Analysis
-
max time kernel
148s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
26-12-2022 19:27
Behavioral task
behavioral1
Sample
64ME_bul5.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
64ME_bul5.exe
Resource
win10v2004-20221111-en
General
-
Target
64ME_bul5.exe
-
Size
666KB
-
MD5
6e1f9df1a8a359bc82f5288139ac8d70
-
SHA1
53fbdde8d2f45f0a09a269ba4fc1eb84c55343bf
-
SHA256
e5d819fd969d6bc913698c44beb5c8f763a6d6f07b7cdb3514c4b61a68a1d747
-
SHA512
72df4fce5b78409ec2762a3ee0002721693026f3285ab804b2dbc58d55c3cce40efbdff34c7cfe415e3715b12b8e9418d78d3af19f23381aa4d7a0e2480a9ab2
-
SSDEEP
12288:ZYW1LNT35lDbK/LIVaN8+T7vwqyqhYMhWt918vulASC9+m:dd35lDbKDIwWUDyqS5omHC9+
Malware Config
Extracted
C:\!-Recovery_Instructions-!.html
Signatures
-
MedusaLocker
Ransomware with several variants first seen in September 2019.
-
MedusaLocker payload 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Roaming\svhost.exe family_medusalocker C:\Users\Admin\AppData\Roaming\svhost.exe family_medusalocker -
Processes:
64ME_bul5.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 64ME_bul5.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 64ME_bul5.exe -
Executes dropped EXE 1 IoCs
Processes:
svhost.exepid process 4676 svhost.exe -
Modifies extensions of user files 11 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
64ME_bul5.exedescription ioc process File renamed C:\Users\Admin\Pictures\CompressFormat.raw => C:\Users\Admin\Pictures\CompressFormat.raw.bulwark5 64ME_bul5.exe File renamed C:\Users\Admin\Pictures\CopyPop.crw => C:\Users\Admin\Pictures\CopyPop.crw.bulwark5 64ME_bul5.exe File renamed C:\Users\Admin\Pictures\DisconnectClear.tiff => C:\Users\Admin\Pictures\DisconnectClear.tiff.bulwark5 64ME_bul5.exe File renamed C:\Users\Admin\Pictures\PingMount.raw => C:\Users\Admin\Pictures\PingMount.raw.bulwark5 64ME_bul5.exe File renamed C:\Users\Admin\Pictures\RequestRepair.png => C:\Users\Admin\Pictures\RequestRepair.png.bulwark5 64ME_bul5.exe File renamed C:\Users\Admin\Pictures\CheckpointDismount.crw => C:\Users\Admin\Pictures\CheckpointDismount.crw.bulwark5 64ME_bul5.exe File renamed C:\Users\Admin\Pictures\RevokeSplit.raw => C:\Users\Admin\Pictures\RevokeSplit.raw.bulwark5 64ME_bul5.exe File renamed C:\Users\Admin\Pictures\SyncFind.tif => C:\Users\Admin\Pictures\SyncFind.tif.bulwark5 64ME_bul5.exe File renamed C:\Users\Admin\Pictures\UndoConvert.tif => C:\Users\Admin\Pictures\UndoConvert.tif.bulwark5 64ME_bul5.exe File renamed C:\Users\Admin\Pictures\WaitResume.png => C:\Users\Admin\Pictures\WaitResume.png.bulwark5 64ME_bul5.exe File opened for modification C:\Users\Admin\Pictures\DisconnectClear.tiff 64ME_bul5.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
64ME_bul5.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 64ME_bul5.exe -
Drops desktop.ini file(s) 1 IoCs
Processes:
64ME_bul5.exedescription ioc process File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-2386679933-1492765628-3466841596-1000\desktop.ini 64ME_bul5.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
64ME_bul5.exedescription ioc process File opened (read-only) \??\N: 64ME_bul5.exe File opened (read-only) \??\O: 64ME_bul5.exe File opened (read-only) \??\P: 64ME_bul5.exe File opened (read-only) \??\H: 64ME_bul5.exe File opened (read-only) \??\L: 64ME_bul5.exe File opened (read-only) \??\Q: 64ME_bul5.exe File opened (read-only) \??\S: 64ME_bul5.exe File opened (read-only) \??\W: 64ME_bul5.exe File opened (read-only) \??\Y: 64ME_bul5.exe File opened (read-only) \??\J: 64ME_bul5.exe File opened (read-only) \??\K: 64ME_bul5.exe File opened (read-only) \??\E: 64ME_bul5.exe File opened (read-only) \??\I: 64ME_bul5.exe File opened (read-only) \??\V: 64ME_bul5.exe File opened (read-only) \??\X: 64ME_bul5.exe File opened (read-only) \??\Z: 64ME_bul5.exe File opened (read-only) \??\A: 64ME_bul5.exe File opened (read-only) \??\B: 64ME_bul5.exe File opened (read-only) \??\M: 64ME_bul5.exe File opened (read-only) \??\R: 64ME_bul5.exe File opened (read-only) \??\T: 64ME_bul5.exe File opened (read-only) \??\U: 64ME_bul5.exe File opened (read-only) \??\F: 64ME_bul5.exe File opened (read-only) \??\G: 64ME_bul5.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
64ME_bul5.exepid process 4816 64ME_bul5.exe 4816 64ME_bul5.exe 4816 64ME_bul5.exe 4816 64ME_bul5.exe 4816 64ME_bul5.exe 4816 64ME_bul5.exe 4816 64ME_bul5.exe 4816 64ME_bul5.exe 4816 64ME_bul5.exe 4816 64ME_bul5.exe 4816 64ME_bul5.exe 4816 64ME_bul5.exe 4816 64ME_bul5.exe 4816 64ME_bul5.exe 4816 64ME_bul5.exe 4816 64ME_bul5.exe 4816 64ME_bul5.exe 4816 64ME_bul5.exe 4816 64ME_bul5.exe 4816 64ME_bul5.exe 4816 64ME_bul5.exe 4816 64ME_bul5.exe 4816 64ME_bul5.exe 4816 64ME_bul5.exe 4816 64ME_bul5.exe 4816 64ME_bul5.exe 4816 64ME_bul5.exe 4816 64ME_bul5.exe 4816 64ME_bul5.exe 4816 64ME_bul5.exe 4816 64ME_bul5.exe 4816 64ME_bul5.exe 4816 64ME_bul5.exe 4816 64ME_bul5.exe 4816 64ME_bul5.exe 4816 64ME_bul5.exe 4816 64ME_bul5.exe 4816 64ME_bul5.exe 4816 64ME_bul5.exe 4816 64ME_bul5.exe 4816 64ME_bul5.exe 4816 64ME_bul5.exe 4816 64ME_bul5.exe 4816 64ME_bul5.exe 4816 64ME_bul5.exe 4816 64ME_bul5.exe 4816 64ME_bul5.exe 4816 64ME_bul5.exe 4816 64ME_bul5.exe 4816 64ME_bul5.exe 4816 64ME_bul5.exe 4816 64ME_bul5.exe 4816 64ME_bul5.exe 4816 64ME_bul5.exe 4816 64ME_bul5.exe 4816 64ME_bul5.exe 4816 64ME_bul5.exe 4816 64ME_bul5.exe 4816 64ME_bul5.exe 4816 64ME_bul5.exe 4816 64ME_bul5.exe 4816 64ME_bul5.exe 4816 64ME_bul5.exe 4816 64ME_bul5.exe -
Suspicious use of AdjustPrivilegeToken 63 IoCs
Processes:
wmic.exewmic.exewmic.exedescription pid process Token: SeIncreaseQuotaPrivilege 3348 wmic.exe Token: SeSecurityPrivilege 3348 wmic.exe Token: SeTakeOwnershipPrivilege 3348 wmic.exe Token: SeLoadDriverPrivilege 3348 wmic.exe Token: SeSystemProfilePrivilege 3348 wmic.exe Token: SeSystemtimePrivilege 3348 wmic.exe Token: SeProfSingleProcessPrivilege 3348 wmic.exe Token: SeIncBasePriorityPrivilege 3348 wmic.exe Token: SeCreatePagefilePrivilege 3348 wmic.exe Token: SeBackupPrivilege 3348 wmic.exe Token: SeRestorePrivilege 3348 wmic.exe Token: SeShutdownPrivilege 3348 wmic.exe Token: SeDebugPrivilege 3348 wmic.exe Token: SeSystemEnvironmentPrivilege 3348 wmic.exe Token: SeRemoteShutdownPrivilege 3348 wmic.exe Token: SeUndockPrivilege 3348 wmic.exe Token: SeManageVolumePrivilege 3348 wmic.exe Token: 33 3348 wmic.exe Token: 34 3348 wmic.exe Token: 35 3348 wmic.exe Token: 36 3348 wmic.exe Token: SeIncreaseQuotaPrivilege 4412 wmic.exe Token: SeSecurityPrivilege 4412 wmic.exe Token: SeTakeOwnershipPrivilege 4412 wmic.exe Token: SeLoadDriverPrivilege 4412 wmic.exe Token: SeSystemProfilePrivilege 4412 wmic.exe Token: SeSystemtimePrivilege 4412 wmic.exe Token: SeProfSingleProcessPrivilege 4412 wmic.exe Token: SeIncBasePriorityPrivilege 4412 wmic.exe Token: SeCreatePagefilePrivilege 4412 wmic.exe Token: SeBackupPrivilege 4412 wmic.exe Token: SeRestorePrivilege 4412 wmic.exe Token: SeShutdownPrivilege 4412 wmic.exe Token: SeDebugPrivilege 4412 wmic.exe Token: SeSystemEnvironmentPrivilege 4412 wmic.exe Token: SeRemoteShutdownPrivilege 4412 wmic.exe Token: SeUndockPrivilege 4412 wmic.exe Token: SeManageVolumePrivilege 4412 wmic.exe Token: 33 4412 wmic.exe Token: 34 4412 wmic.exe Token: 35 4412 wmic.exe Token: 36 4412 wmic.exe Token: SeIncreaseQuotaPrivilege 1272 wmic.exe Token: SeSecurityPrivilege 1272 wmic.exe Token: SeTakeOwnershipPrivilege 1272 wmic.exe Token: SeLoadDriverPrivilege 1272 wmic.exe Token: SeSystemProfilePrivilege 1272 wmic.exe Token: SeSystemtimePrivilege 1272 wmic.exe Token: SeProfSingleProcessPrivilege 1272 wmic.exe Token: SeIncBasePriorityPrivilege 1272 wmic.exe Token: SeCreatePagefilePrivilege 1272 wmic.exe Token: SeBackupPrivilege 1272 wmic.exe Token: SeRestorePrivilege 1272 wmic.exe Token: SeShutdownPrivilege 1272 wmic.exe Token: SeDebugPrivilege 1272 wmic.exe Token: SeSystemEnvironmentPrivilege 1272 wmic.exe Token: SeRemoteShutdownPrivilege 1272 wmic.exe Token: SeUndockPrivilege 1272 wmic.exe Token: SeManageVolumePrivilege 1272 wmic.exe Token: 33 1272 wmic.exe Token: 34 1272 wmic.exe Token: 35 1272 wmic.exe Token: 36 1272 wmic.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
64ME_bul5.exedescription pid process target process PID 4816 wrote to memory of 3348 4816 64ME_bul5.exe wmic.exe PID 4816 wrote to memory of 3348 4816 64ME_bul5.exe wmic.exe PID 4816 wrote to memory of 3348 4816 64ME_bul5.exe wmic.exe PID 4816 wrote to memory of 4412 4816 64ME_bul5.exe wmic.exe PID 4816 wrote to memory of 4412 4816 64ME_bul5.exe wmic.exe PID 4816 wrote to memory of 4412 4816 64ME_bul5.exe wmic.exe PID 4816 wrote to memory of 1272 4816 64ME_bul5.exe wmic.exe PID 4816 wrote to memory of 1272 4816 64ME_bul5.exe wmic.exe PID 4816 wrote to memory of 1272 4816 64ME_bul5.exe wmic.exe -
System policy modification 1 TTPs 3 IoCs
Processes:
64ME_bul5.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 64ME_bul5.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 64ME_bul5.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" 64ME_bul5.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\64ME_bul5.exe"C:\Users\Admin\AppData\Local\Temp\64ME_bul5.exe"1⤵
- UAC bypass
- Modifies extensions of user files
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4816 -
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3348
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4412
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1272
-
-
C:\Users\Admin\AppData\Roaming\svhost.exeC:\Users\Admin\AppData\Roaming\svhost.exe1⤵
- Executes dropped EXE
PID:4676
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
666KB
MD56e1f9df1a8a359bc82f5288139ac8d70
SHA153fbdde8d2f45f0a09a269ba4fc1eb84c55343bf
SHA256e5d819fd969d6bc913698c44beb5c8f763a6d6f07b7cdb3514c4b61a68a1d747
SHA51272df4fce5b78409ec2762a3ee0002721693026f3285ab804b2dbc58d55c3cce40efbdff34c7cfe415e3715b12b8e9418d78d3af19f23381aa4d7a0e2480a9ab2
-
Filesize
666KB
MD56e1f9df1a8a359bc82f5288139ac8d70
SHA153fbdde8d2f45f0a09a269ba4fc1eb84c55343bf
SHA256e5d819fd969d6bc913698c44beb5c8f763a6d6f07b7cdb3514c4b61a68a1d747
SHA51272df4fce5b78409ec2762a3ee0002721693026f3285ab804b2dbc58d55c3cce40efbdff34c7cfe415e3715b12b8e9418d78d3af19f23381aa4d7a0e2480a9ab2