medusalocker | d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532

General

Target

d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
Size

669KB
MD5

45de70c85ece8763c685808eea085df4
SHA1

c9dd5313a661fd17b154ccb17a36e8399fc933a5
SHA256

d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532
SHA512

03a1d922711db1afc0a512151371c9a97a7478578c11591109537b1427aeac8b3ac44aa52c83439afe56e20134fd888bcaee1632f6046ce8edf0d99622fb362d

Score

10^/10

medusalocker evasion ransomware spyware stealer trojan

Malware Config

Signatures

MedusaLocker
Ransomware with several variants first seen in September 2019.
ransomware medusalocker

MedusaLocker Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\svhost.exe	family_medusalocker
C:\Users\Admin\AppData\Roaming\svhost.exe	family_medusalocker

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 1 IoCs

Processes:

svhost.exe

pid process

648 svhost.exe

pid	process
648	svhost.exe

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\PushDebug.tif => C:\Users\Admin\Pictures\PushDebug.tif.Readinstruction	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
File renamed	C:\Users\Admin\Pictures\RepairProtect.png => C:\Users\Admin\Pictures\RepairProtect.png.Readinstruction	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe

description	ioc	process
File opened for modification	\??\Z:\$RECYCLE.BIN\S-1-5-21-2513283230-931923277-594887482-1000\desktop.ini	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe

description	ioc	process
File opened (read-only)	\??\M:	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
File opened (read-only)	\??\Q:	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
File opened (read-only)	\??\X:	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
File opened (read-only)	\??\Y:	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
File opened (read-only)	\??\A:	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
File opened (read-only)	\??\B:	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
File opened (read-only)	\??\E:	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
File opened (read-only)	\??\L:	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
File opened (read-only)	\??\W:	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
File opened (read-only)	\??\J:	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
File opened (read-only)	\??\O:	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
File opened (read-only)	\??\R:	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
File opened (read-only)	\??\V:	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
File opened (read-only)	\??\P:	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
File opened (read-only)	\??\S:	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
File opened (read-only)	\??\T:	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
File opened (read-only)	\??\U:	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
File opened (read-only)	\??\F:	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
File opened (read-only)	\??\H:	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
File opened (read-only)	\??\I:	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
File opened (read-only)	\??\K:	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
File opened (read-only)	\??\Z:	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
File opened (read-only)	\??\G:	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
File opened (read-only)	\??\N:	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exe

pid process

2016 vssadmin.exe
332 vssadmin.exe
328 vssadmin.exe

pid	process
2016	vssadmin.exe
332	vssadmin.exe
328	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe

pid	process
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe

Suspicious use of AdjustPrivilegeToken 63 IoCs

Processes:

vssvc.exewmic.exewmic.exewmic.exe

description	pid	process
Token: SeBackupPrivilege	1812	vssvc.exe
Token: SeRestorePrivilege	1812	vssvc.exe
Token: SeAuditPrivilege	1812	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1824	wmic.exe
Token: SeSecurityPrivilege	1824	wmic.exe
Token: SeTakeOwnershipPrivilege	1824	wmic.exe
Token: SeLoadDriverPrivilege	1824	wmic.exe
Token: SeSystemProfilePrivilege	1824	wmic.exe
Token: SeSystemtimePrivilege	1824	wmic.exe
Token: SeProfSingleProcessPrivilege	1824	wmic.exe
Token: SeIncBasePriorityPrivilege	1824	wmic.exe
Token: SeCreatePagefilePrivilege	1824	wmic.exe
Token: SeBackupPrivilege	1824	wmic.exe
Token: SeRestorePrivilege	1824	wmic.exe
Token: SeShutdownPrivilege	1824	wmic.exe
Token: SeDebugPrivilege	1824	wmic.exe
Token: SeSystemEnvironmentPrivilege	1824	wmic.exe
Token: SeRemoteShutdownPrivilege	1824	wmic.exe
Token: SeUndockPrivilege	1824	wmic.exe
Token: SeManageVolumePrivilege	1824	wmic.exe
Token: 33	1824	wmic.exe
Token: 34	1824	wmic.exe
Token: 35	1824	wmic.exe
Token: SeIncreaseQuotaPrivilege	1216	wmic.exe
Token: SeSecurityPrivilege	1216	wmic.exe
Token: SeTakeOwnershipPrivilege	1216	wmic.exe
Token: SeLoadDriverPrivilege	1216	wmic.exe
Token: SeSystemProfilePrivilege	1216	wmic.exe
Token: SeSystemtimePrivilege	1216	wmic.exe
Token: SeProfSingleProcessPrivilege	1216	wmic.exe
Token: SeIncBasePriorityPrivilege	1216	wmic.exe
Token: SeCreatePagefilePrivilege	1216	wmic.exe
Token: SeBackupPrivilege	1216	wmic.exe
Token: SeRestorePrivilege	1216	wmic.exe
Token: SeShutdownPrivilege	1216	wmic.exe
Token: SeDebugPrivilege	1216	wmic.exe
Token: SeSystemEnvironmentPrivilege	1216	wmic.exe
Token: SeRemoteShutdownPrivilege	1216	wmic.exe
Token: SeUndockPrivilege	1216	wmic.exe
Token: SeManageVolumePrivilege	1216	wmic.exe
Token: 33	1216	wmic.exe
Token: 34	1216	wmic.exe
Token: 35	1216	wmic.exe
Token: SeIncreaseQuotaPrivilege	768	wmic.exe
Token: SeSecurityPrivilege	768	wmic.exe
Token: SeTakeOwnershipPrivilege	768	wmic.exe
Token: SeLoadDriverPrivilege	768	wmic.exe
Token: SeSystemProfilePrivilege	768	wmic.exe
Token: SeSystemtimePrivilege	768	wmic.exe
Token: SeProfSingleProcessPrivilege	768	wmic.exe
Token: SeIncBasePriorityPrivilege	768	wmic.exe
Token: SeCreatePagefilePrivilege	768	wmic.exe
Token: SeBackupPrivilege	768	wmic.exe
Token: SeRestorePrivilege	768	wmic.exe
Token: SeShutdownPrivilege	768	wmic.exe
Token: SeDebugPrivilege	768	wmic.exe
Token: SeSystemEnvironmentPrivilege	768	wmic.exe
Token: SeRemoteShutdownPrivilege	768	wmic.exe
Token: SeUndockPrivilege	768	wmic.exe
Token: SeManageVolumePrivilege	768	wmic.exe
Token: 33	768	wmic.exe
Token: 34	768	wmic.exe
Token: 35	768	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exetaskeng.exe

description	pid	process	target process
PID 368 wrote to memory of 2016	368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe	vssadmin.exe
PID 368 wrote to memory of 2016	368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe	vssadmin.exe
PID 368 wrote to memory of 2016	368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe	vssadmin.exe
PID 368 wrote to memory of 2016	368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe	vssadmin.exe
PID 368 wrote to memory of 1824	368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe	wmic.exe
PID 368 wrote to memory of 1824	368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe	wmic.exe
PID 368 wrote to memory of 1824	368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe	wmic.exe
PID 368 wrote to memory of 1824	368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe	wmic.exe
PID 368 wrote to memory of 332	368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe	vssadmin.exe
PID 368 wrote to memory of 332	368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe	vssadmin.exe
PID 368 wrote to memory of 332	368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe	vssadmin.exe
PID 368 wrote to memory of 332	368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe	vssadmin.exe
PID 368 wrote to memory of 1216	368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe	wmic.exe
PID 368 wrote to memory of 1216	368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe	wmic.exe
PID 368 wrote to memory of 1216	368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe	wmic.exe
PID 368 wrote to memory of 1216	368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe	wmic.exe
PID 368 wrote to memory of 328	368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe	vssadmin.exe
PID 368 wrote to memory of 328	368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe	vssadmin.exe
PID 368 wrote to memory of 328	368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe	vssadmin.exe
PID 368 wrote to memory of 328	368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe	vssadmin.exe
PID 368 wrote to memory of 768	368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe	wmic.exe
PID 368 wrote to memory of 768	368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe	wmic.exe
PID 368 wrote to memory of 768	368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe	wmic.exe
PID 368 wrote to memory of 768	368	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe	wmic.exe
PID 1388 wrote to memory of 648	1388	taskeng.exe	svhost.exe
PID 1388 wrote to memory of 648	1388	taskeng.exe	svhost.exe
PID 1388 wrote to memory of 648	1388	taskeng.exe	svhost.exe
PID 1388 wrote to memory of 648	1388	taskeng.exe	svhost.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe

C:\Users\Admin\AppData\Local\Temp\d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
"C:\Users\Admin\AppData\Local\Temp\d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe"
1⤵
- Modifies extensions of user files
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:368

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
2⤵
- Interacts with shadow copies
PID:2016

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1824

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
2⤵
- Interacts with shadow copies
PID:332

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1216

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
2⤵
- Interacts with shadow copies
PID:328

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:768

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1812

C:\Windows\system32\taskeng.exe
taskeng.exe {C621D963-168A-46A9-88FF-8949DED8D794} S-1-5-21-2513283230-931923277-594887482-1000:MRBKYMNO\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1388

C:\Users\Admin\AppData\Roaming\svhost.exe
C:\Users\Admin\AppData\Roaming\svhost.exe
2⤵
- Executes dropped EXE
PID:648

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

1

T1089

Modify Registry

2

T1112

File Deletion

2

T1107

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

3

T1082

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\svhost.exe
MD5
45de70c85ece8763c685808eea085df4

SHA1
c9dd5313a661fd17b154ccb17a36e8399fc933a5

SHA256
d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532

SHA512
03a1d922711db1afc0a512151371c9a97a7478578c11591109537b1427aeac8b3ac44aa52c83439afe56e20134fd888bcaee1632f6046ce8edf0d99622fb362d

Download Submit
C:\Users\Admin\AppData\Roaming\svhost.exe
MD5
45de70c85ece8763c685808eea085df4

SHA1
c9dd5313a661fd17b154ccb17a36e8399fc933a5

SHA256
d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532

SHA512
03a1d922711db1afc0a512151371c9a97a7478578c11591109537b1427aeac8b3ac44aa52c83439afe56e20134fd888bcaee1632f6046ce8edf0d99622fb362d

Download Submit
memory/328-64-0x0000000000000000-mapping.dmp

Download
memory/332-62-0x0000000000000000-mapping.dmp

Download
memory/368-59-0x0000000076661000-0x0000000076663000-memory.dmp

Filesize
8KB

Download
memory/648-67-0x0000000000000000-mapping.dmp

Download
memory/768-65-0x0000000000000000-mapping.dmp

Download
memory/1216-63-0x0000000000000000-mapping.dmp

Download
memory/1824-61-0x0000000000000000-mapping.dmp

Download
memory/2016-60-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads