medusalocker | 09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26

Analysis

max time kernel
174s
max time network
182s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
01/02/2022, 15:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
Size

678KB
MD5

0d2a9990e815349c4e6fa8573ccf5bda
SHA1

52326d4bff0d80a045006f1a44de0e3a8f942557
SHA256

09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26
SHA512

56dec3ccd64c0a0e5bddcec166e3cafa83580146de3753ad24ce536a5cea5e55cfe1e9a1880c2030704cf8e4f2a6a1f92a62f951d479f810cea2b587e2e57f51

Score

10^/10

medusalocker evasion persistence ransomware trojan

Malware Config

Extracted

Path

C:\Recovery_Instructions.html

Ransom Note

<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">78C5230B2F4F93EBDC0110F1BD906E3CB51866D71E5EDD9B31C4E65F76D0134FEA5F180F02E224C92517CE2FDDEC9F11090D8F001CFF61B7E3875F6CEC7305CF<br>32E5B7F52938C8F46367A5689478551962653FAE29DE09453B3D648D53F2CF5DF3EC60D243EDCD78E97EB167DB1329F69DF72E3B459C90F3C5EDD1E2A976<br>7DB14A6390DCB1C98B60769C4B266E85CD05926ABEFC86A939F0AA72D8F0B993FC24ECC0AA48A3DC1B48A04FBA639F6F85C811EC9C1AFF8C0036F5BD2026<br>F4244AC3AD6460F4B99A1AD460C8046E4559F4B961E47825BED18919C6FA7F2E7D9C9F8F38075E5469D2D1E9618C889C84218DF0D1C684E4C2DFF42401ED<br>1AB0DB4F0A87622FAD8F59C9CAEFA8B554629F98C1E36A83640D37D2F7D06E507D671431BA42F3F184CC132C1B32F2FDA904735A9AD9BE84B3E519418EF1<br>A8F71FE67D16A2FDE8F974E141169396E52B254E95421D7DBCB8DCD57EF4E9D4FA272FEFFAEAB62285C372B0F77C813C2DBB0B0AE9B333CEAA63615AB6B7<br>29A816478FC3928BFB2AFA68D61A8F109AA3ED4F5E269CCDE09AC2F22FDA35761B8B7363CDE3633D32EFCCD3E921C3208A92CB0310EBBDD002848ACF5DD7<br>EEE103464A68CE9ABEA7308374769A0E70B0B1B748EF224690A0C5375B94760D12EB11E7C43D9CC4CAF5C7B634AFE734BFF4E4B1DF023152D1570CAC910F<br>49625B517D95BDC0E648AB9AEA4E</span> <br>  </div> </div>  <div class="tabs">  <div class="tab"> <div id="tab-content1" class="content"> <div class="text">  <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br>  <hr> <b>Contact us for price and get decryption software.</b><br><br> <a>http://gvlay6u4g53rxdi5.onion/21-Oy6lEoptAYe8F4uaolVnfb7egHPjE6PR-eS9TcQ3xHKu4VvNx1yinadMuFs1pB27b</a><br> * Note that this server is available via Tor browser only<br><br> Follow the instructions to open the link:<br> 1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br> 2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br> 3. Now you have Tor browser. In the Tor Browser open "{{URL}}". <br> 4. Start a chat and follow the further instructions. <br><br> <hr> <b>If you can not use the above link, use the email:</b><br> <a href="[email protected]">[email protected]</a> <br><a href="[email protected]">[email protected]</a> <br> <b>* To contact us, create a new mail on the site:</b> <a href="https://protonmail.com">protonmail.com<br> <hr> <b>Make contact as soon as possible. Your private key (decryption key) <br> is only stored temporarily.<br><br> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> </div> </div> </div>   </div> </div>  </div> </div> </body> </html>

Emails

href="[email protected]">[email protected]</a>

Signatures

MedusaLocker
Ransomware with several variants first seen in September 2019.
ransomware medusalocker

MedusaLocker Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000f00000001e86d-130.dat	family_medusalocker
behavioral2/files/0x000f00000001e86d-131.dat	family_medusalocker

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

Executes dropped EXE 1 IoCs

pid	Process
1468	svhost.exe

Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	\??\Z:\$RECYCLE.BIN\S-1-5-21-1346565761-3498240568-4147300184-1000\desktop.ini	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
File opened (read-only)	\??\S:	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
File opened (read-only)	\??\A:	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
File opened (read-only)	\??\M:	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
File opened (read-only)	\??\Z:	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
File opened (read-only)	\??\P:	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
File opened (read-only)	\??\V:	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
File opened (read-only)	\??\J:	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
File opened (read-only)	\??\L:	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
File opened (read-only)	\??\F:	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
File opened (read-only)	\??\G:	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
File opened (read-only)	\??\H:	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
File opened (read-only)	\??\I:	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
File opened (read-only)	\??\K:	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
File opened (read-only)	\??\N:	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
File opened (read-only)	\??\B:	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
File opened (read-only)	\??\E:	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
File opened (read-only)	\??\T:	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
File opened (read-only)	\??\U:	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
File opened (read-only)	\??\W:	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
File opened (read-only)	\??\X:	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
File opened (read-only)	\??\Y:	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
File opened (read-only)	\??\O:	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
File opened (read-only)	\??\Q:	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 41 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3344	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
3344	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
3344	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
3344	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
3344	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
3344	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
3344	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
3344	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
3344	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
3344	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
3344	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
3344	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
3344	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
3344	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
3344	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
3344	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
3344	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
3344	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
3344	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
3344	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
3344	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
3344	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
3344	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
3344	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
3344	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
3344	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
3344	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
3344	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
3344	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
3344	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
3344	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
3344	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
3344	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
3344	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
3344	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
3344	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
3344	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
3344	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
3344	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
3344	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
3344	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
3344	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
3344	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
3344	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
3344	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
3344	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
3344	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
3344	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
3344	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
3344	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
3344	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
3344	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
3344	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
3344	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
3344	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
3344	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
3344	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
3344	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
3344	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
3344	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
3344	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
3344	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
3344	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
3344	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4108	wmic.exe
Token: SeSecurityPrivilege	4108	wmic.exe
Token: SeTakeOwnershipPrivilege	4108	wmic.exe
Token: SeLoadDriverPrivilege	4108	wmic.exe
Token: SeSystemProfilePrivilege	4108	wmic.exe
Token: SeSystemtimePrivilege	4108	wmic.exe
Token: SeProfSingleProcessPrivilege	4108	wmic.exe
Token: SeIncBasePriorityPrivilege	4108	wmic.exe
Token: SeCreatePagefilePrivilege	4108	wmic.exe
Token: SeBackupPrivilege	4108	wmic.exe
Token: SeRestorePrivilege	4108	wmic.exe
Token: SeShutdownPrivilege	4108	wmic.exe
Token: SeDebugPrivilege	4108	wmic.exe
Token: SeSystemEnvironmentPrivilege	4108	wmic.exe
Token: SeRemoteShutdownPrivilege	4108	wmic.exe
Token: SeUndockPrivilege	4108	wmic.exe
Token: SeManageVolumePrivilege	4108	wmic.exe
Token: 33	4108	wmic.exe
Token: 34	4108	wmic.exe
Token: 35	4108	wmic.exe
Token: 36	4108	wmic.exe
Token: SeIncreaseQuotaPrivilege	4696	wmic.exe
Token: SeSecurityPrivilege	4696	wmic.exe
Token: SeTakeOwnershipPrivilege	4696	wmic.exe
Token: SeLoadDriverPrivilege	4696	wmic.exe
Token: SeSystemProfilePrivilege	4696	wmic.exe
Token: SeSystemtimePrivilege	4696	wmic.exe
Token: SeProfSingleProcessPrivilege	4696	wmic.exe
Token: SeIncBasePriorityPrivilege	4696	wmic.exe
Token: SeCreatePagefilePrivilege	4696	wmic.exe
Token: SeBackupPrivilege	4696	wmic.exe
Token: SeRestorePrivilege	4696	wmic.exe
Token: SeShutdownPrivilege	4696	wmic.exe
Token: SeDebugPrivilege	4696	wmic.exe
Token: SeSystemEnvironmentPrivilege	4696	wmic.exe
Token: SeRemoteShutdownPrivilege	4696	wmic.exe
Token: SeUndockPrivilege	4696	wmic.exe
Token: SeManageVolumePrivilege	4696	wmic.exe
Token: 33	4696	wmic.exe
Token: 34	4696	wmic.exe
Token: 35	4696	wmic.exe
Token: 36	4696	wmic.exe
Token: SeIncreaseQuotaPrivilege	3432	wmic.exe
Token: SeSecurityPrivilege	3432	wmic.exe
Token: SeTakeOwnershipPrivilege	3432	wmic.exe
Token: SeLoadDriverPrivilege	3432	wmic.exe
Token: SeSystemProfilePrivilege	3432	wmic.exe
Token: SeSystemtimePrivilege	3432	wmic.exe
Token: SeProfSingleProcessPrivilege	3432	wmic.exe
Token: SeIncBasePriorityPrivilege	3432	wmic.exe
Token: SeCreatePagefilePrivilege	3432	wmic.exe
Token: SeBackupPrivilege	3432	wmic.exe
Token: SeRestorePrivilege	3432	wmic.exe
Token: SeShutdownPrivilege	3432	wmic.exe
Token: SeDebugPrivilege	3432	wmic.exe
Token: SeSystemEnvironmentPrivilege	3432	wmic.exe
Token: SeRemoteShutdownPrivilege	3432	wmic.exe
Token: SeUndockPrivilege	3432	wmic.exe
Token: SeManageVolumePrivilege	3432	wmic.exe
Token: 33	3432	wmic.exe
Token: 34	3432	wmic.exe
Token: 35	3432	wmic.exe
Token: 36	3432	wmic.exe
Token: SeShutdownPrivilege	652	svchost.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3344 wrote to memory of 4108	3344	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe	86
PID 3344 wrote to memory of 4108	3344	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe	86
PID 3344 wrote to memory of 4108	3344	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe	86
PID 3344 wrote to memory of 4696	3344	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe	89
PID 3344 wrote to memory of 4696	3344	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe	89
PID 3344 wrote to memory of 4696	3344	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe	89
PID 3344 wrote to memory of 3432	3344	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe	91
PID 3344 wrote to memory of 3432	3344	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe	91
PID 3344 wrote to memory of 3432	3344	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe	91

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe

C:\Users\Admin\AppData\Local\Temp\09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe
"C:\Users\Admin\AppData\Local\Temp\09198fa8250aef54bdc416ee2e223cc20bfcd88c5bec4aa29f815425e1744f26.exe"
1⤵
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3344
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4108
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4696
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3432

C:\Users\Admin\AppData\Roaming\svhost.exe
C:\Users\Admin\AppData\Roaming\svhost.exe
1⤵
- Executes dropped EXE
PID:1468

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 365769f42f4adb0417de6f99efece6a8 5VhbnCHOS0C+IgDKNOxwzw.0.1.0.0.0
1⤵
- Modifies data under HKEY_USERS
PID:4932

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:652