medusalocker | d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532

General

Target

d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
Size

669KB
MD5

45de70c85ece8763c685808eea085df4
SHA1

c9dd5313a661fd17b154ccb17a36e8399fc933a5
SHA256

d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532
SHA512

03a1d922711db1afc0a512151371c9a97a7478578c11591109537b1427aeac8b3ac44aa52c83439afe56e20134fd888bcaee1632f6046ce8edf0d99622fb362d

Score

10^/10

medusalocker evasion ransomware spyware stealer trojan

Malware Config

Signatures

MedusaLocker
Ransomware with several variants first seen in September 2019.
ransomware medusalocker
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 7 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\PopConvert.raw => C:\Users\Admin\Pictures\PopConvert.raw.Readinstruction	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
File renamed	C:\Users\Admin\Pictures\ResumeWrite.crw => C:\Users\Admin\Pictures\ResumeWrite.crw.Readinstruction	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
File renamed	C:\Users\Admin\Pictures\WriteSave.crw => C:\Users\Admin\Pictures\WriteSave.crw.Readinstruction	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
File renamed	C:\Users\Admin\Pictures\DebugMeasure.png => C:\Users\Admin\Pictures\DebugMeasure.png.Readinstruction	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
File renamed	C:\Users\Admin\Pictures\ExpandComplete.png => C:\Users\Admin\Pictures\ExpandComplete.png.Readinstruction	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
File renamed	C:\Users\Admin\Pictures\InitializeResolve.raw => C:\Users\Admin\Pictures\InitializeResolve.raw.Readinstruction	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
File renamed	C:\Users\Admin\Pictures\OutLimit.tif => C:\Users\Admin\Pictures\OutLimit.tif.Readinstruction	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe

description	ioc	process
File opened for modification	\??\Z:\$RECYCLE.BIN\S-1-5-21-1594587808-2047097707-2163810515-1000\desktop.ini	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe

description	ioc	process
File opened (read-only)	\??\E:	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
File opened (read-only)	\??\I:	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
File opened (read-only)	\??\O:	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
File opened (read-only)	\??\P:	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
File opened (read-only)	\??\Z:	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
File opened (read-only)	\??\B:	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
File opened (read-only)	\??\K:	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
File opened (read-only)	\??\Q:	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
File opened (read-only)	\??\X:	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
File opened (read-only)	\??\A:	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
File opened (read-only)	\??\F:	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
File opened (read-only)	\??\G:	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
File opened (read-only)	\??\L:	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
File opened (read-only)	\??\V:	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
File opened (read-only)	\??\S:	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
File opened (read-only)	\??\T:	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
File opened (read-only)	\??\U:	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
File opened (read-only)	\??\H:	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
File opened (read-only)	\??\J:	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
File opened (read-only)	\??\M:	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
File opened (read-only)	\??\N:	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
File opened (read-only)	\??\R:	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
File opened (read-only)	\??\W:	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
File opened (read-only)	\??\Y:	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exe

pid process

2784 vssadmin.exe
4092 vssadmin.exe
3876 vssadmin.exe

pid	process
2784	vssadmin.exe
4092	vssadmin.exe
3876	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe

pid	process
652	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
652	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
652	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
652	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
652	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
652	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
652	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
652	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
652	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
652	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
652	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
652	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
652	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
652	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
652	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
652	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
652	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
652	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
652	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
652	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
652	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
652	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
652	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
652	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
652	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
652	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
652	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
652	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
652	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
652	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
652	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
652	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
652	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
652	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
652	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
652	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
652	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
652	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
652	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
652	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
652	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
652	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
652	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
652	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
652	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
652	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
652	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
652	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
652	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
652	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
652	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
652	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
652	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
652	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
652	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
652	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
652	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
652	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
652	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
652	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
652	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
652	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
652	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
652	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

vssvc.exewmic.exewmic.exewmic.exe

description	pid	process
Token: SeBackupPrivilege	2536	vssvc.exe
Token: SeRestorePrivilege	2536	vssvc.exe
Token: SeAuditPrivilege	2536	vssvc.exe
Token: SeIncreaseQuotaPrivilege	212	wmic.exe
Token: SeSecurityPrivilege	212	wmic.exe
Token: SeTakeOwnershipPrivilege	212	wmic.exe
Token: SeLoadDriverPrivilege	212	wmic.exe
Token: SeSystemProfilePrivilege	212	wmic.exe
Token: SeSystemtimePrivilege	212	wmic.exe
Token: SeProfSingleProcessPrivilege	212	wmic.exe
Token: SeIncBasePriorityPrivilege	212	wmic.exe
Token: SeCreatePagefilePrivilege	212	wmic.exe
Token: SeBackupPrivilege	212	wmic.exe
Token: SeRestorePrivilege	212	wmic.exe
Token: SeShutdownPrivilege	212	wmic.exe
Token: SeDebugPrivilege	212	wmic.exe
Token: SeSystemEnvironmentPrivilege	212	wmic.exe
Token: SeRemoteShutdownPrivilege	212	wmic.exe
Token: SeUndockPrivilege	212	wmic.exe
Token: SeManageVolumePrivilege	212	wmic.exe
Token: 33	212	wmic.exe
Token: 34	212	wmic.exe
Token: 35	212	wmic.exe
Token: 36	212	wmic.exe
Token: SeIncreaseQuotaPrivilege	3680	wmic.exe
Token: SeSecurityPrivilege	3680	wmic.exe
Token: SeTakeOwnershipPrivilege	3680	wmic.exe
Token: SeLoadDriverPrivilege	3680	wmic.exe
Token: SeSystemProfilePrivilege	3680	wmic.exe
Token: SeSystemtimePrivilege	3680	wmic.exe
Token: SeProfSingleProcessPrivilege	3680	wmic.exe
Token: SeIncBasePriorityPrivilege	3680	wmic.exe
Token: SeCreatePagefilePrivilege	3680	wmic.exe
Token: SeBackupPrivilege	3680	wmic.exe
Token: SeRestorePrivilege	3680	wmic.exe
Token: SeShutdownPrivilege	3680	wmic.exe
Token: SeDebugPrivilege	3680	wmic.exe
Token: SeSystemEnvironmentPrivilege	3680	wmic.exe
Token: SeRemoteShutdownPrivilege	3680	wmic.exe
Token: SeUndockPrivilege	3680	wmic.exe
Token: SeManageVolumePrivilege	3680	wmic.exe
Token: 33	3680	wmic.exe
Token: 34	3680	wmic.exe
Token: 35	3680	wmic.exe
Token: 36	3680	wmic.exe
Token: SeIncreaseQuotaPrivilege	3872	wmic.exe
Token: SeSecurityPrivilege	3872	wmic.exe
Token: SeTakeOwnershipPrivilege	3872	wmic.exe
Token: SeLoadDriverPrivilege	3872	wmic.exe
Token: SeSystemProfilePrivilege	3872	wmic.exe
Token: SeSystemtimePrivilege	3872	wmic.exe
Token: SeProfSingleProcessPrivilege	3872	wmic.exe
Token: SeIncBasePriorityPrivilege	3872	wmic.exe
Token: SeCreatePagefilePrivilege	3872	wmic.exe
Token: SeBackupPrivilege	3872	wmic.exe
Token: SeRestorePrivilege	3872	wmic.exe
Token: SeShutdownPrivilege	3872	wmic.exe
Token: SeDebugPrivilege	3872	wmic.exe
Token: SeSystemEnvironmentPrivilege	3872	wmic.exe
Token: SeRemoteShutdownPrivilege	3872	wmic.exe
Token: SeUndockPrivilege	3872	wmic.exe
Token: SeManageVolumePrivilege	3872	wmic.exe
Token: 33	3872	wmic.exe
Token: 34	3872	wmic.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe

description	pid	process	target process
PID 652 wrote to memory of 2784	652	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe	vssadmin.exe
PID 652 wrote to memory of 2784	652	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe	vssadmin.exe
PID 652 wrote to memory of 2784	652	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe	vssadmin.exe
PID 652 wrote to memory of 212	652	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe	wmic.exe
PID 652 wrote to memory of 212	652	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe	wmic.exe
PID 652 wrote to memory of 212	652	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe	wmic.exe
PID 652 wrote to memory of 4092	652	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe	vssadmin.exe
PID 652 wrote to memory of 4092	652	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe	vssadmin.exe
PID 652 wrote to memory of 4092	652	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe	vssadmin.exe
PID 652 wrote to memory of 3680	652	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe	wmic.exe
PID 652 wrote to memory of 3680	652	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe	wmic.exe
PID 652 wrote to memory of 3680	652	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe	wmic.exe
PID 652 wrote to memory of 3876	652	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe	vssadmin.exe
PID 652 wrote to memory of 3876	652	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe	vssadmin.exe
PID 652 wrote to memory of 3876	652	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe	vssadmin.exe
PID 652 wrote to memory of 3872	652	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe	wmic.exe
PID 652 wrote to memory of 3872	652	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe	wmic.exe
PID 652 wrote to memory of 3872	652	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe	wmic.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe

C:\Users\Admin\AppData\Local\Temp\d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe
"C:\Users\Admin\AppData\Local\Temp\d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532.bin.exe"
1⤵
- Modifies extensions of user files
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:652
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:2784
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:212
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:4092
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3680
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:3876
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3872