Windows Shutdown Event

From ema
EMA ID: ema-1073
Description: Winlogon notification packages are DLLs registered under the Winlogon\Notify registry key and loaded into winlogon.exe; each package names an exported function that Winlogon calls for events such as logon, logoff and shutdown. Malware can register its own DLL with a Shutdown handler so that code of its choosing runs every time the machine shuts down.
Associated Behavior: persist after system reboot
Privilege Level: SYSTEM (registering a package requires write access to HKLM; the DLL is then loaded into winlogon.exe, which runs as LocalSystem in user mode, not in the kernel)
Supporting Details:
When the machine shuts down, Winlogon loads the registered DLL into winlogon.exe and calls the function named by its Shutdown value. That handler downloads the primary malware again and reinfects the machine, so a host that responders cleaned while it was running is compromised again on its next shutdown. Because the package does nothing between shutdowns, it can lie dormant while incident response examines the live system.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

If the Notify key has no subkeys you are in good shape. If a subkey with any name exists and it has a "Shutdown" value, the DLL named by that subkey's "DLLName" value is loaded and the exported function named by "Shutdown" is called during the shutdown process. Two caveats when checking: a stock Windows XP or Server 2003 install ships with several legitimate subkeys here (for example cscdll, ScCertProp, Schedule and SensLogn), so compare each DLLName against a known-good baseline and verify the file's Authenticode signature rather than treating any subkey as malicious; and Winlogon notification packages are not supported from Windows Vista onward, so on those versions the key is normally absent and a newly created one deserves a closer look even though Winlogon will not load it.
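The check described above, as an added PowerShell example that is not part of the EMA entry or the cited SANS diary. It assumes it is run from an elevated prompt on the host being examined (or against an offline SOFTWARE hive that has been loaded under HKLM with reg.exe load); the list of event value names is the set documented for Winlogon notification packages, and the Suspicious column is this example's own heuristic (a Shutdown handler whose DLL is missing or not validly signed).

```powershell
# Added example, not code from the EMA page or the SANS diary it cites.
# Enumerates Winlogon notification packages and flags any that register a
# Shutdown handler backed by a missing or unsigned DLL. Written to run on
# PowerShell 2.0 so it also works on the XP/2003 hosts where the technique
# is actually honoured by Winlogon.

$NotifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'

# Event value names Winlogon recognises in a notification package subkey.
# Each value holds the name of an exported function in DLLName that Winlogon
# calls for that event; Shutdown is the one this entry is about.
$EventNames = 'Logon','Logoff','Startup','Shutdown','Lock','Unlock',
              'StartScreenSaver','StopScreenSaver','StartShell',
              'Disconnect','Reconnect','PostShell'

function Resolve-NotifyDll {
    param([string]$DllName)
    # Winlogon loads the package by the name in DLLName, so a bare file name is
    # resolved from System32 (the directory winlogon.exe lives in). Expand
    # %SystemRoot%-style references first.
    $expanded = [Environment]::ExpandEnvironmentVariables($DllName)
    if ([System.IO.Path]::IsPathRooted($expanded)) { return $expanded }
    return (Join-Path $env:SystemRoot ('System32\' + $expanded))
}

function Get-WinlogonNotifyPackages {
    if (-not (Test-Path $NotifyKey)) {
        Write-Warning "No Winlogon\Notify key present (expected on Windows Vista and later)."
        return
    }
    foreach ($sub in Get-ChildItem $NotifyKey) {
        $props = Get-ItemProperty -Path $sub.PSPath
        $dll   = $props.DLLName
        $path  = $null
        if ($dll) { $path = Resolve-NotifyDll $dll }

        # Which Winlogon events this package hooks (value names present in the subkey).
        $present = $props.PSObject.Properties | ForEach-Object { $_.Name }
        $events  = $EventNames | Where-Object { $present -contains $_ }

        # Status of the DLL on disk: Valid, NotSigned, HashMismatch, ... or FileMissing.
        $sig = 'FileMissing'
        if ($path -and (Test-Path $path)) {
            $sig = [string](Get-AuthenticodeSignature -FilePath $path).Status
        }

        $hasShutdown = $present -contains 'Shutdown'

        New-Object PSObject -Property @{
            Subkey      = $sub.PSChildName
            DLLName     = $dll
            ResolvedDll = $path
            Events      = ($events -join ',')
            Shutdown    = $props.Shutdown      # exported function called at shutdown, if any
            Signature   = $sig
            # Heuristic for this example: a shutdown hook whose DLL is missing or not validly signed.
            Suspicious  = ($hasShutdown -and ($sig -ne 'Valid'))
        }
    }
}

Get-WinlogonNotifyPackages |
    Select-Object Subkey, DLLName, ResolvedDll, Events, Shutdown, Signature, Suspicious |
    Format-Table -AutoSize
```

Compare the Subkey and ResolvedDll columns against a baseline from a known-clean machine of the same build; a signed DLL in System32 that ships with Windows is expected, while a Shutdown handler pointing at an unsigned DLL in a user-writable directory is exactly the pattern this entry describes. When examining a disk image, load the SOFTWARE hive with reg.exe load and adjust $NotifyKey to the mounted path.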


Inherited Attributes:

applicable platform: Windows (unknown version), Windows 10, Windows 7, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2003, Windows Server 2003 SP1, Windows Server 2003 SP2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2008 R2 SP1, Windows Server 2008 SP1, Windows Server 2008 SP2, Windows Server 2012, Windows Server 2012 R2, Windows Vista, Windows Vista SP1, Windows Vista SP2, Windows XP, Windows XP SP1, Windows XP SP2, Windows XP SP3
References:
Date: March 22, 2013
Malware Family: MM Notify CallBack
URL: https://isc.sans.edu/diary/Wipe+the+drive!++Stealthy+Malware+Persistence+-+Part+4/15460