	effb29ff4f343f9264cdb28c27e3789ea8da7b1f971ad92febb9ff061396d6b3.exe
1596	effb29ff4f343f9264cdb28c27e3789ea8da7b1f971ad92febb9ff061396d6b3.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

naez.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	naez.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Naez = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Widojy\\naez.exe"	naez.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

effb29ff4f343f9264cdb28c27e3789ea8da7b1f971ad92febb9ff061396d6b3.exe

description pid process target process

PID 1596 set thread context of 340 1596 effb29ff4f343f9264cdb28c27e3789ea8da7b1f971ad92febb9ff061396d6b3.exe cmd.exe

description	pid	process	target process
PID 1596 set thread context of 340	1596	effb29ff4f343f9264cdb28c27e3789ea8da7b1f971ad92febb9ff061396d6b3.exe	cmd.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

effb29ff4f343f9264cdb28c27e3789ea8da7b1f971ad92febb9ff061396d6b3.exenaez.exe

pid	process
1596	effb29ff4f343f9264cdb28c27e3789ea8da7b1f971ad92febb9ff061396d6b3.exe
1508	naez.exe
1508	naez.exe
1508	naez.exe
1508	naez.exe
1508	naez.exe
1508	naez.exe
1508	naez.exe
1508	naez.exe
1508	naez.exe
1508	naez.exe
1508	naez.exe
1508	naez.exe
1508	naez.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

460
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

naez.exe

description pid process

Token: SeShutdownPrivilege 1508 naez.exe

pid	process
460

description	pid	process
Token: SeShutdownPrivilege	1508	naez.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

effb29ff4f343f9264cdb28c27e3789ea8da7b1f971ad92febb9ff061396d6b3.exenaez.exe

description	pid	process	target process
PID 1596 wrote to memory of 1508	1596	effb29ff4f343f9264cdb28c27e3789ea8da7b1f971ad92febb9ff061396d6b3.exe	naez.exe
PID 1596 wrote to memory of 1508	1596	effb29ff4f343f9264cdb28c27e3789ea8da7b1f971ad92febb9ff061396d6b3.exe	naez.exe
PID 1596 wrote to memory of 1508	1596	effb29ff4f343f9264cdb28c27e3789ea8da7b1f971ad92febb9ff061396d6b3.exe	naez.exe
PID 1596 wrote to memory of 1508	1596	effb29ff4f343f9264cdb28c27e3789ea8da7b1f971ad92febb9ff061396d6b3.exe	naez.exe
PID 1508 wrote to memory of 1504	1508	naez.exe	bcdedit.exe
PID 1508 wrote to memory of 1504	1508	naez.exe	bcdedit.exe
PID 1508 wrote to memory of 1504	1508	naez.exe	bcdedit.exe
PID 1508 wrote to memory of 1504	1508	naez.exe	bcdedit.exe
PID 1508 wrote to memory of 1148	1508	naez.exe	bcdedit.exe
PID 1508 wrote to memory of 1148	1508	naez.exe	bcdedit.exe
PID 1508 wrote to memory of 1148	1508	naez.exe	bcdedit.exe
PID 1508 wrote to memory of 1148	1508	naez.exe	bcdedit.exe
PID 1508 wrote to memory of 1364	1508	naez.exe	bcdedit.exe
PID 1508 wrote to memory of 1364	1508	naez.exe	bcdedit.exe
PID 1508 wrote to memory of 1364	1508	naez.exe	bcdedit.exe
PID 1508 wrote to memory of 1364	1508	naez.exe	bcdedit.exe
PID 1508 wrote to memory of 932	1508	naez.exe	bcdedit.exe
PID 1508 wrote to memory of 932	1508	naez.exe	bcdedit.exe
PID 1508 wrote to memory of 932	1508	naez.exe	bcdedit.exe
PID 1508 wrote to memory of 932	1508	naez.exe	bcdedit.exe
PID 1508 wrote to memory of 1288	1508	naez.exe	bcdedit.exe
PID 1508 wrote to memory of 1288	1508	naez.exe	bcdedit.exe
PID 1508 wrote to memory of 1288	1508	naez.exe	bcdedit.exe
PID 1508 wrote to memory of 1288	1508	naez.exe	bcdedit.exe
PID 1508 wrote to memory of 2044	1508	naez.exe	bcdedit.exe
PID 1508 wrote to memory of 2044	1508	naez.exe	bcdedit.exe
PID 1508 wrote to memory of 2044	1508	naez.exe	bcdedit.exe
PID 1508 wrote to memory of 2044	1508	naez.exe	bcdedit.exe
PID 1508 wrote to memory of 880	1508	naez.exe	bcdedit.exe
PID 1508 wrote to memory of 880	1508	naez.exe	bcdedit.exe
PID 1508 wrote to memory of 880	1508	naez.exe	bcdedit.exe
PID 1508 wrote to memory of 880	1508	naez.exe	bcdedit.exe
PID 1508 wrote to memory of 2036	1508	naez.exe	bcdedit.exe
PID 1508 wrote to memory of 2036	1508	naez.exe	bcdedit.exe
PID 1508 wrote to memory of 2036	1508	naez.exe	bcdedit.exe
PID 1508 wrote to memory of 2036	1508	naez.exe	bcdedit.exe
PID 1508 wrote to memory of 1740	1508	naez.exe	bcdedit.exe
PID 1508 wrote to memory of 1740	1508	naez.exe	bcdedit.exe
PID 1508 wrote to memory of 1740	1508	naez.exe	bcdedit.exe
PID 1508 wrote to memory of 1740	1508	naez.exe	bcdedit.exe
PID 1508 wrote to memory of 816	1508	naez.exe	bcdedit.exe
PID 1508 wrote to memory of 816	1508	naez.exe	bcdedit.exe
PID 1508 wrote to memory of 816	1508	naez.exe	bcdedit.exe
PID 1508 wrote to memory of 816	1508	naez.exe	bcdedit.exe
PID 1508 wrote to memory of 1128	1508	naez.exe	taskhost.exe
PID 1508 wrote to memory of 1128	1508	naez.exe	taskhost.exe
PID 1508 wrote to memory of 1128	1508	naez.exe	taskhost.exe
PID 1508 wrote to memory of 1128	1508	naez.exe	taskhost.exe
PID 1508 wrote to memory of 1128	1508	naez.exe	taskhost.exe
PID 1508 wrote to memory of 1244	1508	naez.exe	Dwm.exe
PID 1508 wrote to memory of 1244	1508	naez.exe	Dwm.exe
PID 1508 wrote to memory of 1244	1508	naez.exe	Dwm.exe
PID 1508 wrote to memory of 1244	1508	naez.exe	Dwm.exe
PID 1508 wrote to memory of 1244	1508	naez.exe	Dwm.exe
PID 1508 wrote to memory of 1276	1508	naez.exe	Explorer.EXE
PID 1508 wrote to memory of 1276	1508	naez.exe	Explorer.EXE
PID 1508 wrote to memory of 1276	1508	naez.exe	Explorer.EXE
PID 1508 wrote to memory of 1276	1508	naez.exe	Explorer.EXE
PID 1508 wrote to memory of 1276	1508	naez.exe	Explorer.EXE
PID 1508 wrote to memory of 1596	1508	naez.exe	effb29ff4f343f9264cdb28c27e3789ea8da7b1f971ad92febb9ff061396d6b3.exe
PID 1508 wrote to memory of 1596	1508	naez.exe	effb29ff4f343f9264cdb28c27e3789ea8da7b1f971ad92febb9ff061396d6b3.exe
PID 1508 wrote to memory of 1596	1508	naez.exe	effb29ff4f343f9264cdb28c27e3789ea8da7b1f971ad92febb9ff061396d6b3.exe
PID 1508 wrote to memory of 1596	1508	naez.exe	effb29ff4f343f9264cdb28c27e3789ea8da7b1f971ad92febb9ff061396d6b3.exe
PID 1508 wrote to memory of 1596	1508	naez.exe	effb29ff4f343f9264cdb28c27e3789ea8da7b1f971ad92febb9ff061396d6b3.exe

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1244

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1276

C:\Users\Admin\AppData\Local\Temp\effb29ff4f343f9264cdb28c27e3789ea8da7b1f971ad92febb9ff061396d6b3.exe
"C:\Users\Admin\AppData\Local\Temp\effb29ff4f343f9264cdb28c27e3789ea8da7b1f971ad92febb9ff061396d6b3.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1596

C:\Users\Admin\AppData\Local\Temp\Widojy\naez.exe
"C:\Users\Admin\AppData\Local\Temp\Widojy\naez.exe"
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1508

C:\Windows\system32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
4⤵
- Modifies boot configuration data using bcdedit
PID:1504

C:\Windows\system32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
4⤵
- Modifies boot configuration data using bcdedit
PID:1148

C:\Windows\system32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
4⤵
- Modifies boot configuration data using bcdedit
PID:1364

C:\Windows\system32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
4⤵
- Modifies boot configuration data using bcdedit
PID:2044

C:\Windows\system32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
4⤵
- Modifies boot configuration data using bcdedit
PID:1288

C:\Windows\system32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
4⤵
- Modifies boot configuration data using bcdedit
PID:932

C:\Windows\system32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
4⤵
- Modifies boot configuration data using bcdedit
PID:880

C:\Windows\system32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
4⤵
- Modifies boot configuration data using bcdedit
PID:816

C:\Windows\system32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
4⤵
- Modifies boot configuration data using bcdedit
PID:1740

C:\Windows\system32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
4⤵
- Modifies boot configuration data using bcdedit
PID:2036

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PLPD51F.bat"
3⤵
- Deletes itself
PID:340

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1128

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1752

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:2044

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

1

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\PLPD51F.bat
Filesize
278B

MD5
699e63dabe51d59825d93388e0439b7d

SHA1
3f64a191d54887d9bf1aa9a75c289b9b8aa3c7c4

SHA256
26ede97c15a14bbdd42f21f9b144f8245813e6ab87c050a46d9c8b9c5102a9dd

SHA512
e599ee915ae61ef8da1d77d4031a3fcb32e6d4c031bb9d9c31b27e3a47526e2fef68c07ffd26a1ac182a35f45e506371cbe7478022be03261c75952f1f72266c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Widojy\naez.exe
Filesize
407KB

MD5
923f1e06d6b10b1159005f6693ab2338

SHA1
df40b84f69d886a4d1dcd5629a27d55b56d53245

SHA256
8bdafe6bd94c45e9b4be77c356fa08df8efc66f859ece7acecb60b65c00e7cf2

SHA512
13b315cb90420cee851197cfba1b0b804858ef8b7d873b388866d39e2f339e4dbd1b4e57c1cc5949c85e4219a3123e75d2333858ce2c4e16a7c591a29515cd39

Download Submit
C:\Users\Admin\AppData\Local\Temp\Widojy\naez.exe
Filesize
407KB

MD5
923f1e06d6b10b1159005f6693ab2338

SHA1
df40b84f69d886a4d1dcd5629a27d55b56d53245

SHA256
8bdafe6bd94c45e9b4be77c356fa08df8efc66f859ece7acecb60b65c00e7cf2

SHA512
13b315cb90420cee851197cfba1b0b804858ef8b7d873b388866d39e2f339e4dbd1b4e57c1cc5949c85e4219a3123e75d2333858ce2c4e16a7c591a29515cd39

Download Submit
\Users\Admin\AppData\Local\Temp\Widojy\naez.exe
Filesize
407KB

MD5
923f1e06d6b10b1159005f6693ab2338

SHA1
df40b84f69d886a4d1dcd5629a27d55b56d53245

SHA256
8bdafe6bd94c45e9b4be77c356fa08df8efc66f859ece7acecb60b65c00e7cf2

SHA512
13b315cb90420cee851197cfba1b0b804858ef8b7d873b388866d39e2f339e4dbd1b4e57c1cc5949c85e4219a3123e75d2333858ce2c4e16a7c591a29515cd39

Download Submit
\Users\Admin\AppData\Local\Temp\Widojy\naez.exe
Filesize
407KB

MD5
923f1e06d6b10b1159005f6693ab2338

SHA1
df40b84f69d886a4d1dcd5629a27d55b56d53245

SHA256
8bdafe6bd94c45e9b4be77c356fa08df8efc66f859ece7acecb60b65c00e7cf2

SHA512
13b315cb90420cee851197cfba1b0b804858ef8b7d873b388866d39e2f339e4dbd1b4e57c1cc5949c85e4219a3123e75d2333858ce2c4e16a7c591a29515cd39

Download Submit
memory/340-118-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/340-112-0x000000000008D99D-mapping.dmp

Download
memory/340-124-0x0000000000050000-0x00000000000B9000-memory.dmp

Filesize
420KB

Download
memory/340-122-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/340-121-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/340-109-0x0000000000050000-0x00000000000B9000-memory.dmp

Filesize
420KB

Download
memory/340-120-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/340-119-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/340-110-0x0000000000050000-0x00000000000B9000-memory.dmp

Filesize
420KB

Download
memory/340-107-0x0000000000050000-0x00000000000B9000-memory.dmp

Filesize
420KB

Download
memory/340-111-0x0000000000050000-0x00000000000B9000-memory.dmp

Filesize
420KB

Download
memory/340-117-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/340-116-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/816-70-0x0000000000000000-mapping.dmp

Download
memory/880-67-0x0000000000000000-mapping.dmp

Download
memory/932-64-0x0000000000000000-mapping.dmp

Download
memory/1128-74-0x0000000001F00000-0x0000000001F69000-memory.dmp

Filesize
420KB

Download
memory/1128-76-0x0000000001F00000-0x0000000001F69000-memory.dmp

Filesize
420KB

Download
memory/1128-77-0x0000000001F00000-0x0000000001F69000-memory.dmp

Filesize
420KB

Download
memory/1128-78-0x0000000001F00000-0x0000000001F69000-memory.dmp

Filesize
420KB

Download
memory/1128-79-0x0000000001F00000-0x0000000001F69000-memory.dmp

Filesize
420KB

Download
memory/1148-62-0x0000000000000000-mapping.dmp

Download
memory/1244-82-0x0000000001BB0000-0x0000000001C19000-memory.dmp

Filesize
420KB

Download
memory/1244-85-0x0000000001BB0000-0x0000000001C19000-memory.dmp

Filesize
420KB

Download
memory/1244-84-0x0000000001BB0000-0x0000000001C19000-memory.dmp

Filesize
420KB

Download
memory/1244-83-0x0000000001BB0000-0x0000000001C19000-memory.dmp

Filesize
420KB

Download
memory/1276-90-0x00000000029F0000-0x0000000002A59000-memory.dmp

Filesize
420KB

Download
memory/1276-91-0x00000000029F0000-0x0000000002A59000-memory.dmp

Filesize
420KB

Download
memory/1276-88-0x00000000029F0000-0x0000000002A59000-memory.dmp

Filesize
420KB

Download
memory/1276-89-0x00000000029F0000-0x0000000002A59000-memory.dmp

Filesize
420KB

Download
memory/1288-65-0x0000000000000000-mapping.dmp

Download
memory/1364-63-0x0000000000000000-mapping.dmp

Download
memory/1504-61-0x0000000000000000-mapping.dmp

Download
memory/1508-126-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1508-125-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1508-57-0x0000000000000000-mapping.dmp

Download
memory/1508-72-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1508-73-0x00000000003D0000-0x00000000003D6000-memory.dmp

Filesize
24KB

Download
memory/1596-99-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1596-100-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1596-104-0x00000000004C0000-0x000000000052D000-memory.dmp

Filesize
436KB

Download
memory/1596-103-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1596-102-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1596-113-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1596-114-0x00000000004C0000-0x0000000000529000-memory.dmp

Filesize
420KB

Download
memory/1596-94-0x00000000004C0000-0x0000000000529000-memory.dmp

Filesize
420KB

Download
memory/1596-71-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1596-95-0x00000000004C0000-0x0000000000529000-memory.dmp

Filesize
420KB

Download
memory/1596-97-0x00000000004C0000-0x0000000000529000-memory.dmp

Filesize
420KB

Download
memory/1596-96-0x00000000004C0000-0x0000000000529000-memory.dmp

Filesize
420KB

Download
memory/1596-101-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1596-54-0x0000000074C91000-0x0000000074C93000-memory.dmp

Filesize
8KB

Download
memory/1596-98-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1740-69-0x0000000000000000-mapping.dmp

Download
memory/1752-127-0x000007FEFB761000-0x000007FEFB763000-memory.dmp

Filesize
8KB

Download
memory/2036-68-0x0000000000000000-mapping.dmp

Download
memory/2044-66-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads