Analysis
- max time kernel: 151s
- max time network: 161s
- platform: windows10_x64
- resource: win10-en-20211104
- submitted: 08-12-2021 14:53
Static task: static1
Behavioral task: behavioral1
- Sample: svhost.bin.exe
- Resource: win7-en-20211104
Behavioral task: behavioral2
- Sample: svhost.bin.exe
- Resource: win10-en-20211104
General
- Target: svhost.bin.exe
- Size: 669KB
- MD5: ed7d859df562c7679dfcb14ee359ff2a
- SHA1: cde2bfc546f6fc85bcdf5d35bfbd2d17d5c7c91c
- SHA256: c2a78b419e7d33de9e7418306f30623970a02d4d41c562e99581d0dc3e0bdb08
- SHA512: 730c6940dc83f071cb65ebc3dacde8ddde5147e722cdb027d3feb8fe42bf7b6b0f699ff8b744b7f0dc0ca0fd6762b42acee4b2d67220b637cee0c82ae893bf80
Malware Config
- Extracted: C:\Boot\HOW_TO_RECOVER_DATA.html
Signatures
- LockFile
  LockFile is a new ransomware that emerged in July 2021 with ProxyShell vulnerabilities.
- MedusaLocker
  Ransomware with several variants first seen in September 2019.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies extensions of user files (9 IoCs)
  Ransomware generally changes the extension on encrypted files.
  description | ioc | Process
  File opened for modification | C:\Users\Admin\Pictures\SwitchGroup.tiff | svhost.bin.exe
  File renamed | C:\Users\Admin\Pictures\UnblockConvertFrom.crw => C:\Users\Admin\Pictures\UnblockConvertFrom.crw.lockfile | svhost.bin.exe
  File renamed | C:\Users\Admin\Pictures\UnregisterDisable.tiff => C:\Users\Admin\Pictures\UnregisterDisable.tiff.lockfile | svhost.bin.exe
  File renamed | C:\Users\Admin\Pictures\WatchWait.tif => C:\Users\Admin\Pictures\WatchWait.tif.lockfile | svhost.bin.exe
  File renamed | C:\Users\Admin\Pictures\CompareSwitch.raw => C:\Users\Admin\Pictures\CompareSwitch.raw.lockfile | svhost.bin.exe
  File renamed | C:\Users\Admin\Pictures\ExitImport.crw => C:\Users\Admin\Pictures\ExitImport.crw.lockfile | svhost.bin.exe
  File renamed | C:\Users\Admin\Pictures\GetSkip.crw => C:\Users\Admin\Pictures\GetSkip.crw.lockfile | svhost.bin.exe
  File renamed | C:\Users\Admin\Pictures\SwitchGroup.tiff => C:\Users\Admin\Pictures\SwitchGroup.tiff.lockfile | svhost.bin.exe
  File opened for modification | C:\Users\Admin\Pictures\UnregisterDisable.tiff | svhost.bin.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
-
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | svhost.bin.exe
- Drops desktop.ini file(s) (1 IoCs)
  description | ioc | Process
  File opened for modification | \??\Z:\$RECYCLE.BIN\S-1-5-21-1042495040-510797905-2613508344-1000\desktop.ini | svhost.bin.exe
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\E:, \??\F:, \??\K:, \??\O:, \??\P:, \??\R:, \??\W:, \??\B:, \??\L:, \??\Q:, \??\I:, \??\H:, \??\J:, \??\M:, \??\N:, \??\S:, \??\T:, \??\Z:, \??\A:, \??\U:, \??\V:, \??\X:, \??\Y:, \??\G: (one IoC per drive letter, 24 in total) | svhost.bin.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 3 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid | Process
  592 | vssadmin.exe
  4084 | vssadmin.exe
  2804 | vssadmin.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  3836 | svhost.bin.exe (this row is repeated for each of the 64 IoCs)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description | pid | Process
  Token: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege | 520 | vssvc.exe
  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 | 3168 | wmic.exe
  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 | 4172 | wmic.exe
  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34 | 1008 | wmic.exe
  (each token is one IoC: 3 + 21 + 21 + 19 = 64)
- Suspicious use of WriteProcessMemory (18 IoCs)
  description | pid | Process | procid_target
  PID 3836 wrote to memory of 4084 | 3836 | svhost.bin.exe | 68
  PID 3836 wrote to memory of 3168 | 3836 | svhost.bin.exe | 73
  PID 3836 wrote to memory of 2804 | 3836 | svhost.bin.exe | 75
  PID 3836 wrote to memory of 4172 | 3836 | svhost.bin.exe | 77
  PID 3836 wrote to memory of 592 | 3836 | svhost.bin.exe | 79
  PID 3836 wrote to memory of 1008 | 3836 | svhost.bin.exe | 81
  (each row is recorded three times in the report, giving the 18 IoCs)
- System policy modification (1 TTPs, 3 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | svhost.bin.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | svhost.bin.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | svhost.bin.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\svhost.bin.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\svhost.bin.exe"
  - Modifies extensions of user files
  - Checks whether UAC is enabled
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID: 3836
  - C:\Windows\SysWOW64\vssadmin.exe
    Command line: vssadmin.exe Delete Shadows /All /Quiet
    - Interacts with shadow copies
    PID: 4084
  - C:\Windows\SysWOW64\Wbem\wmic.exe
    Command line: wmic.exe SHADOWCOPY /nointeractive
    - Suspicious use of AdjustPrivilegeToken
    PID: 3168
  - C:\Windows\SysWOW64\vssadmin.exe
    Command line: vssadmin.exe Delete Shadows /All /Quiet
    - Interacts with shadow copies
    PID: 2804
  - C:\Windows\SysWOW64\Wbem\wmic.exe
    Command line: wmic.exe SHADOWCOPY /nointeractive
    - Suspicious use of AdjustPrivilegeToken
    PID: 4172
  - C:\Windows\SysWOW64\vssadmin.exe
    Command line: vssadmin.exe Delete Shadows /All /Quiet
    - Interacts with shadow copies
    PID: 592
  - C:\Windows\SysWOW64\Wbem\wmic.exe
    Command line: wmic.exe SHADOWCOPY /nointeractive
    - Suspicious use of AdjustPrivilegeToken
    PID: 1008
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID: 520