medusalocker | 8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29

Analysis

max time kernel
176s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
06/03/2022, 06:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe
Size

678KB
MD5

cd5e831586e171b130dd719e73e13f62
SHA1

baf8da95632066364ff74df394bc2979c49e1993
SHA256

8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29
SHA512

f4d615a45d45b3630c9d2840dec3cd710d3dcb68ed60e74248e0026c99c62f4c3fbb2ae2b354d6492cc2b18c1b6cbc6eea8137100a42d591b07d191184f33ee0

Score

10^/10

medusalocker evasion ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\Recovery_Instructions.html

Ransom Note

<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">7A4DBD3E0BEC56261C7180789DB28B7A5952949C468E4B105B5DD449D02381A7A068402B59936AB37E90BF09443F0818052E9F9FFA5D86EA19C1FA589B4AFB71<br>AFCEE0DB8E3B5C9668488CBF1499E3E9424178B25F075A9180536B3A85950863CF3F93314823DA48EF75A8A03DC4D7DC0A1851AD8B7185661C706A11F2E0<br>D38A26DFDEB6B7A4A68A647450735F382F5B2EF72C09E6669B70EDD98C09A1F4C6C6B2FE62A8ADAF3374025B16D0E462516E63E013F4A8523F1FA1D0A909<br>247924798DF58EF92354DF7184F9009A20AD87E0E45D6A82AF6D78D88EAC3FBEC07C9B6A6B397DC3EEB74D98A0E85C2C52D71C30FE550F7468081C8CEC6B<br>3A0CAFCC7F4DD51B6911E4F6AEA386D31B39C5D37BD41526B5E550B207216CB8A62C367D3B68DB362CDCBB3669F1359D6A2BB2DD88C519D69502699C5CEC<br>2DCAF2770E9FE3EF4023BC9DC1B2CDEE585563591020467808361950DA3B64943B4EF50E042B545B4F74225C3AB5056CEA8338FD1540937D635CBED9DE30<br>22AD6AE7B2CAA5F5D5F367556330A6A2E9FCF5920B8FE1403EE9A7276351832CA836C3E2E8E6D258F6B22FCA1C4FA0059D579E64AF0CA0D9C48B788E97BF<br>DC4E0292CA63684754FD3B09019F952C6631DB5B9E0995D3782D9EB25BE0A64420A672730135506120A333AF5184184A7132234FF308380DAEE05F287CBD<br>AF58F1F3C65ED192E761CDC7C31A</span> <br>  </div> </div>  <div class="tabs">  <div class="tab"> <div id="tab-content1" class="content"> <div class="text">  <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>ALL YOUR IMPORTANT FILES HAVE BEEN ENCRYPTED!</b><br><br> YOUR FILES ARE SAFE! JUST MODIFIED ONLY. (RSA+AES) <br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMENANTLY DESTROY YOUR FILE.<br> DO NOT MODIFY ENCRYPTED FILES. DO NOT RENAME ENCRYPTED FILES.<br><br> NO SOFTWARE AVAILABLE ON INTERNET CAN HELP YOU. WE ONLY HAVE<br> SOLUTION TO YOUR PROBLEM.<br><br> WE GATHERED HIGHLY CONFIDENTIAL/PERSORNAL DATA. THESE DATA<br> ARE CURRENTLY STORED ON A PRIVATE SERVER. THIS SERVER WILL BE<br> IMMEDIATELY DESTROYED AFTER YOUR PAYMENT. WE ONLY SEEK MONEY<br> AND DO NOT WANT TO DAMAGE YOUR REPUTATION. IF YOU DECIDE TO<br> NOT PAY, WE WILL RELEASE THIS DATA TO PUBLIC OR RE-SELLER.<br><br> <b>Important! Emails from us may come to you in spam, so please check your spam!.</b><br><br> <a href=" [email protected] ? ">Your files are uploaded to the cloud. if you refuse to pay, we will put your data up for auction </a> <hr> YOU WILL CAN SEND US 2-3 NON-IMPORTANT FILES AND WE WILL<br> DECRYPT IT FOR FREE TO PROVE WE ARE ABLE TO GIVE YOUR FILES<br> BACK.<br><br>  <hr> <b>Contact us for price and get decryption software.</b><br><br> <a href="">http://gvlay6u4g53rxdi5.onion/8-wnO3bDcxIf8DcvdLyfIYTpkXq8pHVAOt-hpbJ4jkalDTXRjGLiFYuEPE9UL43Teiu</a><br> * Note that this server is available via Tor browser only<br><br> Follow the instructions to open the link:<br> 1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br> 2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br> 3. Now you have Tor browser. In the Tor Browser open "{{URL}}". <br> 4. Start a chat and follow the further instructions. <br><br> <b>If you can't use the above link, use the email:</b><br> <a href=" [email protected] ? ">[email protected] </a> <hr> <a href=" [email protected] ? ">[email protected] </a> <hr> MAKE CONTACT AS SOON AS POSSIBLE. YOUR DECRYPTION KEY IS ONLY STORED <br> TEMPORARLY. IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER. </div> </div> </div>   </div> </div>  </div> </div> </body> </html>

Emails

Signatures

MedusaLocker
Ransomware with several variants first seen in September 2019.
ransomware medusalocker

MedusaLocker Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000500000001e7bd-130.dat	family_medusalocker
behavioral2/files/0x000500000001e7bd-131.dat	family_medusalocker

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

Executes dropped EXE 1 IoCs

pid	Process
4956	svhost.exe

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\MergePop.png => C:\Users\Admin\Pictures\MergePop.png.divsouth	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe
File renamed	C:\Users\Admin\Pictures\UseStep.raw => C:\Users\Admin\Pictures\UseStep.raw.divsouth	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	\??\Z:\$RECYCLE.BIN\S-1-5-21-1346565761-3498240568-4147300184-1000\desktop.ini	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe
File opened (read-only)	\??\K:	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe
File opened (read-only)	\??\M:	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe
File opened (read-only)	\??\N:	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe
File opened (read-only)	\??\S:	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe
File opened (read-only)	\??\W:	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe
File opened (read-only)	\??\X:	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe
File opened (read-only)	\??\Y:	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe
File opened (read-only)	\??\A:	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe
File opened (read-only)	\??\I:	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe
File opened (read-only)	\??\L:	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe
File opened (read-only)	\??\O:	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe
File opened (read-only)	\??\P:	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe
File opened (read-only)	\??\R:	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe
File opened (read-only)	\??\H:	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe
File opened (read-only)	\??\J:	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe
File opened (read-only)	\??\T:	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe
File opened (read-only)	\??\Z:	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe
File opened (read-only)	\??\B:	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe
File opened (read-only)	\??\F:	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe
File opened (read-only)	\??\G:	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe
File opened (read-only)	\??\Q:	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe
File opened (read-only)	\??\U:	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe
File opened (read-only)	\??\V:	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1644	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe
1644	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe
1644	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe
1644	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe
1644	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe
1644	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe
1644	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe
1644	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe
1644	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe
1644	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe
1644	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe
1644	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe
1644	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe
1644	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe
1644	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe
1644	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe
1644	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe
1644	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe
1644	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe
1644	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe
1644	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe
1644	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe
1644	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe
1644	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe
1644	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe
1644	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe
1644	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe
1644	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe
1644	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe
1644	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe
1644	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe
1644	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe
1644	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe
1644	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe
1644	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe
1644	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe
1644	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe
1644	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe
1644	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe
1644	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe
1644	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe
1644	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe
1644	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe
1644	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe
1644	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe
1644	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe
1644	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe
1644	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe
1644	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe
1644	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe
1644	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe
1644	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe
1644	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe
1644	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe
1644	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe
1644	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe
1644	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe
1644	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe
1644	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe
1644	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe
1644	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe
1644	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe
1644	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe
1644	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe

Suspicious use of AdjustPrivilegeToken 63 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2564	wmic.exe
Token: SeSecurityPrivilege	2564	wmic.exe
Token: SeTakeOwnershipPrivilege	2564	wmic.exe
Token: SeLoadDriverPrivilege	2564	wmic.exe
Token: SeSystemProfilePrivilege	2564	wmic.exe
Token: SeSystemtimePrivilege	2564	wmic.exe
Token: SeProfSingleProcessPrivilege	2564	wmic.exe
Token: SeIncBasePriorityPrivilege	2564	wmic.exe
Token: SeCreatePagefilePrivilege	2564	wmic.exe
Token: SeBackupPrivilege	2564	wmic.exe
Token: SeRestorePrivilege	2564	wmic.exe
Token: SeShutdownPrivilege	2564	wmic.exe
Token: SeDebugPrivilege	2564	wmic.exe
Token: SeSystemEnvironmentPrivilege	2564	wmic.exe
Token: SeRemoteShutdownPrivilege	2564	wmic.exe
Token: SeUndockPrivilege	2564	wmic.exe
Token: SeManageVolumePrivilege	2564	wmic.exe
Token: 33	2564	wmic.exe
Token: 34	2564	wmic.exe
Token: 35	2564	wmic.exe
Token: 36	2564	wmic.exe
Token: SeIncreaseQuotaPrivilege	2724	wmic.exe
Token: SeSecurityPrivilege	2724	wmic.exe
Token: SeTakeOwnershipPrivilege	2724	wmic.exe
Token: SeLoadDriverPrivilege	2724	wmic.exe
Token: SeSystemProfilePrivilege	2724	wmic.exe
Token: SeSystemtimePrivilege	2724	wmic.exe
Token: SeProfSingleProcessPrivilege	2724	wmic.exe
Token: SeIncBasePriorityPrivilege	2724	wmic.exe
Token: SeCreatePagefilePrivilege	2724	wmic.exe
Token: SeBackupPrivilege	2724	wmic.exe
Token: SeRestorePrivilege	2724	wmic.exe
Token: SeShutdownPrivilege	2724	wmic.exe
Token: SeDebugPrivilege	2724	wmic.exe
Token: SeSystemEnvironmentPrivilege	2724	wmic.exe
Token: SeRemoteShutdownPrivilege	2724	wmic.exe
Token: SeUndockPrivilege	2724	wmic.exe
Token: SeManageVolumePrivilege	2724	wmic.exe
Token: 33	2724	wmic.exe
Token: 34	2724	wmic.exe
Token: 35	2724	wmic.exe
Token: 36	2724	wmic.exe
Token: SeIncreaseQuotaPrivilege	1288	wmic.exe
Token: SeSecurityPrivilege	1288	wmic.exe
Token: SeTakeOwnershipPrivilege	1288	wmic.exe
Token: SeLoadDriverPrivilege	1288	wmic.exe
Token: SeSystemProfilePrivilege	1288	wmic.exe
Token: SeSystemtimePrivilege	1288	wmic.exe
Token: SeProfSingleProcessPrivilege	1288	wmic.exe
Token: SeIncBasePriorityPrivilege	1288	wmic.exe
Token: SeCreatePagefilePrivilege	1288	wmic.exe
Token: SeBackupPrivilege	1288	wmic.exe
Token: SeRestorePrivilege	1288	wmic.exe
Token: SeShutdownPrivilege	1288	wmic.exe
Token: SeDebugPrivilege	1288	wmic.exe
Token: SeSystemEnvironmentPrivilege	1288	wmic.exe
Token: SeRemoteShutdownPrivilege	1288	wmic.exe
Token: SeUndockPrivilege	1288	wmic.exe
Token: SeManageVolumePrivilege	1288	wmic.exe
Token: 33	1288	wmic.exe
Token: 34	1288	wmic.exe
Token: 35	1288	wmic.exe
Token: 36	1288	wmic.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1644 wrote to memory of 2564	1644	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe	79
PID 1644 wrote to memory of 2564	1644	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe	79
PID 1644 wrote to memory of 2564	1644	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe	79
PID 1644 wrote to memory of 2724	1644	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe	83
PID 1644 wrote to memory of 2724	1644	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe	83
PID 1644 wrote to memory of 2724	1644	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe	83
PID 1644 wrote to memory of 1288	1644	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe	85
PID 1644 wrote to memory of 1288	1644	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe	85
PID 1644 wrote to memory of 1288	1644	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe	85

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe

C:\Users\Admin\AppData\Local\Temp\8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe
"C:\Users\Admin\AppData\Local\Temp\8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe"
1⤵
- Modifies extensions of user files
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1644
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2564
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2724
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1288