022728f678d8dcc6cba20147595ed4099e9c98be0582c0f67518d5664e3b8523

Analysis

max time kernel
59s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240226-uk
resource tags

arch:x64arch:x86image:win10v2004-20240226-uklocale:uk-uaos:windows10-2004-x64systemwindows
submitted
03-03-2024 13:53

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Ransomware/RedBoot.exe
Size

1.2MB
MD5

e0340f456f76993fc047bc715dfdae6a
SHA1

d47f6f7e553c4bc44a2fe88c2054de901390b2d7
SHA256

1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887
SHA512

cac10c675d81630eefca49b2ac4cc83f3eb29115ee28a560db4d6c33f70bf24980e48bb48ce20375349736e3e6b23a1ca504b9367917328853fffc5539626bbc
SSDEEP

24576:/4GHnhIzOasqUgEOr69/BRH7dCibu+XoAX0eOTva49ttrSpt81ekHPyWe:AshdasJgEOrGBRxCihH7OO49rveMG

Score

9^/10

bootkit persistence ransomware upx

Malware Config

Signatures

Renames multiple (149) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Executes dropped EXE 3 IoCs

Processes:

protect.exeassembler.exeoverwrite.exe

pid process

2828 protect.exe
452 assembler.exe
4852 overwrite.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral25/memory/3688-0-0x0000000000BE0000-0x0000000000E6E000-memory.dmp	upx
behavioral25/memory/3688-187-0x0000000000BE0000-0x0000000000E6E000-memory.dmp	upx

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

overwrite.exe

description ioc process

File opened for modification \??\PhysicalDrive0 overwrite.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	overwrite.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\43629156\protect.exe	autoit_exe
behavioral25/memory/3688-187-0x0000000000BE0000-0x0000000000E6E000-memory.dmp	autoit_exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "30"	LogonUI.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

protect.exe

pid	process
2828	protect.exe
2828	protect.exe
2828	protect.exe
2828	protect.exe
2828	protect.exe
2828	protect.exe
2828	protect.exe
2828	protect.exe
2828	protect.exe
2828	protect.exe
2828	protect.exe
2828	protect.exe
2828	protect.exe
2828	protect.exe
2828	protect.exe
2828	protect.exe
2828	protect.exe
2828	protect.exe
2828	protect.exe
2828	protect.exe
2828	protect.exe
2828	protect.exe
2828	protect.exe
2828	protect.exe
2828	protect.exe
2828	protect.exe
2828	protect.exe
2828	protect.exe
2828	protect.exe
2828	protect.exe
2828	protect.exe
2828	protect.exe
2828	protect.exe
2828	protect.exe
2828	protect.exe
2828	protect.exe
2828	protect.exe
2828	protect.exe
2828	protect.exe
2828	protect.exe
2828	protect.exe
2828	protect.exe
2828	protect.exe
2828	protect.exe
2828	protect.exe
2828	protect.exe
2828	protect.exe
2828	protect.exe
2828	protect.exe
2828	protect.exe
2828	protect.exe
2828	protect.exe
2828	protect.exe
2828	protect.exe
2828	protect.exe
2828	protect.exe
2828	protect.exe
2828	protect.exe
2828	protect.exe
2828	protect.exe
2828	protect.exe
2828	protect.exe
2828	protect.exe
2828	protect.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

RedBoot.exe

pid process

3688 RedBoot.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

RedBoot.exe

description pid process

Token: SeShutdownPrivilege 3688 RedBoot.exe
Token: 9799864678180940919 3688 RedBoot.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

1684 LogonUI.exe

pid	process
3688	RedBoot.exe

description	pid	process
Token: SeShutdownPrivilege	3688	RedBoot.exe
Token: 9799864678180940919	3688	RedBoot.exe

pid	process
1684	LogonUI.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

RedBoot.exe

description	pid	process	target process
PID 3688 wrote to memory of 2828	3688	RedBoot.exe	protect.exe
PID 3688 wrote to memory of 2828	3688	RedBoot.exe	protect.exe
PID 3688 wrote to memory of 2828	3688	RedBoot.exe	protect.exe
PID 3688 wrote to memory of 452	3688	RedBoot.exe	assembler.exe
PID 3688 wrote to memory of 452	3688	RedBoot.exe	assembler.exe
PID 3688 wrote to memory of 452	3688	RedBoot.exe	assembler.exe
PID 3688 wrote to memory of 4852	3688	RedBoot.exe	overwrite.exe
PID 3688 wrote to memory of 4852	3688	RedBoot.exe	overwrite.exe
PID 3688 wrote to memory of 4852	3688	RedBoot.exe	overwrite.exe

C:\Users\Admin\AppData\Local\Temp\Ransomware\RedBoot.exe
"C:\Users\Admin\AppData\Local\Temp\Ransomware\RedBoot.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3688

C:\Users\Admin\43629156\protect.exe
"C:\Users\Admin\43629156\protect.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2828

C:\Users\Admin\43629156\assembler.exe
"C:\Users\Admin\43629156\assembler.exe" -f bin "C:\Users\Admin\43629156\boot.asm" -o "C:\Users\Admin\43629156\boot.bin"
2⤵
- Executes dropped EXE
PID:452

C:\Users\Admin\43629156\overwrite.exe
"C:\Users\Admin\43629156\overwrite.exe" "C:\Users\Admin\43629156\boot.bin"
2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:4852

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3984055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1684

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\43629156\assembler.exe
Filesize
589KB

MD5
7e3cea1f686207563c8369f64ea28e5b

SHA1
a1736fd61555841396b0406d5c9ca55c4b6cdf41

SHA256
2a5305369edb9c2d7354b2f210e91129e4b8c546b0adf883951ea7bf7ee0f2b2

SHA512
4629bc32094bdb030e6c9be247068e7295599203284cb95921c98fcbe3ac60286670be7e5ee9f0374a4017286c7af9db211bd831e3ea871d31a509d7bbc1d6a3

Download Submit
C:\Users\Admin\43629156\boot.asm
Filesize
825B

MD5
def1219cfb1c0a899e5c4ea32fe29f70

SHA1
88aedde59832576480dfc7cd3ee6f54a132588a8

SHA256
91e74c438099172b057bedf693d877bd08677d5f2173763986be4974c0970581

SHA512
1e735d588cb1bb42324eaff1b9190ec6a8254f419d1ba4a13d03716ff5c102a335532b573a5befb08da90586e5670617066564ef9872f8c415b9a480836df423

Download Submit
C:\Users\Admin\43629156\boot.bin
Filesize
512B

MD5
90053233e561c8bf7a7b14eda0fa0e84

SHA1
16a7138387f7a3366b7da350c598f71de3e1cde2

SHA256
a760d8bc77ad8c0c839d4ef162ce44d5897af6fa84e0cc05ecc0747759ea76c2

SHA512
63fda509cd02fd9d1374435f95515bc74f1ca8a9650b87d2299f8eee3a1c5a41b1cb8a4e1360c75f876f1dae193fdf4a96eba244683308f34d64d7ce37af2bb4

Download Submit
C:\Users\Admin\43629156\overwrite.exe
Filesize
288KB

MD5
bc160318a6e8dadb664408fb539cd04b

SHA1
4b5eb324eebe3f84e623179a8e2c3743ccf32763

SHA256
f2bc5886b0f189976a367a69da8745bf66842f9bba89f8d208790db3dad0c7d2

SHA512
51bc090f2821c57d94cfe4399b1f372a68d2811ea0b87d1ac1d6cf8ae39b167038ac21c471b168f1d19c6b213762024abb7e9e5ca311b246b46af0888289e46c

Download Submit
C:\Users\Admin\43629156\protect.exe
Filesize
837KB

MD5
fd414666a5b2122c3d9e3e380cf225ed

SHA1
de139747b42a807efa8a2dcc1a8304f9a29b862d

SHA256
e61a8382f7293e40cb993ddcbcaa53a4e5f07a3d6b6a1bfe5377a1a74a8dcac6

SHA512
9ab2163d7deff29c202ed88dba36d5b28f6c67e647a0cadb3d03cc725796e19e5f298c04b1c8523d1d1ee4307e1a5d6f8156fa4021627d6ca1bbd0830695ae05

Download Submit
memory/452-32-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/3688-0-0x0000000000BE0000-0x0000000000E6E000-memory.dmp

Filesize
2.6MB

Download
memory/3688-187-0x0000000000BE0000-0x0000000000E6E000-memory.dmp

Filesize
2.6MB

Download
memory/4852-37-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads