medusalocker | c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6

General

Target

c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
Size

669KB
MD5

2120cf93b6be39884f951ee2a31c5999
SHA1

317b695da0ece90979f0400c2c7800e50bec8bb9
SHA256

c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6
SHA512

3038b27dcc263675a642f77d9dbaaff921c3a56f160051df44619dbafcd5d108db1c6caeacb70179c511e284035d329f29c34dd19500d2bd4006d2f86ee1dc33

Score

10^/10

medusalocker evasion ransomware spyware stealer trojan

Malware Config

Signatures

MedusaLocker
Ransomware with several variants first seen in September 2019.
ransomware medusalocker

MedusaLocker Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\svhost.exe	family_medusalocker
C:\Users\Admin\AppData\Roaming\svhost.exe	family_medusalocker

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 1 IoCs

Processes:

svhost.exe

pid process

1528 svhost.exe

pid	process
1528	svhost.exe

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\MergeShow.tif => C:\Users\Admin\Pictures\MergeShow.tif.L16	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
File renamed	C:\Users\Admin\Pictures\SplitInstall.crw => C:\Users\Admin\Pictures\SplitInstall.crw.L16	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
File renamed	C:\Users\Admin\Pictures\ConvertFromExport.raw => C:\Users\Admin\Pictures\ConvertFromExport.raw.L16	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
File renamed	C:\Users\Admin\Pictures\FormatHide.raw => C:\Users\Admin\Pictures\FormatHide.raw.L16	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe

description	ioc	process
File opened for modification	\??\Z:\$RECYCLE.BIN\S-1-5-21-2513283230-931923277-594887482-1000\desktop.ini	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe

description	ioc	process
File opened (read-only)	\??\E:	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
File opened (read-only)	\??\J:	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
File opened (read-only)	\??\N:	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
File opened (read-only)	\??\Q:	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
File opened (read-only)	\??\X:	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
File opened (read-only)	\??\W:	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
File opened (read-only)	\??\B:	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
File opened (read-only)	\??\F:	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
File opened (read-only)	\??\G:	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
File opened (read-only)	\??\K:	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
File opened (read-only)	\??\M:	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
File opened (read-only)	\??\R:	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
File opened (read-only)	\??\U:	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
File opened (read-only)	\??\A:	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
File opened (read-only)	\??\L:	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
File opened (read-only)	\??\S:	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
File opened (read-only)	\??\T:	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
File opened (read-only)	\??\V:	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
File opened (read-only)	\??\Y:	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
File opened (read-only)	\??\Z:	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
File opened (read-only)	\??\H:	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
File opened (read-only)	\??\I:	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
File opened (read-only)	\??\O:	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
File opened (read-only)	\??\P:	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exe

pid process

1140 vssadmin.exe
1596 vssadmin.exe
1084 vssadmin.exe

pid	process
1140	vssadmin.exe
1596	vssadmin.exe
1084	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe

pid	process
1656	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1656	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1656	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1656	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1656	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1656	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1656	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1656	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1656	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1656	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1656	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1656	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1656	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1656	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1656	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1656	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1656	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1656	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1656	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1656	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1656	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1656	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1656	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1656	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1656	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1656	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1656	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1656	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1656	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1656	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1656	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1656	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1656	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1656	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1656	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1656	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1656	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1656	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1656	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1656	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1656	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1656	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1656	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1656	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1656	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1656	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1656	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1656	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1656	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1656	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1656	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1656	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1656	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1656	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1656	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1656	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1656	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1656	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1656	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1656	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1656	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1656	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1656	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1656	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe

Suspicious use of AdjustPrivilegeToken 63 IoCs

Processes:

vssvc.exewmic.exewmic.exewmic.exe

description	pid	process
Token: SeBackupPrivilege	1944	vssvc.exe
Token: SeRestorePrivilege	1944	vssvc.exe
Token: SeAuditPrivilege	1944	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1708	wmic.exe
Token: SeSecurityPrivilege	1708	wmic.exe
Token: SeTakeOwnershipPrivilege	1708	wmic.exe
Token: SeLoadDriverPrivilege	1708	wmic.exe
Token: SeSystemProfilePrivilege	1708	wmic.exe
Token: SeSystemtimePrivilege	1708	wmic.exe
Token: SeProfSingleProcessPrivilege	1708	wmic.exe
Token: SeIncBasePriorityPrivilege	1708	wmic.exe
Token: SeCreatePagefilePrivilege	1708	wmic.exe
Token: SeBackupPrivilege	1708	wmic.exe
Token: SeRestorePrivilege	1708	wmic.exe
Token: SeShutdownPrivilege	1708	wmic.exe
Token: SeDebugPrivilege	1708	wmic.exe
Token: SeSystemEnvironmentPrivilege	1708	wmic.exe
Token: SeRemoteShutdownPrivilege	1708	wmic.exe
Token: SeUndockPrivilege	1708	wmic.exe
Token: SeManageVolumePrivilege	1708	wmic.exe
Token: 33	1708	wmic.exe
Token: 34	1708	wmic.exe
Token: 35	1708	wmic.exe
Token: SeIncreaseQuotaPrivilege	1440	wmic.exe
Token: SeSecurityPrivilege	1440	wmic.exe
Token: SeTakeOwnershipPrivilege	1440	wmic.exe
Token: SeLoadDriverPrivilege	1440	wmic.exe
Token: SeSystemProfilePrivilege	1440	wmic.exe
Token: SeSystemtimePrivilege	1440	wmic.exe
Token: SeProfSingleProcessPrivilege	1440	wmic.exe
Token: SeIncBasePriorityPrivilege	1440	wmic.exe
Token: SeCreatePagefilePrivilege	1440	wmic.exe
Token: SeBackupPrivilege	1440	wmic.exe
Token: SeRestorePrivilege	1440	wmic.exe
Token: SeShutdownPrivilege	1440	wmic.exe
Token: SeDebugPrivilege	1440	wmic.exe
Token: SeSystemEnvironmentPrivilege	1440	wmic.exe
Token: SeRemoteShutdownPrivilege	1440	wmic.exe
Token: SeUndockPrivilege	1440	wmic.exe
Token: SeManageVolumePrivilege	1440	wmic.exe
Token: 33	1440	wmic.exe
Token: 34	1440	wmic.exe
Token: 35	1440	wmic.exe
Token: SeIncreaseQuotaPrivilege	1272	wmic.exe
Token: SeSecurityPrivilege	1272	wmic.exe
Token: SeTakeOwnershipPrivilege	1272	wmic.exe
Token: SeLoadDriverPrivilege	1272	wmic.exe
Token: SeSystemProfilePrivilege	1272	wmic.exe
Token: SeSystemtimePrivilege	1272	wmic.exe
Token: SeProfSingleProcessPrivilege	1272	wmic.exe
Token: SeIncBasePriorityPrivilege	1272	wmic.exe
Token: SeCreatePagefilePrivilege	1272	wmic.exe
Token: SeBackupPrivilege	1272	wmic.exe
Token: SeRestorePrivilege	1272	wmic.exe
Token: SeShutdownPrivilege	1272	wmic.exe
Token: SeDebugPrivilege	1272	wmic.exe
Token: SeSystemEnvironmentPrivilege	1272	wmic.exe
Token: SeRemoteShutdownPrivilege	1272	wmic.exe
Token: SeUndockPrivilege	1272	wmic.exe
Token: SeManageVolumePrivilege	1272	wmic.exe
Token: 33	1272	wmic.exe
Token: 34	1272	wmic.exe
Token: 35	1272	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exetaskeng.exe

description	pid	process	target process
PID 1656 wrote to memory of 1140	1656	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe	vssadmin.exe
PID 1656 wrote to memory of 1140	1656	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe	vssadmin.exe
PID 1656 wrote to memory of 1140	1656	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe	vssadmin.exe
PID 1656 wrote to memory of 1140	1656	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe	vssadmin.exe
PID 1656 wrote to memory of 1708	1656	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe	wmic.exe
PID 1656 wrote to memory of 1708	1656	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe	wmic.exe
PID 1656 wrote to memory of 1708	1656	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe	wmic.exe
PID 1656 wrote to memory of 1708	1656	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe	wmic.exe
PID 1656 wrote to memory of 1596	1656	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe	vssadmin.exe
PID 1656 wrote to memory of 1596	1656	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe	vssadmin.exe
PID 1656 wrote to memory of 1596	1656	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe	vssadmin.exe
PID 1656 wrote to memory of 1596	1656	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe	vssadmin.exe
PID 1656 wrote to memory of 1440	1656	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe	wmic.exe
PID 1656 wrote to memory of 1440	1656	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe	wmic.exe
PID 1656 wrote to memory of 1440	1656	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe	wmic.exe
PID 1656 wrote to memory of 1440	1656	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe	wmic.exe
PID 1656 wrote to memory of 1084	1656	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe	vssadmin.exe
PID 1656 wrote to memory of 1084	1656	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe	vssadmin.exe
PID 1656 wrote to memory of 1084	1656	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe	vssadmin.exe
PID 1656 wrote to memory of 1084	1656	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe	vssadmin.exe
PID 1656 wrote to memory of 1272	1656	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe	wmic.exe
PID 1656 wrote to memory of 1272	1656	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe	wmic.exe
PID 1656 wrote to memory of 1272	1656	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe	wmic.exe
PID 1656 wrote to memory of 1272	1656	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe	wmic.exe
PID 1120 wrote to memory of 1528	1120	taskeng.exe	svhost.exe
PID 1120 wrote to memory of 1528	1120	taskeng.exe	svhost.exe
PID 1120 wrote to memory of 1528	1120	taskeng.exe	svhost.exe
PID 1120 wrote to memory of 1528	1120	taskeng.exe	svhost.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe

C:\Users\Admin\AppData\Local\Temp\c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
"C:\Users\Admin\AppData\Local\Temp\c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe"
1⤵
- Modifies extensions of user files
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1656

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
2⤵
- Interacts with shadow copies
PID:1140

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1708

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
2⤵
- Interacts with shadow copies
PID:1596

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1440

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
2⤵
- Interacts with shadow copies
PID:1084

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1272

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1944

C:\Windows\system32\taskeng.exe
taskeng.exe {F9DB72D7-9870-46A0-8819-C9359C2B8CCF} S-1-5-21-2513283230-931923277-594887482-1000:MRBKYMNO\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1120

C:\Users\Admin\AppData\Roaming\svhost.exe
C:\Users\Admin\AppData\Roaming\svhost.exe
2⤵
- Executes dropped EXE
PID:1528

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

1

T1089

Modify Registry

2

T1112

File Deletion

2

T1107

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

3

T1082

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\svhost.exe
MD5
2120cf93b6be39884f951ee2a31c5999

SHA1
317b695da0ece90979f0400c2c7800e50bec8bb9

SHA256
c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6

SHA512
3038b27dcc263675a642f77d9dbaaff921c3a56f160051df44619dbafcd5d108db1c6caeacb70179c511e284035d329f29c34dd19500d2bd4006d2f86ee1dc33

Download Submit
C:\Users\Admin\AppData\Roaming\svhost.exe
MD5
2120cf93b6be39884f951ee2a31c5999

SHA1
317b695da0ece90979f0400c2c7800e50bec8bb9

SHA256
c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6

SHA512
3038b27dcc263675a642f77d9dbaaff921c3a56f160051df44619dbafcd5d108db1c6caeacb70179c511e284035d329f29c34dd19500d2bd4006d2f86ee1dc33

Download Submit
memory/1084-64-0x0000000000000000-mapping.dmp

Download
memory/1140-60-0x0000000000000000-mapping.dmp

Download
memory/1272-65-0x0000000000000000-mapping.dmp

Download
memory/1440-63-0x0000000000000000-mapping.dmp

Download
memory/1528-67-0x0000000000000000-mapping.dmp

Download
memory/1596-62-0x0000000000000000-mapping.dmp

Download
memory/1656-59-0x00000000757D1000-0x00000000757D3000-memory.dmp

Filesize
8KB

Download
memory/1708-61-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads