Analysis
-
max time kernel
186s -
max time network
191s -
platform
windows10-2004_x64 -
resource
win10v2004-20220331-en -
submitted
08-04-2022 10:49
Static task
static1
Behavioral task
behavioral1
Sample
c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe
Resource
win7-20220331-en
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe
Resource
win10v2004-20220331-en
windows10-2004_x64
0 signatures
0 seconds
General
-
Target
c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe
-
Size
669KB
-
MD5
87142e82f1cb0ecbcee7167ce8a183af
-
SHA1
f80b1b3435a09a6b66e0bc5188892f0790ca2faa
-
SHA256
c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4
-
SHA512
ff44ab7a94ad1fbf5b773b3b8aed8fc40ad142bfe8c6b91991c0237b300ec39922f4840945e5369f70bbc673f2b0ca509d4eb0a287ef42364784e7ceec17f8fa
Malware Config
Extracted
Path
C:\HOW_TO_RECOVER_DATA.html
Ransom Note
<html>
<style type="text/css">
body {
background-color: #f5f5f5;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
display: block;
margin: auto;
}
.tabs1 .head{
text-align: center;
float: top;
padding: 0px;
text-transform: uppercase;
font-weight: normal;
display: block;
background: #81bef7;
color: #DF0101;
font-size: 30px;
}
.tabs1 .identi {
font-size: 10px;
text-align: center;
float: top;
padding: 15px;
display: block;
background: #81bef7;
color: #DFDFDF;
}
.tabs .content {
background: #f5f5f5;
/*text-align: center;*/
color: #000000;
padding: 25px 15px;
font-size: 15px;
font-weight: 400;
line-height: 20px; }
.tabs .content a {
color: #df0130;
font-size: 23px;
font-style: italic;
text-decoration: none;
line-height: 35px; }
.tabs .content .text{
padding: 25px;
line-height: 1.2;
}
</style>
<body>
<div class="tabs1">
<div class="head" ><b>Your personal ID:</b></div>
<div class="identi">
<span style="width:1000px; color: #ffffff; font-size: 10px;">04D4E6D9C8B5CA233AD6E93A74DDFBE9034837941AEEBFBA7CAD4203AA00FEAC320F556BE08CC361DC9255DDADC685316192431E58A0639EFF99FBAA677FC09D<br>0E163E94D17C3F90FACF041025974CB252EB30E738D202E733B49337DED7524E8AAB4F48789450D37EAE4657994B024B99B07D72180404775010A0B530DB<br>E83966623D61FE80259876332E01CF0C580FCC08B394D00AB28398878CBE576CF2FFE0991460407C82E9A0AE2C9AA4E8CE71F87C4A952577CA491D2167C8<br>1285E331DE3AFA5D0EA66764D7C2A2BFAF7130BA27FB4D135D3B43AD1E09EC8AC0307EFF42276EFFB47220DA21445D449781194E8474C65542CE762EE75E<br>A948762CE374133BAD8E4F421262160B70076F791D5F63D304C81162BF7D748F8161DF6724F78E0DF6C95EF0020F10A285B250C5F212C829C61D334B9605<br>192BA6EA0289526AA86A1F8B67152ED325E433A8F684A59D2776A1348F60CC9215EE5644260286FDBD1A2C88D4ABDCE028A45B7838DB44083D04D0C98246<br>613872EBCDD4BAAED9B1D5232BC81A3D09C4C358EDD60478FABE66EA345477F3BAD0DC4EA7328E4DF549440CC8DCC4328569E011471D30EE289302021DC6<br>F323393EEA10CE1CDF80C995BCB732F33771BC494F3D7FA5507BFB87307186BBC5296F3880F6E9628D0344642D53DA79400C7C8F844D50E9290DBF62BADF<br>A42558B7A6A99161A536711E2AA8</span> <br>
<!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<div id="tab-content1" class="content">
<div class="text">
<!--text data -->
<b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br>
<b>All your important files have been encrypted!</b><br><br>
<hr>
Your files are safe! Only modified. (RSA+AES)<br><br>
ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br>
WILL PERMANENTLY CORRUPT IT.<br>
DO NOT MODIFY ENCRYPTED FILES.<br>
DO NOT RENAME ENCRYPTED FILES.<br><br>
No software available on internet can help you. We are the only ones able to<br>
solve your problem.<br><br>
We gathered highly confidential/personal data. These data are currently stored on<br>
a private server. This server will be immediately destroyed after your payment.<br>
If you decide to not pay, we will release your data to public or re-seller.<br>
So you can expect your data to be publicly available in the near future..<br><br>
We only seek money and our goal is not to damage your reputation or prevent<br>
your business from running.<br><br>
You will can send us 2-3 non-important files and we will decrypt it for free<br>
to prove we are able to give your files back.<br><br>
<!--text data -->
<hr>
<b>Contact us for price and get decryption software.</b><br><br>
<a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</a><br>
* Note that this server is available via Tor browser only<br><br>
Follow the instructions to open the link:<br>
1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br>
2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br>
3. Now you have Tor browser. In the Tor Browser open <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion<br>
</a>
4. Start a chat and follow the further instructions. <br>
<hr>
<b>If you can not use the above link, use the email:</b><br>
<a href="[email protected] ">[email protected] </a> <br>
<a href="[email protected] ">[email protected] </a> <br>
<p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br>
<b>
IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br>
</div>
</div>
</div>
<!--tab-->
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>
Emails
Signatures
-
MedusaLocker
Ransomware with several variants first seen in September 2019.
-
MedusaLocker Payload 2 IoCs
resource yara_rule behavioral2/files/0x000a000000021e2c-127.dat family_medusalocker behavioral2/files/0x000a000000021e2c-128.dat family_medusalocker -
Executes dropped EXE 1 IoCs
pid Process 1508 svhost.exe -
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File renamed C:\Users\Admin\Pictures\ExportEnter.raw => C:\Users\Admin\Pictures\ExportEnter.raw.mlock4 c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe -
Drops desktop.ini file(s) 1 IoCs
description ioc Process File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-157025953-3125636059-437143553-1000\desktop.ini c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\T: c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe File opened (read-only) \??\V: c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe File opened (read-only) \??\W: c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe File opened (read-only) \??\E: c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe File opened (read-only) \??\P: c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe File opened (read-only) \??\R: c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe File opened (read-only) \??\S: c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe File opened (read-only) \??\U: c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe File opened (read-only) \??\A: c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe File opened (read-only) \??\I: c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe File opened (read-only) \??\J: c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe File opened (read-only) \??\M: c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe File opened (read-only) \??\B: c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe File opened (read-only) \??\L: c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe File opened (read-only) \??\O: c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe File opened (read-only) \??\Z: c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe File opened (read-only) \??\N: c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe File opened (read-only) \??\Q: c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe File opened (read-only) \??\X: c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe File opened (read-only) \??\Y: c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe File opened (read-only) \??\F: c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe File opened (read-only) \??\G: c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe File opened (read-only) \??\H: c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe File opened (read-only) \??\K: c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3556 c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe 3556 c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe 3556 c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe 3556 c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe 3556 c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe 3556 c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe 3556 c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe 3556 c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe 3556 c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe 3556 c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe 3556 c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe 3556 c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe 3556 c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe 3556 c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe 3556 c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe 3556 c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe 3556 c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe 3556 c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe 3556 c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe 3556 c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe 3556 c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe 3556 c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe 3556 c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe 3556 c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe 3556 c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe 3556 c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe 3556 c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe 3556 c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe 3556 c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe 3556 c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe 3556 c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe 3556 c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe 3556 c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe 3556 c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe 3556 c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe 3556 c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe 3556 c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe 3556 c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe 3556 c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe 3556 c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe 3556 c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe 3556 c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe 3556 c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe 3556 c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe 3556 c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe 3556 c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe 3556 c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe 3556 c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe 3556 c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe 3556 c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe 3556 c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe 3556 c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe 3556 c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe 3556 c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe 3556 c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe 3556 c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe 3556 c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe 3556 c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe 3556 c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe 3556 c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe 3556 c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe 3556 c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe 3556 c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe 3556 c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe -
Suspicious use of AdjustPrivilegeToken 63 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 616 wmic.exe Token: SeSecurityPrivilege 616 wmic.exe Token: SeTakeOwnershipPrivilege 616 wmic.exe Token: SeLoadDriverPrivilege 616 wmic.exe Token: SeSystemProfilePrivilege 616 wmic.exe Token: SeSystemtimePrivilege 616 wmic.exe Token: SeProfSingleProcessPrivilege 616 wmic.exe Token: SeIncBasePriorityPrivilege 616 wmic.exe Token: SeCreatePagefilePrivilege 616 wmic.exe Token: SeBackupPrivilege 616 wmic.exe Token: SeRestorePrivilege 616 wmic.exe Token: SeShutdownPrivilege 616 wmic.exe Token: SeDebugPrivilege 616 wmic.exe Token: SeSystemEnvironmentPrivilege 616 wmic.exe Token: SeRemoteShutdownPrivilege 616 wmic.exe Token: SeUndockPrivilege 616 wmic.exe Token: SeManageVolumePrivilege 616 wmic.exe Token: 33 616 wmic.exe Token: 34 616 wmic.exe Token: 35 616 wmic.exe Token: 36 616 wmic.exe Token: SeIncreaseQuotaPrivilege 4520 wmic.exe Token: SeSecurityPrivilege 4520 wmic.exe Token: SeTakeOwnershipPrivilege 4520 wmic.exe Token: SeLoadDriverPrivilege 4520 wmic.exe Token: SeSystemProfilePrivilege 4520 wmic.exe Token: SeSystemtimePrivilege 4520 wmic.exe Token: SeProfSingleProcessPrivilege 4520 wmic.exe Token: SeIncBasePriorityPrivilege 4520 wmic.exe Token: SeCreatePagefilePrivilege 4520 wmic.exe Token: SeBackupPrivilege 4520 wmic.exe Token: SeRestorePrivilege 4520 wmic.exe Token: SeShutdownPrivilege 4520 wmic.exe Token: SeDebugPrivilege 4520 wmic.exe Token: SeSystemEnvironmentPrivilege 4520 wmic.exe Token: SeRemoteShutdownPrivilege 4520 wmic.exe Token: SeUndockPrivilege 4520 wmic.exe Token: SeManageVolumePrivilege 4520 wmic.exe Token: 33 4520 wmic.exe Token: 34 4520 wmic.exe Token: 35 4520 wmic.exe Token: 36 4520 wmic.exe Token: SeIncreaseQuotaPrivilege 224 wmic.exe Token: SeSecurityPrivilege 224 wmic.exe Token: SeTakeOwnershipPrivilege 224 wmic.exe Token: SeLoadDriverPrivilege 224 wmic.exe Token: SeSystemProfilePrivilege 224 wmic.exe Token: SeSystemtimePrivilege 224 wmic.exe Token: SeProfSingleProcessPrivilege 224 wmic.exe Token: SeIncBasePriorityPrivilege 224 wmic.exe Token: SeCreatePagefilePrivilege 224 wmic.exe Token: SeBackupPrivilege 224 wmic.exe Token: SeRestorePrivilege 224 wmic.exe Token: SeShutdownPrivilege 224 wmic.exe Token: SeDebugPrivilege 224 wmic.exe Token: SeSystemEnvironmentPrivilege 224 wmic.exe Token: SeRemoteShutdownPrivilege 224 wmic.exe Token: SeUndockPrivilege 224 wmic.exe Token: SeManageVolumePrivilege 224 wmic.exe Token: 33 224 wmic.exe Token: 34 224 wmic.exe Token: 35 224 wmic.exe Token: 36 224 wmic.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 3556 wrote to memory of 616 3556 c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe 82 PID 3556 wrote to memory of 616 3556 c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe 82 PID 3556 wrote to memory of 616 3556 c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe 82 PID 3556 wrote to memory of 4520 3556 c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe 85 PID 3556 wrote to memory of 4520 3556 c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe 85 PID 3556 wrote to memory of 4520 3556 c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe 85 PID 3556 wrote to memory of 224 3556 c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe 87 PID 3556 wrote to memory of 224 3556 c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe 87 PID 3556 wrote to memory of 224 3556 c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe 87 -
System policy modification 1 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe"C:\Users\Admin\AppData\Local\Temp\c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4.exe"1⤵
- Modifies extensions of user files
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3556 -
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:616
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4520
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:224
-
-
C:\Users\Admin\AppData\Roaming\svhost.exeC:\Users\Admin\AppData\Roaming\svhost.exe1⤵
- Executes dropped EXE
PID:1508
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
669KB
MD587142e82f1cb0ecbcee7167ce8a183af
SHA1f80b1b3435a09a6b66e0bc5188892f0790ca2faa
SHA256c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4
SHA512ff44ab7a94ad1fbf5b773b3b8aed8fc40ad142bfe8c6b91991c0237b300ec39922f4840945e5369f70bbc673f2b0ca509d4eb0a287ef42364784e7ceec17f8fa
-
Filesize
669KB
MD587142e82f1cb0ecbcee7167ce8a183af
SHA1f80b1b3435a09a6b66e0bc5188892f0790ca2faa
SHA256c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4
SHA512ff44ab7a94ad1fbf5b773b3b8aed8fc40ad142bfe8c6b91991c0237b300ec39922f4840945e5369f70bbc673f2b0ca509d4eb0a287ef42364784e7ceec17f8fa