Analysis
-
max time kernel
150s -
max time network
33s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system -
submitted
20-12-2022 05:57
Behavioral task
behavioral1
Sample
tmp.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
tmp.exe
Resource
win10v2004-20221111-en
General
-
Target
tmp.exe
-
Size
666KB
-
MD5
5b780f32105ff92593db7b30ea2ac9ed
-
SHA1
6054922a051ce8d25d5d39565a9ad23575b7fe7f
-
SHA256
aa4cd5e9ff8ef8e4a72601c03154231631a5179167400a5478ca4282188b1163
-
SHA512
c93d9eee0cd547d513d3920f6fa5d3e22adaf6e4e7285f196ba4001d512f9ac05452e0243c526c713a880981249dbbad31947b08edf22f5eb53c6c77fb69d13d
-
SSDEEP
12288:ZYW1LNT35lDbK/LIVaN8+T7vwqyqhYMhWt918vulAWC9+m:dd35lDbKDIwWUDyqS5omDC9+
Malware Config
Extracted
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\!-Recovery_Instructions-!.html
Signatures
-
MedusaLocker
Ransomware with several variants first seen in September 2019.
-
MedusaLocker payload 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Roaming\svhost.exe family_medusalocker C:\Users\Admin\AppData\Roaming\svhost.exe family_medusalocker -
Processes:
tmp.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" tmp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" tmp.exe -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 1 IoCs
Processes:
svhost.exepid process 1980 svhost.exe -
Modifies extensions of user files 8 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
tmp.exedescription ioc process File renamed C:\Users\Admin\Pictures\PingImport.raw => C:\Users\Admin\Pictures\PingImport.raw.bulwark9 tmp.exe File opened for modification C:\Users\Admin\Pictures\SaveOut.tiff tmp.exe File renamed C:\Users\Admin\Pictures\SaveOut.tiff => C:\Users\Admin\Pictures\SaveOut.tiff.bulwark9 tmp.exe File renamed C:\Users\Admin\Pictures\TraceProtect.png => C:\Users\Admin\Pictures\TraceProtect.png.bulwark9 tmp.exe File renamed C:\Users\Admin\Pictures\WaitLock.crw => C:\Users\Admin\Pictures\WaitLock.crw.bulwark9 tmp.exe File renamed C:\Users\Admin\Pictures\ApproveGroup.crw => C:\Users\Admin\Pictures\ApproveGroup.crw.bulwark9 tmp.exe File renamed C:\Users\Admin\Pictures\BlockSubmit.png => C:\Users\Admin\Pictures\BlockSubmit.png.bulwark9 tmp.exe File renamed C:\Users\Admin\Pictures\DenyDisable.png => C:\Users\Admin\Pictures\DenyDisable.png.bulwark9 tmp.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
tmp.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" tmp.exe -
Drops desktop.ini file(s) 1 IoCs
Processes:
tmp.exedescription ioc process File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-1214520366-621468234-4062160515-1000\desktop.ini tmp.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
tmp.exedescription ioc process File opened (read-only) \??\Y: tmp.exe File opened (read-only) \??\Z: tmp.exe File opened (read-only) \??\F: tmp.exe File opened (read-only) \??\L: tmp.exe File opened (read-only) \??\N: tmp.exe File opened (read-only) \??\P: tmp.exe File opened (read-only) \??\R: tmp.exe File opened (read-only) \??\W: tmp.exe File opened (read-only) \??\X: tmp.exe File opened (read-only) \??\A: tmp.exe File opened (read-only) \??\J: tmp.exe File opened (read-only) \??\K: tmp.exe File opened (read-only) \??\Q: tmp.exe File opened (read-only) \??\S: tmp.exe File opened (read-only) \??\V: tmp.exe File opened (read-only) \??\B: tmp.exe File opened (read-only) \??\H: tmp.exe File opened (read-only) \??\I: tmp.exe File opened (read-only) \??\M: tmp.exe File opened (read-only) \??\O: tmp.exe File opened (read-only) \??\T: tmp.exe File opened (read-only) \??\E: tmp.exe File opened (read-only) \??\G: tmp.exe File opened (read-only) \??\U: tmp.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exevssadmin.exevssadmin.exepid process 1556 vssadmin.exe 1704 vssadmin.exe 1996 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
tmp.exepid process 1232 tmp.exe 1232 tmp.exe 1232 tmp.exe 1232 tmp.exe 1232 tmp.exe 1232 tmp.exe 1232 tmp.exe 1232 tmp.exe 1232 tmp.exe 1232 tmp.exe 1232 tmp.exe 1232 tmp.exe 1232 tmp.exe 1232 tmp.exe 1232 tmp.exe 1232 tmp.exe 1232 tmp.exe 1232 tmp.exe 1232 tmp.exe 1232 tmp.exe 1232 tmp.exe 1232 tmp.exe 1232 tmp.exe 1232 tmp.exe 1232 tmp.exe 1232 tmp.exe 1232 tmp.exe 1232 tmp.exe 1232 tmp.exe 1232 tmp.exe 1232 tmp.exe 1232 tmp.exe 1232 tmp.exe 1232 tmp.exe 1232 tmp.exe 1232 tmp.exe 1232 tmp.exe 1232 tmp.exe 1232 tmp.exe 1232 tmp.exe 1232 tmp.exe 1232 tmp.exe 1232 tmp.exe 1232 tmp.exe 1232 tmp.exe 1232 tmp.exe 1232 tmp.exe 1232 tmp.exe 1232 tmp.exe 1232 tmp.exe 1232 tmp.exe 1232 tmp.exe 1232 tmp.exe 1232 tmp.exe 1232 tmp.exe 1232 tmp.exe 1232 tmp.exe 1232 tmp.exe 1232 tmp.exe 1232 tmp.exe 1232 tmp.exe 1232 tmp.exe 1232 tmp.exe 1232 tmp.exe -
Suspicious use of AdjustPrivilegeToken 63 IoCs
Processes:
vssvc.exewmic.exewmic.exewmic.exedescription pid process Token: SeBackupPrivilege 1500 vssvc.exe Token: SeRestorePrivilege 1500 vssvc.exe Token: SeAuditPrivilege 1500 vssvc.exe Token: SeIncreaseQuotaPrivilege 1308 wmic.exe Token: SeSecurityPrivilege 1308 wmic.exe Token: SeTakeOwnershipPrivilege 1308 wmic.exe Token: SeLoadDriverPrivilege 1308 wmic.exe Token: SeSystemProfilePrivilege 1308 wmic.exe Token: SeSystemtimePrivilege 1308 wmic.exe Token: SeProfSingleProcessPrivilege 1308 wmic.exe Token: SeIncBasePriorityPrivilege 1308 wmic.exe Token: SeCreatePagefilePrivilege 1308 wmic.exe Token: SeBackupPrivilege 1308 wmic.exe Token: SeRestorePrivilege 1308 wmic.exe Token: SeShutdownPrivilege 1308 wmic.exe Token: SeDebugPrivilege 1308 wmic.exe Token: SeSystemEnvironmentPrivilege 1308 wmic.exe Token: SeRemoteShutdownPrivilege 1308 wmic.exe Token: SeUndockPrivilege 1308 wmic.exe Token: SeManageVolumePrivilege 1308 wmic.exe Token: 33 1308 wmic.exe Token: 34 1308 wmic.exe Token: 35 1308 wmic.exe Token: SeIncreaseQuotaPrivilege 1968 wmic.exe Token: SeSecurityPrivilege 1968 wmic.exe Token: SeTakeOwnershipPrivilege 1968 wmic.exe Token: SeLoadDriverPrivilege 1968 wmic.exe Token: SeSystemProfilePrivilege 1968 wmic.exe Token: SeSystemtimePrivilege 1968 wmic.exe Token: SeProfSingleProcessPrivilege 1968 wmic.exe Token: SeIncBasePriorityPrivilege 1968 wmic.exe Token: SeCreatePagefilePrivilege 1968 wmic.exe Token: SeBackupPrivilege 1968 wmic.exe Token: SeRestorePrivilege 1968 wmic.exe Token: SeShutdownPrivilege 1968 wmic.exe Token: SeDebugPrivilege 1968 wmic.exe Token: SeSystemEnvironmentPrivilege 1968 wmic.exe Token: SeRemoteShutdownPrivilege 1968 wmic.exe Token: SeUndockPrivilege 1968 wmic.exe Token: SeManageVolumePrivilege 1968 wmic.exe Token: 33 1968 wmic.exe Token: 34 1968 wmic.exe Token: 35 1968 wmic.exe Token: SeIncreaseQuotaPrivilege 1604 wmic.exe Token: SeSecurityPrivilege 1604 wmic.exe Token: SeTakeOwnershipPrivilege 1604 wmic.exe Token: SeLoadDriverPrivilege 1604 wmic.exe Token: SeSystemProfilePrivilege 1604 wmic.exe Token: SeSystemtimePrivilege 1604 wmic.exe Token: SeProfSingleProcessPrivilege 1604 wmic.exe Token: SeIncBasePriorityPrivilege 1604 wmic.exe Token: SeCreatePagefilePrivilege 1604 wmic.exe Token: SeBackupPrivilege 1604 wmic.exe Token: SeRestorePrivilege 1604 wmic.exe Token: SeShutdownPrivilege 1604 wmic.exe Token: SeDebugPrivilege 1604 wmic.exe Token: SeSystemEnvironmentPrivilege 1604 wmic.exe Token: SeRemoteShutdownPrivilege 1604 wmic.exe Token: SeUndockPrivilege 1604 wmic.exe Token: SeManageVolumePrivilege 1604 wmic.exe Token: 33 1604 wmic.exe Token: 34 1604 wmic.exe Token: 35 1604 wmic.exe -
Suspicious use of WriteProcessMemory 28 IoCs
Processes:
tmp.exetaskeng.exedescription pid process target process PID 1232 wrote to memory of 1996 1232 tmp.exe vssadmin.exe PID 1232 wrote to memory of 1996 1232 tmp.exe vssadmin.exe PID 1232 wrote to memory of 1996 1232 tmp.exe vssadmin.exe PID 1232 wrote to memory of 1996 1232 tmp.exe vssadmin.exe PID 1232 wrote to memory of 1308 1232 tmp.exe wmic.exe PID 1232 wrote to memory of 1308 1232 tmp.exe wmic.exe PID 1232 wrote to memory of 1308 1232 tmp.exe wmic.exe PID 1232 wrote to memory of 1308 1232 tmp.exe wmic.exe PID 1232 wrote to memory of 1556 1232 tmp.exe vssadmin.exe PID 1232 wrote to memory of 1556 1232 tmp.exe vssadmin.exe PID 1232 wrote to memory of 1556 1232 tmp.exe vssadmin.exe PID 1232 wrote to memory of 1556 1232 tmp.exe vssadmin.exe PID 1232 wrote to memory of 1968 1232 tmp.exe wmic.exe PID 1232 wrote to memory of 1968 1232 tmp.exe wmic.exe PID 1232 wrote to memory of 1968 1232 tmp.exe wmic.exe PID 1232 wrote to memory of 1968 1232 tmp.exe wmic.exe PID 1232 wrote to memory of 1704 1232 tmp.exe vssadmin.exe PID 1232 wrote to memory of 1704 1232 tmp.exe vssadmin.exe PID 1232 wrote to memory of 1704 1232 tmp.exe vssadmin.exe PID 1232 wrote to memory of 1704 1232 tmp.exe vssadmin.exe PID 1232 wrote to memory of 1604 1232 tmp.exe wmic.exe PID 1232 wrote to memory of 1604 1232 tmp.exe wmic.exe PID 1232 wrote to memory of 1604 1232 tmp.exe wmic.exe PID 1232 wrote to memory of 1604 1232 tmp.exe wmic.exe PID 1300 wrote to memory of 1980 1300 taskeng.exe svhost.exe PID 1300 wrote to memory of 1980 1300 taskeng.exe svhost.exe PID 1300 wrote to memory of 1980 1300 taskeng.exe svhost.exe PID 1300 wrote to memory of 1980 1300 taskeng.exe svhost.exe -
System policy modification 1 TTPs 3 IoCs
Processes:
tmp.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" tmp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" tmp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" tmp.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp.exe"1⤵
- UAC bypass
- Modifies extensions of user files
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1232 -
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
PID:1996
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1308
-
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
PID:1556
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1968
-
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
PID:1704
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1604
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1500
-
C:\Windows\system32\taskeng.exetaskeng.exe {26E7C68C-AAC0-4149-8FDE-AE0516698151} S-1-5-21-1214520366-621468234-4062160515-1000:VDWSWJJD\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
PID:1300 -
C:\Users\Admin\AppData\Roaming\svhost.exeC:\Users\Admin\AppData\Roaming\svhost.exe2⤵
- Executes dropped EXE
PID:1980
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
666KB
MD55b780f32105ff92593db7b30ea2ac9ed
SHA16054922a051ce8d25d5d39565a9ad23575b7fe7f
SHA256aa4cd5e9ff8ef8e4a72601c03154231631a5179167400a5478ca4282188b1163
SHA512c93d9eee0cd547d513d3920f6fa5d3e22adaf6e4e7285f196ba4001d512f9ac05452e0243c526c713a880981249dbbad31947b08edf22f5eb53c6c77fb69d13d
-
Filesize
666KB
MD55b780f32105ff92593db7b30ea2ac9ed
SHA16054922a051ce8d25d5d39565a9ad23575b7fe7f
SHA256aa4cd5e9ff8ef8e4a72601c03154231631a5179167400a5478ca4282188b1163
SHA512c93d9eee0cd547d513d3920f6fa5d3e22adaf6e4e7285f196ba4001d512f9ac05452e0243c526c713a880981249dbbad31947b08edf22f5eb53c6c77fb69d13d