36a9e7f1c95b82ffb99743e0c5c4ce95d83c9a430aac59f84ef3cbfab6145068

Reason

Machine shutdown

General

Target

file.ps1
Size

1B
MD5

7215ee9c7d9dc229d2921a40e899ec5f
SHA1

b858cb282617fb0956d960215c8e84d1ccf909c6
SHA256

36a9e7f1c95b82ffb99743e0c5c4ce95d83c9a430aac59f84ef3cbfab6145068
SHA512

f90ddd77e400dfe6a3fcf479b00b1ee29e7015c5bb8cd70f5f15b4886cc339275ff553fc8a053f8ddc7324f45168cffaf81f8c3ac93996f6536eef38e5e40768

Score

5^/10

execution

Malware Config

Signatures

Drops file in System32 directory 1 IoCs

Processes:

bootim.exe

description ioc process

File opened for modification C:\Windows\system32\Recovery\ReAgent.xml bootim.exe

description	ioc	process
File opened for modification	C:\Windows\system32\Recovery\ReAgent.xml	bootim.exe

Drops file in Windows directory 4 IoCs

Processes:

bootim.exe

description	ioc	process
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	bootim.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	bootim.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	bootim.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	bootim.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

4292 powershell.exe

pid	process
4292	powershell.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "237"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

4292 powershell.exe
4292 powershell.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

bootim.exe

pid process

4320 bootim.exe

pid	process
4292	powershell.exe
4292	powershell.exe

pid	process
4320	bootim.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

powershell.exevssvc.exebootim.exe

description	pid	process
Token: SeDebugPrivilege	4292	powershell.exe
Token: SeBackupPrivilege	1684	vssvc.exe
Token: SeRestorePrivilege	1684	vssvc.exe
Token: SeAuditPrivilege	1684	vssvc.exe
Token: SeSystemEnvironmentPrivilege	4320	bootim.exe
Token: SeTakeOwnershipPrivilege	4320	bootim.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

SystemSettingsAdminFlows.exeLogonUI.exe

pid process

3640 SystemSettingsAdminFlows.exe
3664 LogonUI.exe
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

pid	process
3640	SystemSettingsAdminFlows.exe
3664	LogonUI.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\file.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4292

C:\Windows\System32\BitLockerWizardElev.exe
"C:\Windows\System32\BitLockerWizardElev.exe" C:\ T
1⤵
PID:4184

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" TurnOffDevicePortal
1⤵
PID:4924

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" TurnOffDevicePortal
1⤵
PID:5064

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" TurnOnDeveloperFeatures DeveloperUnlock
1⤵
- Suspicious use of SetWindowsHookEx
PID:3640

C:\Windows\System32\FodHelper.exe
C:\Windows\System32\FodHelper.exe -Embedding
1⤵
PID:780

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3936055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3664

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k AppReadiness -p -s AppReadiness
1⤵
PID:4952

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1684

C:\Windows\system32\bootim.exe
bootim.exe /startpage:1
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:4320

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2b4utqgd.umq.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System32\Recovery\ReAgent.xml
Filesize
1KB

MD5
3e9e6664250d6b8b7e3a91f502536b04

SHA1
3dd49f7f3661f4cd4a5a92917685c224f886cbe3

SHA256
dbe63a5ddb28ab6a191c83408063eef409b50da5b14bccc515f37d5d0f7877ba

SHA512
293c345d4ccfad336a26020b66ba2653331d78489d94bb898c29fefb6c2653622fc6463a33c07e976f10e268cf4a638efa9941bb0784feeab4ad57bda57e3e88

Download Submit
memory/4292-0-0x00007FFBED9F3000-0x00007FFBED9F5000-memory.dmp

Filesize
8KB

Download
memory/4292-6-0x00000218CA910000-0x00000218CA932000-memory.dmp

Filesize
136KB

Download
memory/4292-11-0x00007FFBED9F0000-0x00007FFBEE4B1000-memory.dmp

Filesize
10.8MB

Download
memory/4292-12-0x00007FFBED9F0000-0x00007FFBEE4B1000-memory.dmp

Filesize
10.8MB

Download
memory/4292-15-0x00007FFBED9F0000-0x00007FFBEE4B1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads