0ce4c4af321ff02928aacf105f03dead87e85003080586615755f278770f5adb

Reason

Reading agent response: read tcp 10.127.0.1:36834->10.127.0.28:8000: read: connection reset by peer

General

Target

0ce4c4af321ff02928aacf105f03dead87e85003080586615755f278770f5adb.exe
Size

4.0MB
MD5

29738dd9b52dcd61cd791b6d805929c1
SHA1

b226a60f03c7036f6bcbce400ad40ebe7f527925
SHA256

0ce4c4af321ff02928aacf105f03dead87e85003080586615755f278770f5adb
SHA512

fcf8b789a36f90414034a131c6ba872a547d03025fd29aaf48779ea154aee02def7234f4c17dcec5b0f9bcd26cdce34b257979872c0b44d1c4bcafa9a42ac65b
SSDEEP

49152:1gZNP3LGVfMmq1d1MRGM8Fvg9fR5xMXF9WzHrAbluBUMNk+cqG2UtBpStPvC/9fu:1gXDMfql+929+B+tBpEPvCF

Score

9^/10

evasion ransomware

Malware Config

Signatures

Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exe

pid process

912 bcdedit.exe

pid	process
912	bcdedit.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

shutdown.exeshutdown.exeshutdown.exeshutdown.exe

description	pid	process
Token: SeShutdownPrivilege	1684	shutdown.exe
Token: SeRemoteShutdownPrivilege	1684	shutdown.exe
Token: SeShutdownPrivilege	1504	shutdown.exe
Token: SeRemoteShutdownPrivilege	1504	shutdown.exe
Token: SeShutdownPrivilege	1052	shutdown.exe
Token: SeRemoteShutdownPrivilege	1052	shutdown.exe
Token: SeShutdownPrivilege	976	shutdown.exe
Token: SeRemoteShutdownPrivilege	976	shutdown.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

0ce4c4af321ff02928aacf105f03dead87e85003080586615755f278770f5adb.exe

description	pid	process	target process
PID 1700 wrote to memory of 912	1700	0ce4c4af321ff02928aacf105f03dead87e85003080586615755f278770f5adb.exe	bcdedit.exe
PID 1700 wrote to memory of 912	1700	0ce4c4af321ff02928aacf105f03dead87e85003080586615755f278770f5adb.exe	bcdedit.exe
PID 1700 wrote to memory of 912	1700	0ce4c4af321ff02928aacf105f03dead87e85003080586615755f278770f5adb.exe	bcdedit.exe
PID 1700 wrote to memory of 912	1700	0ce4c4af321ff02928aacf105f03dead87e85003080586615755f278770f5adb.exe	bcdedit.exe
PID 1700 wrote to memory of 1504	1700	0ce4c4af321ff02928aacf105f03dead87e85003080586615755f278770f5adb.exe	shutdown.exe
PID 1700 wrote to memory of 1504	1700	0ce4c4af321ff02928aacf105f03dead87e85003080586615755f278770f5adb.exe	shutdown.exe
PID 1700 wrote to memory of 1504	1700	0ce4c4af321ff02928aacf105f03dead87e85003080586615755f278770f5adb.exe	shutdown.exe
PID 1700 wrote to memory of 1504	1700	0ce4c4af321ff02928aacf105f03dead87e85003080586615755f278770f5adb.exe	shutdown.exe
PID 1700 wrote to memory of 1684	1700	0ce4c4af321ff02928aacf105f03dead87e85003080586615755f278770f5adb.exe	shutdown.exe
PID 1700 wrote to memory of 1684	1700	0ce4c4af321ff02928aacf105f03dead87e85003080586615755f278770f5adb.exe	shutdown.exe
PID 1700 wrote to memory of 1684	1700	0ce4c4af321ff02928aacf105f03dead87e85003080586615755f278770f5adb.exe	shutdown.exe
PID 1700 wrote to memory of 1684	1700	0ce4c4af321ff02928aacf105f03dead87e85003080586615755f278770f5adb.exe	shutdown.exe
PID 1700 wrote to memory of 1052	1700	0ce4c4af321ff02928aacf105f03dead87e85003080586615755f278770f5adb.exe	shutdown.exe
PID 1700 wrote to memory of 1052	1700	0ce4c4af321ff02928aacf105f03dead87e85003080586615755f278770f5adb.exe	shutdown.exe
PID 1700 wrote to memory of 1052	1700	0ce4c4af321ff02928aacf105f03dead87e85003080586615755f278770f5adb.exe	shutdown.exe
PID 1700 wrote to memory of 1052	1700	0ce4c4af321ff02928aacf105f03dead87e85003080586615755f278770f5adb.exe	shutdown.exe
PID 1700 wrote to memory of 976	1700	0ce4c4af321ff02928aacf105f03dead87e85003080586615755f278770f5adb.exe	shutdown.exe
PID 1700 wrote to memory of 976	1700	0ce4c4af321ff02928aacf105f03dead87e85003080586615755f278770f5adb.exe	shutdown.exe
PID 1700 wrote to memory of 976	1700	0ce4c4af321ff02928aacf105f03dead87e85003080586615755f278770f5adb.exe	shutdown.exe
PID 1700 wrote to memory of 976	1700	0ce4c4af321ff02928aacf105f03dead87e85003080586615755f278770f5adb.exe	shutdown.exe

C:\Users\Admin\AppData\Local\Temp\0ce4c4af321ff02928aacf105f03dead87e85003080586615755f278770f5adb.exe
"C:\Users\Admin\AppData\Local\Temp\0ce4c4af321ff02928aacf105f03dead87e85003080586615755f278770f5adb.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1700
- \??\c:\windows\system32\bcdedit.exe
  c:\windows\Sysnative\bcdedit.exe /set {current} safeboot minimal
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:912
- C:\Windows\SysWOW64\shutdown.exe
  shutdown /r /f /t 00
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1504
- \??\c:\windows\SysWOW64\shutdown.exe
  c:\windows\SysWOW64\shutdown.exe /r /f /t 00
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1684
- \??\c:\windows\SysWOW64\shutdown.exe
  c:\windows\System32\shutdown.exe /r /f /t 00
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1052
- \??\c:\windows\system32\shutdown.exe
  c:\windows\Sysnative\shutdown.exe /r /f /t 00
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:976

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1176

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

1

T1490

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads