medusalocker | 461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078

General

Target

461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
Size

669KB
MD5

6da9c76a6e319c17f1d39e0ae2eaf2af
SHA1

d8743d22c816de1b1807a64d2bdde6baea838cd0
SHA256

461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078
SHA512

70c3e123f887556ac42bb58d730b59d8d2df1cca4d3e895f79fb6cfa5c1a63a64d46bc6fdc23c711be7b966aaf80d2fb7e83f52bdf4c096cbc946f5a6c976db0

Score

10^/10

medusalocker evasion ransomware spyware stealer trojan

Malware Config

Signatures

MedusaLocker
Ransomware with several variants first seen in September 2019.
ransomware medusalocker

MedusaLocker Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\svhost.exe	family_medusalocker
C:\Users\Admin\AppData\Roaming\svhost.exe	family_medusalocker

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 1 IoCs

Processes:

svhost.exe

pid process

1064 svhost.exe

pid	process
1064	svhost.exe

Modifies extensions of user files 15 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\ExpandSuspend.crw => C:\Users\Admin\Pictures\ExpandSuspend.crw.L54	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
File renamed	C:\Users\Admin\Pictures\FindDebug.crw => C:\Users\Admin\Pictures\FindDebug.crw.L54	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
File opened for modification	C:\Users\Admin\Pictures\SubmitSuspend.tiff	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
File renamed	C:\Users\Admin\Pictures\UseFind.raw => C:\Users\Admin\Pictures\UseFind.raw.L54	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
File renamed	C:\Users\Admin\Pictures\AssertPush.png => C:\Users\Admin\Pictures\AssertPush.png.L54	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
File renamed	C:\Users\Admin\Pictures\BackupEdit.tiff => C:\Users\Admin\Pictures\BackupEdit.tiff.L54	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
File renamed	C:\Users\Admin\Pictures\CheckpointRestart.crw => C:\Users\Admin\Pictures\CheckpointRestart.crw.L54	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
File renamed	C:\Users\Admin\Pictures\CompleteRemove.tif => C:\Users\Admin\Pictures\CompleteRemove.tif.L54	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
File renamed	C:\Users\Admin\Pictures\DisableSuspend.tif => C:\Users\Admin\Pictures\DisableSuspend.tif.L54	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
File renamed	C:\Users\Admin\Pictures\InstallStop.crw => C:\Users\Admin\Pictures\InstallStop.crw.L54	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
File renamed	C:\Users\Admin\Pictures\SubmitSuspend.tiff => C:\Users\Admin\Pictures\SubmitSuspend.tiff.L54	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
File opened for modification	C:\Users\Admin\Pictures\BackupEdit.tiff	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
File renamed	C:\Users\Admin\Pictures\CloseUnblock.raw => C:\Users\Admin\Pictures\CloseUnblock.raw.L54	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
File renamed	C:\Users\Admin\Pictures\EnterRevoke.crw => C:\Users\Admin\Pictures\EnterRevoke.crw.L54	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
File renamed	C:\Users\Admin\Pictures\StartUse.tif => C:\Users\Admin\Pictures\StartUse.tif.L54	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe

description	ioc	process
File opened for modification	\??\Z:\$RECYCLE.BIN\S-1-5-21-2455352368-1077083310-2879168483-1000\desktop.ini	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe

description	ioc	process
File opened (read-only)	\??\M:	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
File opened (read-only)	\??\S:	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
File opened (read-only)	\??\B:	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
File opened (read-only)	\??\L:	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
File opened (read-only)	\??\I:	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
File opened (read-only)	\??\Z:	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
File opened (read-only)	\??\A:	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
File opened (read-only)	\??\F:	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
File opened (read-only)	\??\J:	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
File opened (read-only)	\??\K:	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
File opened (read-only)	\??\N:	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
File opened (read-only)	\??\O:	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
File opened (read-only)	\??\U:	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
File opened (read-only)	\??\W:	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
File opened (read-only)	\??\G:	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
File opened (read-only)	\??\H:	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
File opened (read-only)	\??\Q:	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
File opened (read-only)	\??\R:	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
File opened (read-only)	\??\T:	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
File opened (read-only)	\??\V:	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
File opened (read-only)	\??\X:	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
File opened (read-only)	\??\Y:	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
File opened (read-only)	\??\E:	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
File opened (read-only)	\??\P:	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exe

pid process

1344 vssadmin.exe
1084 vssadmin.exe
1268 vssadmin.exe

pid	process
1344	vssadmin.exe
1084	vssadmin.exe
1268	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe

pid	process
1100	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
1100	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
1100	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
1100	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
1100	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
1100	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
1100	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
1100	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
1100	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
1100	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
1100	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
1100	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
1100	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
1100	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
1100	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
1100	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
1100	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
1100	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
1100	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
1100	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
1100	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
1100	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
1100	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
1100	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
1100	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
1100	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
1100	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
1100	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
1100	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
1100	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
1100	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
1100	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
1100	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
1100	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
1100	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
1100	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
1100	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
1100	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
1100	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
1100	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
1100	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
1100	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
1100	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
1100	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
1100	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
1100	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
1100	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
1100	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
1100	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
1100	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
1100	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
1100	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
1100	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
1100	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
1100	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
1100	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
1100	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
1100	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
1100	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
1100	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
1100	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
1100	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
1100	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
1100	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe

Suspicious use of AdjustPrivilegeToken 63 IoCs

Processes:

vssvc.exewmic.exewmic.exewmic.exe

description	pid	process
Token: SeBackupPrivilege	1704	vssvc.exe
Token: SeRestorePrivilege	1704	vssvc.exe
Token: SeAuditPrivilege	1704	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1732	wmic.exe
Token: SeSecurityPrivilege	1732	wmic.exe
Token: SeTakeOwnershipPrivilege	1732	wmic.exe
Token: SeLoadDriverPrivilege	1732	wmic.exe
Token: SeSystemProfilePrivilege	1732	wmic.exe
Token: SeSystemtimePrivilege	1732	wmic.exe
Token: SeProfSingleProcessPrivilege	1732	wmic.exe
Token: SeIncBasePriorityPrivilege	1732	wmic.exe
Token: SeCreatePagefilePrivilege	1732	wmic.exe
Token: SeBackupPrivilege	1732	wmic.exe
Token: SeRestorePrivilege	1732	wmic.exe
Token: SeShutdownPrivilege	1732	wmic.exe
Token: SeDebugPrivilege	1732	wmic.exe
Token: SeSystemEnvironmentPrivilege	1732	wmic.exe
Token: SeRemoteShutdownPrivilege	1732	wmic.exe
Token: SeUndockPrivilege	1732	wmic.exe
Token: SeManageVolumePrivilege	1732	wmic.exe
Token: 33	1732	wmic.exe
Token: 34	1732	wmic.exe
Token: 35	1732	wmic.exe
Token: SeIncreaseQuotaPrivilege	1880	wmic.exe
Token: SeSecurityPrivilege	1880	wmic.exe
Token: SeTakeOwnershipPrivilege	1880	wmic.exe
Token: SeLoadDriverPrivilege	1880	wmic.exe
Token: SeSystemProfilePrivilege	1880	wmic.exe
Token: SeSystemtimePrivilege	1880	wmic.exe
Token: SeProfSingleProcessPrivilege	1880	wmic.exe
Token: SeIncBasePriorityPrivilege	1880	wmic.exe
Token: SeCreatePagefilePrivilege	1880	wmic.exe
Token: SeBackupPrivilege	1880	wmic.exe
Token: SeRestorePrivilege	1880	wmic.exe
Token: SeShutdownPrivilege	1880	wmic.exe
Token: SeDebugPrivilege	1880	wmic.exe
Token: SeSystemEnvironmentPrivilege	1880	wmic.exe
Token: SeRemoteShutdownPrivilege	1880	wmic.exe
Token: SeUndockPrivilege	1880	wmic.exe
Token: SeManageVolumePrivilege	1880	wmic.exe
Token: 33	1880	wmic.exe
Token: 34	1880	wmic.exe
Token: 35	1880	wmic.exe
Token: SeIncreaseQuotaPrivilege	1144	wmic.exe
Token: SeSecurityPrivilege	1144	wmic.exe
Token: SeTakeOwnershipPrivilege	1144	wmic.exe
Token: SeLoadDriverPrivilege	1144	wmic.exe
Token: SeSystemProfilePrivilege	1144	wmic.exe
Token: SeSystemtimePrivilege	1144	wmic.exe
Token: SeProfSingleProcessPrivilege	1144	wmic.exe
Token: SeIncBasePriorityPrivilege	1144	wmic.exe
Token: SeCreatePagefilePrivilege	1144	wmic.exe
Token: SeBackupPrivilege	1144	wmic.exe
Token: SeRestorePrivilege	1144	wmic.exe
Token: SeShutdownPrivilege	1144	wmic.exe
Token: SeDebugPrivilege	1144	wmic.exe
Token: SeSystemEnvironmentPrivilege	1144	wmic.exe
Token: SeRemoteShutdownPrivilege	1144	wmic.exe
Token: SeUndockPrivilege	1144	wmic.exe
Token: SeManageVolumePrivilege	1144	wmic.exe
Token: 33	1144	wmic.exe
Token: 34	1144	wmic.exe
Token: 35	1144	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exetaskeng.exe

description	pid	process	target process
PID 1100 wrote to memory of 1344	1100	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe	vssadmin.exe
PID 1100 wrote to memory of 1344	1100	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe	vssadmin.exe
PID 1100 wrote to memory of 1344	1100	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe	vssadmin.exe
PID 1100 wrote to memory of 1344	1100	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe	vssadmin.exe
PID 1100 wrote to memory of 1732	1100	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe	wmic.exe
PID 1100 wrote to memory of 1732	1100	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe	wmic.exe
PID 1100 wrote to memory of 1732	1100	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe	wmic.exe
PID 1100 wrote to memory of 1732	1100	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe	wmic.exe
PID 1100 wrote to memory of 1084	1100	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe	vssadmin.exe
PID 1100 wrote to memory of 1084	1100	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe	vssadmin.exe
PID 1100 wrote to memory of 1084	1100	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe	vssadmin.exe
PID 1100 wrote to memory of 1084	1100	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe	vssadmin.exe
PID 1100 wrote to memory of 1880	1100	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe	wmic.exe
PID 1100 wrote to memory of 1880	1100	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe	wmic.exe
PID 1100 wrote to memory of 1880	1100	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe	wmic.exe
PID 1100 wrote to memory of 1880	1100	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe	wmic.exe
PID 1100 wrote to memory of 1268	1100	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe	vssadmin.exe
PID 1100 wrote to memory of 1268	1100	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe	vssadmin.exe
PID 1100 wrote to memory of 1268	1100	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe	vssadmin.exe
PID 1100 wrote to memory of 1268	1100	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe	vssadmin.exe
PID 1100 wrote to memory of 1144	1100	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe	wmic.exe
PID 1100 wrote to memory of 1144	1100	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe	wmic.exe
PID 1100 wrote to memory of 1144	1100	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe	wmic.exe
PID 1100 wrote to memory of 1144	1100	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe	wmic.exe
PID 1400 wrote to memory of 1064	1400	taskeng.exe	svhost.exe
PID 1400 wrote to memory of 1064	1400	taskeng.exe	svhost.exe
PID 1400 wrote to memory of 1064	1400	taskeng.exe	svhost.exe
PID 1400 wrote to memory of 1064	1400	taskeng.exe	svhost.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe

C:\Users\Admin\AppData\Local\Temp\461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe
"C:\Users\Admin\AppData\Local\Temp\461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078.bin.exe"
1⤵
- Modifies extensions of user files
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1100

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
2⤵
- Interacts with shadow copies
PID:1344

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1732

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
2⤵
- Interacts with shadow copies
PID:1084

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1880

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
2⤵
- Interacts with shadow copies
PID:1268

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1144

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1704

C:\Windows\system32\taskeng.exe
taskeng.exe {B35D30AF-A1F2-4DDC-A049-CD41CDAB0E2B} S-1-5-21-2455352368-1077083310-2879168483-1000:QWOCTUPM\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1400

C:\Users\Admin\AppData\Roaming\svhost.exe
C:\Users\Admin\AppData\Roaming\svhost.exe
2⤵
- Executes dropped EXE
PID:1064

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

1

T1089

Modify Registry

2

T1112

File Deletion

2

T1107

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

3

T1082

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\svhost.exe
MD5
6da9c76a6e319c17f1d39e0ae2eaf2af

SHA1
d8743d22c816de1b1807a64d2bdde6baea838cd0

SHA256
461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078

SHA512
70c3e123f887556ac42bb58d730b59d8d2df1cca4d3e895f79fb6cfa5c1a63a64d46bc6fdc23c711be7b966aaf80d2fb7e83f52bdf4c096cbc946f5a6c976db0

Download Submit
C:\Users\Admin\AppData\Roaming\svhost.exe
MD5
6da9c76a6e319c17f1d39e0ae2eaf2af

SHA1
d8743d22c816de1b1807a64d2bdde6baea838cd0

SHA256
461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078

SHA512
70c3e123f887556ac42bb58d730b59d8d2df1cca4d3e895f79fb6cfa5c1a63a64d46bc6fdc23c711be7b966aaf80d2fb7e83f52bdf4c096cbc946f5a6c976db0

Download Submit
memory/1064-68-0x0000000000000000-mapping.dmp

Download
memory/1084-63-0x0000000000000000-mapping.dmp

Download
memory/1100-60-0x0000000075B31000-0x0000000075B33000-memory.dmp

Filesize
8KB

Download
memory/1144-66-0x0000000000000000-mapping.dmp

Download
memory/1268-65-0x0000000000000000-mapping.dmp

Download
memory/1344-61-0x0000000000000000-mapping.dmp

Download
memory/1732-62-0x0000000000000000-mapping.dmp

Download
memory/1880-64-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads