Analysis
-
max time kernel
169s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220112 -
submitted
01-02-2022 15:53
Static task
static1
Behavioral task
behavioral1
Sample
03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe
Resource
win7-en-20211208
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe
Resource
win10v2004-en-20220112
windows10-2004_x64
0 signatures
0 seconds
General
-
Target
03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe
-
Size
669KB
-
MD5
c963b021bb8c55cacd4b830c67186232
-
SHA1
58b69e090c23bbb16b656ee750f4e5a9aff246b2
-
SHA256
03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2
-
SHA512
9755275e20b1b43fe62846d29a7df59b3e0ef56c718d43a0091b887ba0d32d9bbf8147054d0ffb75691ac630ec269727b38d233b6cedf3e3492340089f3452b0
Score
10/10
Malware Config
Extracted
Path
C:\RECOVER_INSTRUCTIONS.html
Ransom Note
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=Edge">
<meta name="viewport" content="width=device-width, initial-scale=1, minimum-scale=1, user-scalable=yes">
<title>Title</title>
<style>
html, body, div, span, applet, object, iframe,
h1, h2, h3, h4, h5, h6, p, blockquote, pre,
a, abbr, acronym, address, big, cite, code,
del, dfn, em, img, ins, kbd, q, s, samp,
small, strike, strong, sub, sup, tt, var,
b, u, i, center,
dl, dt, dd, ol, ul, li,
fieldset, form, label, legend,
table, caption, tbody, tfoot, thead, tr, th, td,
article, aside, canvas, details, embed,
figure, figcaption, footer, header, hgroup,
menu, nav, output, ruby, section, summary,
time, mark, audio, video {
margin: 0;
padding: 0;
border: 0;
font-size: 100%;
font: inherit;
vertical-align: baseline; }
/* HTML5 display-role reset for older browsers */
article, aside, details, figcaption, figure,
footer, header, hgroup, menu, nav, section {
display: block; }
body {
font-family: Tahoma, Arial;
background: #717798; }
.all {
max-width: 1170px;
margin: auto;
background: #000;
min-height: 100px;
border-radius: 10px; }
.tl {
text-align: center;
color: #e03930;
font-family: Tahoma;
font-size: 28px;
font-weight: 700;
position: relative;
height: 60px;
line-height: 60px;
}
.close {
padding: 15px;
width: 36px;
height: 36px;
position: absolute;
right: 15px;
top:0;
}
.bg {
background: #252a42;
text-align: center;
color: #ffffff;
padding: 25px 15px;
font-size: 18px;
font-weight: 400;
line-height: 20px; }
.bg span {
color: #f25252; }
.bg a {
color: #9676fd;
font-size: 20px;
font-style: italic;
text-decoration: none;
line-height: 35px; }
.bg c {
color: #f25252;
font-weight: 500;
font-size: 20px;
line-height: 35px;}
.footer {
padding: 15px 0;}
.tl2 {
text-align: center;
color: #e03930;
font-size: 25px;
font-weight: 500;
line-height: 32px;
text-decoration: underline;
padding-bottom: 15px; }
.text {
min-height: 192px;
color: #ffffff;
font-size: 16px;
font-weight: 500;
line-height: 24px; }
.text div {
padding-right: 50px;
padding-left: 50px; }
@media (max-width: 767px) {
.tl {
height: auto;
padding-right: 50px;
line-height: 1.5;
}
.text div {
padding: 0 15px; }
.footer {
background: none; } }
</style>
</head>
<body>
<div class="all">
<div class="container">
<div class="tl">All your data are encrypted!
<div class="close"></div></div>
<div class="bg">
<c>What happened?</c> <br>
Your files are encrypted, and currently unavailable. <br>
You can check it: all files on you computer has new expansion.<br>
By the way, everything is possible to recover (restore), but you need to buy a unique decryptor. <br>
Otherwise, you never cant return your data.<br>
<br>
<c>For purchasing a decryptor contact us by email: </c><br>
<a href="mailto:[email protected]">[email protected]</a><br>
If you will get no answer within 24 hours contact us by our alternate emails: <br>
<a href="mailto:[email protected]">[email protected]</a> <br>
<br>
<c>What guarantees?</c> <br>
Its just a business. If we do not do our work and liabilities - nobody will not cooperate with us.<br>
To verify the possibility of the recovery of your files we can decrypted 1 file for free. <br>
Attach 1 file to the letter (no more than 10Mb). Indicate your <b>personal ID</b> on the letter:<br>
<span style="width:800px; word-wrap:break-word; display:inline-block; color: #ffffff; font-size: 10px;">2F7E7942554143CE14E370343E6B4DD771B19978FE7C17E63693A272CF2F497E8935D76AD17EECE4E825A0BF7CC573EE8BA95B2FA395CED8DB581B78DD50CE9F<br>753A5CE4B6EE11E89948EDDFA8059992B73B1A9BBA49390E1517CC32745BBDF3B8EE0BBB3AFA1E608AA883366CFC25FEA099C74DC58E1C9D63A944EDC7A5<br>12157F1035DDC7EDA4B536F0647CDD5BBE114BF9FFA6E4035C562DD3CA4A3EAE4B00085B5DD7A775BF5C36C9C9E200989CBC09D3DE485880008DAB549FDF<br>6ADF8FB796ED8F9E03BB0EB1B84B38CE70DC0302118FA78B28706098C03F4D82E293695E11FAAF67190F177AB0599409088FE85E2AE7393C73982F0DF53D<br>89143F6F6C2B2859D5AD5FCACE331EAA9F721E17E543E675AFC91AE85200E150B201B4A7B3FCCE0B60E3B9FC545538112FC5CE00CB88BB4FF2FEDFDFD0B3<br>7BB8C2802A97D96B9EB5B5E76E913EC78B3B0BC7C978E53EA8BC06E0C5B6EB8A50500D6122A342BD326D67BF9505F8653F92D25F5D073A7F3DAC3CE33C17<br>07D541528DAE0943C339A58DC7B45D5EF7DA2B78C4C56774096E8305E3617C95CEB37B78E8B392F87A191892E75B8413C25764DA514A53491E60684217C6<br>841F7C6A23D70429983585C31A55F16962D139AFAC5FCAEB6D780A61A3D2DB4559E7163DDCDD2726BB4704A12FA8C2B1197FD70BEBC4E47CDB130927E767<br>F21165AD4DA7C86BDBB4DB98AEA8</span>
<br>
</div>
<div class="footer">
<div class="tl2">
Attention!
</div>
<div class="bg2">
<div class="text">
<div>
- Attempts of change files by yourself will result in a loose of data. <br>
- Our e-mail can be blocked over time. Write now, loss of contact with us will result in a loose of data.<br>
- Use any third party software for restoring your data or antivirus solutions will result in a loose of data. <br>
- Decryptors of other users are unique and will not fit your files and use of those will result in a loose of data.<br>
- If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key.
</div>
</div>
</div>
</div>
</div>
</div>
</body>
</html>
Emails
href="mailto:[email protected]">[email protected]</a><br>
href="mailto:[email protected]">[email protected]</a>
URLs
http-equiv="X-UA-Compatible"
Signatures
-
MedusaLocker
Ransomware with several variants first seen in September 2019.
-
MedusaLocker Payload 2 IoCs
Processes:
resource yara_rule behavioral2/files/0x000b000000021e12-130.dat family_medusalocker behavioral2/files/0x000b000000021e12-131.dat family_medusalocker -
Executes dropped EXE 1 IoCs
Processes:
svhost.exepid Process 1232 svhost.exe -
Processes:
03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exedescription ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe -
Drops desktop.ini file(s) 1 IoCs
Processes:
03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exedescription ioc Process File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-790714498-1549421491-1643397139-1000\desktop.ini 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exedescription ioc Process File opened (read-only) \??\P: 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe File opened (read-only) \??\U: 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe File opened (read-only) \??\B: 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe File opened (read-only) \??\E: 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe File opened (read-only) \??\L: 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe File opened (read-only) \??\M: 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe File opened (read-only) \??\O: 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe File opened (read-only) \??\F: 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe File opened (read-only) \??\K: 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe File opened (read-only) \??\X: 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe File opened (read-only) \??\V: 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe File opened (read-only) \??\W: 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe File opened (read-only) \??\Y: 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe File opened (read-only) \??\J: 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe File opened (read-only) \??\N: 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe File opened (read-only) \??\Q: 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe File opened (read-only) \??\S: 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe File opened (read-only) \??\T: 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe File opened (read-only) \??\Z: 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe File opened (read-only) \??\A: 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe File opened (read-only) \??\G: 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe File opened (read-only) \??\H: 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe File opened (read-only) \??\I: 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe File opened (read-only) \??\R: 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
MusNotifyIcon.exedescription ioc Process Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 MusNotifyIcon.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz MusNotifyIcon.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exepid Process 3532 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 3532 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 3532 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 3532 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 3532 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 3532 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 3532 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 3532 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 3532 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 3532 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 3532 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 3532 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 3532 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 3532 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 3532 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 3532 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 3532 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 3532 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 3532 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 3532 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 3532 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 3532 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 3532 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 3532 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 3532 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 3532 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 3532 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 3532 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 3532 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 3532 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 3532 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 3532 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 3532 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 3532 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 3532 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 3532 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 3532 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 3532 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 3532 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 3532 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 3532 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 3532 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 3532 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 3532 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 3532 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 3532 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 3532 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 3532 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 3532 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 3532 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 3532 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 3532 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 3532 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 3532 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 3532 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 3532 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 3532 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 3532 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 3532 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 3532 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 3532 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 3532 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 3532 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 3532 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe -
Suspicious use of AdjustPrivilegeToken 63 IoCs
Processes:
wmic.exewmic.exewmic.exedescription pid Process Token: SeIncreaseQuotaPrivilege 1912 wmic.exe Token: SeSecurityPrivilege 1912 wmic.exe Token: SeTakeOwnershipPrivilege 1912 wmic.exe Token: SeLoadDriverPrivilege 1912 wmic.exe Token: SeSystemProfilePrivilege 1912 wmic.exe Token: SeSystemtimePrivilege 1912 wmic.exe Token: SeProfSingleProcessPrivilege 1912 wmic.exe Token: SeIncBasePriorityPrivilege 1912 wmic.exe Token: SeCreatePagefilePrivilege 1912 wmic.exe Token: SeBackupPrivilege 1912 wmic.exe Token: SeRestorePrivilege 1912 wmic.exe Token: SeShutdownPrivilege 1912 wmic.exe Token: SeDebugPrivilege 1912 wmic.exe Token: SeSystemEnvironmentPrivilege 1912 wmic.exe Token: SeRemoteShutdownPrivilege 1912 wmic.exe Token: SeUndockPrivilege 1912 wmic.exe Token: SeManageVolumePrivilege 1912 wmic.exe Token: 33 1912 wmic.exe Token: 34 1912 wmic.exe Token: 35 1912 wmic.exe Token: 36 1912 wmic.exe Token: SeIncreaseQuotaPrivilege 2360 wmic.exe Token: SeSecurityPrivilege 2360 wmic.exe Token: SeTakeOwnershipPrivilege 2360 wmic.exe Token: SeLoadDriverPrivilege 2360 wmic.exe Token: SeSystemProfilePrivilege 2360 wmic.exe Token: SeSystemtimePrivilege 2360 wmic.exe Token: SeProfSingleProcessPrivilege 2360 wmic.exe Token: SeIncBasePriorityPrivilege 2360 wmic.exe Token: SeCreatePagefilePrivilege 2360 wmic.exe Token: SeBackupPrivilege 2360 wmic.exe Token: SeRestorePrivilege 2360 wmic.exe Token: SeShutdownPrivilege 2360 wmic.exe Token: SeDebugPrivilege 2360 wmic.exe Token: SeSystemEnvironmentPrivilege 2360 wmic.exe Token: SeRemoteShutdownPrivilege 2360 wmic.exe Token: SeUndockPrivilege 2360 wmic.exe Token: SeManageVolumePrivilege 2360 wmic.exe Token: 33 2360 wmic.exe Token: 34 2360 wmic.exe Token: 35 2360 wmic.exe Token: 36 2360 wmic.exe Token: SeIncreaseQuotaPrivilege 3952 wmic.exe Token: SeSecurityPrivilege 3952 wmic.exe Token: SeTakeOwnershipPrivilege 3952 wmic.exe Token: SeLoadDriverPrivilege 3952 wmic.exe Token: SeSystemProfilePrivilege 3952 wmic.exe Token: SeSystemtimePrivilege 3952 wmic.exe Token: SeProfSingleProcessPrivilege 3952 wmic.exe Token: SeIncBasePriorityPrivilege 3952 wmic.exe Token: SeCreatePagefilePrivilege 3952 wmic.exe Token: SeBackupPrivilege 3952 wmic.exe Token: SeRestorePrivilege 3952 wmic.exe Token: SeShutdownPrivilege 3952 wmic.exe Token: SeDebugPrivilege 3952 wmic.exe Token: SeSystemEnvironmentPrivilege 3952 wmic.exe Token: SeRemoteShutdownPrivilege 3952 wmic.exe Token: SeUndockPrivilege 3952 wmic.exe Token: SeManageVolumePrivilege 3952 wmic.exe Token: 33 3952 wmic.exe Token: 34 3952 wmic.exe Token: 35 3952 wmic.exe Token: 36 3952 wmic.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exedescription pid Process procid_target PID 3532 wrote to memory of 1912 3532 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 58 PID 3532 wrote to memory of 1912 3532 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 58 PID 3532 wrote to memory of 1912 3532 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 58 PID 3532 wrote to memory of 2360 3532 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 63 PID 3532 wrote to memory of 2360 3532 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 63 PID 3532 wrote to memory of 2360 3532 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 63 PID 3532 wrote to memory of 3952 3532 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 65 PID 3532 wrote to memory of 3952 3532 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 65 PID 3532 wrote to memory of 3952 3532 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe 65 -
System policy modification 1 TTPs 3 IoCs
Processes:
03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exedescription ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe"C:\Users\Admin\AppData\Local\Temp\03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2.exe"1⤵
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3532 -
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1912
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2360
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3952
-
-
C:\Windows\system32\MusNotifyIcon.exe%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 131⤵
- Checks processor information in registry
PID:772
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k wusvcs -p1⤵PID:1392
-
C:\Users\Admin\AppData\Roaming\svhost.exeC:\Users\Admin\AppData\Roaming\svhost.exe1⤵
- Executes dropped EXE
PID:1232
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
c963b021bb8c55cacd4b830c67186232
SHA158b69e090c23bbb16b656ee750f4e5a9aff246b2
SHA25603ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2
SHA5129755275e20b1b43fe62846d29a7df59b3e0ef56c718d43a0091b887ba0d32d9bbf8147054d0ffb75691ac630ec269727b38d233b6cedf3e3492340089f3452b0
-
MD5
c963b021bb8c55cacd4b830c67186232
SHA158b69e090c23bbb16b656ee750f4e5a9aff246b2
SHA25603ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2
SHA5129755275e20b1b43fe62846d29a7df59b3e0ef56c718d43a0091b887ba0d32d9bbf8147054d0ffb75691ac630ec269727b38d233b6cedf3e3492340089f3452b0