Analysis
-
max time kernel
158s -
max time network
145s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
01/02/2022, 15:52
Static task
static1
Behavioral task
behavioral1
Sample
09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
Resource
win7-en-20211208
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
Resource
win10v2004-en-20220113
windows10-2004_x64
0 signatures
0 seconds
General
-
Target
09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
-
Size
678KB
-
MD5
0d2a9990e815349c4e6fa8573ccf5bda
-
SHA1
52326d4bff0d80a045006f1a44de0e3a8f942557
-
SHA256
09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26
-
SHA512
56dec3ccd64c0a0e5bddcec166e3cafa83580146de3753ad24ce536a5cea5e55cfe1e9a1880c2030704cf8e4f2a6a1f92a62f951d479f810cea2b587e2e57f51
Malware Config
Extracted
Path
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Recovery_Instructions.html
Ransom Note
<html>
<style type="text/css">
body {
background-color: #f5f5f5;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
display: block;
margin: auto;
}
.tabs1 .head{
text-align: center;
float: top;
padding: 0px;
text-transform: uppercase;
font-weight: normal;
display: block;
background: #81bef7;
color: #DF0101;
font-size: 30px;
}
.tabs1 .identi {
font-size: 10px;
text-align: center;
float: top;
padding: 15px;
display: block;
background: #81bef7;
color: #DFDFDF;
}
.tabs .content {
background: #f5f5f5;
/*text-align: center;*/
color: #000000;
padding: 25px 15px;
font-size: 15px;
font-weight: 400;
line-height: 20px; }
.tabs .content a {
color: #df0130;
font-size: 23px;
font-style: italic;
text-decoration: none;
line-height: 35px; }
.tabs .content .text{
padding: 25px;
line-height: 1.2;
}
</style>
<body>
<div class="tabs1">
<div class="head" ><b>Your personal ID:</b></div>
<div class="identi">
<span style="width:1000px; color: #ffffff; font-size: 10px;">974112226C0AF6DC25F8792B7820834D7FEAAE81304ED22EB8800EE93B6E35EFDCE60EFA5E18286B393356ACEFA1C26F31500F70474E630E232341D5296A4F63<br>E567CA95135E0D0CE02DD40B5570BDF8D6DFEE9E7D952F64243E00D56F7540E9B112F85EAE75280CD2E80B2653565EB687C931F9710906FAE630302CEC2B<br>9A6A23C7B1885191E49752AABDAA2EC11F334DAD46772D53321ADE5E362A125E29A4031229815583D1A03070788525763EB3100DE6395B666CDD85E339BC<br>3B856ECAC4FCA767AFE08FA76DE10619C82E264310A3754E7B927F1F6F73CE57A4B5829E695D05F5AC73855DA6DD66FE10C0AFCA7CA4A70E6316D786B39A<br>6133470BD6045A74572D2F151DAE99C55865D7A594BE37ED6A9741D5D6172CDA28DD08C6DCAF4AF9C46ED667AE33BF38DF7044F9C50F7C9457517D3A4071<br>6E9B997CE5D23FD17364BC2BC92A5AA7A55285C156BBC6431E73502EE7FFC000D6BD9E8D3723AA3F6544F8FDBF4AE67147766DCA78BCC99BA8F58E2E491E<br>820423E2E272E800166C8E5A0DA71778B13B39C92DDC9D44ADBE658AD496F2B71DDBF01C64FD16B3BFC4F726C9A876EC1111B9BE74DC58BCB2CA60048BE4<br>D140F2874BCA67E306E508E425AE702902F83C76D9B7E09D1FFCAB826FF5F0C2342BF05DCD67228400CC183657BB265AF93E520F9A48668F30E6A0C3AB62<br>4BDD44F4936FBF389F43F2647B32</span> <br>
<!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<div id="tab-content1" class="content">
<div class="text">
<!--text data -->
<b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br>
<b>All your important files have been encrypted!</b><br><br>
<hr>
Your files are safe! Only modified. (RSA+AES)<br><br>
ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br>
WILL PERMANENTLY CORRUPT IT.<br>
DO NOT MODIFY ENCRYPTED FILES.<br>
DO NOT RENAME ENCRYPTED FILES.<br><br>
No software available on internet can help you. We are the only ones able to<br>
solve your problem.<br><br>
We gathered highly confidential/personal data. These data are currently stored on<br>
a private server. This server will be immediately destroyed after your payment.<br>
If you decide to not pay, we will release your data to public or re-seller.<br>
So you can expect your data to be publicly available in the near future..<br><br>
We only seek money and our goal is not to damage your reputation or prevent<br>
your business from running.<br><br>
You will can send us 2-3 non-important files and we will decrypt it for free<br>
to prove we are able to give your files back.<br><br>
<!--text data -->
<hr>
<b>Contact us for price and get decryption software.</b><br><br>
<a>http://gvlay6u4g53rxdi5.onion/21-Oy6lEoptAYe8F4uaolVnfb7egHPjE6PR-1j9KFJ7dAQ1Pk09HARZcdIWMQ6bysIw0</a><br>
* Note that this server is available via Tor browser only<br><br>
Follow the instructions to open the link:<br>
1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br>
2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br>
3. Now you have Tor browser. In the Tor Browser open "{{URL}}". <br>
4. Start a chat and follow the further instructions. <br><br>
<hr>
<b>If you can not use the above link, use the email:</b><br>
<a href="[email protected]">[email protected]</a>
<br><a href="[email protected]">[email protected]</a>
<br>
<b>* To contact us, create a new mail on the site:</b> <a href="https://protonmail.com">protonmail.com<br> <hr>
<b>Make contact as soon as possible. Your private key (decryption key) <br>
is only stored temporarily.<br><br>
IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br>
</div>
</div>
</div>
<!--tab-->
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>
Emails
Signatures
-
MedusaLocker
Ransomware with several variants first seen in September 2019.
-
MedusaLocker Payload 2 IoCs
resource yara_rule behavioral1/files/0x000800000001225c-55.dat family_medusalocker behavioral1/files/0x000800000001225c-56.dat family_medusalocker -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 1 IoCs
pid Process 972 svhost.exe -
Modifies extensions of user files 7 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File renamed C:\Users\Admin\Pictures\TestPing.tiff => C:\Users\Admin\Pictures\TestPing.tiff.itlock 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe File renamed C:\Users\Admin\Pictures\PingShow.png => C:\Users\Admin\Pictures\PingShow.png.itlock 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe File opened for modification C:\Users\Admin\Pictures\RepairEdit.tiff 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe File renamed C:\Users\Admin\Pictures\RepairEdit.tiff => C:\Users\Admin\Pictures\RepairEdit.tiff.itlock 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe File renamed C:\Users\Admin\Pictures\RestoreSwitch.png => C:\Users\Admin\Pictures\RestoreSwitch.png.itlock 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe File renamed C:\Users\Admin\Pictures\StopSync.crw => C:\Users\Admin\Pictures\StopSync.crw.itlock 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe File opened for modification C:\Users\Admin\Pictures\TestPing.tiff 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe -
Drops desktop.ini file(s) 1 IoCs
description ioc Process File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-3846991908-3261386348-1409841751-1000\desktop.ini 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\E: 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe File opened (read-only) \??\Q: 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe File opened (read-only) \??\U: 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe File opened (read-only) \??\B: 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe File opened (read-only) \??\G: 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe File opened (read-only) \??\H: 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe File opened (read-only) \??\I: 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe File opened (read-only) \??\M: 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe File opened (read-only) \??\Y: 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe File opened (read-only) \??\X: 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe File opened (read-only) \??\A: 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe File opened (read-only) \??\K: 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe File opened (read-only) \??\N: 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe File opened (read-only) \??\O: 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe File opened (read-only) \??\P: 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe File opened (read-only) \??\S: 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe File opened (read-only) \??\T: 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe File opened (read-only) \??\F: 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe File opened (read-only) \??\J: 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe File opened (read-only) \??\L: 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe File opened (read-only) \??\R: 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe File opened (read-only) \??\V: 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe File opened (read-only) \??\W: 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe File opened (read-only) \??\Z: 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 332 vssadmin.exe 976 vssadmin.exe 1716 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1848 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe 1848 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe 1848 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe 1848 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe 1848 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe 1848 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe 1848 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe 1848 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe 1848 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe 1848 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe 1848 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe 1848 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe 1848 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe 1848 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe 1848 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe 1848 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe 1848 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe 1848 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe 1848 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe 1848 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe 1848 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe 1848 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe 1848 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe 1848 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe 1848 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe 1848 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe 1848 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe 1848 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe 1848 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe 1848 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe 1848 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe 1848 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe 1848 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe 1848 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe 1848 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe 1848 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe 1848 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe 1848 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe 1848 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe 1848 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe 1848 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe 1848 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe 1848 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe 1848 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe 1848 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe 1848 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe 1848 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe 1848 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe 1848 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe 1848 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe 1848 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe 1848 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe 1848 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe 1848 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe 1848 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe 1848 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe 1848 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe 1848 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe 1848 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe 1848 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe 1848 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe 1848 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe 1848 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe 1848 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe -
Suspicious use of AdjustPrivilegeToken 63 IoCs
description pid Process Token: SeBackupPrivilege 1372 vssvc.exe Token: SeRestorePrivilege 1372 vssvc.exe Token: SeAuditPrivilege 1372 vssvc.exe Token: SeIncreaseQuotaPrivilege 1620 wmic.exe Token: SeSecurityPrivilege 1620 wmic.exe Token: SeTakeOwnershipPrivilege 1620 wmic.exe Token: SeLoadDriverPrivilege 1620 wmic.exe Token: SeSystemProfilePrivilege 1620 wmic.exe Token: SeSystemtimePrivilege 1620 wmic.exe Token: SeProfSingleProcessPrivilege 1620 wmic.exe Token: SeIncBasePriorityPrivilege 1620 wmic.exe Token: SeCreatePagefilePrivilege 1620 wmic.exe Token: SeBackupPrivilege 1620 wmic.exe Token: SeRestorePrivilege 1620 wmic.exe Token: SeShutdownPrivilege 1620 wmic.exe Token: SeDebugPrivilege 1620 wmic.exe Token: SeSystemEnvironmentPrivilege 1620 wmic.exe Token: SeRemoteShutdownPrivilege 1620 wmic.exe Token: SeUndockPrivilege 1620 wmic.exe Token: SeManageVolumePrivilege 1620 wmic.exe Token: 33 1620 wmic.exe Token: 34 1620 wmic.exe Token: 35 1620 wmic.exe Token: SeIncreaseQuotaPrivilege 1044 wmic.exe Token: SeSecurityPrivilege 1044 wmic.exe Token: SeTakeOwnershipPrivilege 1044 wmic.exe Token: SeLoadDriverPrivilege 1044 wmic.exe Token: SeSystemProfilePrivilege 1044 wmic.exe Token: SeSystemtimePrivilege 1044 wmic.exe Token: SeProfSingleProcessPrivilege 1044 wmic.exe Token: SeIncBasePriorityPrivilege 1044 wmic.exe Token: SeCreatePagefilePrivilege 1044 wmic.exe Token: SeBackupPrivilege 1044 wmic.exe Token: SeRestorePrivilege 1044 wmic.exe Token: SeShutdownPrivilege 1044 wmic.exe Token: SeDebugPrivilege 1044 wmic.exe Token: SeSystemEnvironmentPrivilege 1044 wmic.exe Token: SeRemoteShutdownPrivilege 1044 wmic.exe Token: SeUndockPrivilege 1044 wmic.exe Token: SeManageVolumePrivilege 1044 wmic.exe Token: 33 1044 wmic.exe Token: 34 1044 wmic.exe Token: 35 1044 wmic.exe Token: SeIncreaseQuotaPrivilege 1624 wmic.exe Token: SeSecurityPrivilege 1624 wmic.exe Token: SeTakeOwnershipPrivilege 1624 wmic.exe Token: SeLoadDriverPrivilege 1624 wmic.exe Token: SeSystemProfilePrivilege 1624 wmic.exe Token: SeSystemtimePrivilege 1624 wmic.exe Token: SeProfSingleProcessPrivilege 1624 wmic.exe Token: SeIncBasePriorityPrivilege 1624 wmic.exe Token: SeCreatePagefilePrivilege 1624 wmic.exe Token: SeBackupPrivilege 1624 wmic.exe Token: SeRestorePrivilege 1624 wmic.exe Token: SeShutdownPrivilege 1624 wmic.exe Token: SeDebugPrivilege 1624 wmic.exe Token: SeSystemEnvironmentPrivilege 1624 wmic.exe Token: SeRemoteShutdownPrivilege 1624 wmic.exe Token: SeUndockPrivilege 1624 wmic.exe Token: SeManageVolumePrivilege 1624 wmic.exe Token: 33 1624 wmic.exe Token: 34 1624 wmic.exe Token: 35 1624 wmic.exe -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 1848 wrote to memory of 332 1848 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe 27 PID 1848 wrote to memory of 332 1848 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe 27 PID 1848 wrote to memory of 332 1848 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe 27 PID 1848 wrote to memory of 332 1848 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe 27 PID 1848 wrote to memory of 1620 1848 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe 30 PID 1848 wrote to memory of 1620 1848 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe 30 PID 1848 wrote to memory of 1620 1848 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe 30 PID 1848 wrote to memory of 1620 1848 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe 30 PID 1848 wrote to memory of 976 1848 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe 32 PID 1848 wrote to memory of 976 1848 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe 32 PID 1848 wrote to memory of 976 1848 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe 32 PID 1848 wrote to memory of 976 1848 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe 32 PID 1848 wrote to memory of 1044 1848 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe 34 PID 1848 wrote to memory of 1044 1848 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe 34 PID 1848 wrote to memory of 1044 1848 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe 34 PID 1848 wrote to memory of 1044 1848 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe 34 PID 1848 wrote to memory of 1716 1848 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe 36 PID 1848 wrote to memory of 1716 1848 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe 36 PID 1848 wrote to memory of 1716 1848 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe 36 PID 1848 wrote to memory of 1716 1848 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe 36 PID 1848 wrote to memory of 1624 1848 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe 38 PID 1848 wrote to memory of 1624 1848 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe 38 PID 1848 wrote to memory of 1624 1848 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe 38 PID 1848 wrote to memory of 1624 1848 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe 38 PID 1120 wrote to memory of 972 1120 taskeng.exe 43 PID 1120 wrote to memory of 972 1120 taskeng.exe 43 PID 1120 wrote to memory of 972 1120 taskeng.exe 43 PID 1120 wrote to memory of 972 1120 taskeng.exe 43 -
System policy modification 1 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe"C:\Users\Admin\AppData\Local\Temp\09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe"1⤵
- Modifies extensions of user files
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1848 -
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
PID:332
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1620
-
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
PID:976
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1044
-
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
PID:1716
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1624
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1372
-
C:\Windows\system32\taskeng.exetaskeng.exe {562195B0-4F06-4234-BADB-1CEE8FF03B95} S-1-5-21-3846991908-3261386348-1409841751-1000:VQVVOAJK\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
PID:1120 -
C:\Users\Admin\AppData\Roaming\svhost.exeC:\Users\Admin\AppData\Roaming\svhost.exe2⤵
- Executes dropped EXE
PID:972
-