45fb58dd7ab0b71d04c6ba566dbabd5a134f8fbb4ba0df6ecb5c7bc3bc1198c6

Reason

Machine shutdown

General

Target

Windows Loader.exe
Size

3.8MB
MD5

323c0fd51071400b51eedb1be90a8188
SHA1

0efc35935957c25193bbe9a83ab6caa25a487ada
SHA256

2f2aba1e074f5f4baa08b524875461889f8f04d4ffc43972ac212e286022ab94
SHA512

4c501c7135962e2f02b68d6069f2191ddb76f990528dacd209955a44972122718b9598400ba829abab2d4345b4e1a4b93453c8e7ba42080bd492a34cf8443e7e
SSDEEP

49152:cEYCFEvlmOmTgtFM3uK5m3imrHuiff+puWV355FXw/+zuWV355FXw/+DuWV355FP:cEYzEFTgtFM3ukm3imPnt

Score

8^/10

discovery exploit upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

bootsect.exe

pid process

828 bootsect.exe
Possible privilege escalation attempt 4 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

1392 takeown.exe
1284 icacls.exe
1676 takeown.exe
1716 icacls.exe

pid	process
828	bootsect.exe

pid	process
1392	takeown.exe
1284	icacls.exe
1676	takeown.exe
1716	icacls.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1368-118-0x0000000000400000-0x0000000000623000-memory.dmp	upx
behavioral1/memory/1368-120-0x0000000000400000-0x0000000000623000-memory.dmp	upx
behavioral1/memory/1368-149-0x0000000000400000-0x0000000000623000-memory.dmp	upx

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Windows Loader.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Windows Loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	Windows Loader.exe

Modifies file permissions 1 TTPs 4 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

1392 takeown.exe
1284 icacls.exe
1676 takeown.exe
1716 icacls.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1392	takeown.exe
1284	icacls.exe
1676	takeown.exe
1716	icacls.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

Windows Loader.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Windows Loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	Windows Loader.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

Windows Loader.exe

pid process

1368 Windows Loader.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Windows Loader.exe

pid process

1368 Windows Loader.exe

pid	process
1368	Windows Loader.exe

pid	process
1368	Windows Loader.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

Windows Loader.exetakeown.exeshutdown.exeAUDIODG.EXE

description	pid	process
Token: 33	1368	Windows Loader.exe
Token: SeIncBasePriorityPrivilege	1368	Windows Loader.exe
Token: 33	1368	Windows Loader.exe
Token: SeIncBasePriorityPrivilege	1368	Windows Loader.exe
Token: SeTakeOwnershipPrivilege	1676	takeown.exe
Token: SeShutdownPrivilege	764	shutdown.exe
Token: SeRemoteShutdownPrivilege	764	shutdown.exe
Token: 33	816	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	816	AUDIODG.EXE
Token: 33	816	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	816	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Windows Loader.exe

pid process

1368 Windows Loader.exe

pid	process
1368	Windows Loader.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Windows Loader.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1368 wrote to memory of 1684	1368	Windows Loader.exe	cmd.exe
PID 1368 wrote to memory of 1684	1368	Windows Loader.exe	cmd.exe
PID 1368 wrote to memory of 1684	1368	Windows Loader.exe	cmd.exe
PID 1368 wrote to memory of 1684	1368	Windows Loader.exe	cmd.exe
PID 1684 wrote to memory of 2040	1684	cmd.exe	cmd.exe
PID 1684 wrote to memory of 2040	1684	cmd.exe	cmd.exe
PID 1684 wrote to memory of 2040	1684	cmd.exe	cmd.exe
PID 1684 wrote to memory of 2040	1684	cmd.exe	cmd.exe
PID 2040 wrote to memory of 1392	2040	cmd.exe	takeown.exe
PID 2040 wrote to memory of 1392	2040	cmd.exe	takeown.exe
PID 2040 wrote to memory of 1392	2040	cmd.exe	takeown.exe
PID 2040 wrote to memory of 1392	2040	cmd.exe	takeown.exe
PID 1368 wrote to memory of 592	1368	Windows Loader.exe	cmd.exe
PID 1368 wrote to memory of 592	1368	Windows Loader.exe	cmd.exe
PID 1368 wrote to memory of 592	1368	Windows Loader.exe	cmd.exe
PID 1368 wrote to memory of 592	1368	Windows Loader.exe	cmd.exe
PID 592 wrote to memory of 1284	592	cmd.exe	icacls.exe
PID 592 wrote to memory of 1284	592	cmd.exe	icacls.exe
PID 592 wrote to memory of 1284	592	cmd.exe	icacls.exe
PID 592 wrote to memory of 1284	592	cmd.exe	icacls.exe
PID 1368 wrote to memory of 1660	1368	Windows Loader.exe	cmd.exe
PID 1368 wrote to memory of 1660	1368	Windows Loader.exe	cmd.exe
PID 1368 wrote to memory of 1660	1368	Windows Loader.exe	cmd.exe
PID 1368 wrote to memory of 1660	1368	Windows Loader.exe	cmd.exe
PID 1660 wrote to memory of 680	1660	cmd.exe	cmd.exe
PID 1660 wrote to memory of 680	1660	cmd.exe	cmd.exe
PID 1660 wrote to memory of 680	1660	cmd.exe	cmd.exe
PID 1660 wrote to memory of 680	1660	cmd.exe	cmd.exe
PID 680 wrote to memory of 1676	680	cmd.exe	takeown.exe
PID 680 wrote to memory of 1676	680	cmd.exe	takeown.exe
PID 680 wrote to memory of 1676	680	cmd.exe	takeown.exe
PID 680 wrote to memory of 1676	680	cmd.exe	takeown.exe
PID 1368 wrote to memory of 1764	1368	Windows Loader.exe	cmd.exe
PID 1368 wrote to memory of 1764	1368	Windows Loader.exe	cmd.exe
PID 1368 wrote to memory of 1764	1368	Windows Loader.exe	cmd.exe
PID 1368 wrote to memory of 1764	1368	Windows Loader.exe	cmd.exe
PID 1764 wrote to memory of 1716	1764	cmd.exe	icacls.exe
PID 1764 wrote to memory of 1716	1764	cmd.exe	icacls.exe
PID 1764 wrote to memory of 1716	1764	cmd.exe	icacls.exe
PID 1764 wrote to memory of 1716	1764	cmd.exe	icacls.exe
PID 1368 wrote to memory of 816	1368	Windows Loader.exe	cmd.exe
PID 1368 wrote to memory of 816	1368	Windows Loader.exe	cmd.exe
PID 1368 wrote to memory of 816	1368	Windows Loader.exe	cmd.exe
PID 1368 wrote to memory of 816	1368	Windows Loader.exe	cmd.exe
PID 816 wrote to memory of 644	816	cmd.exe	cscript.exe
PID 816 wrote to memory of 644	816	cmd.exe	cscript.exe
PID 816 wrote to memory of 644	816	cmd.exe	cscript.exe
PID 1368 wrote to memory of 1980	1368	Windows Loader.exe	cmd.exe
PID 1368 wrote to memory of 1980	1368	Windows Loader.exe	cmd.exe
PID 1368 wrote to memory of 1980	1368	Windows Loader.exe	cmd.exe
PID 1368 wrote to memory of 1980	1368	Windows Loader.exe	cmd.exe
PID 1980 wrote to memory of 1244	1980	cmd.exe	cscript.exe
PID 1980 wrote to memory of 1244	1980	cmd.exe	cscript.exe
PID 1980 wrote to memory of 1244	1980	cmd.exe	cscript.exe
PID 1368 wrote to memory of 1224	1368	Windows Loader.exe	cmd.exe
PID 1368 wrote to memory of 1224	1368	Windows Loader.exe	cmd.exe
PID 1368 wrote to memory of 1224	1368	Windows Loader.exe	cmd.exe
PID 1368 wrote to memory of 1224	1368	Windows Loader.exe	cmd.exe
PID 1224 wrote to memory of 844	1224	cmd.exe	compact.exe
PID 1224 wrote to memory of 844	1224	cmd.exe	compact.exe
PID 1224 wrote to memory of 844	1224	cmd.exe	compact.exe
PID 1224 wrote to memory of 844	1224	cmd.exe	compact.exe
PID 1368 wrote to memory of 1756	1368	Windows Loader.exe	cmd.exe
PID 1368 wrote to memory of 1756	1368	Windows Loader.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe"
1⤵
- Checks BIOS information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1368

C:\Windows\SysWOW64\cmd.exe
cmd.exe /A /C "cmd.exe /c takeown /f C:\ldrscan\bootwin"
2⤵
- Suspicious use of WriteProcessMemory
PID:1684

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f C:\ldrscan\bootwin
3⤵
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\ldrscan\bootwin
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1392

C:\Windows\SysWOW64\cmd.exe
cmd.exe /A /C "icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)"
2⤵
- Suspicious use of WriteProcessMemory
PID:592

C:\Windows\SysWOW64\icacls.exe
icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1284

C:\Windows\SysWOW64\cmd.exe
cmd.exe /A /C "cmd.exe /c takeown /f C:\ldrscan\bootwin"
2⤵
- Suspicious use of WriteProcessMemory
PID:1660

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f C:\ldrscan\bootwin
3⤵
- Suspicious use of WriteProcessMemory
PID:680

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\ldrscan\bootwin
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1676

C:\Windows\SysWOW64\cmd.exe
cmd.exe /A /C "icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)"
2⤵
- Suspicious use of WriteProcessMemory
PID:1764

C:\Windows\SysWOW64\icacls.exe
icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1716

C:\Windows\system32\cmd.exe
cmd.exe /A /C "C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ilc "C:\Acer.XRM-MS""
2⤵
- Suspicious use of WriteProcessMemory
PID:816

C:\Windows\System32\cscript.exe
C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ilc "C:\Acer.XRM-MS"
3⤵
PID:644

C:\Windows\system32\cmd.exe
cmd.exe /A /C "C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ipk FJGCP-4DFJD-GJY49-VJBQ7-HYRR2"
2⤵
- Suspicious use of WriteProcessMemory
PID:1980

C:\Windows\System32\cscript.exe
C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ipk FJGCP-4DFJD-GJY49-VJBQ7-HYRR2
3⤵
PID:1244

C:\Windows\SysWOW64\cmd.exe
cmd.exe /A /C "compact /u \\?\Volume{dae07ae3-2a34-11ed-86c6-806e6f6e6963}\APWIS"
2⤵
- Suspicious use of WriteProcessMemory
PID:1224

C:\Windows\SysWOW64\compact.exe
compact /u \\?\Volume{dae07ae3-2a34-11ed-86c6-806e6f6e6963}\APWIS
3⤵
PID:844

C:\Windows\SysWOW64\cmd.exe
cmd.exe /A /C "C:\bootsect.exe /nt60 SYS /force"
2⤵
PID:1756

C:\bootsect.exe
C:\bootsect.exe /nt60 SYS /force
3⤵
- Executes dropped EXE
PID:828

C:\Windows\SysWOW64\cmd.exe
cmd.exe /A /C "shutdown -r -t 0"
2⤵
PID:1660

C:\Windows\SysWOW64\shutdown.exe
shutdown -r -t 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:764

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:304

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x438
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:816

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:328

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Acer.XRM-MS

Filesize
2KB

MD5
f25832af6a684360950dbb15589de34a

SHA1
17ff1d21005c1695ae3dcbdc3435017c895fff5d

SHA256
266d64637cf12ff961165a018f549ff41002dc59380605b36d65cf1b8127c96f

SHA512
e0cf23351c02f4afa85eedc72a86b9114f539595cbd6bcd220e8b8d70fa6a7379dcd947ea0d59332ba672f36ebda6bd98892d9b6b20eedafc8be168387a3dd5f

Download Submit
C:\bootsect.exe

Filesize
95KB

MD5
8920d03c78e58450c4c8949dcc5e4a59

SHA1
7aa1b8a7017647082f0968d37d6615ece1c296c0

SHA256
fc88dc6e6024ae339f8950010c2c39aabc10e36d492abaff415d609ddbd187d9

SHA512
e4719ca699ad41b61da4616dd99798b5c5b543da81704746c1d1a4bfa718fe60c5223bd7947ccc4567e1d4e0a3b90111e4ca739f8dab2417e766b4c772fb9792

Download Submit
C:\bootsect.exe

Filesize
95KB

MD5
8920d03c78e58450c4c8949dcc5e4a59

SHA1
7aa1b8a7017647082f0968d37d6615ece1c296c0

SHA256
fc88dc6e6024ae339f8950010c2c39aabc10e36d492abaff415d609ddbd187d9

SHA512
e4719ca699ad41b61da4616dd99798b5c5b543da81704746c1d1a4bfa718fe60c5223bd7947ccc4567e1d4e0a3b90111e4ca739f8dab2417e766b4c772fb9792

Download Submit
\??\Volume{dae07ae3-2a34-11ed-86c6-806e6f6e6963}\APWIS

Filesize
352KB

MD5
1a6fccf1bfc589ae6985ecfa37c265bb

SHA1
50879d5641474a5e9557c2e02102f00bbeb07468

SHA256
a166c3a423812ab655c7aefdd28e64a25c1e251820287519786e1044ca3cacee

SHA512
42cc0f22115daa2074dd48d72de646a5a11b657b79c32732d5bb7b79f76c0cb9e8b6b5de10233b5fa566b08ac03d42a8e2d12ce4acfdd70c48b2710443251e94

Download Submit
memory/592-125-0x0000000000000000-mapping.dmp

Download
memory/644-133-0x0000000000000000-mapping.dmp

Download
memory/680-128-0x0000000000000000-mapping.dmp

Download
memory/764-147-0x0000000000000000-mapping.dmp

Download
memory/816-132-0x0000000000000000-mapping.dmp

Download
memory/828-143-0x0000000000000000-mapping.dmp

Download
memory/844-138-0x0000000000000000-mapping.dmp

Download
memory/1224-137-0x0000000000000000-mapping.dmp

Download
memory/1244-136-0x0000000000000000-mapping.dmp

Download
memory/1284-126-0x0000000000000000-mapping.dmp

Download
memory/1368-116-0x0000000074301000-0x0000000074303000-memory.dmp

Filesize
8KB

Download
memory/1368-84-0x00000000002E0000-0x00000000002F1000-memory.dmp

Filesize
68KB

Download
memory/1368-149-0x0000000000400000-0x0000000000623000-memory.dmp

Filesize
2.1MB

Download
memory/1368-55-0x00000000002A0000-0x00000000002B3000-memory.dmp

Filesize
76KB

Download
memory/1368-63-0x0000000000210000-0x0000000000220000-memory.dmp

Filesize
64KB

Download
memory/1368-120-0x0000000000400000-0x0000000000623000-memory.dmp

Filesize
2.1MB

Download
memory/1368-68-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/1368-76-0x0000000010000000-0x0000000010021000-memory.dmp

Filesize
132KB

Download
memory/1368-92-0x00000000007A0000-0x00000000007B0000-memory.dmp

Filesize
64KB

Download
memory/1368-118-0x0000000000400000-0x0000000000623000-memory.dmp

Filesize
2.1MB

Download
memory/1368-119-0x00000000023C0000-0x0000000002563000-memory.dmp

Filesize
1.6MB

Download
memory/1368-54-0x0000000076461000-0x0000000076463000-memory.dmp

Filesize
8KB

Download
memory/1368-100-0x0000000001FC0000-0x0000000001FD0000-memory.dmp

Filesize
64KB

Download
memory/1368-108-0x0000000001FD0000-0x0000000001FF0000-memory.dmp

Filesize
128KB

Download
memory/1392-124-0x0000000000000000-mapping.dmp

Download
memory/1660-127-0x0000000000000000-mapping.dmp

Download
memory/1660-146-0x0000000000000000-mapping.dmp

Download
memory/1676-129-0x0000000000000000-mapping.dmp

Download
memory/1684-122-0x0000000000000000-mapping.dmp

Download
memory/1716-131-0x0000000000000000-mapping.dmp

Download
memory/1756-141-0x0000000000000000-mapping.dmp

Download
memory/1764-130-0x0000000000000000-mapping.dmp

Download
memory/1980-135-0x0000000000000000-mapping.dmp

Download
memory/2040-123-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads