028e483bed0c1b82058abb6106b1c5fbcbc1d373b22ba4fa051108eaf7080f91

General

Target

028e483bed0c1b82058abb6106b1c5fbcbc1d373b22ba4fa051108eaf7080f91.exe
Size

345KB
MD5

6c6056a7353a8cf8744fe608cea84730
SHA1

6734e499e0de7fe55b3959d4cab063c6da33ca21
SHA256

028e483bed0c1b82058abb6106b1c5fbcbc1d373b22ba4fa051108eaf7080f91
SHA512

48e6858ada8f549ba59d6125f71f8f401599581565b86777fe65de7c9af37a492176438fdd6cdd3ec63cbdb95e311bb3cd8d3a58981b5296a3281286896fe051
SSDEEP

6144:6nDHGTp/jxo3QdWxUNosbn1PcI/IA4+tB2gHTOqmB96TffzurD7Xy70g+m553:6nDmN3bDUI/xB2gzU6ffeD7Xi0g+K

Score

9^/10

evasion ransomware

Malware Config

Signatures

Modifies boot configuration data using bcdedit 1 TTPs 10 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
240	bcdedit.exe
4260	bcdedit.exe
3496	bcdedit.exe
4952	bcdedit.exe
3740	bcdedit.exe
4300	bcdedit.exe
1708	bcdedit.exe
3880	bcdedit.exe
4692	bcdedit.exe
3476	bcdedit.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\e571e07.sys	syshost.exe

Executes dropped EXE 1 IoCs

pid	Process
1236	syshost.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Installer\{FFE2EB21-7672-6C16-EAEE-313CC9069E47}\syshost.exe	028e483bed0c1b82058abb6106b1c5fbcbc1d373b22ba4fa051108eaf7080f91.exe
File opened for modification	C:\Windows\Installer\{FFE2EB21-7672-6C16-EAEE-313CC9069E47}\syshost.exe	028e483bed0c1b82058abb6106b1c5fbcbc1d373b22ba4fa051108eaf7080f91.exe
File opened for modification	C:\Windows\Installer\{FFE2EB21-7672-6C16-EAEE-313CC9069E47}\syshost.exe.tmp	syshost.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "147"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
664	Process not Found

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1376	028e483bed0c1b82058abb6106b1c5fbcbc1d373b22ba4fa051108eaf7080f91.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1236	syshost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3088	LogonUI.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1376 wrote to memory of 4920	1376	028e483bed0c1b82058abb6106b1c5fbcbc1d373b22ba4fa051108eaf7080f91.exe	82
PID 1376 wrote to memory of 4920	1376	028e483bed0c1b82058abb6106b1c5fbcbc1d373b22ba4fa051108eaf7080f91.exe	82
PID 1376 wrote to memory of 4920	1376	028e483bed0c1b82058abb6106b1c5fbcbc1d373b22ba4fa051108eaf7080f91.exe	82
PID 1236 wrote to memory of 240	1236	syshost.exe	84
PID 1236 wrote to memory of 240	1236	syshost.exe	84
PID 1236 wrote to memory of 4260	1236	syshost.exe	85
PID 1236 wrote to memory of 4260	1236	syshost.exe	85
PID 1236 wrote to memory of 3880	1236	syshost.exe	96
PID 1236 wrote to memory of 3880	1236	syshost.exe	96
PID 1236 wrote to memory of 4952	1236	syshost.exe	89
PID 1236 wrote to memory of 4952	1236	syshost.exe	89
PID 1236 wrote to memory of 3496	1236	syshost.exe	86
PID 1236 wrote to memory of 3496	1236	syshost.exe	86
PID 1236 wrote to memory of 3740	1236	syshost.exe	91
PID 1236 wrote to memory of 3740	1236	syshost.exe	91
PID 1236 wrote to memory of 4300	1236	syshost.exe	92
PID 1236 wrote to memory of 4300	1236	syshost.exe	92
PID 1236 wrote to memory of 1708	1236	syshost.exe	94
PID 1236 wrote to memory of 1708	1236	syshost.exe	94
PID 1236 wrote to memory of 4692	1236	syshost.exe	98
PID 1236 wrote to memory of 4692	1236	syshost.exe	98
PID 1236 wrote to memory of 3476	1236	syshost.exe	99
PID 1236 wrote to memory of 3476	1236	syshost.exe	99

C:\Users\Admin\AppData\Local\Temp\028e483bed0c1b82058abb6106b1c5fbcbc1d373b22ba4fa051108eaf7080f91.exe
"C:\Users\Admin\AppData\Local\Temp\028e483bed0c1b82058abb6106b1c5fbcbc1d373b22ba4fa051108eaf7080f91.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1376
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\1a1f0a4b.tmp"
  2⤵
  PID:4920

C:\Windows\Installer\{FFE2EB21-7672-6C16-EAEE-313CC9069E47}\syshost.exe
"C:\Windows\Installer\{FFE2EB21-7672-6C16-EAEE-313CC9069E47}\syshost.exe" /service
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1236
- C:\Windows\SYSTEM32\bcdedit.exe
  bcdedit.exe -set TESTSIGNING ON
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:240
- C:\Windows\SYSTEM32\bcdedit.exe
  bcdedit.exe -set TESTSIGNING ON
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:4260
- C:\Windows\SYSTEM32\bcdedit.exe
  bcdedit.exe -set TESTSIGNING ON
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:3496
- C:\Windows\SYSTEM32\bcdedit.exe
  bcdedit.exe -set TESTSIGNING ON
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:4952
- C:\Windows\SYSTEM32\bcdedit.exe
  bcdedit.exe -set TESTSIGNING ON
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:3740
- C:\Windows\SYSTEM32\bcdedit.exe
  bcdedit.exe -set TESTSIGNING ON
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:4300
- C:\Windows\SYSTEM32\bcdedit.exe
  bcdedit.exe -set TESTSIGNING ON
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1708
- C:\Windows\SYSTEM32\bcdedit.exe
  bcdedit.exe -set TESTSIGNING ON
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:3880
- C:\Windows\SYSTEM32\bcdedit.exe
  bcdedit.exe -set TESTSIGNING ON
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:4692
- C:\Windows\SYSTEM32\bcdedit.exe
  bcdedit.exe -set TESTSIGNING ON
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:3476

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39f4855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3088

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

1

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Installer\{FFE2EB21-7672-6C16-EAEE-313CC9069E47}\syshost.exe

Filesize
345KB

MD5
6c6056a7353a8cf8744fe608cea84730

SHA1
6734e499e0de7fe55b3959d4cab063c6da33ca21

SHA256
028e483bed0c1b82058abb6106b1c5fbcbc1d373b22ba4fa051108eaf7080f91

SHA512
48e6858ada8f549ba59d6125f71f8f401599581565b86777fe65de7c9af37a492176438fdd6cdd3ec63cbdb95e311bb3cd8d3a58981b5296a3281286896fe051

Download Submit
C:\Windows\Installer\{FFE2EB21-7672-6C16-EAEE-313CC9069E47}\syshost.exe

Filesize
345KB

MD5
6c6056a7353a8cf8744fe608cea84730

SHA1
6734e499e0de7fe55b3959d4cab063c6da33ca21

SHA256
028e483bed0c1b82058abb6106b1c5fbcbc1d373b22ba4fa051108eaf7080f91

SHA512
48e6858ada8f549ba59d6125f71f8f401599581565b86777fe65de7c9af37a492176438fdd6cdd3ec63cbdb95e311bb3cd8d3a58981b5296a3281286896fe051

Download Submit
memory/240-139-0x0000000000000000-mapping.dmp

Download
memory/1236-152-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/1236-153-0x00000000005B0000-0x00000000005B6000-memory.dmp

Filesize
24KB

Download
memory/1236-140-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/1236-145-0x00000000005B0000-0x00000000005B6000-memory.dmp

Filesize
24KB

Download
memory/1236-142-0x0000000000FF0000-0x000000000104C000-memory.dmp

Filesize
368KB

Download
memory/1376-137-0x0000000002460000-0x00000000024BC000-memory.dmp

Filesize
368KB

Download
memory/1376-138-0x0000000000540000-0x0000000000546000-memory.dmp

Filesize
24KB

Download
memory/1376-136-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/1376-132-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/1708-149-0x0000000000000000-mapping.dmp

Download
memory/3476-151-0x0000000000000000-mapping.dmp

Download
memory/3496-146-0x0000000000000000-mapping.dmp

Download
memory/3740-147-0x0000000000000000-mapping.dmp

Download
memory/3880-143-0x0000000000000000-mapping.dmp

Download
memory/4260-141-0x0000000000000000-mapping.dmp

Download
memory/4300-148-0x0000000000000000-mapping.dmp

Download
memory/4692-150-0x0000000000000000-mapping.dmp

Download
memory/4920-135-0x0000000000000000-mapping.dmp

Download
memory/4952-144-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing