medusalocker | d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532

Analysis

max time kernel
129s
max time network
123s
platform
windows7_x64
resource
win7v20210410
submitted
08-08-2021 17:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
Size

669KB
MD5

45de70c85ece8763c685808eea085df4
SHA1

c9dd5313a661fd17b154ccb17a36e8399fc933a5
SHA256

d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532
SHA512

03a1d922711db1afc0a512151371c9a97a7478578c11591109537b1427aeac8b3ac44aa52c83439afe56e20134fd888bcaee1632f6046ce8edf0d99622fb362d

Score

10^/10

medusalocker evasion ransomware spyware stealer trojan

Malware Config

Signatures

MedusaLocker
Ransomware with several variants first seen in September 2019.
ransomware medusalocker

MedusaLocker Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00040000000130fc-66.dat	family_medusalocker
behavioral1/files/0x00040000000130fc-68.dat	family_medusalocker

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Executes dropped EXE 1 IoCs

pid	Process
648	svhost.exe

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\PushDebug.tif => C:\Users\Admin\Pictures\PushDebug.tif.Readinstruction	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
File renamed	C:\Users\Admin\Pictures\RepairProtect.png => C:\Users\Admin\Pictures\RepairProtect.png.Readinstruction	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	\??\Z:\$RECYCLE.BIN\S-1-5-21-2513283230-931923277-594887482-1000\desktop.ini	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
File opened (read-only)	\??\Q:	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
File opened (read-only)	\??\X:	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
File opened (read-only)	\??\Y:	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
File opened (read-only)	\??\A:	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
File opened (read-only)	\??\B:	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
File opened (read-only)	\??\E:	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
File opened (read-only)	\??\L:	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
File opened (read-only)	\??\W:	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
File opened (read-only)	\??\J:	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
File opened (read-only)	\??\O:	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
File opened (read-only)	\??\R:	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
File opened (read-only)	\??\V:	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
File opened (read-only)	\??\P:	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
File opened (read-only)	\??\S:	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
File opened (read-only)	\??\T:	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
File opened (read-only)	\??\U:	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
File opened (read-only)	\??\F:	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
File opened (read-only)	\??\H:	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
File opened (read-only)	\??\I:	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
File opened (read-only)	\??\K:	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
File opened (read-only)	\??\Z:	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
File opened (read-only)	\??\G:	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
File opened (read-only)	\??\N:	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 3 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
2016	vssadmin.exe
332	vssadmin.exe
328	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe

Suspicious use of AdjustPrivilegeToken 63 IoCs

description	pid	Process
Token: SeBackupPrivilege	1812	vssvc.exe
Token: SeRestorePrivilege	1812	vssvc.exe
Token: SeAuditPrivilege	1812	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1824	wmic.exe
Token: SeSecurityPrivilege	1824	wmic.exe
Token: SeTakeOwnershipPrivilege	1824	wmic.exe
Token: SeLoadDriverPrivilege	1824	wmic.exe
Token: SeSystemProfilePrivilege	1824	wmic.exe
Token: SeSystemtimePrivilege	1824	wmic.exe
Token: SeProfSingleProcessPrivilege	1824	wmic.exe
Token: SeIncBasePriorityPrivilege	1824	wmic.exe
Token: SeCreatePagefilePrivilege	1824	wmic.exe
Token: SeBackupPrivilege	1824	wmic.exe
Token: SeRestorePrivilege	1824	wmic.exe
Token: SeShutdownPrivilege	1824	wmic.exe
Token: SeDebugPrivilege	1824	wmic.exe
Token: SeSystemEnvironmentPrivilege	1824	wmic.exe
Token: SeRemoteShutdownPrivilege	1824	wmic.exe
Token: SeUndockPrivilege	1824	wmic.exe
Token: SeManageVolumePrivilege	1824	wmic.exe
Token: 33	1824	wmic.exe
Token: 34	1824	wmic.exe
Token: 35	1824	wmic.exe
Token: SeIncreaseQuotaPrivilege	1216	wmic.exe
Token: SeSecurityPrivilege	1216	wmic.exe
Token: SeTakeOwnershipPrivilege	1216	wmic.exe
Token: SeLoadDriverPrivilege	1216	wmic.exe
Token: SeSystemProfilePrivilege	1216	wmic.exe
Token: SeSystemtimePrivilege	1216	wmic.exe
Token: SeProfSingleProcessPrivilege	1216	wmic.exe
Token: SeIncBasePriorityPrivilege	1216	wmic.exe
Token: SeCreatePagefilePrivilege	1216	wmic.exe
Token: SeBackupPrivilege	1216	wmic.exe
Token: SeRestorePrivilege	1216	wmic.exe
Token: SeShutdownPrivilege	1216	wmic.exe
Token: SeDebugPrivilege	1216	wmic.exe
Token: SeSystemEnvironmentPrivilege	1216	wmic.exe
Token: SeRemoteShutdownPrivilege	1216	wmic.exe
Token: SeUndockPrivilege	1216	wmic.exe
Token: SeManageVolumePrivilege	1216	wmic.exe
Token: 33	1216	wmic.exe
Token: 34	1216	wmic.exe
Token: 35	1216	wmic.exe
Token: SeIncreaseQuotaPrivilege	768	wmic.exe
Token: SeSecurityPrivilege	768	wmic.exe
Token: SeTakeOwnershipPrivilege	768	wmic.exe
Token: SeLoadDriverPrivilege	768	wmic.exe
Token: SeSystemProfilePrivilege	768	wmic.exe
Token: SeSystemtimePrivilege	768	wmic.exe
Token: SeProfSingleProcessPrivilege	768	wmic.exe
Token: SeIncBasePriorityPrivilege	768	wmic.exe
Token: SeCreatePagefilePrivilege	768	wmic.exe
Token: SeBackupPrivilege	768	wmic.exe
Token: SeRestorePrivilege	768	wmic.exe
Token: SeShutdownPrivilege	768	wmic.exe
Token: SeDebugPrivilege	768	wmic.exe
Token: SeSystemEnvironmentPrivilege	768	wmic.exe
Token: SeRemoteShutdownPrivilege	768	wmic.exe
Token: SeUndockPrivilege	768	wmic.exe
Token: SeManageVolumePrivilege	768	wmic.exe
Token: 33	768	wmic.exe
Token: 34	768	wmic.exe
Token: 35	768	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 368 wrote to memory of 2016	368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe	26
PID 368 wrote to memory of 2016	368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe	26
PID 368 wrote to memory of 2016	368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe	26
PID 368 wrote to memory of 2016	368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe	26
PID 368 wrote to memory of 1824	368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe	29
PID 368 wrote to memory of 1824	368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe	29
PID 368 wrote to memory of 1824	368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe	29
PID 368 wrote to memory of 1824	368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe	29
PID 368 wrote to memory of 332	368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe	32
PID 368 wrote to memory of 332	368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe	32
PID 368 wrote to memory of 332	368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe	32
PID 368 wrote to memory of 332	368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe	32
PID 368 wrote to memory of 1216	368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe	36
PID 368 wrote to memory of 1216	368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe	36
PID 368 wrote to memory of 1216	368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe	36
PID 368 wrote to memory of 1216	368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe	36
PID 368 wrote to memory of 328	368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe	38
PID 368 wrote to memory of 328	368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe	38
PID 368 wrote to memory of 328	368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe	38
PID 368 wrote to memory of 328	368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe	38
PID 368 wrote to memory of 768	368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe	40
PID 368 wrote to memory of 768	368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe	40
PID 368 wrote to memory of 768	368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe	40
PID 368 wrote to memory of 768	368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe	40
PID 1388 wrote to memory of 648	1388	taskeng.exe	45
PID 1388 wrote to memory of 648	1388	taskeng.exe	45
PID 1388 wrote to memory of 648	1388	taskeng.exe	45
PID 1388 wrote to memory of 648	1388	taskeng.exe	45

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe

C:\Users\Admin\AppData\Local\Temp\d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
"C:\Users\Admin\AppData\Local\Temp\d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe"
1⤵
- Modifies extensions of user files
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:368
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:2016
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1824
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:332
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1216
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:328
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:768

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1812

C:\Windows\system32\taskeng.exe
taskeng.exe {C621D963-168A-46A9-88FF-8949DED8D794} S-1-5-21-2513283230-931923277-594887482-1000:MRBKYMNO\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1388
- C:\Users\Admin\AppData\Roaming\svhost.exe
  C:\Users\Admin\AppData\Roaming\svhost.exe
  2⤵
  - Executes dropped EXE
  PID:648