medusalocker | c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6

General

Target

c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
Size

669KB
MD5

2120cf93b6be39884f951ee2a31c5999
SHA1

317b695da0ece90979f0400c2c7800e50bec8bb9
SHA256

c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6
SHA512

3038b27dcc263675a642f77d9dbaaff921c3a56f160051df44619dbafcd5d108db1c6caeacb70179c511e284035d329f29c34dd19500d2bd4006d2f86ee1dc33

Score

10^/10

medusalocker evasion ransomware spyware stealer trojan

Malware Config

Signatures

MedusaLocker
Ransomware with several variants first seen in September 2019.
ransomware medusalocker
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 8 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\ExitDebug.crw => C:\Users\Admin\Pictures\ExitDebug.crw.L16	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
File opened for modification	C:\Users\Admin\Pictures\MergeCompare.tiff	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
File renamed	C:\Users\Admin\Pictures\MergeCompare.tiff => C:\Users\Admin\Pictures\MergeCompare.tiff.L16	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
File renamed	C:\Users\Admin\Pictures\MountDismount.tif => C:\Users\Admin\Pictures\MountDismount.tif.L16	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
File renamed	C:\Users\Admin\Pictures\RemoveRegister.raw => C:\Users\Admin\Pictures\RemoveRegister.raw.L16	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
File renamed	C:\Users\Admin\Pictures\ConvertToSend.crw => C:\Users\Admin\Pictures\ConvertToSend.crw.L16	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
File renamed	C:\Users\Admin\Pictures\DenyReset.tif => C:\Users\Admin\Pictures\DenyReset.tif.L16	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
File renamed	C:\Users\Admin\Pictures\DismountSplit.raw => C:\Users\Admin\Pictures\DismountSplit.raw.L16	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe

description	ioc	process
File opened for modification	\??\Z:\$RECYCLE.BIN\S-1-5-21-1594587808-2047097707-2163810515-1000\desktop.ini	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe

description	ioc	process
File opened (read-only)	\??\V:	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
File opened (read-only)	\??\X:	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
File opened (read-only)	\??\F:	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
File opened (read-only)	\??\I:	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
File opened (read-only)	\??\O:	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
File opened (read-only)	\??\P:	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
File opened (read-only)	\??\T:	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
File opened (read-only)	\??\A:	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
File opened (read-only)	\??\B:	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
File opened (read-only)	\??\K:	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
File opened (read-only)	\??\R:	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
File opened (read-only)	\??\W:	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
File opened (read-only)	\??\Q:	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
File opened (read-only)	\??\S:	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
File opened (read-only)	\??\Z:	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
File opened (read-only)	\??\E:	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
File opened (read-only)	\??\H:	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
File opened (read-only)	\??\L:	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
File opened (read-only)	\??\M:	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
File opened (read-only)	\??\N:	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
File opened (read-only)	\??\G:	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
File opened (read-only)	\??\J:	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
File opened (read-only)	\??\U:	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
File opened (read-only)	\??\Y:	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exe

pid process

3620 vssadmin.exe
3396 vssadmin.exe
492 vssadmin.exe

pid	process
3620	vssadmin.exe
3396	vssadmin.exe
492	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe

pid	process
1096	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1096	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1096	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1096	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1096	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1096	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1096	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1096	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1096	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1096	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1096	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1096	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1096	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1096	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1096	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1096	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1096	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1096	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1096	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1096	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1096	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1096	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1096	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1096	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1096	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1096	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1096	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1096	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1096	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1096	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1096	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1096	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1096	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1096	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1096	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1096	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1096	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1096	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1096	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1096	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1096	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1096	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1096	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1096	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1096	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1096	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1096	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1096	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1096	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1096	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1096	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1096	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1096	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1096	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1096	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1096	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1096	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1096	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1096	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1096	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1096	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1096	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1096	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
1096	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

vssvc.exewmic.exewmic.exewmic.exe

description	pid	process
Token: SeBackupPrivilege	200	vssvc.exe
Token: SeRestorePrivilege	200	vssvc.exe
Token: SeAuditPrivilege	200	vssvc.exe
Token: SeIncreaseQuotaPrivilege	3000	wmic.exe
Token: SeSecurityPrivilege	3000	wmic.exe
Token: SeTakeOwnershipPrivilege	3000	wmic.exe
Token: SeLoadDriverPrivilege	3000	wmic.exe
Token: SeSystemProfilePrivilege	3000	wmic.exe
Token: SeSystemtimePrivilege	3000	wmic.exe
Token: SeProfSingleProcessPrivilege	3000	wmic.exe
Token: SeIncBasePriorityPrivilege	3000	wmic.exe
Token: SeCreatePagefilePrivilege	3000	wmic.exe
Token: SeBackupPrivilege	3000	wmic.exe
Token: SeRestorePrivilege	3000	wmic.exe
Token: SeShutdownPrivilege	3000	wmic.exe
Token: SeDebugPrivilege	3000	wmic.exe
Token: SeSystemEnvironmentPrivilege	3000	wmic.exe
Token: SeRemoteShutdownPrivilege	3000	wmic.exe
Token: SeUndockPrivilege	3000	wmic.exe
Token: SeManageVolumePrivilege	3000	wmic.exe
Token: 33	3000	wmic.exe
Token: 34	3000	wmic.exe
Token: 35	3000	wmic.exe
Token: 36	3000	wmic.exe
Token: SeIncreaseQuotaPrivilege	1348	wmic.exe
Token: SeSecurityPrivilege	1348	wmic.exe
Token: SeTakeOwnershipPrivilege	1348	wmic.exe
Token: SeLoadDriverPrivilege	1348	wmic.exe
Token: SeSystemProfilePrivilege	1348	wmic.exe
Token: SeSystemtimePrivilege	1348	wmic.exe
Token: SeProfSingleProcessPrivilege	1348	wmic.exe
Token: SeIncBasePriorityPrivilege	1348	wmic.exe
Token: SeCreatePagefilePrivilege	1348	wmic.exe
Token: SeBackupPrivilege	1348	wmic.exe
Token: SeRestorePrivilege	1348	wmic.exe
Token: SeShutdownPrivilege	1348	wmic.exe
Token: SeDebugPrivilege	1348	wmic.exe
Token: SeSystemEnvironmentPrivilege	1348	wmic.exe
Token: SeRemoteShutdownPrivilege	1348	wmic.exe
Token: SeUndockPrivilege	1348	wmic.exe
Token: SeManageVolumePrivilege	1348	wmic.exe
Token: 33	1348	wmic.exe
Token: 34	1348	wmic.exe
Token: 35	1348	wmic.exe
Token: 36	1348	wmic.exe
Token: SeIncreaseQuotaPrivilege	3808	wmic.exe
Token: SeSecurityPrivilege	3808	wmic.exe
Token: SeTakeOwnershipPrivilege	3808	wmic.exe
Token: SeLoadDriverPrivilege	3808	wmic.exe
Token: SeSystemProfilePrivilege	3808	wmic.exe
Token: SeSystemtimePrivilege	3808	wmic.exe
Token: SeProfSingleProcessPrivilege	3808	wmic.exe
Token: SeIncBasePriorityPrivilege	3808	wmic.exe
Token: SeCreatePagefilePrivilege	3808	wmic.exe
Token: SeBackupPrivilege	3808	wmic.exe
Token: SeRestorePrivilege	3808	wmic.exe
Token: SeShutdownPrivilege	3808	wmic.exe
Token: SeDebugPrivilege	3808	wmic.exe
Token: SeSystemEnvironmentPrivilege	3808	wmic.exe
Token: SeRemoteShutdownPrivilege	3808	wmic.exe
Token: SeUndockPrivilege	3808	wmic.exe
Token: SeManageVolumePrivilege	3808	wmic.exe
Token: 33	3808	wmic.exe
Token: 34	3808	wmic.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe

description	pid	process	target process
PID 1096 wrote to memory of 3620	1096	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe	vssadmin.exe
PID 1096 wrote to memory of 3620	1096	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe	vssadmin.exe
PID 1096 wrote to memory of 3620	1096	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe	vssadmin.exe
PID 1096 wrote to memory of 3000	1096	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe	wmic.exe
PID 1096 wrote to memory of 3000	1096	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe	wmic.exe
PID 1096 wrote to memory of 3000	1096	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe	wmic.exe
PID 1096 wrote to memory of 3396	1096	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe	vssadmin.exe
PID 1096 wrote to memory of 3396	1096	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe	vssadmin.exe
PID 1096 wrote to memory of 3396	1096	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe	vssadmin.exe
PID 1096 wrote to memory of 1348	1096	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe	wmic.exe
PID 1096 wrote to memory of 1348	1096	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe	wmic.exe
PID 1096 wrote to memory of 1348	1096	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe	wmic.exe
PID 1096 wrote to memory of 492	1096	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe	vssadmin.exe
PID 1096 wrote to memory of 492	1096	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe	vssadmin.exe
PID 1096 wrote to memory of 492	1096	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe	vssadmin.exe
PID 1096 wrote to memory of 3808	1096	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe	wmic.exe
PID 1096 wrote to memory of 3808	1096	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe	wmic.exe
PID 1096 wrote to memory of 3808	1096	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe	wmic.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe

C:\Users\Admin\AppData\Local\Temp\c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe
"C:\Users\Admin\AppData\Local\Temp\c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6.bin.exe"
1⤵
- Modifies extensions of user files
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1096