Analysis
-
max time kernel
164s -
max time network
122s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
01/02/2022, 15:53
Static task
static1
Behavioral task
behavioral1
Sample
03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe
Resource
win7-en-20211208
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe
Resource
win10v2004-en-20220112
windows10-2004_x64
0 signatures
0 seconds
General
-
Target
03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe
-
Size
669KB
-
MD5
c963b021bb8c55cacd4b830c67186232
-
SHA1
58b69e090c23bbb16b656ee750f4e5a9aff246b2
-
SHA256
03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2
-
SHA512
9755275e20b1b43fe62846d29a7df59b3e0ef56c718d43a0091b887ba0d32d9bbf8147054d0ffb75691ac630ec269727b38d233b6cedf3e3492340089f3452b0
Malware Config
Extracted
Path
\??\Z:\Boot\RECOVER_INSTRUCTIONS.html
Ransom Note
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=Edge">
<meta name="viewport" content="width=device-width, initial-scale=1, minimum-scale=1, user-scalable=yes">
<title>Title</title>
<style>
html, body, div, span, applet, object, iframe,
h1, h2, h3, h4, h5, h6, p, blockquote, pre,
a, abbr, acronym, address, big, cite, code,
del, dfn, em, img, ins, kbd, q, s, samp,
small, strike, strong, sub, sup, tt, var,
b, u, i, center,
dl, dt, dd, ol, ul, li,
fieldset, form, label, legend,
table, caption, tbody, tfoot, thead, tr, th, td,
article, aside, canvas, details, embed,
figure, figcaption, footer, header, hgroup,
menu, nav, output, ruby, section, summary,
time, mark, audio, video {
margin: 0;
padding: 0;
border: 0;
font-size: 100%;
font: inherit;
vertical-align: baseline; }
/* HTML5 display-role reset for older browsers */
article, aside, details, figcaption, figure,
footer, header, hgroup, menu, nav, section {
display: block; }
body {
font-family: Tahoma, Arial;
background: #717798; }
.all {
max-width: 1170px;
margin: auto;
background: #000;
min-height: 100px;
border-radius: 10px; }
.tl {
text-align: center;
color: #e03930;
font-family: Tahoma;
font-size: 28px;
font-weight: 700;
position: relative;
height: 60px;
line-height: 60px;
}
.close {
padding: 15px;
width: 36px;
height: 36px;
position: absolute;
right: 15px;
top:0;
}
.bg {
background: #252a42;
text-align: center;
color: #ffffff;
padding: 25px 15px;
font-size: 18px;
font-weight: 400;
line-height: 20px; }
.bg span {
color: #f25252; }
.bg a {
color: #9676fd;
font-size: 20px;
font-style: italic;
text-decoration: none;
line-height: 35px; }
.bg c {
color: #f25252;
font-weight: 500;
font-size: 20px;
line-height: 35px;}
.footer {
padding: 15px 0;}
.tl2 {
text-align: center;
color: #e03930;
font-size: 25px;
font-weight: 500;
line-height: 32px;
text-decoration: underline;
padding-bottom: 15px; }
.text {
min-height: 192px;
color: #ffffff;
font-size: 16px;
font-weight: 500;
line-height: 24px; }
.text div {
padding-right: 50px;
padding-left: 50px; }
@media (max-width: 767px) {
.tl {
height: auto;
padding-right: 50px;
line-height: 1.5;
}
.text div {
padding: 0 15px; }
.footer {
background: none; } }
</style>
</head>
<body>
<div class="all">
<div class="container">
<div class="tl">All your data are encrypted!
<div class="close"></div></div>
<div class="bg">
<c>What happened?</c> <br>
Your files are encrypted, and currently unavailable. <br>
You can check it: all files on you computer has new expansion.<br>
By the way, everything is possible to recover (restore), but you need to buy a unique decryptor. <br>
Otherwise, you never cant return your data.<br>
<br>
<c>For purchasing a decryptor contact us by email: </c><br>
<a href="mailto:[email protected]">[email protected]</a><br>
If you will get no answer within 24 hours contact us by our alternate emails: <br>
<a href="mailto:[email protected]">[email protected]</a> <br>
<br>
<c>What guarantees?</c> <br>
Its just a business. If we do not do our work and liabilities - nobody will not cooperate with us.<br>
To verify the possibility of the recovery of your files we can decrypted 1 file for free. <br>
Attach 1 file to the letter (no more than 10Mb). Indicate your <b>personal ID</b> on the letter:<br>
<span style="width:800px; word-wrap:break-word; display:inline-block; color: #ffffff; font-size: 10px;">F7AAA52D87AC827D2CB44D47467331F8E785E992E9927946D09224571449BFAD5F723DB0BADF8366A4DB2D0052884A6D9FDA83F466EF5464BA9E95C9A571B610<br>F623E7359D886AA65955CAE87E2285970652225F5DDD978BF400DA1A354DC3B07FBAB7DA2E2345DD052CC56F1DCCD0B05A3683D671678DDA269CF4F3BB55<br>41570E76DACE5182F0D3E6212F35F86F14458AC3C7D81B84B359E68814C15317E9940B4F106649E790FBCB03D1C687FFED32509666086510EA552B948AD8<br>3F7786D6DD4F2328C78ADB7B551B889440731AD6B40E4C2559DF83F964D479D8E370E8F4BBC14D1E377EFB82083A5DFB4CAF9FCAD943588DCDC1079502DB<br>78EF45AF629184652C54F1E54A089D6A9D60DEC63E5907757B5FA241B9880720F880EE3BE814F79AAE2E525EEA1E593F7558EA4BB19FCD817F6C8DF4D30E<br>DE1867F5DBFCB161DEC3609DB094CE1C19B81674715E0B50C4AA410F425211F970D7A7D74A98AD7414C04D268B5D615382A8B27A178AE70DEA80BC731A21<br>8D65A54456B0895DACC6E584713BF7680344CC00F75581C124340BEF120E5AB8D80FF4DCFF9A09BE521E7E41305C71D2BD553889B0F2F55697AF6D8C72D2<br>AE48E5BF8879CF7FB57272A8FBCF1D2B29EE23F8997A5DE5DDDC5A06E44942601946753EFA2DF66884343520991B83A079A0A93A9E63190C059CEFF25EBE<br>602B0A63481FF4BC05B8F21F7F07</span>
<br>
</div>
<div class="footer">
<div class="tl2">
Attention!
</div>
<div class="bg2">
<div class="text">
<div>
- Attempts of change files by yourself will result in a loose of data. <br>
- Our e-mail can be blocked over time. Write now, loss of contact with us will result in a loose of data.<br>
- Use any third party software for restoring your data or antivirus solutions will result in a loose of data. <br>
- Decryptors of other users are unique and will not fit your files and use of those will result in a loose of data.<br>
- If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key.
</div>
</div>
</div>
</div>
</div>
</div>
</body>
</html>
Emails
href="mailto:[email protected]">[email protected]</a><br>
href="mailto:[email protected]">[email protected]</a>
URLs
http-equiv="X-UA-Compatible"
Signatures
-
MedusaLocker
Ransomware with several variants first seen in September 2019.
-
MedusaLocker Payload 2 IoCs
resource yara_rule behavioral1/files/0x000700000001321e-55.dat family_medusalocker behavioral1/files/0x000700000001321e-56.dat family_medusalocker -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 1 IoCs
pid Process 1712 svhost.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe -
Drops desktop.ini file(s) 1 IoCs
description ioc Process File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-3846991908-3261386348-1409841751-1000\desktop.ini 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\F: 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe File opened (read-only) \??\I: 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe File opened (read-only) \??\L: 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe File opened (read-only) \??\N: 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe File opened (read-only) \??\V: 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe File opened (read-only) \??\X: 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe File opened (read-only) \??\J: 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe File opened (read-only) \??\K: 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe File opened (read-only) \??\P: 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe File opened (read-only) \??\S: 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe File opened (read-only) \??\Z: 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe File opened (read-only) \??\A: 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe File opened (read-only) \??\B: 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe File opened (read-only) \??\E: 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe File opened (read-only) \??\M: 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe File opened (read-only) \??\Y: 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe File opened (read-only) \??\W: 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe File opened (read-only) \??\G: 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe File opened (read-only) \??\H: 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe File opened (read-only) \??\O: 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe File opened (read-only) \??\Q: 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe File opened (read-only) \??\R: 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe File opened (read-only) \??\T: 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe File opened (read-only) \??\U: 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 744 vssadmin.exe 436 vssadmin.exe 1652 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1564 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 1564 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 1564 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 1564 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 1564 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 1564 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 1564 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 1564 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 1564 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 1564 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 1564 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 1564 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 1564 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 1564 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 1564 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 1564 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 1564 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 1564 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 1564 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 1564 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 1564 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 1564 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 1564 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 1564 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 1564 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 1564 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 1564 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 1564 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 1564 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 1564 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 1564 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 1564 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 1564 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 1564 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 1564 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 1564 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 1564 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 1564 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 1564 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 1564 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 1564 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 1564 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 1564 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 1564 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 1564 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 1564 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 1564 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 1564 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 1564 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 1564 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 1564 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 1564 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 1564 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 1564 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 1564 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 1564 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 1564 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 1564 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 1564 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 1564 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 1564 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 1564 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 1564 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 1564 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe -
Suspicious use of AdjustPrivilegeToken 63 IoCs
description pid Process Token: SeBackupPrivilege 560 vssvc.exe Token: SeRestorePrivilege 560 vssvc.exe Token: SeAuditPrivilege 560 vssvc.exe Token: SeIncreaseQuotaPrivilege 284 wmic.exe Token: SeSecurityPrivilege 284 wmic.exe Token: SeTakeOwnershipPrivilege 284 wmic.exe Token: SeLoadDriverPrivilege 284 wmic.exe Token: SeSystemProfilePrivilege 284 wmic.exe Token: SeSystemtimePrivilege 284 wmic.exe Token: SeProfSingleProcessPrivilege 284 wmic.exe Token: SeIncBasePriorityPrivilege 284 wmic.exe Token: SeCreatePagefilePrivilege 284 wmic.exe Token: SeBackupPrivilege 284 wmic.exe Token: SeRestorePrivilege 284 wmic.exe Token: SeShutdownPrivilege 284 wmic.exe Token: SeDebugPrivilege 284 wmic.exe Token: SeSystemEnvironmentPrivilege 284 wmic.exe Token: SeRemoteShutdownPrivilege 284 wmic.exe Token: SeUndockPrivilege 284 wmic.exe Token: SeManageVolumePrivilege 284 wmic.exe Token: 33 284 wmic.exe Token: 34 284 wmic.exe Token: 35 284 wmic.exe Token: SeIncreaseQuotaPrivilege 1076 wmic.exe Token: SeSecurityPrivilege 1076 wmic.exe Token: SeTakeOwnershipPrivilege 1076 wmic.exe Token: SeLoadDriverPrivilege 1076 wmic.exe Token: SeSystemProfilePrivilege 1076 wmic.exe Token: SeSystemtimePrivilege 1076 wmic.exe Token: SeProfSingleProcessPrivilege 1076 wmic.exe Token: SeIncBasePriorityPrivilege 1076 wmic.exe Token: SeCreatePagefilePrivilege 1076 wmic.exe Token: SeBackupPrivilege 1076 wmic.exe Token: SeRestorePrivilege 1076 wmic.exe Token: SeShutdownPrivilege 1076 wmic.exe Token: SeDebugPrivilege 1076 wmic.exe Token: SeSystemEnvironmentPrivilege 1076 wmic.exe Token: SeRemoteShutdownPrivilege 1076 wmic.exe Token: SeUndockPrivilege 1076 wmic.exe Token: SeManageVolumePrivilege 1076 wmic.exe Token: 33 1076 wmic.exe Token: 34 1076 wmic.exe Token: 35 1076 wmic.exe Token: SeIncreaseQuotaPrivilege 1840 wmic.exe Token: SeSecurityPrivilege 1840 wmic.exe Token: SeTakeOwnershipPrivilege 1840 wmic.exe Token: SeLoadDriverPrivilege 1840 wmic.exe Token: SeSystemProfilePrivilege 1840 wmic.exe Token: SeSystemtimePrivilege 1840 wmic.exe Token: SeProfSingleProcessPrivilege 1840 wmic.exe Token: SeIncBasePriorityPrivilege 1840 wmic.exe Token: SeCreatePagefilePrivilege 1840 wmic.exe Token: SeBackupPrivilege 1840 wmic.exe Token: SeRestorePrivilege 1840 wmic.exe Token: SeShutdownPrivilege 1840 wmic.exe Token: SeDebugPrivilege 1840 wmic.exe Token: SeSystemEnvironmentPrivilege 1840 wmic.exe Token: SeRemoteShutdownPrivilege 1840 wmic.exe Token: SeUndockPrivilege 1840 wmic.exe Token: SeManageVolumePrivilege 1840 wmic.exe Token: 33 1840 wmic.exe Token: 34 1840 wmic.exe Token: 35 1840 wmic.exe -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 1564 wrote to memory of 744 1564 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 27 PID 1564 wrote to memory of 744 1564 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 27 PID 1564 wrote to memory of 744 1564 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 27 PID 1564 wrote to memory of 744 1564 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 27 PID 1564 wrote to memory of 284 1564 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 30 PID 1564 wrote to memory of 284 1564 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 30 PID 1564 wrote to memory of 284 1564 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 30 PID 1564 wrote to memory of 284 1564 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 30 PID 1564 wrote to memory of 436 1564 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 32 PID 1564 wrote to memory of 436 1564 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 32 PID 1564 wrote to memory of 436 1564 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 32 PID 1564 wrote to memory of 436 1564 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 32 PID 1564 wrote to memory of 1076 1564 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 34 PID 1564 wrote to memory of 1076 1564 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 34 PID 1564 wrote to memory of 1076 1564 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 34 PID 1564 wrote to memory of 1076 1564 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 34 PID 1564 wrote to memory of 1652 1564 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 36 PID 1564 wrote to memory of 1652 1564 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 36 PID 1564 wrote to memory of 1652 1564 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 36 PID 1564 wrote to memory of 1652 1564 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 36 PID 1564 wrote to memory of 1840 1564 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 38 PID 1564 wrote to memory of 1840 1564 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 38 PID 1564 wrote to memory of 1840 1564 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 38 PID 1564 wrote to memory of 1840 1564 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 38 PID 1796 wrote to memory of 1712 1796 taskeng.exe 43 PID 1796 wrote to memory of 1712 1796 taskeng.exe 43 PID 1796 wrote to memory of 1712 1796 taskeng.exe 43 PID 1796 wrote to memory of 1712 1796 taskeng.exe 43 -
System policy modification 1 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe"C:\Users\Admin\AppData\Local\Temp\03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe"1⤵
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1564 -
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
PID:744
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:284
-
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
PID:436
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1076
-
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
PID:1652
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1840
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:560
-
C:\Windows\system32\taskeng.exetaskeng.exe {589E65F4-1A45-4127-9371-DC61C72A51CE} S-1-5-21-3846991908-3261386348-1409841751-1000:VQVVOAJK\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
PID:1796 -
C:\Users\Admin\AppData\Roaming\svhost.exeC:\Users\Admin\AppData\Roaming\svhost.exe2⤵
- Executes dropped EXE
PID:1712
-