d1bf365dc4132fb562fb99e01e3613ed2a3548d5af74a810debacb7da8bf4e28

Reason

Machine shutdown

General

Target

67b78d68337844c4ce0c585851b633e2.exe
Size

39KB
MD5

67b78d68337844c4ce0c585851b633e2
SHA1

e356526d53a8f1bef9587544c46af4035d31d7f8
SHA256

d1bf365dc4132fb562fb99e01e3613ed2a3548d5af74a810debacb7da8bf4e28
SHA512

0b4ce217d00d6f1f76700a15aeae9cbf91a88f3e4ec96806e4f45b04480f19b734151fd74934921d8cf08ea702b49c4f88682df446d8330c6486e9169e8ec0be
SSDEEP

384:bZk4nwCxOnBpWP0Gre5dHMvjNk4UIgeOdCAH2N7gt/V5bd2ChRl9mmu1ZPeic:bZhwCepW1re5arXAHr/Lbd2Pmbi

Score

8^/10

evasion

Malware Config

Signatures

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	svchost.exe

Deletes itself 1 IoCs

Processes:

svchost.exe

pid process

2984 svchost.exe
Executes dropped EXE 1 IoCs

Processes:

826ED114329F6C4F5F40.exe

pid process

1420 826ED114329F6C4F5F40.exe

pid	process
2984	svchost.exe

pid	process
1420	826ED114329F6C4F5F40.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000da362e54a03ebf190000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000da362e540000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900da362e54000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dda362e54000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000da362e5400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "248"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

svchost.exevssvc.exeshutdown.exe

description	pid	process
Token: SeSystemProfilePrivilege	2984	svchost.exe
Token: SeBackupPrivilege	1892	vssvc.exe
Token: SeRestorePrivilege	1892	vssvc.exe
Token: SeAuditPrivilege	1892	vssvc.exe
Token: SeShutdownPrivilege	2652	shutdown.exe
Token: SeRemoteShutdownPrivilege	2652	shutdown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

4576 LogonUI.exe

pid	process
4576	LogonUI.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

67b78d68337844c4ce0c585851b633e2.exesvchost.exe826ED114329F6C4F5F40.exe

description	pid	process	target process
PID 456 wrote to memory of 2984	456	67b78d68337844c4ce0c585851b633e2.exe	svchost.exe
PID 456 wrote to memory of 2984	456	67b78d68337844c4ce0c585851b633e2.exe	svchost.exe
PID 456 wrote to memory of 2984	456	67b78d68337844c4ce0c585851b633e2.exe	svchost.exe
PID 456 wrote to memory of 2984	456	67b78d68337844c4ce0c585851b633e2.exe	svchost.exe
PID 2984 wrote to memory of 1424	2984	svchost.exe	reg.exe
PID 2984 wrote to memory of 1424	2984	svchost.exe	reg.exe
PID 2984 wrote to memory of 1424	2984	svchost.exe	reg.exe
PID 2984 wrote to memory of 2652	2984	svchost.exe	shutdown.exe
PID 2984 wrote to memory of 2652	2984	svchost.exe	shutdown.exe
PID 2984 wrote to memory of 2652	2984	svchost.exe	shutdown.exe
PID 2984 wrote to memory of 1420	2984	svchost.exe	826ED114329F6C4F5F40.exe
PID 2984 wrote to memory of 1420	2984	svchost.exe	826ED114329F6C4F5F40.exe
PID 2984 wrote to memory of 1420	2984	svchost.exe	826ED114329F6C4F5F40.exe
PID 1420 wrote to memory of 4772	1420	826ED114329F6C4F5F40.exe	svchost.exe
PID 1420 wrote to memory of 4772	1420	826ED114329F6C4F5F40.exe	svchost.exe
PID 1420 wrote to memory of 4772	1420	826ED114329F6C4F5F40.exe	svchost.exe
PID 1420 wrote to memory of 4772	1420	826ED114329F6C4F5F40.exe	svchost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\67b78d68337844c4ce0c585851b633e2.exe
"C:\Users\Admin\AppData\Local\Temp\67b78d68337844c4ce0c585851b633e2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:456

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Disables RegEdit via registry modification
- Deletes itself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2984

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
3⤵
PID:1424

C:\Users\Admin\AppData\Local\Temp\826ED114329F6C4F5F40.exe
C:\Users\Admin\AppData\Local\Temp\826ED114329F6C4F5F40.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1420

C:\Windows\SysWOW64\svchost.exe
svchost.exe
4⤵
PID:4772

C:\Windows\SysWOW64\shutdown.exe
shutdown.exe -r -f -t 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2652

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1892

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
PID:2132

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3952855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4576

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\826ED114329F6C4F5F40.exe
Filesize
39KB

MD5
67b78d68337844c4ce0c585851b633e2

SHA1
e356526d53a8f1bef9587544c46af4035d31d7f8

SHA256
d1bf365dc4132fb562fb99e01e3613ed2a3548d5af74a810debacb7da8bf4e28

SHA512
0b4ce217d00d6f1f76700a15aeae9cbf91a88f3e4ec96806e4f45b04480f19b734151fd74934921d8cf08ea702b49c4f88682df446d8330c6486e9169e8ec0be

Download Submit
memory/456-1-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/456-0-0x00000000004F0000-0x00000000004F6000-memory.dmp

Filesize
24KB

Download
memory/1420-10-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2984-2-0x000000007F590000-0x000000007F59E000-memory.dmp

Filesize
56KB

Download
memory/2984-12-0x000000007F590000-0x000000007F59E000-memory.dmp

Filesize
56KB

Download
memory/4772-9-0x000000007FF80000-0x000000007FF8E000-memory.dmp

Filesize
56KB

Download
memory/4772-15-0x000000007FF80000-0x000000007FF8E000-memory.dmp

Filesize
56KB

Download
memory/4772-17-0x000000007FF80000-0x000000007FF8E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads