Analysis
-
max time kernel
160s -
max time network
137s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
01/02/2022, 15:53
Static task
static1
Behavioral task
behavioral1
Sample
03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe
Resource
win7-en-20211208
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe
Resource
win10v2004-en-20220112
windows10-2004_x64
0 signatures
0 seconds
General
-
Target
03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe
-
Size
669KB
-
MD5
87c5c72a57a08ca2f3bfac5485eb0fe6
-
SHA1
4d38a9aaa50bc35439054610bb45eb2298458404
-
SHA256
03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c
-
SHA512
b1715fcd1cd80ec857dbc11f5d9a4933c18029d4f18720deb6036ca30ac1b34f3efda5e436dfadc64a7391184c21356bb99b93aee3c3c8f0a78f08dd1e4e2aeb
Malware Config
Extracted
Path
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\RECOVER_INSTRUCTIONS.html
Ransom Note
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=Edge">
<meta name="viewport" content="width=device-width, initial-scale=1, minimum-scale=1, user-scalable=yes">
<title>Title</title>
<style>
html, body, div, span, applet, object, iframe,
h1, h2, h3, h4, h5, h6, p, blockquote, pre,
a, abbr, acronym, address, big, cite, code,
del, dfn, em, img, ins, kbd, q, s, samp,
small, strike, strong, sub, sup, tt, var,
b, u, i, center,
dl, dt, dd, ol, ul, li,
fieldset, form, label, legend,
table, caption, tbody, tfoot, thead, tr, th, td,
article, aside, canvas, details, embed,
figure, figcaption, footer, header, hgroup,
menu, nav, output, ruby, section, summary,
time, mark, audio, video {
margin: 0;
padding: 0;
border: 0;
font-size: 100%;
font: inherit;
vertical-align: baseline; }
/* HTML5 display-role reset for older browsers */
article, aside, details, figcaption, figure,
footer, header, hgroup, menu, nav, section {
display: block; }
body {
font-family: Tahoma, Arial;
background: #717798; }
.all {
max-width: 1170px;
margin: auto;
background: #000;
min-height: 100px;
border-radius: 10px; }
.tl {
text-align: center;
color: #e03930;
font-family: Tahoma;
font-size: 28px;
font-weight: 700;
position: relative;
height: 60px;
line-height: 60px;
}
.close {
padding: 15px;
width: 36px;
height: 36px;
position: absolute;
right: 15px;
top:0;
}
.bg {
background: #252a42;
text-align: center;
color: #ffffff;
padding: 25px 15px;
font-size: 18px;
font-weight: 400;
line-height: 20px; }
.bg span {
color: #f25252; }
.bg a {
color: #9676fd;
font-size: 20px;
font-style: italic;
text-decoration: none;
line-height: 35px; }
.bg c {
color: #f25252;
font-weight: 500;
font-size: 20px;
line-height: 35px;}
.footer {
padding: 15px 0;}
.tl2 {
text-align: center;
color: #e03930;
font-size: 25px;
font-weight: 500;
line-height: 32px;
text-decoration: underline;
padding-bottom: 15px; }
.text {
min-height: 192px;
color: #ffffff;
font-size: 16px;
font-weight: 500;
line-height: 24px; }
.text div {
padding-right: 50px;
padding-left: 50px; }
@media (max-width: 767px) {
.tl {
height: auto;
padding-right: 50px;
line-height: 1.5;
}
.text div {
padding: 0 15px; }
.footer {
background: none; } }
</style>
</head>
<body>
<div class="all">
<div class="container">
<div class="tl">All your data are encrypted!
<div class="close"></div></div>
<div class="bg">
<c>What happened?</c> <br>
Your files are encrypted, and currently unavailable. <br>
You can check it: all files on you computer has new expansion.<br>
By the way, everything is possible to recover (restore), but you need to buy a unique decryptor. <br>
Otherwise, you never cant return your data.<br>
<br>
<c>For purchasing a decryptor contact us by email: </c><br>
<a href="mailto:[email protected]">[email protected]</a><br>
If you will get no answer within 24 hours contact us by our alternate emails: <br>
<a href="mailto:[email protected]">[email protected]</a> <br>
<br>
<c>What guarantees?</c> <br>
Its just a business. If we do not do our work and liabilities - nobody will not cooperate with us.<br>
To verify the possibility of the recovery of your files we can decrypted 1 file for free. <br>
Attach 1 file to the letter (no more than 10Mb). Indicate your <b>personal ID</b> on the letter:<br>
<span style="width:800px; word-wrap:break-word; display:inline-block; color: #ffffff; font-size: 10px;">415232788CDB7D69986F1146A8BAE980440B12CB3CA2AB93FD94B853BB9FBEB209F0626892CBA1574FD639FF88C86291CE131B11857DE36F2D131CFD376269D7<br>FB2EAF8C60726990DE24A4AF706F89E81AB78B3DB8F6B26F3880CBEA8C28809F5AF6731CA3B1F632D94836DEC3576C4AE138F2C8A2EC97EAEAD338212168<br>816F9341C0D98EC1719CBE6C5152E38A9BE1ED804622ECE3C98F89D52078F5C78D24398D378C7314658CBB53A5AC92015236E2EB19382BFCCA8B5EBE1BDD<br>567D2F7D9AFD61598F4EFBAE69CA24F6BFE3071C2E265F2DB5637C0A0CFC43CE6608ED38C5EA616F7F68B1752D1CC236EFE84E72CDC463C5742D00CEF4F2<br>FE2D7F58112E8607F364047DF434B433E87F0A8E6CAB0A38ED887C8744C40FA1E1B7F7EA10A86E4EC9ADB214366D5B315489D50D42606C6AE50EA7B3C494<br>C2A23C1227A2394A297AA1C58EC55AA9B07D4C7A8413D2DC67F0E8D1BF5B0993F2B8644890B79349770AD85CF60BBDD5543688ADC8A70CB2CBA861B0CD14<br>2A8CA6F529F088AD90068655DD5872D5022E4921B3D521F99769886AA2D22E6A72A15A36880480C73CD23B45AD11C82233D2BDDB0790FD03DC8B3193101A<br>B58AFCC21FB1306287B6AD00D4380068D4383DF47354C96966647E4CAE84E490F466FA070A83481F91A7503272283DA094903A65A43EAE864A1C246A4D2B<br>916ACDFA54C4C28D6D07DD5B7746</span>
<br>
</div>
<div class="footer">
<div class="tl2">
Attention!
</div>
<div class="bg2">
<div class="text">
<div>
- Attempts of change files by yourself will result in a loose of data. <br>
- Our e-mail can be blocked over time. Write now, loss of contact with us will result in a loose of data.<br>
- Use any third party software for restoring your data or antivirus solutions will result in a loose of data. <br>
- Decryptors of other users are unique and will not fit your files and use of those will result in a loose of data.<br>
- If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key.
</div>
</div>
</div>
</div>
</div>
</div>
</body>
</html>
Emails
href="mailto:[email protected]">[email protected]</a><br>
href="mailto:[email protected]">[email protected]</a>
URLs
http-equiv="X-UA-Compatible"
Signatures
-
MedusaLocker
Ransomware with several variants first seen in September 2019.
-
MedusaLocker Payload 2 IoCs
resource yara_rule behavioral1/files/0x0007000000013413-55.dat family_medusalocker behavioral1/files/0x0007000000013413-56.dat family_medusalocker -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 1 IoCs
pid Process 1696 svhost.exe -
Modifies extensions of user files 7 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File renamed C:\Users\Admin\Pictures\SelectSearch.tif => C:\Users\Admin\Pictures\SelectSearch.tif.READINSTRUCTIONS 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe File renamed C:\Users\Admin\Pictures\WaitExit.raw => C:\Users\Admin\Pictures\WaitExit.raw.READINSTRUCTIONS 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe File renamed C:\Users\Admin\Pictures\ExitTrace.png => C:\Users\Admin\Pictures\ExitTrace.png.READINSTRUCTIONS 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe File opened for modification C:\Users\Admin\Pictures\ExportSearch.tiff 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe File renamed C:\Users\Admin\Pictures\ExportSearch.tiff => C:\Users\Admin\Pictures\ExportSearch.tiff.READINSTRUCTIONS 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe File opened for modification C:\Users\Admin\Pictures\InstallUnregister.tiff 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe File renamed C:\Users\Admin\Pictures\InstallUnregister.tiff => C:\Users\Admin\Pictures\InstallUnregister.tiff.READINSTRUCTIONS 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe -
Drops desktop.ini file(s) 1 IoCs
description ioc Process File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-3846991908-3261386348-1409841751-1000\desktop.ini 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\G: 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe File opened (read-only) \??\I: 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe File opened (read-only) \??\Z: 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe File opened (read-only) \??\E: 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe File opened (read-only) \??\H: 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe File opened (read-only) \??\K: 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe File opened (read-only) \??\L: 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe File opened (read-only) \??\M: 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe File opened (read-only) \??\S: 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe File opened (read-only) \??\V: 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe File opened (read-only) \??\Y: 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe File opened (read-only) \??\B: 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe File opened (read-only) \??\N: 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe File opened (read-only) \??\O: 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe File opened (read-only) \??\R: 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe File opened (read-only) \??\T: 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe File opened (read-only) \??\U: 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe File opened (read-only) \??\X: 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe File opened (read-only) \??\F: 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe File opened (read-only) \??\J: 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe File opened (read-only) \??\P: 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe File opened (read-only) \??\Q: 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe File opened (read-only) \??\W: 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe File opened (read-only) \??\A: 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 828 vssadmin.exe 1388 vssadmin.exe 1944 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1684 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe 1684 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe 1684 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe 1684 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe 1684 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe 1684 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe 1684 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe 1684 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe 1684 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe 1684 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe 1684 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe 1684 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe 1684 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe 1684 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe 1684 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe 1684 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe 1684 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe 1684 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe 1684 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe 1684 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe 1684 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe 1684 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe 1684 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe 1684 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe 1684 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe 1684 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe 1684 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe 1684 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe 1684 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe 1684 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe 1684 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe 1684 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe 1684 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe 1684 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe 1684 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe 1684 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe 1684 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe 1684 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe 1684 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe 1684 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe 1684 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe 1684 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe 1684 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe 1684 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe 1684 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe 1684 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe 1684 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe 1684 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe 1684 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe 1684 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe 1684 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe 1684 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe 1684 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe 1684 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe 1684 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe 1684 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe 1684 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe 1684 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe 1684 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe 1684 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe 1684 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe 1684 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe 1684 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe 1684 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe -
Suspicious use of AdjustPrivilegeToken 63 IoCs
description pid Process Token: SeBackupPrivilege 268 vssvc.exe Token: SeRestorePrivilege 268 vssvc.exe Token: SeAuditPrivilege 268 vssvc.exe Token: SeIncreaseQuotaPrivilege 996 wmic.exe Token: SeSecurityPrivilege 996 wmic.exe Token: SeTakeOwnershipPrivilege 996 wmic.exe Token: SeLoadDriverPrivilege 996 wmic.exe Token: SeSystemProfilePrivilege 996 wmic.exe Token: SeSystemtimePrivilege 996 wmic.exe Token: SeProfSingleProcessPrivilege 996 wmic.exe Token: SeIncBasePriorityPrivilege 996 wmic.exe Token: SeCreatePagefilePrivilege 996 wmic.exe Token: SeBackupPrivilege 996 wmic.exe Token: SeRestorePrivilege 996 wmic.exe Token: SeShutdownPrivilege 996 wmic.exe Token: SeDebugPrivilege 996 wmic.exe Token: SeSystemEnvironmentPrivilege 996 wmic.exe Token: SeRemoteShutdownPrivilege 996 wmic.exe Token: SeUndockPrivilege 996 wmic.exe Token: SeManageVolumePrivilege 996 wmic.exe Token: 33 996 wmic.exe Token: 34 996 wmic.exe Token: 35 996 wmic.exe Token: SeIncreaseQuotaPrivilege 1092 wmic.exe Token: SeSecurityPrivilege 1092 wmic.exe Token: SeTakeOwnershipPrivilege 1092 wmic.exe Token: SeLoadDriverPrivilege 1092 wmic.exe Token: SeSystemProfilePrivilege 1092 wmic.exe Token: SeSystemtimePrivilege 1092 wmic.exe Token: SeProfSingleProcessPrivilege 1092 wmic.exe Token: SeIncBasePriorityPrivilege 1092 wmic.exe Token: SeCreatePagefilePrivilege 1092 wmic.exe Token: SeBackupPrivilege 1092 wmic.exe Token: SeRestorePrivilege 1092 wmic.exe Token: SeShutdownPrivilege 1092 wmic.exe Token: SeDebugPrivilege 1092 wmic.exe Token: SeSystemEnvironmentPrivilege 1092 wmic.exe Token: SeRemoteShutdownPrivilege 1092 wmic.exe Token: SeUndockPrivilege 1092 wmic.exe Token: SeManageVolumePrivilege 1092 wmic.exe Token: 33 1092 wmic.exe Token: 34 1092 wmic.exe Token: 35 1092 wmic.exe Token: SeIncreaseQuotaPrivilege 1116 wmic.exe Token: SeSecurityPrivilege 1116 wmic.exe Token: SeTakeOwnershipPrivilege 1116 wmic.exe Token: SeLoadDriverPrivilege 1116 wmic.exe Token: SeSystemProfilePrivilege 1116 wmic.exe Token: SeSystemtimePrivilege 1116 wmic.exe Token: SeProfSingleProcessPrivilege 1116 wmic.exe Token: SeIncBasePriorityPrivilege 1116 wmic.exe Token: SeCreatePagefilePrivilege 1116 wmic.exe Token: SeBackupPrivilege 1116 wmic.exe Token: SeRestorePrivilege 1116 wmic.exe Token: SeShutdownPrivilege 1116 wmic.exe Token: SeDebugPrivilege 1116 wmic.exe Token: SeSystemEnvironmentPrivilege 1116 wmic.exe Token: SeRemoteShutdownPrivilege 1116 wmic.exe Token: SeUndockPrivilege 1116 wmic.exe Token: SeManageVolumePrivilege 1116 wmic.exe Token: 33 1116 wmic.exe Token: 34 1116 wmic.exe Token: 35 1116 wmic.exe -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 1684 wrote to memory of 1388 1684 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe 27 PID 1684 wrote to memory of 1388 1684 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe 27 PID 1684 wrote to memory of 1388 1684 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe 27 PID 1684 wrote to memory of 1388 1684 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe 27 PID 1684 wrote to memory of 996 1684 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe 30 PID 1684 wrote to memory of 996 1684 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe 30 PID 1684 wrote to memory of 996 1684 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe 30 PID 1684 wrote to memory of 996 1684 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe 30 PID 1684 wrote to memory of 1944 1684 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe 32 PID 1684 wrote to memory of 1944 1684 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe 32 PID 1684 wrote to memory of 1944 1684 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe 32 PID 1684 wrote to memory of 1944 1684 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe 32 PID 1684 wrote to memory of 1092 1684 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe 34 PID 1684 wrote to memory of 1092 1684 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe 34 PID 1684 wrote to memory of 1092 1684 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe 34 PID 1684 wrote to memory of 1092 1684 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe 34 PID 1684 wrote to memory of 828 1684 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe 36 PID 1684 wrote to memory of 828 1684 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe 36 PID 1684 wrote to memory of 828 1684 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe 36 PID 1684 wrote to memory of 828 1684 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe 36 PID 1684 wrote to memory of 1116 1684 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe 38 PID 1684 wrote to memory of 1116 1684 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe 38 PID 1684 wrote to memory of 1116 1684 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe 38 PID 1684 wrote to memory of 1116 1684 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe 38 PID 792 wrote to memory of 1696 792 taskeng.exe 43 PID 792 wrote to memory of 1696 792 taskeng.exe 43 PID 792 wrote to memory of 1696 792 taskeng.exe 43 PID 792 wrote to memory of 1696 792 taskeng.exe 43 -
System policy modification 1 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" 03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe"C:\Users\Admin\AppData\Local\Temp\03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c.exe"1⤵
- Modifies extensions of user files
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1684 -
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
PID:1388
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:996
-
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
PID:1944
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1092
-
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
PID:828
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1116
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:268
-
C:\Windows\system32\taskeng.exetaskeng.exe {C4A5D99E-A25C-49D2-B1E3-7D0F9C2AD9FA} S-1-5-21-3846991908-3261386348-1409841751-1000:VQVVOAJK\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
PID:792 -
C:\Users\Admin\AppData\Roaming\svhost.exeC:\Users\Admin\AppData\Roaming\svhost.exe2⤵
- Executes dropped EXE
PID:1696
-