Analysis
-
max time kernel
154s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220112 -
submitted
01-02-2022 15:20
Static task
static1
Behavioral task
behavioral1
Sample
fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe
Resource
win7-en-20211208
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe
Resource
win10v2004-en-20220112
windows10-2004_x64
0 signatures
0 seconds
General
-
Target
fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe
-
Size
669KB
-
MD5
74393d9335e16594b3f40c8b86d9e9fc
-
SHA1
02b1e97437d21e7e8999b12d51113df1b968cf4c
-
SHA256
fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7
-
SHA512
4b6d65c9ce1173438989688947aec91ee00ea71391a1ad1516da319b377dd3b97bc95f020894df19576592f6d10f91ea9719bbec1f0a49b51f48ae9ff1700952
Malware Config
Extracted
Path
C:\HOW_TO_RECOVER_DATA.html
Ransom Note
<html>
<style type="text/css">
body {
background-color: #f5f5f5;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
display: block;
margin: auto;
}
.tabs1 .head{
text-align: center;
float: top;
padding: 0px;
text-transform: uppercase;
font-weight: normal;
display: block;
background: #81bef7;
color: #DF0101;
font-size: 30px;
}
.tabs1 .identi {
font-size: 10px;
text-align: center;
float: top;
padding: 15px;
display: block;
background: #81bef7;
color: #DFDFDF;
}
.tabs .content {
background: #f5f5f5;
/*text-align: center;*/
color: #000000;
padding: 25px 15px;
font-size: 15px;
font-weight: 400;
line-height: 20px; }
.tabs .content a {
color: #df0130;
font-size: 23px;
font-style: italic;
text-decoration: none;
line-height: 35px; }
.tabs .content .text{
padding: 25px;
line-height: 1.2;
}
</style>
<body>
<div class="tabs1">
<div class="head" ><b>Your personal ID:</b></div>
<div class="identi">
<span style="width:1000px; color: #ffffff; font-size: 10px;">61B93145AD1A00617987EA9970FF3B6856F7ED95237D4434EC27E82F13792817E78E26252001CB11DD517E7EF1BD94DAEE1E169454C0D353998EC582ABD6C263<br>D739E163FC8528BB134617BE03AA43E320088577D1142266C9FE07E81924ADEB236002C824C475721E62A561ED2E6E1E923958E24BC2192E0DA299895133<br>95E4CFA619B3EAE8F8A9D945FF29A29A8A2F48BE6A19DD3B7792ADC53F2FF3498390FF9E9432C6FFCE8AC75DAF2288E45CF28130FBE382CA64B76AF5BDE7<br>6A89AA86D71D75B2FF06701D55C4065A08C60BA13CB5BF685CB2655199D2713A9EC94ECF4BE95C8908F9FEF6AFFFBEF950EEC3E3D599A4439AF41CE17FC1<br>6CE8752C58382C77C906E228DAEAF0696B1F3D6CD77D8957B0581AEEF8933245635FBEDEA9FB8FA79EF41A6D63A5CAA3D91DA3F3BADD28850091B5961F60<br>148C11E60E239568215A0EB626A02B894EC4B76A0B90435B6D68FC280ADD401DB2FA47780A1527FAA4811D3F28813BCC37AC30B53820F396704BDED99564<br>67A6C2E32F3C50D0B283A7E93C3F93C3E918CD2212299976B293A99118935FF9DBA0CD95ECC0A216094B63198CBCFE568C05C891CB90A98B452C7C4FE955<br>2FE41C254B64DD6D1658249B42D3005C9386E585DF5231CC5473DCE71870BF31815478A4537473E4F82BB5513227CA544A2A677B423EC30D924E881C0DAA<br>EC29E1EB9B3A9594BD3882FDC440</span> <br>
<!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<div id="tab-content1" class="content">
<div class="text">
<!--text data -->
<b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br>
<b>All your important files have been encrypted!</b><br><br>
<hr>
Your files are safe! Only modified. (RSA+AES)<br><br>
ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br>
WILL PERMANENTLY CORRUPT IT.<br>
DO NOT MODIFY ENCRYPTED FILES.<br>
DO NOT RENAME ENCRYPTED FILES.<br><br>
No software available on internet can help you. We are the only ones able to<br>
solve your problem.<br><br>
We gathered highly confidential/personal data. These data are currently stored on<br>
a private server. This server will be immediately destroyed after your payment.<br>
If you decide to not pay, we will release your data to public or re-seller.<br>
So you can expect your data to be publicly available in the near future..<br><br>
We only seek money and our goal is not to damage your reputation or prevent<br>
your business from running.<br><br>
You will can send us 2-3 non-important files and we will decrypt it for free<br>
to prove we are able to give your files back.<br><br>
<!--text data -->
<hr>
<b>Contact us for price and get decryption software.</b><br><br>
<a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</a><br>
* Note that this server is available via Tor browser only<br><br>
Follow the instructions to open the link:<br>
1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br>
2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br>
3. Now you have Tor browser. In the Tor Browser open <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion
</a><br>
4. Start a chat and follow the further instructions. <br><br>
<hr>
<b>If you can not use the above link, use the email:</b><br>
<a href="[email protected] ">[email protected] </a>
<br><a href=" [email protected]"> [email protected]</a>
<br>
<b>* To contact us, create a new free email account on the site:</b> <a href="https://protonmail.com">protonmail.com<br> <hr>
<b>
IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br>
</div>
</div>
</div>
<!--tab-->
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>
Emails
Signatures
-
MedusaLocker
Ransomware with several variants first seen in September 2019.
-
MedusaLocker Payload 2 IoCs
Processes:
resource yara_rule behavioral2/files/0x0005000000021428-130.dat family_medusalocker behavioral2/files/0x0005000000021428-131.dat family_medusalocker -
Executes dropped EXE 1 IoCs
Processes:
svhost.exepid Process 876 svhost.exe -
Modifies extensions of user files 7 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exedescription ioc Process File renamed C:\Users\Admin\Pictures\ResetStart.crw => C:\Users\Admin\Pictures\ResetStart.crw.marlock22 fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe File renamed C:\Users\Admin\Pictures\TraceGet.crw => C:\Users\Admin\Pictures\TraceGet.crw.marlock22 fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe File opened for modification C:\Users\Admin\Pictures\WatchExport.tiff fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe File renamed C:\Users\Admin\Pictures\WatchExport.tiff => C:\Users\Admin\Pictures\WatchExport.tiff.marlock22 fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe File renamed C:\Users\Admin\Pictures\CompressBackup.crw => C:\Users\Admin\Pictures\CompressBackup.crw.marlock22 fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe File renamed C:\Users\Admin\Pictures\InitializeOut.tif => C:\Users\Admin\Pictures\InitializeOut.tif.marlock22 fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe File renamed C:\Users\Admin\Pictures\RequestSuspend.crw => C:\Users\Admin\Pictures\RequestSuspend.crw.marlock22 fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exedescription ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe -
Drops desktop.ini file(s) 1 IoCs
Processes:
fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exedescription ioc Process File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-790714498-1549421491-1643397139-1000\desktop.ini fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exedescription ioc Process File opened (read-only) \??\K: fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe File opened (read-only) \??\L: fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe File opened (read-only) \??\S: fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe File opened (read-only) \??\V: fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe File opened (read-only) \??\E: fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe File opened (read-only) \??\F: fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe File opened (read-only) \??\J: fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe File opened (read-only) \??\O: fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe File opened (read-only) \??\P: fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe File opened (read-only) \??\W: fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe File opened (read-only) \??\X: fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe File opened (read-only) \??\A: fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe File opened (read-only) \??\G: fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe File opened (read-only) \??\N: fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe File opened (read-only) \??\Y: fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe File opened (read-only) \??\B: fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe File opened (read-only) \??\I: fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe File opened (read-only) \??\Q: fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe File opened (read-only) \??\R: fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe File opened (read-only) \??\T: fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe File opened (read-only) \??\U: fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe File opened (read-only) \??\Z: fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe File opened (read-only) \??\H: fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe File opened (read-only) \??\M: fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exepid Process 3704 fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe 3704 fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe 3704 fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe 3704 fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe 3704 fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe 3704 fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe 3704 fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe 3704 fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe 3704 fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe 3704 fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe 3704 fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe 3704 fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe 3704 fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe 3704 fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe 3704 fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe 3704 fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe 3704 fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe 3704 fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe 3704 fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe 3704 fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe 3704 fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe 3704 fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe 3704 fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe 3704 fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe 3704 fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe 3704 fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe 3704 fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe 3704 fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe 3704 fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe 3704 fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe 3704 fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe 3704 fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe 3704 fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe 3704 fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe 3704 fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe 3704 fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe 3704 fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe 3704 fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe 3704 fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe 3704 fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe 3704 fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe 3704 fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe 3704 fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe 3704 fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe 3704 fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe 3704 fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe 3704 fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe 3704 fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe 3704 fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe 3704 fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe 3704 fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe 3704 fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe 3704 fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe 3704 fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe 3704 fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe 3704 fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe 3704 fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe 3704 fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe 3704 fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe 3704 fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe 3704 fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe 3704 fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe 3704 fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe 3704 fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe -
Suspicious use of AdjustPrivilegeToken 63 IoCs
Processes:
wmic.exewmic.exewmic.exedescription pid Process Token: SeIncreaseQuotaPrivilege 1684 wmic.exe Token: SeSecurityPrivilege 1684 wmic.exe Token: SeTakeOwnershipPrivilege 1684 wmic.exe Token: SeLoadDriverPrivilege 1684 wmic.exe Token: SeSystemProfilePrivilege 1684 wmic.exe Token: SeSystemtimePrivilege 1684 wmic.exe Token: SeProfSingleProcessPrivilege 1684 wmic.exe Token: SeIncBasePriorityPrivilege 1684 wmic.exe Token: SeCreatePagefilePrivilege 1684 wmic.exe Token: SeBackupPrivilege 1684 wmic.exe Token: SeRestorePrivilege 1684 wmic.exe Token: SeShutdownPrivilege 1684 wmic.exe Token: SeDebugPrivilege 1684 wmic.exe Token: SeSystemEnvironmentPrivilege 1684 wmic.exe Token: SeRemoteShutdownPrivilege 1684 wmic.exe Token: SeUndockPrivilege 1684 wmic.exe Token: SeManageVolumePrivilege 1684 wmic.exe Token: 33 1684 wmic.exe Token: 34 1684 wmic.exe Token: 35 1684 wmic.exe Token: 36 1684 wmic.exe Token: SeIncreaseQuotaPrivilege 2452 wmic.exe Token: SeSecurityPrivilege 2452 wmic.exe Token: SeTakeOwnershipPrivilege 2452 wmic.exe Token: SeLoadDriverPrivilege 2452 wmic.exe Token: SeSystemProfilePrivilege 2452 wmic.exe Token: SeSystemtimePrivilege 2452 wmic.exe Token: SeProfSingleProcessPrivilege 2452 wmic.exe Token: SeIncBasePriorityPrivilege 2452 wmic.exe Token: SeCreatePagefilePrivilege 2452 wmic.exe Token: SeBackupPrivilege 2452 wmic.exe Token: SeRestorePrivilege 2452 wmic.exe Token: SeShutdownPrivilege 2452 wmic.exe Token: SeDebugPrivilege 2452 wmic.exe Token: SeSystemEnvironmentPrivilege 2452 wmic.exe Token: SeRemoteShutdownPrivilege 2452 wmic.exe Token: SeUndockPrivilege 2452 wmic.exe Token: SeManageVolumePrivilege 2452 wmic.exe Token: 33 2452 wmic.exe Token: 34 2452 wmic.exe Token: 35 2452 wmic.exe Token: 36 2452 wmic.exe Token: SeIncreaseQuotaPrivilege 2652 wmic.exe Token: SeSecurityPrivilege 2652 wmic.exe Token: SeTakeOwnershipPrivilege 2652 wmic.exe Token: SeLoadDriverPrivilege 2652 wmic.exe Token: SeSystemProfilePrivilege 2652 wmic.exe Token: SeSystemtimePrivilege 2652 wmic.exe Token: SeProfSingleProcessPrivilege 2652 wmic.exe Token: SeIncBasePriorityPrivilege 2652 wmic.exe Token: SeCreatePagefilePrivilege 2652 wmic.exe Token: SeBackupPrivilege 2652 wmic.exe Token: SeRestorePrivilege 2652 wmic.exe Token: SeShutdownPrivilege 2652 wmic.exe Token: SeDebugPrivilege 2652 wmic.exe Token: SeSystemEnvironmentPrivilege 2652 wmic.exe Token: SeRemoteShutdownPrivilege 2652 wmic.exe Token: SeUndockPrivilege 2652 wmic.exe Token: SeManageVolumePrivilege 2652 wmic.exe Token: 33 2652 wmic.exe Token: 34 2652 wmic.exe Token: 35 2652 wmic.exe Token: 36 2652 wmic.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exedescription pid Process procid_target PID 3704 wrote to memory of 1684 3704 fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe 54 PID 3704 wrote to memory of 1684 3704 fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe 54 PID 3704 wrote to memory of 1684 3704 fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe 54 PID 3704 wrote to memory of 2452 3704 fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe 58 PID 3704 wrote to memory of 2452 3704 fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe 58 PID 3704 wrote to memory of 2452 3704 fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe 58 PID 3704 wrote to memory of 2652 3704 fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe 60 PID 3704 wrote to memory of 2652 3704 fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe 60 PID 3704 wrote to memory of 2652 3704 fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe 60 -
System policy modification 1 TTPs 3 IoCs
Processes:
fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exedescription ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe"C:\Users\Admin\AppData\Local\Temp\fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7.exe"1⤵
- Modifies extensions of user files
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3704 -
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1684
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2452
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2652
-
-
C:\Users\Admin\AppData\Roaming\svhost.exeC:\Users\Admin\AppData\Roaming\svhost.exe1⤵
- Executes dropped EXE
PID:876
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
74393d9335e16594b3f40c8b86d9e9fc
SHA102b1e97437d21e7e8999b12d51113df1b968cf4c
SHA256fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7
SHA5124b6d65c9ce1173438989688947aec91ee00ea71391a1ad1516da319b377dd3b97bc95f020894df19576592f6d10f91ea9719bbec1f0a49b51f48ae9ff1700952
-
MD5
74393d9335e16594b3f40c8b86d9e9fc
SHA102b1e97437d21e7e8999b12d51113df1b968cf4c
SHA256fe81214e1c83415f949d3389e7f6c6ed9508db2c6d38f34d5386fc49c4ada9c7
SHA5124b6d65c9ce1173438989688947aec91ee00ea71391a1ad1516da319b377dd3b97bc95f020894df19576592f6d10f91ea9719bbec1f0a49b51f48ae9ff1700952