Analysis
-
max time kernel
146s -
max time network
128s -
platform
windows7_x64 -
resource
win7-en-20211014 -
submitted
20-10-2021 09:40
Static task
static1
Behavioral task
behavioral1
Sample
B.exe
Resource
win7-en-20211014
Behavioral task
behavioral2
Sample
B.exe
Resource
win10-en-20210920
Behavioral task
behavioral3
Sample
Build.exe
Resource
win7-en-20211014
Behavioral task
behavioral4
Sample
Build.exe
Resource
win10-en-20210920
Behavioral task
behavioral5
Sample
READ.exe
Resource
win7-en-20211014
Behavioral task
behavioral6
Sample
READ.exe
Resource
win10-en-20210920
Behavioral task
behavioral7
Sample
rb.exe
Resource
win7-en-20211014
Behavioral task
behavioral8
Sample
rb.exe
Resource
win10-en-20210920
General
-
Target
B.exe
-
Size
669KB
-
MD5
c17b2c3980926b02136c0a5fb5dfdaa3
-
SHA1
938eb1b7f1d985d134957443d4c43ad551727b89
-
SHA256
4d2b250eb1691bd116eb0004a6b4526afe62631551d6d31d4da482ab5ec3b021
-
SHA512
f770b1dfd74e58ff9d67f0e91ac070e92251598efc45863acf827098cc52f2868c7e2698fd5b0a3a178ea1d1446d32882dfd0601526dbfb27df1251d76c5881b
Malware Config
Extracted
\??\Z:\Boot\HOW_TO_RECOVER_DATA.html
href="behappy123456@cock.li
">behappy123456@cock.li
href="chinchoppa2299gayspilsss@yopmail.com">chinchoppa2299gayspilsss@yopmail.com</a>
Signatures
-
MedusaLocker
Ransomware with several variants first seen in September 2019.
-
MedusaLocker Payload 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Roaming\svhost.exe family_medusalocker C:\Users\Admin\AppData\Roaming\svhost.exe family_medusalocker -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 1 IoCs
Processes:
svhost.exepid process 884 svhost.exe -
Modifies extensions of user files 3 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
B.exedescription ioc process File renamed C:\Users\Admin\Pictures\MountDeny.raw => C:\Users\Admin\Pictures\MountDeny.raw.bbuild B.exe File renamed C:\Users\Admin\Pictures\SyncRestore.crw => C:\Users\Admin\Pictures\SyncRestore.crw.bbuild B.exe File renamed C:\Users\Admin\Pictures\UseRevoke.crw => C:\Users\Admin\Pictures\UseRevoke.crw.bbuild B.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
B.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" B.exe -
Drops desktop.ini file(s) 1 IoCs
Processes:
B.exedescription ioc process File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-2955169046-2371869340-1800780948-1000\desktop.ini B.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
B.exedescription ioc process File opened (read-only) \??\F: B.exe File opened (read-only) \??\N: B.exe File opened (read-only) \??\O: B.exe File opened (read-only) \??\Q: B.exe File opened (read-only) \??\T: B.exe File opened (read-only) \??\U: B.exe File opened (read-only) \??\V: B.exe File opened (read-only) \??\A: B.exe File opened (read-only) \??\I: B.exe File opened (read-only) \??\J: B.exe File opened (read-only) \??\P: B.exe File opened (read-only) \??\S: B.exe File opened (read-only) \??\X: B.exe File opened (read-only) \??\B: B.exe File opened (read-only) \??\E: B.exe File opened (read-only) \??\G: B.exe File opened (read-only) \??\K: B.exe File opened (read-only) \??\W: B.exe File opened (read-only) \??\Y: B.exe File opened (read-only) \??\Z: B.exe File opened (read-only) \??\H: B.exe File opened (read-only) \??\L: B.exe File opened (read-only) \??\M: B.exe File opened (read-only) \??\R: B.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exevssadmin.exevssadmin.exepid process 1748 vssadmin.exe 1436 vssadmin.exe 1448 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
B.exepid process 1336 B.exe 1336 B.exe 1336 B.exe 1336 B.exe 1336 B.exe 1336 B.exe 1336 B.exe 1336 B.exe 1336 B.exe 1336 B.exe 1336 B.exe 1336 B.exe 1336 B.exe 1336 B.exe 1336 B.exe 1336 B.exe 1336 B.exe 1336 B.exe 1336 B.exe 1336 B.exe 1336 B.exe 1336 B.exe 1336 B.exe 1336 B.exe 1336 B.exe 1336 B.exe 1336 B.exe 1336 B.exe 1336 B.exe 1336 B.exe 1336 B.exe 1336 B.exe 1336 B.exe 1336 B.exe 1336 B.exe 1336 B.exe 1336 B.exe 1336 B.exe 1336 B.exe 1336 B.exe 1336 B.exe 1336 B.exe 1336 B.exe 1336 B.exe 1336 B.exe 1336 B.exe 1336 B.exe 1336 B.exe 1336 B.exe 1336 B.exe 1336 B.exe 1336 B.exe 1336 B.exe 1336 B.exe 1336 B.exe 1336 B.exe 1336 B.exe 1336 B.exe 1336 B.exe 1336 B.exe 1336 B.exe 1336 B.exe 1336 B.exe 1336 B.exe -
Suspicious use of AdjustPrivilegeToken 63 IoCs
Processes:
vssvc.exewmic.exewmic.exewmic.exedescription pid process Token: SeBackupPrivilege 864 vssvc.exe Token: SeRestorePrivilege 864 vssvc.exe Token: SeAuditPrivilege 864 vssvc.exe Token: SeIncreaseQuotaPrivilege 804 wmic.exe Token: SeSecurityPrivilege 804 wmic.exe Token: SeTakeOwnershipPrivilege 804 wmic.exe Token: SeLoadDriverPrivilege 804 wmic.exe Token: SeSystemProfilePrivilege 804 wmic.exe Token: SeSystemtimePrivilege 804 wmic.exe Token: SeProfSingleProcessPrivilege 804 wmic.exe Token: SeIncBasePriorityPrivilege 804 wmic.exe Token: SeCreatePagefilePrivilege 804 wmic.exe Token: SeBackupPrivilege 804 wmic.exe Token: SeRestorePrivilege 804 wmic.exe Token: SeShutdownPrivilege 804 wmic.exe Token: SeDebugPrivilege 804 wmic.exe Token: SeSystemEnvironmentPrivilege 804 wmic.exe Token: SeRemoteShutdownPrivilege 804 wmic.exe Token: SeUndockPrivilege 804 wmic.exe Token: SeManageVolumePrivilege 804 wmic.exe Token: 33 804 wmic.exe Token: 34 804 wmic.exe Token: 35 804 wmic.exe Token: SeIncreaseQuotaPrivilege 960 wmic.exe Token: SeSecurityPrivilege 960 wmic.exe Token: SeTakeOwnershipPrivilege 960 wmic.exe Token: SeLoadDriverPrivilege 960 wmic.exe Token: SeSystemProfilePrivilege 960 wmic.exe Token: SeSystemtimePrivilege 960 wmic.exe Token: SeProfSingleProcessPrivilege 960 wmic.exe Token: SeIncBasePriorityPrivilege 960 wmic.exe Token: SeCreatePagefilePrivilege 960 wmic.exe Token: SeBackupPrivilege 960 wmic.exe Token: SeRestorePrivilege 960 wmic.exe Token: SeShutdownPrivilege 960 wmic.exe Token: SeDebugPrivilege 960 wmic.exe Token: SeSystemEnvironmentPrivilege 960 wmic.exe Token: SeRemoteShutdownPrivilege 960 wmic.exe Token: SeUndockPrivilege 960 wmic.exe Token: SeManageVolumePrivilege 960 wmic.exe Token: 33 960 wmic.exe Token: 34 960 wmic.exe Token: 35 960 wmic.exe Token: SeIncreaseQuotaPrivilege 1064 wmic.exe Token: SeSecurityPrivilege 1064 wmic.exe Token: SeTakeOwnershipPrivilege 1064 wmic.exe Token: SeLoadDriverPrivilege 1064 wmic.exe Token: SeSystemProfilePrivilege 1064 wmic.exe Token: SeSystemtimePrivilege 1064 wmic.exe Token: SeProfSingleProcessPrivilege 1064 wmic.exe Token: SeIncBasePriorityPrivilege 1064 wmic.exe Token: SeCreatePagefilePrivilege 1064 wmic.exe Token: SeBackupPrivilege 1064 wmic.exe Token: SeRestorePrivilege 1064 wmic.exe Token: SeShutdownPrivilege 1064 wmic.exe Token: SeDebugPrivilege 1064 wmic.exe Token: SeSystemEnvironmentPrivilege 1064 wmic.exe Token: SeRemoteShutdownPrivilege 1064 wmic.exe Token: SeUndockPrivilege 1064 wmic.exe Token: SeManageVolumePrivilege 1064 wmic.exe Token: 33 1064 wmic.exe Token: 34 1064 wmic.exe Token: 35 1064 wmic.exe -
Suspicious use of WriteProcessMemory 28 IoCs
Processes:
B.exetaskeng.exedescription pid process target process PID 1336 wrote to memory of 1748 1336 B.exe vssadmin.exe PID 1336 wrote to memory of 1748 1336 B.exe vssadmin.exe PID 1336 wrote to memory of 1748 1336 B.exe vssadmin.exe PID 1336 wrote to memory of 1748 1336 B.exe vssadmin.exe PID 1336 wrote to memory of 804 1336 B.exe wmic.exe PID 1336 wrote to memory of 804 1336 B.exe wmic.exe PID 1336 wrote to memory of 804 1336 B.exe wmic.exe PID 1336 wrote to memory of 804 1336 B.exe wmic.exe PID 1336 wrote to memory of 1436 1336 B.exe vssadmin.exe PID 1336 wrote to memory of 1436 1336 B.exe vssadmin.exe PID 1336 wrote to memory of 1436 1336 B.exe vssadmin.exe PID 1336 wrote to memory of 1436 1336 B.exe vssadmin.exe PID 1336 wrote to memory of 960 1336 B.exe wmic.exe PID 1336 wrote to memory of 960 1336 B.exe wmic.exe PID 1336 wrote to memory of 960 1336 B.exe wmic.exe PID 1336 wrote to memory of 960 1336 B.exe wmic.exe PID 1336 wrote to memory of 1448 1336 B.exe vssadmin.exe PID 1336 wrote to memory of 1448 1336 B.exe vssadmin.exe PID 1336 wrote to memory of 1448 1336 B.exe vssadmin.exe PID 1336 wrote to memory of 1448 1336 B.exe vssadmin.exe PID 1336 wrote to memory of 1064 1336 B.exe wmic.exe PID 1336 wrote to memory of 1064 1336 B.exe wmic.exe PID 1336 wrote to memory of 1064 1336 B.exe wmic.exe PID 1336 wrote to memory of 1064 1336 B.exe wmic.exe PID 1688 wrote to memory of 884 1688 taskeng.exe svhost.exe PID 1688 wrote to memory of 884 1688 taskeng.exe svhost.exe PID 1688 wrote to memory of 884 1688 taskeng.exe svhost.exe PID 1688 wrote to memory of 884 1688 taskeng.exe svhost.exe -
System policy modification 1 TTPs 3 IoCs
Processes:
B.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" B.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" B.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" B.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\B.exe"C:\Users\Admin\AppData\Local\Temp\B.exe"1⤵
- Modifies extensions of user files
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskeng.exetaskeng.exe {5E33AC41-F259-40B2-98A8-E1EEE5668A26} S-1-5-21-2955169046-2371869340-1800780948-1000:UKNHJUQT\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\svhost.exeC:\Users\Admin\AppData\Roaming\svhost.exe2⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\svhost.exeMD5
c17b2c3980926b02136c0a5fb5dfdaa3
SHA1938eb1b7f1d985d134957443d4c43ad551727b89
SHA2564d2b250eb1691bd116eb0004a6b4526afe62631551d6d31d4da482ab5ec3b021
SHA512f770b1dfd74e58ff9d67f0e91ac070e92251598efc45863acf827098cc52f2868c7e2698fd5b0a3a178ea1d1446d32882dfd0601526dbfb27df1251d76c5881b
-
C:\Users\Admin\AppData\Roaming\svhost.exeMD5
c17b2c3980926b02136c0a5fb5dfdaa3
SHA1938eb1b7f1d985d134957443d4c43ad551727b89
SHA2564d2b250eb1691bd116eb0004a6b4526afe62631551d6d31d4da482ab5ec3b021
SHA512f770b1dfd74e58ff9d67f0e91ac070e92251598efc45863acf827098cc52f2868c7e2698fd5b0a3a178ea1d1446d32882dfd0601526dbfb27df1251d76c5881b
-
memory/804-56-0x0000000000000000-mapping.dmp
-
memory/884-62-0x0000000000000000-mapping.dmp
-
memory/960-58-0x0000000000000000-mapping.dmp
-
memory/1064-60-0x0000000000000000-mapping.dmp
-
memory/1336-54-0x0000000075B71000-0x0000000075B73000-memory.dmpFilesize
8KB
-
memory/1436-57-0x0000000000000000-mapping.dmp
-
memory/1448-59-0x0000000000000000-mapping.dmp
-
memory/1748-55-0x0000000000000000-mapping.dmp