Analysis
-
max time kernel
150s -
max time network
30s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system -
submitted
20-12-2022 07:14
Behavioral task
behavioral1
Sample
860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
Resource
win7-20221111-en
windows7-x64
16 signatures
150 seconds
Behavioral task
behavioral2
Sample
860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
Resource
win10v2004-20220901-en
windows10-2004-x64
14 signatures
150 seconds
General
-
Target
860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
-
Size
666KB
-
MD5
1a018c68582e13d7f51aa58f87e2ed50
-
SHA1
9568f4a2959eda46af35c5d18c190f0d85047ac3
-
SHA256
860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7
-
SHA512
a6775058f5ee5adc24b1f3fb6dbd29d9b0315e17a7061679bcda146a377912cf46292456435af27fd7790b6a8cc83025c4964c6526cdf1528cd55e8d68c1b7c9
-
SSDEEP
12288:ZYW1LNT35lDbK/LIVaN8+T7vwqyqhYMhWt918vulAZC9+m:dd35lDbKDIwWUDyqS5omIC9+
Malware Config
Extracted
Path
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\!-Recovery_Instructions-!.html
Ransom Note
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset='utf-8'>
<meta name='viewport' content='width=device-width,initial-scale=1'>
<title></title>
<style>
html, body {
background-color: #1a1a1a;
}
body {
padding-top: 1rem !important;
font-size: 1.3rem;
color: white;
}
#text h2 {
font-size: 2rem;
font-weight: 600;
line-height: 1.125;
}
.container {
max-width: 1152px;
flex-grow: 1;
margin: 0 auto;
position: relative;
width: auto;
}
.box {
background-color: #242424;
display: block;
padding: 1.25rem;
border: 1px solid #303030;
}
a {
color: #00b4d8;
text-decoration: none;
}
a:hover {
text-decoration: underline;
}
li {
margin-bottom: 10px;
}
</style>
</head>
<body>
<div class='container'>
<div class='box'>
<div id='text'>
<h2>If you get this message, your network was hacked!</h2>
<p>After we gained full access to your servers, we first downloaded a large amount of sensitive data and then encrypted all the data stored on them.</p>
<p>That includes personal information on your clients, partners, your personnel, accounting documents, and other crucial files that are necessary for your company to work normally.</p>
<p>We used modern complicated algorithms, so you or any recovery service will not be able to decrypt files without our help, wasting time on these attempts instead of negotiations can be fatal for your company.</p>
<p>Make sure to act within <span style='color:#f4a261;'>72</span> hours or the negotiations will be considered failed!</p>
<p>Inform your superior management about what's going on.</p>
<p> Contact us for pricing and decryption software.</p>
<p> Contact us by email:<p>
<h2>[email protected]</h2>
</p>If you do not receive a response within 24 hours, please contact us at our additional contacts:</p>
<p> 1) Download for TOX CHAT https://tox.chat/download.html</p>
<p> 2) Open chat<p>
<p>Add ID Chat: </p><h2>3C9D49B928FDC3C15F0314217623A71B865909B308576B4B0D10AEA62C98677B4A3F160D5C93</h2>
<p>If we did not answer you, leave the chat enabled, the operator will contact you!<p>
</p>To verify the possibility of the recovery of your files we can decrypted 1-3 file for free.</p>
</p>Attach file to the letter (no more than 5Mb).</p>
<h2>If you and us succeed the negotiations we will grant you:</h2>
<ul>
<li>complete confidentiality, we will keep in secret any information regarding to attack, your company will act as if nothing had happened.</li>
<li>comprehensive information about vulnerabilities of your network and security report.</li>
<li>software and instructions to decrypt all the data that was encrypted.</li>
<li>all sensitive downloaded data will be permanently deleted from our cloud storage and we will provide an erasure log.</li>
</ul>
<h2>Our options if you act like nothing's happening, refuse to make a deal or fail the negotiations:</h2>
<ul>
<li>inform the media and independent journalists about what happened to your servers. To prove it we'll publish a chunk of private data that you should have ciphered if you care about potential breaches.
Moreover, your company will inevitably take decent reputational loss which is hard to assess precisely.</li>
<li>inform your clients, employees, partners by phone, e-mail, sms and social networks that you haven't prevent their data leakage.
You will violate laws about private data protection.</li>
<li>start DDOS attack on you website and infrastructures.</li>
<li>personal data stored will be put on sale on the Darknet to find anyone interested to buy useful information regarding your company. It could be data mining agencies or your market competitors.</li>
<li>publish all the discovered vulnerabilities found in your network, so anyone will do anything with it.</li>
</ul>
<h2>Why pay us?</h2>
<p>We care about our reputation. You are welcome to google our cases up and be sure that we don't have a single case of failure to provide what we promissed.</p>
<p>Turning this issue to a bug bounty will save your private information, reputation and will allow you to use the security report and
avoid this kind of situations in future.</p>
<h2>Your personal ID</p>
Your ID:
9D13C0687466C5A48DAF65FF5430D49A5E09A6BDA47B8FF13A718235EC49DFFD36E5181087DA4A9C87BA4ACE7BA42E803DD0A92BC9B94BD83F2AFF64A736CBFC<br>ECCCA62E461659C3F37C275B230EAB6C77270EEECDBEB54D0B92A5BD0BCA0F36B06346FF1312EBA8632AFCF3B94A1A9A761D0577BB091B7AB1DA044757E5<br>0137776E421B812DEFD58D22007C0E00FB34AAA6DE16135D0D7026BA594C7A0EA6DF627ECFE123CF76D5D8DD22424759C67B1CA2F2118CB65B528DD8885C<br>6BA20E9BC40F98A2E28B873A3E12F111ABBBE6FA286F8950738AFEE78C710F9F163D12BD7F8F03948FD39EDE2FB1AEBDD341041C89238DD358F14975EF50<br>72FFCC774535519A18FBAE795BF7B6F721AE113A256165CB48A03BA32F437C1AC164E2E20E08C3A1559384C365D76A7EE2D5834421DB1353E7C65069A6D9<br>A88240A3F35BA04E74075C3C9B6C3BBC8FEA4B58D14B1C7F7F3DC2EC586064F7441EFA7DBFE9D605633849C299A1C22D06BE9E307F0F306CBBDDBC200C70<br>3DCFECDF8E3BBE236C1721CCFE145C8857480CF788277109FBA8834E0B507954EA8D353227B77DAFF2DB5088698BD057E6B23292C9ACAA6FC3013F810707<br>3D043AA92DCA97CE5022C90DCF3B575B3D493E5614302F4A7A24CCC494395F819998629A2B3C3B1BBA1BFE8E8977FEC2B7106A5A721EA2FA15EA8698E9CB<br>2E4A6A03A853661901248F80DE7A
Emails
<h2>[email protected]</h2>
URLs
https://tox.chat/download.html</p>
Signatures
-
MedusaLocker
Ransomware with several variants first seen in September 2019.
-
MedusaLocker payload 2 IoCs
resource yara_rule behavioral1/files/0x000b000000012311-61.dat family_medusalocker behavioral1/files/0x000b000000012311-63.dat family_medusalocker -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 1 IoCs
pid Process 960 svhost.exe -
Modifies extensions of user files 6 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File renamed C:\Users\Admin\Pictures\StartProtect.crw => C:\Users\Admin\Pictures\StartProtect.crw.cipher5 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe File renamed C:\Users\Admin\Pictures\UninstallPing.tif => C:\Users\Admin\Pictures\UninstallPing.tif.cipher5 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe File opened for modification C:\Users\Admin\Pictures\CopyWrite.tiff 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe File renamed C:\Users\Admin\Pictures\CopyWrite.tiff => C:\Users\Admin\Pictures\CopyWrite.tiff.cipher5 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe File renamed C:\Users\Admin\Pictures\NewInitialize.crw => C:\Users\Admin\Pictures\NewInitialize.crw.cipher5 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe File renamed C:\Users\Admin\Pictures\SplitTest.png => C:\Users\Admin\Pictures\SplitTest.png.cipher5 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe -
Drops desktop.ini file(s) 1 IoCs
description ioc Process File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-3406023954-474543476-3319432036-1000\desktop.ini 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\H: 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe File opened (read-only) \??\L: 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe File opened (read-only) \??\O: 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe File opened (read-only) \??\T: 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe File opened (read-only) \??\W: 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe File opened (read-only) \??\B: 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe File opened (read-only) \??\G: 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe File opened (read-only) \??\S: 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe File opened (read-only) \??\V: 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe File opened (read-only) \??\E: 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe File opened (read-only) \??\Q: 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe File opened (read-only) \??\N: 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe File opened (read-only) \??\R: 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe File opened (read-only) \??\U: 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe File opened (read-only) \??\Z: 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe File opened (read-only) \??\F: 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe File opened (read-only) \??\K: 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe File opened (read-only) \??\J: 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe File opened (read-only) \??\M: 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe File opened (read-only) \??\P: 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe File opened (read-only) \??\X: 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe File opened (read-only) \??\Y: 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe File opened (read-only) \??\A: 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe File opened (read-only) \??\I: 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 828 vssadmin.exe 1272 vssadmin.exe 1032 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1404 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe 1404 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe 1404 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe 1404 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe 1404 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe 1404 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe 1404 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe 1404 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe 1404 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe 1404 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe 1404 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe 1404 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe 1404 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe 1404 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe 1404 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe 1404 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe 1404 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe 1404 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe 1404 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe 1404 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe 1404 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe 1404 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe 1404 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe 1404 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe 1404 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe 1404 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe 1404 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe 1404 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe 1404 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe 1404 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe 1404 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe 1404 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe 1404 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe 1404 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe 1404 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe 1404 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe 1404 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe 1404 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe 1404 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe 1404 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe 1404 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe 1404 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe 1404 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe 1404 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe 1404 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe 1404 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe 1404 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe 1404 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe 1404 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe 1404 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe 1404 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe 1404 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe 1404 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe 1404 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe 1404 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe 1404 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe 1404 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe 1404 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe 1404 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe 1404 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe 1404 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe 1404 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe 1404 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe 1404 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe -
Suspicious use of AdjustPrivilegeToken 63 IoCs
description pid Process Token: SeBackupPrivilege 692 vssvc.exe Token: SeRestorePrivilege 692 vssvc.exe Token: SeAuditPrivilege 692 vssvc.exe Token: SeIncreaseQuotaPrivilege 1884 wmic.exe Token: SeSecurityPrivilege 1884 wmic.exe Token: SeTakeOwnershipPrivilege 1884 wmic.exe Token: SeLoadDriverPrivilege 1884 wmic.exe Token: SeSystemProfilePrivilege 1884 wmic.exe Token: SeSystemtimePrivilege 1884 wmic.exe Token: SeProfSingleProcessPrivilege 1884 wmic.exe Token: SeIncBasePriorityPrivilege 1884 wmic.exe Token: SeCreatePagefilePrivilege 1884 wmic.exe Token: SeBackupPrivilege 1884 wmic.exe Token: SeRestorePrivilege 1884 wmic.exe Token: SeShutdownPrivilege 1884 wmic.exe Token: SeDebugPrivilege 1884 wmic.exe Token: SeSystemEnvironmentPrivilege 1884 wmic.exe Token: SeRemoteShutdownPrivilege 1884 wmic.exe Token: SeUndockPrivilege 1884 wmic.exe Token: SeManageVolumePrivilege 1884 wmic.exe Token: 33 1884 wmic.exe Token: 34 1884 wmic.exe Token: 35 1884 wmic.exe Token: SeIncreaseQuotaPrivilege 844 wmic.exe Token: SeSecurityPrivilege 844 wmic.exe Token: SeTakeOwnershipPrivilege 844 wmic.exe Token: SeLoadDriverPrivilege 844 wmic.exe Token: SeSystemProfilePrivilege 844 wmic.exe Token: SeSystemtimePrivilege 844 wmic.exe Token: SeProfSingleProcessPrivilege 844 wmic.exe Token: SeIncBasePriorityPrivilege 844 wmic.exe Token: SeCreatePagefilePrivilege 844 wmic.exe Token: SeBackupPrivilege 844 wmic.exe Token: SeRestorePrivilege 844 wmic.exe Token: SeShutdownPrivilege 844 wmic.exe Token: SeDebugPrivilege 844 wmic.exe Token: SeSystemEnvironmentPrivilege 844 wmic.exe Token: SeRemoteShutdownPrivilege 844 wmic.exe Token: SeUndockPrivilege 844 wmic.exe Token: SeManageVolumePrivilege 844 wmic.exe Token: 33 844 wmic.exe Token: 34 844 wmic.exe Token: 35 844 wmic.exe Token: SeIncreaseQuotaPrivilege 1236 wmic.exe Token: SeSecurityPrivilege 1236 wmic.exe Token: SeTakeOwnershipPrivilege 1236 wmic.exe Token: SeLoadDriverPrivilege 1236 wmic.exe Token: SeSystemProfilePrivilege 1236 wmic.exe Token: SeSystemtimePrivilege 1236 wmic.exe Token: SeProfSingleProcessPrivilege 1236 wmic.exe Token: SeIncBasePriorityPrivilege 1236 wmic.exe Token: SeCreatePagefilePrivilege 1236 wmic.exe Token: SeBackupPrivilege 1236 wmic.exe Token: SeRestorePrivilege 1236 wmic.exe Token: SeShutdownPrivilege 1236 wmic.exe Token: SeDebugPrivilege 1236 wmic.exe Token: SeSystemEnvironmentPrivilege 1236 wmic.exe Token: SeRemoteShutdownPrivilege 1236 wmic.exe Token: SeUndockPrivilege 1236 wmic.exe Token: SeManageVolumePrivilege 1236 wmic.exe Token: 33 1236 wmic.exe Token: 34 1236 wmic.exe Token: 35 1236 wmic.exe -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 1404 wrote to memory of 1032 1404 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe 28 PID 1404 wrote to memory of 1032 1404 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe 28 PID 1404 wrote to memory of 1032 1404 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe 28 PID 1404 wrote to memory of 1032 1404 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe 28 PID 1404 wrote to memory of 1884 1404 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe 31 PID 1404 wrote to memory of 1884 1404 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe 31 PID 1404 wrote to memory of 1884 1404 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe 31 PID 1404 wrote to memory of 1884 1404 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe 31 PID 1404 wrote to memory of 828 1404 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe 33 PID 1404 wrote to memory of 828 1404 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe 33 PID 1404 wrote to memory of 828 1404 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe 33 PID 1404 wrote to memory of 828 1404 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe 33 PID 1404 wrote to memory of 844 1404 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe 35 PID 1404 wrote to memory of 844 1404 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe 35 PID 1404 wrote to memory of 844 1404 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe 35 PID 1404 wrote to memory of 844 1404 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe 35 PID 1404 wrote to memory of 1272 1404 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe 37 PID 1404 wrote to memory of 1272 1404 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe 37 PID 1404 wrote to memory of 1272 1404 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe 37 PID 1404 wrote to memory of 1272 1404 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe 37 PID 1404 wrote to memory of 1236 1404 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe 39 PID 1404 wrote to memory of 1236 1404 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe 39 PID 1404 wrote to memory of 1236 1404 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe 39 PID 1404 wrote to memory of 1236 1404 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe 39 PID 668 wrote to memory of 960 668 taskeng.exe 43 PID 668 wrote to memory of 960 668 taskeng.exe 43 PID 668 wrote to memory of 960 668 taskeng.exe 43 PID 668 wrote to memory of 960 668 taskeng.exe 43 -
System policy modification 1 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe"C:\Users\Admin\AppData\Local\Temp\860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe"1⤵
- UAC bypass
- Modifies extensions of user files
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1404 -
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
PID:1032
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1884
-
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
PID:828
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:844
-
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
PID:1272
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1236
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:692
-
C:\Windows\system32\taskeng.exetaskeng.exe {D3A54380-3F5E-467D-B8A3-8ECE1587EF31} S-1-5-21-3406023954-474543476-3319432036-1000:VUIIVLGQ\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
PID:668 -
C:\Users\Admin\AppData\Roaming\svhost.exeC:\Users\Admin\AppData\Roaming\svhost.exe2⤵
- Executes dropped EXE
PID:960
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
666KB
MD51a018c68582e13d7f51aa58f87e2ed50
SHA19568f4a2959eda46af35c5d18c190f0d85047ac3
SHA256860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7
SHA512a6775058f5ee5adc24b1f3fb6dbd29d9b0315e17a7061679bcda146a377912cf46292456435af27fd7790b6a8cc83025c4964c6526cdf1528cd55e8d68c1b7c9
-
Filesize
666KB
MD51a018c68582e13d7f51aa58f87e2ed50
SHA19568f4a2959eda46af35c5d18c190f0d85047ac3
SHA256860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7
SHA512a6775058f5ee5adc24b1f3fb6dbd29d9b0315e17a7061679bcda146a377912cf46292456435af27fd7790b6a8cc83025c4964c6526cdf1528cd55e8d68c1b7c9