Analysis
-
max time kernel
174s -
max time network
187s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220112 -
submitted
01/02/2022, 15:52
Static task
static1
Behavioral task
behavioral1
Sample
0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe
Resource
win7-en-20211208
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe
Resource
win10v2004-en-20220112
windows10-2004_x64
0 signatures
0 seconds
General
-
Target
0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe
-
Size
669KB
-
MD5
50cb8959fad4a94b2c6927325e46306d
-
SHA1
1db0f2a6e3415f49681ee56bba524e3ad4a3810e
-
SHA256
0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610
-
SHA512
8cf27998b78ea09acfcc137d92763836841b1cbbf0719c47b59797d8f88962eee74c8f8e5e4e4a77d0af50fc7b056cee270204a61cb39796a87935da0467dc07
Score
10/10
Malware Config
Extracted
Path
C:\RECOVER_INSTRUCTIONS.html
Ransom Note
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=Edge">
<meta name="viewport" content="width=device-width, initial-scale=1, minimum-scale=1, user-scalable=yes">
<title>Title</title>
<style>
html, body, div, span, applet, object, iframe,
h1, h2, h3, h4, h5, h6, p, blockquote, pre,
a, abbr, acronym, address, big, cite, code,
del, dfn, em, img, ins, kbd, q, s, samp,
small, strike, strong, sub, sup, tt, var,
b, u, i, center,
dl, dt, dd, ol, ul, li,
fieldset, form, label, legend,
table, caption, tbody, tfoot, thead, tr, th, td,
article, aside, canvas, details, embed,
figure, figcaption, footer, header, hgroup,
menu, nav, output, ruby, section, summary,
time, mark, audio, video {
margin: 0;
padding: 0;
border: 0;
font-size: 100%;
font: inherit;
vertical-align: baseline; }
/* HTML5 display-role reset for older browsers */
article, aside, details, figcaption, figure,
footer, header, hgroup, menu, nav, section {
display: block; }
body {
font-family: Tahoma, Arial;
background: #717798; }
.all {
max-width: 1170px;
margin: auto;
background: #000;
min-height: 100px;
border-radius: 10px; }
.tl {
text-align: center;
color: #e03930;
font-family: Tahoma;
font-size: 28px;
font-weight: 700;
position: relative;
height: 60px;
line-height: 60px;
}
.close {
padding: 15px;
width: 36px;
height: 36px;
position: absolute;
right: 15px;
top:0;
}
.bg {
background: #252a42;
text-align: center;
color: #ffffff;
padding: 25px 15px;
font-size: 18px;
font-weight: 400;
line-height: 20px; }
.bg span {
color: #f25252; }
.bg a {
color: #9676fd;
font-size: 20px;
font-style: italic;
text-decoration: none;
line-height: 35px; }
.bg c {
color: #f25252;
font-weight: 500;
font-size: 20px;
line-height: 35px;}
.footer {
padding: 15px 0;}
.tl2 {
text-align: center;
color: #e03930;
font-size: 25px;
font-weight: 500;
line-height: 32px;
text-decoration: underline;
padding-bottom: 15px; }
.text {
min-height: 192px;
color: #ffffff;
font-size: 16px;
font-weight: 500;
line-height: 24px; }
.text div {
padding-right: 50px;
padding-left: 50px; }
@media (max-width: 767px) {
.tl {
height: auto;
padding-right: 50px;
line-height: 1.5;
}
.text div {
padding: 0 15px; }
.footer {
background: none; } }
</style>
</head>
<body>
<div class="all">
<div class="container">
<div class="tl">All your data are encrypted!
<div class="close"></div></div>
<div class="bg">
<c>What happened?</c> <br>
Your files are encrypted, and currently unavailable. <br>
You can check it: all files on you computer has new expansion.<br>
By the way, everything is possible to recover (restore), but you need to buy a unique decryptor. <br>
Otherwise, you never cant return your data.<br>
<br>
<c>For purchasing a decryptor contact us by email: </c><br>
<a href="mailto:[email protected]">[email protected]</a><br>
If you will get no answer within 24 hours contact us by our alternate emails: <br>
<a href="mailto:[email protected]">[email protected]</a> <br>
<br>
<c>What guarantees?</c> <br>
Its just a business. If we do not do our work and liabilities - nobody will not cooperate with us.<br>
To verify the possibility of the recovery of your files we can decrypted 1 file for free. <br>
Attach 1 file to the letter (no more than 10Mb). Indicate your <b>personal ID</b> on the letter:<br>
<span style="width:800px; word-wrap:break-word; display:inline-block; color: #ffffff; font-size: 10px;">F2E8160A1D94E1260F23676C3813ED0EE3A0C8C128A4E176CBE642150D12774F24B3EDB7C29ADD59284C4E6754D1C3F97B230E0AFA060AC023F870B500F4E703<br>3343B4A3AD925F12795F26BFDE79A4315BB87C35AC4AED4ADF72E835B48FBAC219128F935B3207CB9CA1C7AEC6D26EEDF3B628C7258D1683300190F71480<br>8C194228369E71BAF28E8D61C746424D1859F8BAEB03090E2C403F65DB97644D972EDBC59753D450565DCF959155B24CA0A0D41EAEEC321F3715B2DD6980<br>5094A38A6B5E66ABCC5AA917F45E6E8C8722910E65A5B792F7C5E6B7D4CAA0A7013B8C7E09C35174291E5D9517CD1DC59F81DD1648A41758F8876B4DDBF3<br>BB8E7C69C2B0546268274F8D65D98FE7498B30F2582593D83E9A0056C3FE778FD30D9AF59F87F1A213287AEE04243DEBE10F8C6F1AB7157DFF3A6C008299<br>591A9B7BBF15714C1F5FB06842DD0426F7B808DA7AF740A11CA8C37687D942607D2851E26033EF596F00AF5112D540001D41ED59EF2E6FC449DD59CCD6FA<br>3F04462087CF2B38D95D51BC8D19F8AEC71FDACB9A3A17644E5FF1FEFC67EFC33AA59607D3BBE19F7618B6A8238621EC09B7E9152E97714AC25F074FFAB8<br>225957B6C95AC2308B2B7A6D22075C3CAC70A69113815CDBF847DAE4485EBACE1CFDF89EE7C9A35910C242D5115A8251373162467BE53FCAD5A5E1C75748<br>7FA56A81860058E9551B34A75794</span>
<br>
</div>
<div class="footer">
<div class="tl2">
Attention!
</div>
<div class="bg2">
<div class="text">
<div>
- Attempts of change files by yourself will result in a loose of data. <br>
- Our e-mail can be blocked over time. Write now, loss of contact with us will result in a loose of data.<br>
- Use any third party software for restoring your data or antivirus solutions will result in a loose of data. <br>
- Decryptors of other users are unique and will not fit your files and use of those will result in a loose of data.<br>
- If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key.
</div>
</div>
</div>
</div>
</div>
</div>
</body>
</html>
Emails
href="mailto:[email protected]">[email protected]</a><br>
href="mailto:[email protected]">[email protected]</a>
URLs
http-equiv="X-UA-Compatible"
Signatures
-
MedusaLocker
Ransomware with several variants first seen in September 2019.
-
MedusaLocker Payload 2 IoCs
resource yara_rule behavioral2/files/0x000500000002140f-130.dat family_medusalocker behavioral2/files/0x000500000002140f-131.dat family_medusalocker -
Executes dropped EXE 1 IoCs
pid Process 3588 svhost.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe -
Drops desktop.ini file(s) 1 IoCs
description ioc Process File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-790714498-1549421491-1643397139-1000\desktop.ini 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\B: 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe File opened (read-only) \??\H: 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe File opened (read-only) \??\N: 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe File opened (read-only) \??\V: 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe File opened (read-only) \??\W: 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe File opened (read-only) \??\F: 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe File opened (read-only) \??\G: 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe File opened (read-only) \??\I: 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe File opened (read-only) \??\X: 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe File opened (read-only) \??\Z: 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe File opened (read-only) \??\T: 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe File opened (read-only) \??\J: 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe File opened (read-only) \??\K: 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe File opened (read-only) \??\M: 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe File opened (read-only) \??\P: 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe File opened (read-only) \??\Q: 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe File opened (read-only) \??\R: 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe File opened (read-only) \??\S: 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe File opened (read-only) \??\A: 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe File opened (read-only) \??\E: 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe File opened (read-only) \??\L: 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe File opened (read-only) \??\O: 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe File opened (read-only) \??\U: 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe File opened (read-only) \??\Y: 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 MusNotifyIcon.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz MusNotifyIcon.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3440 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe 3440 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe 3440 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe 3440 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe 3440 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe 3440 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe 3440 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe 3440 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe 3440 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe 3440 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe 3440 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe 3440 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe 3440 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe 3440 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe 3440 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe 3440 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe 3440 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe 3440 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe 3440 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe 3440 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe 3440 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe 3440 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe 3440 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe 3440 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe 3440 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe 3440 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe 3440 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe 3440 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe 3440 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe 3440 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe 3440 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe 3440 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe 3440 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe 3440 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe 3440 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe 3440 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe 3440 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe 3440 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe 3440 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe 3440 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe 3440 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe 3440 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe 3440 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe 3440 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe 3440 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe 3440 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe 3440 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe 3440 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe 3440 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe 3440 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe 3440 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe 3440 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe 3440 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe 3440 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe 3440 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe 3440 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe 3440 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe 3440 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe 3440 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe 3440 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe 3440 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe 3440 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe 3440 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe 3440 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe -
Suspicious use of AdjustPrivilegeToken 63 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 2300 wmic.exe Token: SeSecurityPrivilege 2300 wmic.exe Token: SeTakeOwnershipPrivilege 2300 wmic.exe Token: SeLoadDriverPrivilege 2300 wmic.exe Token: SeSystemProfilePrivilege 2300 wmic.exe Token: SeSystemtimePrivilege 2300 wmic.exe Token: SeProfSingleProcessPrivilege 2300 wmic.exe Token: SeIncBasePriorityPrivilege 2300 wmic.exe Token: SeCreatePagefilePrivilege 2300 wmic.exe Token: SeBackupPrivilege 2300 wmic.exe Token: SeRestorePrivilege 2300 wmic.exe Token: SeShutdownPrivilege 2300 wmic.exe Token: SeDebugPrivilege 2300 wmic.exe Token: SeSystemEnvironmentPrivilege 2300 wmic.exe Token: SeRemoteShutdownPrivilege 2300 wmic.exe Token: SeUndockPrivilege 2300 wmic.exe Token: SeManageVolumePrivilege 2300 wmic.exe Token: 33 2300 wmic.exe Token: 34 2300 wmic.exe Token: 35 2300 wmic.exe Token: 36 2300 wmic.exe Token: SeIncreaseQuotaPrivilege 3564 wmic.exe Token: SeSecurityPrivilege 3564 wmic.exe Token: SeTakeOwnershipPrivilege 3564 wmic.exe Token: SeLoadDriverPrivilege 3564 wmic.exe Token: SeSystemProfilePrivilege 3564 wmic.exe Token: SeSystemtimePrivilege 3564 wmic.exe Token: SeProfSingleProcessPrivilege 3564 wmic.exe Token: SeIncBasePriorityPrivilege 3564 wmic.exe Token: SeCreatePagefilePrivilege 3564 wmic.exe Token: SeBackupPrivilege 3564 wmic.exe Token: SeRestorePrivilege 3564 wmic.exe Token: SeShutdownPrivilege 3564 wmic.exe Token: SeDebugPrivilege 3564 wmic.exe Token: SeSystemEnvironmentPrivilege 3564 wmic.exe Token: SeRemoteShutdownPrivilege 3564 wmic.exe Token: SeUndockPrivilege 3564 wmic.exe Token: SeManageVolumePrivilege 3564 wmic.exe Token: 33 3564 wmic.exe Token: 34 3564 wmic.exe Token: 35 3564 wmic.exe Token: 36 3564 wmic.exe Token: SeIncreaseQuotaPrivilege 432 wmic.exe Token: SeSecurityPrivilege 432 wmic.exe Token: SeTakeOwnershipPrivilege 432 wmic.exe Token: SeLoadDriverPrivilege 432 wmic.exe Token: SeSystemProfilePrivilege 432 wmic.exe Token: SeSystemtimePrivilege 432 wmic.exe Token: SeProfSingleProcessPrivilege 432 wmic.exe Token: SeIncBasePriorityPrivilege 432 wmic.exe Token: SeCreatePagefilePrivilege 432 wmic.exe Token: SeBackupPrivilege 432 wmic.exe Token: SeRestorePrivilege 432 wmic.exe Token: SeShutdownPrivilege 432 wmic.exe Token: SeDebugPrivilege 432 wmic.exe Token: SeSystemEnvironmentPrivilege 432 wmic.exe Token: SeRemoteShutdownPrivilege 432 wmic.exe Token: SeUndockPrivilege 432 wmic.exe Token: SeManageVolumePrivilege 432 wmic.exe Token: 33 432 wmic.exe Token: 34 432 wmic.exe Token: 35 432 wmic.exe Token: 36 432 wmic.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 3440 wrote to memory of 2300 3440 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe 55 PID 3440 wrote to memory of 2300 3440 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe 55 PID 3440 wrote to memory of 2300 3440 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe 55 PID 3440 wrote to memory of 3564 3440 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe 61 PID 3440 wrote to memory of 3564 3440 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe 61 PID 3440 wrote to memory of 3564 3440 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe 61 PID 3440 wrote to memory of 432 3440 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe 63 PID 3440 wrote to memory of 432 3440 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe 63 PID 3440 wrote to memory of 432 3440 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe 63 -
System policy modification 1 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" 0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe"C:\Users\Admin\AppData\Local\Temp\0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610.exe"1⤵
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3440 -
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2300
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3564
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:432
-
-
C:\Windows\system32\MusNotifyIcon.exe%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 131⤵
- Checks processor information in registry
PID:712
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k wusvcs -p1⤵PID:3660
-
C:\Users\Admin\AppData\Roaming\svhost.exeC:\Users\Admin\AppData\Roaming\svhost.exe1⤵
- Executes dropped EXE
PID:3588