Analysis
- max time kernel: 151s
- max time network: 44s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 13-10-2022 18:28
Behavioral tasks
- behavioral1: sample 64ME_bul8.exe, resource win7-20220812-en
- behavioral2: sample 64ME_bul8.exe, resource win10v2004-20220901-en
General
- Target: 64ME_bul8.exe
- Size: 666KB
- MD5: ac8d418b660f7c9585ac97fe524abe8f
- SHA1: 653ecc2e07739e59bd5500f535c3f5c6e3d27060
- SHA256: 61c26b20a2b291252ccf1b2ae4319542df526e820f96ad4667478ab101b6ee1f
- SHA512: edf33e15bb1d8f97799d25281429451ece9df0ae8c9ead93c301beeac851d802d501d7362c86cee6afb0a2772d58dbef1b17afe9ba84b83324f3959cf2fa7b1c
- SSDEEP: 12288:ZYW1LNT35lDbK/LIVaN8+T7vwqyqhYMhWt918vulA/C9+m:dd35lDbKDIwWUDyqS5omqC9+
Malware Config
- Extracted: C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\!-Recovery_Instructions-!.html
Signatures
MedusaLocker
Ransomware with several variants first seen in September 2019.

MedusaLocker payload 2 IoCs
Processes:
resource | yara_rule
behavioral1/files/0x0007000000005c50-61.dat | family_medusalocker
behavioral1/files/0x0007000000005c50-63.dat | family_medusalocker
UAC bypass 2 IoCs
Processes:
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 64ME_bul8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 64ME_bul8.exe
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.

Detects MedusaLocker ransomware 2 IoCs
Processes:
resource | yara_rule
behavioral1/files/0x0007000000005c50-61.dat | MALWARE_Win_MedusaLocker
behavioral1/files/0x0007000000005c50-63.dat | MALWARE_Win_MedusaLocker
Executes dropped EXE 1 IoCs
Processes:
pid | Process
1972 | svhost.exe
Modifies extensions of user files 8 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
description | ioc | Process
File renamed | C:\Users\Admin\Pictures\SplitEnable.tiff => C:\Users\Admin\Pictures\SplitEnable.tiff.bulwark8 | 64ME_bul8.exe
File renamed | C:\Users\Admin\Pictures\SuspendConnect.tif => C:\Users\Admin\Pictures\SuspendConnect.tif.bulwark8 | 64ME_bul8.exe
File renamed | C:\Users\Admin\Pictures\DenyInstall.tif => C:\Users\Admin\Pictures\DenyInstall.tif.bulwark8 | 64ME_bul8.exe
File renamed | C:\Users\Admin\Pictures\EditConfirm.crw => C:\Users\Admin\Pictures\EditConfirm.crw.bulwark8 | 64ME_bul8.exe
File renamed | C:\Users\Admin\Pictures\FindRename.png => C:\Users\Admin\Pictures\FindRename.png.bulwark8 | 64ME_bul8.exe
File opened for modification | C:\Users\Admin\Pictures\SelectNew.tiff | 64ME_bul8.exe
File renamed | C:\Users\Admin\Pictures\SelectNew.tiff => C:\Users\Admin\Pictures\SelectNew.tiff.bulwark8 | 64ME_bul8.exe
File opened for modification | C:\Users\Admin\Pictures\SplitEnable.tiff | 64ME_bul8.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Checks whether UAC is enabled 1 IoCs
Processes:
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 64ME_bul8.exe
Drops desktop.ini file(s) 1 IoCs
Processes:
description | ioc | Process
File opened for modification | \??\Z:\$RECYCLE.BIN\S-1-5-21-999675638-2867687379-27515722-1000\desktop.ini | 64ME_bul8.exe
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description | ioc | Process
File opened (read-only) | \??\I:, \??\N:, \??\O:, \??\P:, \??\S:, \??\V:, \??\E:, \??\F:, \??\H:, \??\R:, \??\T:, \??\Y:, \??\Z:, \??\B:, \??\G:, \??\J:, \??\L:, \??\M:, \??\Q:, \??\A:, \??\U:, \??\W:, \??\X:, \??\K: (one entry per drive letter, 24 in total) | 64ME_bul8.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
pid | Process
984 | vssadmin.exe
1320 | vssadmin.exe
660 | vssadmin.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | Process
1672 | 64ME_bul8.exe (64 identical entries)
Suspicious use of AdjustPrivilegeToken 63 IoCs
Processes:
description | pid | Process
Token: SeBackupPrivilege | 1108 | vssvc.exe
Token: SeRestorePrivilege | 1108 | vssvc.exe
Token: SeAuditPrivilege | 1108 | vssvc.exe
The following 20 tokens are each recorded once for wmic.exe PID 1908, once for wmic.exe PID 1072 and once for wmic.exe PID 1676 (60 entries):
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
Suspicious use of WriteProcessMemory 28 IoCs
Processes:
description | pid | Process | procid_target
PID 1672 wrote to memory of 984 | 1672 | 64ME_bul8.exe | 27 (4 entries)
PID 1672 wrote to memory of 1908 | 1672 | 64ME_bul8.exe | 31 (4 entries)
PID 1672 wrote to memory of 1320 | 1672 | 64ME_bul8.exe | 33 (4 entries)
PID 1672 wrote to memory of 1072 | 1672 | 64ME_bul8.exe | 35 (4 entries)
PID 1672 wrote to memory of 660 | 1672 | 64ME_bul8.exe | 37 (4 entries)
PID 1672 wrote to memory of 1676 | 1672 | 64ME_bul8.exe | 39 (4 entries)
PID 584 wrote to memory of 1972 | 584 | taskeng.exe | 43 (4 entries)
System policy modification 1 TTPs 3 IoCs
Processes:
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 64ME_bul8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | 64ME_bul8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 64ME_bul8.exe
Processes
depth 1: C:\Users\Admin\AppData\Local\Temp\64ME_bul8.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\64ME_bul8.exe"
  PID: 1672
  - UAC bypass
  - Modifies extensions of user files
  - Checks whether UAC is enabled
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  depth 2: C:\Windows\SysWOW64\vssadmin.exe
    command line: vssadmin.exe Delete Shadows /All /Quiet
    PID: 984
    - Interacts with shadow copies
  depth 2: C:\Windows\SysWOW64\Wbem\wmic.exe
    command line: wmic.exe SHADOWCOPY /nointeractive
    PID: 1908
    - Suspicious use of AdjustPrivilegeToken
  depth 2: C:\Windows\SysWOW64\vssadmin.exe
    command line: vssadmin.exe Delete Shadows /All /Quiet
    PID: 1320
    - Interacts with shadow copies
  depth 2: C:\Windows\SysWOW64\Wbem\wmic.exe
    command line: wmic.exe SHADOWCOPY /nointeractive
    PID: 1072
    - Suspicious use of AdjustPrivilegeToken
  depth 2: C:\Windows\SysWOW64\vssadmin.exe
    command line: vssadmin.exe Delete Shadows /All /Quiet
    PID: 660
    - Interacts with shadow copies
  depth 2: C:\Windows\SysWOW64\Wbem\wmic.exe
    command line: wmic.exe SHADOWCOPY /nointeractive
    PID: 1676
    - Suspicious use of AdjustPrivilegeToken
depth 1: C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  PID: 1108
  - Suspicious use of AdjustPrivilegeToken
depth 1: C:\Windows\system32\taskeng.exe
  command line: taskeng.exe {4BAADC82-3C6A-4879-9852-E3CD35AECEC8} S-1-5-21-999675638-2867687379-27515722-1000:ORXGKKZC\Admin:Interactive:[1]
  PID: 584
  - Suspicious use of WriteProcessMemory
  depth 2: C:\Users\Admin\AppData\Roaming\svhost.exe
    command line: C:\Users\Admin\AppData\Roaming\svhost.exe
    PID: 1972
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 666KB
  MD5: ac8d418b660f7c9585ac97fe524abe8f
  SHA1: 653ecc2e07739e59bd5500f535c3f5c6e3d27060
  SHA256: 61c26b20a2b291252ccf1b2ae4319542df526e820f96ad4667478ab101b6ee1f
  SHA512: edf33e15bb1d8f97799d25281429451ece9df0ae8c9ead93c301beeac851d802d501d7362c86cee6afb0a2772d58dbef1b17afe9ba84b83324f3959cf2fa7b1c
- Filesize: 666KB
  MD5: ac8d418b660f7c9585ac97fe524abe8f
  SHA1: 653ecc2e07739e59bd5500f535c3f5c6e3d27060
  SHA256: 61c26b20a2b291252ccf1b2ae4319542df526e820f96ad4667478ab101b6ee1f
  SHA512: edf33e15bb1d8f97799d25281429451ece9df0ae8c9ead93c301beeac851d802d501d7362c86cee6afb0a2772d58dbef1b17afe9ba84b83324f3959cf2fa7b1c