medusalocker | 124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa

Analysis

max time kernel
164s
max time network
145s
platform
windows7_x64
resource
win7-en-20211208
submitted
01/02/2022, 15:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe
Size

667KB
MD5

dbedb905796795de32272ea95c45a36a
SHA1

76354f7b2a20d76f82343e0d01c8710600d01483
SHA256

124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa
SHA512

871def3ab6253a2dfae41b5dc6bf19461bca16e234ff94165e7e25aeee79563c0a074304f0627104f76871961dd7c421dd8fa277f821cf6dfa150d61a4105b4e

Score

10^/10

medusalocker evasion ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Recovery_Instructions.html

Ransom Note

<!DOCTYPE html> <html> <head> <meta charset="utf-8"> <meta http-equiv="X-UA-Compatible" content="IE=Edge"> <meta name="viewport" content="width=device-width, initial-scale=1, minimum-scale=1, user-scalable=yes"> <title>Title</title> <style> html, body, div, span, applet, object, iframe, h1, h2, h3, h4, h5, h6, p, blockquote, pre, a, abbr, acronym, address, big, cite, code, del, dfn, em, img, ins, kbd, q, s, samp, small, strike, strong, sub, sup, tt, var, b, u, i, center, dl, dt, dd, ol, ul, li, fieldset, form, label, legend, table, caption, tbody, tfoot, thead, tr, th, td, article, aside, canvas, details, embed, figure, figcaption, footer, header, hgroup, menu, nav, output, ruby, section, summary, time, mark, audio, video { margin: 0; padding: 0; border: 0; font-size: 100%; font: inherit; vertical-align: baseline; } /* HTML5 display-role reset for older browsers */ article, aside, details, figcaption, figure, footer, header, hgroup, menu, nav, section { display: block; } body { font-family: Tahoma, Arial; background: #717798; } .all { max-width: 1170px; margin: auto; background: #000; min-height: 100px; border-radius: 10px; } .tl { text-align: center; color: #e03930; font-family: Tahoma; font-size: 28px; font-weight: 700; position: relative; height: 60px; line-height: 60px; } .close { padding: 15px; width: 36px; height: 36px; position: absolute; right: 15px; top:0; } .bg { background: #252a42; text-align: center; color: #ffffff; padding: 25px 15px; font-size: 18px; font-weight: 400; line-height: 20px; } .bg span { color: #f25252; } .bg a { color: #9676fd; font-size: 20px; font-style: italic; text-decoration: none; line-height: 35px; } .bg c { color: #f25252; font-weight: 500; font-size: 20px; line-height: 35px;} .footer { padding: 15px 0;} .tl2 { text-align: center; color: #e03930; font-size: 25px; font-weight: 500; line-height: 32px; text-decoration: underline; padding-bottom: 15px; } .text { min-height: 192px; color: #ffffff; font-size: 16px; font-weight: 500; line-height: 24px; } .text div { padding-right: 50px; padding-left: 50px; } @media (max-width: 767px) { .tl { height: auto; padding-right: 50px; line-height: 1.5; } .text div { padding: 0 15px; } .footer { background: none; } } </style> </head> <body> <div class="all"> <div class="container"> <div class="tl">All your data are encrypted! <div class="close"></div></div> <div class="bg"> <c>What happened?</c> <br> Your files are encrypted, and currently unavailable. <br> You can check it: all files on you computer has new expansion.<br> By the way, everything is possible to recover (restore), but you need to buy a unique decryptor. <br> Otherwise, you never cant return your data.<br> <br> <c>For purchasing a decryptor contact us by email: </c><br> <a href="mailto:[email protected]">[email protected]</a><br> If you will get no answer within 24 hours contact us by our alternate emails: <br> <a href="mailto:[email protected]">[email protected]</a> <br> <br> <c>What guarantees?</c> <br> Its just a business. If we do not do our work and liabilities - nobody will not cooperate with us.<br> To verify the possibility of the recovery of your files we can decrypted 1 file for free. <br> Attach 1 file to the letter (no more than 10Mb). Indicate your <b>personal ID</b> on the letter:<br> <span style="width:800px; word-wrap:break-word; display:inline-block; color: #ffffff; font-size: 10px;">D42A96F0D11BADED02BB3A58E52D52FC16F048E39E96FE06C35184B1A8E900D04FE9029CE13004338109A5513D8A27549DD0C3C25271FF1C89C05CD9E0B83916<br>122CD8ECE50980DFE3DD6E0F3B94D444DB5532257580AD62F46470CCDF5E28BCBEAF186CFD001B5285C7DBFAB1D5AA338A346CCE15D24E0F0E059BB01D7F<br>2E8B0027E0BF17324CF3BADD817B2E833A612067D4D67FE171795ABD1AC130F8A5843B9AFD09FDE316BD77F31DC360DB9C53FBFFF6F54E92B7BE7D1D3DEC<br>0E892ABE4E230B9B02F5F7FE274A728C2584DB1ECC60F6EC9D10CBC074F00CC7B45450A0F5870A9D430EAEB0CD175A9CC870C7E75315F5F571C339238BE9<br>2897E83D863FB166B97077AAF64BA991A72A62167E5D7263CC2DCE373DE99DF2FFDC119839344AE13380FA4C5F84612FEB368411305DC0196EEDBCB04690<br>C9B08239DE381B202FFEFBCAA6257857BAD52D5E09A54683B9C3D8BD8198CE3143CB7ADE397F85E8395E0D570DED866D9074F870C7E6D88578721147204F<br>729569775F8C42D306C5937F1F9A308C0C4033F1AC5D70438BC5A4A9269C08EF3B4B2F064D398CBE04A1B96AA8BFD8E4A340B76CEC0A2474B688085ECBDA<br>444D5A8054F629BE2CD4B000F7F6E059007B0D9AAB84F49F80ECA21E1AF63727EABA83344BF3FA1F52DFF0BE45A8B4B42F60DC8FDCC8519098575F58472A<br>94060719DDDA9E2B2DC9F1E70225</span> <br> </div> <div class="footer"> <div class="tl2"> Attention! </div> <div class="bg2"> <div class="text"> <div> - Attempts of change files by yourself will result in a loose of data. <br> - Our e-mail can be blocked over time. Write now, loss of contact with us will result in a loose of data.<br> - Use any third party software for restoring your data or antivirus solutions will result in a loose of data. <br> - Decryptors of other users are unique and will not fit your files and use of those will result in a loose of data.<br> - If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. </div> </div> </div> </div> </div> </div> </body> </html>

Emails

href="mailto:[email protected]">[email protected]</a><br>

href="mailto:[email protected]">[email protected]</a>

URLs

http-equiv="X-UA-Compatible"

Signatures

MedusaLocker
Ransomware with several variants first seen in September 2019.
ransomware medusalocker

MedusaLocker Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0006000000014073-55.dat	family_medusalocker
behavioral1/files/0x0006000000014073-56.dat	family_medusalocker

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Executes dropped EXE 1 IoCs

pid	Process
884	svhost.exe

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\ExpandGet.png => C:\Users\Admin\Pictures\ExpandGet.png.ReadInstructions	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe
File renamed	C:\Users\Admin\Pictures\MountGrant.raw => C:\Users\Admin\Pictures\MountGrant.raw.ReadInstructions	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	\??\Z:\$RECYCLE.BIN\S-1-5-21-3846991908-3261386348-1409841751-1000\desktop.ini	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe
File opened (read-only)	\??\A:	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe
File opened (read-only)	\??\F:	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe
File opened (read-only)	\??\G:	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe
File opened (read-only)	\??\O:	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe
File opened (read-only)	\??\P:	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe
File opened (read-only)	\??\Q:	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe
File opened (read-only)	\??\I:	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe
File opened (read-only)	\??\N:	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe
File opened (read-only)	\??\T:	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe
File opened (read-only)	\??\V:	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe
File opened (read-only)	\??\W:	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe
File opened (read-only)	\??\X:	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe
File opened (read-only)	\??\E:	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe
File opened (read-only)	\??\J:	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe
File opened (read-only)	\??\K:	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe
File opened (read-only)	\??\S:	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe
File opened (read-only)	\??\U:	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe
File opened (read-only)	\??\B:	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe
File opened (read-only)	\??\H:	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe
File opened (read-only)	\??\L:	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe
File opened (read-only)	\??\M:	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe
File opened (read-only)	\??\R:	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe
File opened (read-only)	\??\Y:	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 3 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
472	vssadmin.exe
1124	vssadmin.exe
1912	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1504	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe
1504	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe
1504	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe
1504	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe
1504	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe
1504	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe
1504	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe
1504	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe
1504	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe
1504	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe
1504	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe
1504	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe
1504	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe
1504	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe
1504	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe
1504	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe
1504	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe
1504	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe
1504	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe
1504	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe
1504	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe
1504	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe
1504	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe
1504	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe
1504	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe
1504	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe
1504	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe
1504	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe
1504	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe
1504	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe
1504	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe
1504	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe
1504	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe
1504	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe
1504	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe
1504	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe
1504	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe
1504	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe
1504	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe
1504	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe
1504	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe
1504	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe
1504	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe
1504	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe
1504	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe
1504	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe
1504	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe
1504	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe
1504	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe
1504	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe
1504	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe
1504	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe
1504	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe
1504	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe
1504	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe
1504	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe
1504	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe
1504	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe
1504	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe
1504	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe
1504	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe
1504	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe
1504	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe
1504	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe

Suspicious use of AdjustPrivilegeToken 63 IoCs

description	pid	Process
Token: SeBackupPrivilege	788	vssvc.exe
Token: SeRestorePrivilege	788	vssvc.exe
Token: SeAuditPrivilege	788	vssvc.exe
Token: SeIncreaseQuotaPrivilege	784	wmic.exe
Token: SeSecurityPrivilege	784	wmic.exe
Token: SeTakeOwnershipPrivilege	784	wmic.exe
Token: SeLoadDriverPrivilege	784	wmic.exe
Token: SeSystemProfilePrivilege	784	wmic.exe
Token: SeSystemtimePrivilege	784	wmic.exe
Token: SeProfSingleProcessPrivilege	784	wmic.exe
Token: SeIncBasePriorityPrivilege	784	wmic.exe
Token: SeCreatePagefilePrivilege	784	wmic.exe
Token: SeBackupPrivilege	784	wmic.exe
Token: SeRestorePrivilege	784	wmic.exe
Token: SeShutdownPrivilege	784	wmic.exe
Token: SeDebugPrivilege	784	wmic.exe
Token: SeSystemEnvironmentPrivilege	784	wmic.exe
Token: SeRemoteShutdownPrivilege	784	wmic.exe
Token: SeUndockPrivilege	784	wmic.exe
Token: SeManageVolumePrivilege	784	wmic.exe
Token: 33	784	wmic.exe
Token: 34	784	wmic.exe
Token: 35	784	wmic.exe
Token: SeIncreaseQuotaPrivilege	1048	wmic.exe
Token: SeSecurityPrivilege	1048	wmic.exe
Token: SeTakeOwnershipPrivilege	1048	wmic.exe
Token: SeLoadDriverPrivilege	1048	wmic.exe
Token: SeSystemProfilePrivilege	1048	wmic.exe
Token: SeSystemtimePrivilege	1048	wmic.exe
Token: SeProfSingleProcessPrivilege	1048	wmic.exe
Token: SeIncBasePriorityPrivilege	1048	wmic.exe
Token: SeCreatePagefilePrivilege	1048	wmic.exe
Token: SeBackupPrivilege	1048	wmic.exe
Token: SeRestorePrivilege	1048	wmic.exe
Token: SeShutdownPrivilege	1048	wmic.exe
Token: SeDebugPrivilege	1048	wmic.exe
Token: SeSystemEnvironmentPrivilege	1048	wmic.exe
Token: SeRemoteShutdownPrivilege	1048	wmic.exe
Token: SeUndockPrivilege	1048	wmic.exe
Token: SeManageVolumePrivilege	1048	wmic.exe
Token: 33	1048	wmic.exe
Token: 34	1048	wmic.exe
Token: 35	1048	wmic.exe
Token: SeIncreaseQuotaPrivilege	1548	wmic.exe
Token: SeSecurityPrivilege	1548	wmic.exe
Token: SeTakeOwnershipPrivilege	1548	wmic.exe
Token: SeLoadDriverPrivilege	1548	wmic.exe
Token: SeSystemProfilePrivilege	1548	wmic.exe
Token: SeSystemtimePrivilege	1548	wmic.exe
Token: SeProfSingleProcessPrivilege	1548	wmic.exe
Token: SeIncBasePriorityPrivilege	1548	wmic.exe
Token: SeCreatePagefilePrivilege	1548	wmic.exe
Token: SeBackupPrivilege	1548	wmic.exe
Token: SeRestorePrivilege	1548	wmic.exe
Token: SeShutdownPrivilege	1548	wmic.exe
Token: SeDebugPrivilege	1548	wmic.exe
Token: SeSystemEnvironmentPrivilege	1548	wmic.exe
Token: SeRemoteShutdownPrivilege	1548	wmic.exe
Token: SeUndockPrivilege	1548	wmic.exe
Token: SeManageVolumePrivilege	1548	wmic.exe
Token: 33	1548	wmic.exe
Token: 34	1548	wmic.exe
Token: 35	1548	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1504 wrote to memory of 472	1504	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe	27
PID 1504 wrote to memory of 472	1504	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe	27
PID 1504 wrote to memory of 472	1504	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe	27
PID 1504 wrote to memory of 472	1504	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe	27
PID 1504 wrote to memory of 784	1504	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe	30
PID 1504 wrote to memory of 784	1504	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe	30
PID 1504 wrote to memory of 784	1504	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe	30
PID 1504 wrote to memory of 784	1504	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe	30
PID 1504 wrote to memory of 1124	1504	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe	32
PID 1504 wrote to memory of 1124	1504	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe	32
PID 1504 wrote to memory of 1124	1504	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe	32
PID 1504 wrote to memory of 1124	1504	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe	32
PID 1504 wrote to memory of 1048	1504	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe	34
PID 1504 wrote to memory of 1048	1504	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe	34
PID 1504 wrote to memory of 1048	1504	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe	34
PID 1504 wrote to memory of 1048	1504	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe	34
PID 1504 wrote to memory of 1912	1504	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe	36
PID 1504 wrote to memory of 1912	1504	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe	36
PID 1504 wrote to memory of 1912	1504	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe	36
PID 1504 wrote to memory of 1912	1504	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe	36
PID 1504 wrote to memory of 1548	1504	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe	38
PID 1504 wrote to memory of 1548	1504	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe	38
PID 1504 wrote to memory of 1548	1504	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe	38
PID 1504 wrote to memory of 1548	1504	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe	38
PID 676 wrote to memory of 884	676	taskeng.exe	43
PID 676 wrote to memory of 884	676	taskeng.exe	43
PID 676 wrote to memory of 884	676	taskeng.exe	43
PID 676 wrote to memory of 884	676	taskeng.exe	43

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe

C:\Users\Admin\AppData\Local\Temp\124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe
"C:\Users\Admin\AppData\Local\Temp\124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa.exe"
1⤵
- Modifies extensions of user files
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1504
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:472
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:784
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:1124
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1048
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:1912
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1548

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:788

C:\Windows\system32\taskeng.exe
taskeng.exe {F13C6E6E-0FDF-4020-B3DF-7ED2DC2E578B} S-1-5-21-3846991908-3261386348-1409841751-1000:VQVVOAJK\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:676
- C:\Users\Admin\AppData\Roaming\svhost.exe
  C:\Users\Admin\AppData\Roaming\svhost.exe
  2⤵
  - Executes dropped EXE
  PID:884