Analysis
-
max time kernel
150s -
max time network
51s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system -
submitted
20-12-2022 05:47
Behavioral task
behavioral1
Sample
tmp.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
tmp.exe
Resource
win10v2004-20220812-en
General
-
Target
tmp.exe
-
Size
666KB
-
MD5
c4154e2c1eb85e12e4c3795dcd3cb63f
-
SHA1
ae90c9193f6059f87a8cba89675922789797aa46
-
SHA256
abbaff145b18d26db84d52669d1279e928d51f1f571f686cb100d7893cb69295
-
SHA512
8bf3892ff9d5adfd43a52b9d4a0999cf74c07e6e5d0f1457120eb009e47f198d3a271540f045c818751e27aa63998824bc1245a40f6f585059dc2b50254d17d3
-
SSDEEP
12288:ZYW1LNT35lDbK/LIVaN8+T7vwqyqhYMhWt918vulAZC9+m:dd35lDbKDIwWUDyqS5omkC9+
Malware Config
Extracted
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\!-Recovery_Instructions-!.html
Signatures
-
MedusaLocker
Ransomware with several variants first seen in September 2019.
-
MedusaLocker payload 2 IoCs
resource yara_rule behavioral1/files/0x0008000000005c51-61.dat family_medusalocker behavioral1/files/0x0008000000005c51-63.dat family_medusalocker -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" tmp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" tmp.exe -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 1 IoCs
pid Process 436 svhost.exe -
Modifies extensions of user files 7 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File opened for modification C:\Users\Admin\Pictures\ExpandExport.tiff tmp.exe File renamed C:\Users\Admin\Pictures\ExpandExport.tiff => C:\Users\Admin\Pictures\ExpandExport.tiff.bulwark6 tmp.exe File renamed C:\Users\Admin\Pictures\SendUndo.raw => C:\Users\Admin\Pictures\SendUndo.raw.bulwark6 tmp.exe File renamed C:\Users\Admin\Pictures\ShowConvertFrom.crw => C:\Users\Admin\Pictures\ShowConvertFrom.crw.bulwark6 tmp.exe File renamed C:\Users\Admin\Pictures\TestConfirm.raw => C:\Users\Admin\Pictures\TestConfirm.raw.bulwark6 tmp.exe File opened for modification C:\Users\Admin\Pictures\UninstallExit.tiff tmp.exe File renamed C:\Users\Admin\Pictures\UninstallExit.tiff => C:\Users\Admin\Pictures\UninstallExit.tiff.bulwark6 tmp.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" tmp.exe -
Drops desktop.ini file(s) 1 IoCs
description ioc Process File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-4063495947-34355257-727531523-1000\desktop.ini tmp.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\J: tmp.exe File opened (read-only) \??\T: tmp.exe File opened (read-only) \??\X: tmp.exe File opened (read-only) \??\A: tmp.exe File opened (read-only) \??\E: tmp.exe File opened (read-only) \??\F: tmp.exe File opened (read-only) \??\M: tmp.exe File opened (read-only) \??\N: tmp.exe File opened (read-only) \??\P: tmp.exe File opened (read-only) \??\R: tmp.exe File opened (read-only) \??\V: tmp.exe File opened (read-only) \??\G: tmp.exe File opened (read-only) \??\H: tmp.exe File opened (read-only) \??\L: tmp.exe File opened (read-only) \??\W: tmp.exe File opened (read-only) \??\Z: tmp.exe File opened (read-only) \??\S: tmp.exe File opened (read-only) \??\U: tmp.exe File opened (read-only) \??\Y: tmp.exe File opened (read-only) \??\O: tmp.exe File opened (read-only) \??\Q: tmp.exe File opened (read-only) \??\B: tmp.exe File opened (read-only) \??\I: tmp.exe File opened (read-only) \??\K: tmp.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 1204 vssadmin.exe 2032 vssadmin.exe 1732 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1380 tmp.exe 1380 tmp.exe 1380 tmp.exe 1380 tmp.exe 1380 tmp.exe 1380 tmp.exe 1380 tmp.exe 1380 tmp.exe 1380 tmp.exe 1380 tmp.exe 1380 tmp.exe 1380 tmp.exe 1380 tmp.exe 1380 tmp.exe 1380 tmp.exe 1380 tmp.exe 1380 tmp.exe 1380 tmp.exe 1380 tmp.exe 1380 tmp.exe 1380 tmp.exe 1380 tmp.exe 1380 tmp.exe 1380 tmp.exe 1380 tmp.exe 1380 tmp.exe 1380 tmp.exe 1380 tmp.exe 1380 tmp.exe 1380 tmp.exe 1380 tmp.exe 1380 tmp.exe 1380 tmp.exe 1380 tmp.exe 1380 tmp.exe 1380 tmp.exe 1380 tmp.exe 1380 tmp.exe 1380 tmp.exe 1380 tmp.exe 1380 tmp.exe 1380 tmp.exe 1380 tmp.exe 1380 tmp.exe 1380 tmp.exe 1380 tmp.exe 1380 tmp.exe 1380 tmp.exe 1380 tmp.exe 1380 tmp.exe 1380 tmp.exe 1380 tmp.exe 1380 tmp.exe 1380 tmp.exe 1380 tmp.exe 1380 tmp.exe 1380 tmp.exe 1380 tmp.exe 1380 tmp.exe 1380 tmp.exe 1380 tmp.exe 1380 tmp.exe 1380 tmp.exe 1380 tmp.exe -
Suspicious use of AdjustPrivilegeToken 63 IoCs
description pid Process Token: SeBackupPrivilege 1116 vssvc.exe Token: SeRestorePrivilege 1116 vssvc.exe Token: SeAuditPrivilege 1116 vssvc.exe Token: SeIncreaseQuotaPrivilege 2000 wmic.exe Token: SeSecurityPrivilege 2000 wmic.exe Token: SeTakeOwnershipPrivilege 2000 wmic.exe Token: SeLoadDriverPrivilege 2000 wmic.exe Token: SeSystemProfilePrivilege 2000 wmic.exe Token: SeSystemtimePrivilege 2000 wmic.exe Token: SeProfSingleProcessPrivilege 2000 wmic.exe Token: SeIncBasePriorityPrivilege 2000 wmic.exe Token: SeCreatePagefilePrivilege 2000 wmic.exe Token: SeBackupPrivilege 2000 wmic.exe Token: SeRestorePrivilege 2000 wmic.exe Token: SeShutdownPrivilege 2000 wmic.exe Token: SeDebugPrivilege 2000 wmic.exe Token: SeSystemEnvironmentPrivilege 2000 wmic.exe Token: SeRemoteShutdownPrivilege 2000 wmic.exe Token: SeUndockPrivilege 2000 wmic.exe Token: SeManageVolumePrivilege 2000 wmic.exe Token: 33 2000 wmic.exe Token: 34 2000 wmic.exe Token: 35 2000 wmic.exe Token: SeIncreaseQuotaPrivilege 1376 wmic.exe Token: SeSecurityPrivilege 1376 wmic.exe Token: SeTakeOwnershipPrivilege 1376 wmic.exe Token: SeLoadDriverPrivilege 1376 wmic.exe Token: SeSystemProfilePrivilege 1376 wmic.exe Token: SeSystemtimePrivilege 1376 wmic.exe Token: SeProfSingleProcessPrivilege 1376 wmic.exe Token: SeIncBasePriorityPrivilege 1376 wmic.exe Token: SeCreatePagefilePrivilege 1376 wmic.exe Token: SeBackupPrivilege 1376 wmic.exe Token: SeRestorePrivilege 1376 wmic.exe Token: SeShutdownPrivilege 1376 wmic.exe Token: SeDebugPrivilege 1376 wmic.exe Token: SeSystemEnvironmentPrivilege 1376 wmic.exe Token: SeRemoteShutdownPrivilege 1376 wmic.exe Token: SeUndockPrivilege 1376 wmic.exe Token: SeManageVolumePrivilege 1376 wmic.exe Token: 33 1376 wmic.exe Token: 34 1376 wmic.exe Token: 35 1376 wmic.exe Token: SeIncreaseQuotaPrivilege 1240 wmic.exe Token: SeSecurityPrivilege 1240 wmic.exe Token: SeTakeOwnershipPrivilege 1240 wmic.exe Token: SeLoadDriverPrivilege 1240 wmic.exe Token: SeSystemProfilePrivilege 1240 wmic.exe Token: SeSystemtimePrivilege 1240 wmic.exe Token: SeProfSingleProcessPrivilege 1240 wmic.exe Token: SeIncBasePriorityPrivilege 1240 wmic.exe Token: SeCreatePagefilePrivilege 1240 wmic.exe Token: SeBackupPrivilege 1240 wmic.exe Token: SeRestorePrivilege 1240 wmic.exe Token: SeShutdownPrivilege 1240 wmic.exe Token: SeDebugPrivilege 1240 wmic.exe Token: SeSystemEnvironmentPrivilege 1240 wmic.exe Token: SeRemoteShutdownPrivilege 1240 wmic.exe Token: SeUndockPrivilege 1240 wmic.exe Token: SeManageVolumePrivilege 1240 wmic.exe Token: 33 1240 wmic.exe Token: 34 1240 wmic.exe Token: 35 1240 wmic.exe -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 1380 wrote to memory of 1204 1380 tmp.exe 27 PID 1380 wrote to memory of 1204 1380 tmp.exe 27 PID 1380 wrote to memory of 1204 1380 tmp.exe 27 PID 1380 wrote to memory of 1204 1380 tmp.exe 27 PID 1380 wrote to memory of 2000 1380 tmp.exe 30 PID 1380 wrote to memory of 2000 1380 tmp.exe 30 PID 1380 wrote to memory of 2000 1380 tmp.exe 30 PID 1380 wrote to memory of 2000 1380 tmp.exe 30 PID 1380 wrote to memory of 2032 1380 tmp.exe 32 PID 1380 wrote to memory of 2032 1380 tmp.exe 32 PID 1380 wrote to memory of 2032 1380 tmp.exe 32 PID 1380 wrote to memory of 2032 1380 tmp.exe 32 PID 1380 wrote to memory of 1376 1380 tmp.exe 34 PID 1380 wrote to memory of 1376 1380 tmp.exe 34 PID 1380 wrote to memory of 1376 1380 tmp.exe 34 PID 1380 wrote to memory of 1376 1380 tmp.exe 34 PID 1380 wrote to memory of 1732 1380 tmp.exe 36 PID 1380 wrote to memory of 1732 1380 tmp.exe 36 PID 1380 wrote to memory of 1732 1380 tmp.exe 36 PID 1380 wrote to memory of 1732 1380 tmp.exe 36 PID 1380 wrote to memory of 1240 1380 tmp.exe 38 PID 1380 wrote to memory of 1240 1380 tmp.exe 38 PID 1380 wrote to memory of 1240 1380 tmp.exe 38 PID 1380 wrote to memory of 1240 1380 tmp.exe 38 PID 992 wrote to memory of 436 992 taskeng.exe 42 PID 992 wrote to memory of 436 992 taskeng.exe 42 PID 992 wrote to memory of 436 992 taskeng.exe 42 PID 992 wrote to memory of 436 992 taskeng.exe 42 -
System policy modification 1 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" tmp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" tmp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" tmp.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp.exe"1⤵
- UAC bypass
- Modifies extensions of user files
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1380 -
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
PID:1204
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2000
-
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
PID:2032
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1376
-
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
PID:1732
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1240
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1116
-
C:\Windows\system32\taskeng.exetaskeng.exe {F1107FC5-BCFA-42F9-A4CC-C1E0D9C8DB6F} S-1-5-21-4063495947-34355257-727531523-1000:RYNKSFQE\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
PID:992 -
C:\Users\Admin\AppData\Roaming\svhost.exeC:\Users\Admin\AppData\Roaming\svhost.exe2⤵
- Executes dropped EXE
PID:436
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
666KB
MD5c4154e2c1eb85e12e4c3795dcd3cb63f
SHA1ae90c9193f6059f87a8cba89675922789797aa46
SHA256abbaff145b18d26db84d52669d1279e928d51f1f571f686cb100d7893cb69295
SHA5128bf3892ff9d5adfd43a52b9d4a0999cf74c07e6e5d0f1457120eb009e47f198d3a271540f045c818751e27aa63998824bc1245a40f6f585059dc2b50254d17d3
-
Filesize
666KB
MD5c4154e2c1eb85e12e4c3795dcd3cb63f
SHA1ae90c9193f6059f87a8cba89675922789797aa46
SHA256abbaff145b18d26db84d52669d1279e928d51f1f571f686cb100d7893cb69295
SHA5128bf3892ff9d5adfd43a52b9d4a0999cf74c07e6e5d0f1457120eb009e47f198d3a271540f045c818751e27aa63998824bc1245a40f6f585059dc2b50254d17d3