Analysis
-
max time kernel
156s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
06-01-2023 19:39
Behavioral task
behavioral1
Sample
64_MEcip2.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
64_MEcip2.exe
Resource
win10v2004-20220812-en
General
-
Target
64_MEcip2.exe
-
Size
666KB
-
MD5
55c4883494e8846ca0f66f20973aee0e
-
SHA1
0ac359313afbce0bd5a02a02e55a0c7f1004ee82
-
SHA256
8e797fff8fae9afb216b81ae341aac9f05f419061075b0f6ce4c0c7a67f458a4
-
SHA512
523dfd6ac0435f229cb5202f29ab45ea547d7666380301471c10274fc8892dfdeeb5f05283ae1b1176f40ef3fa4917db36495e7e3d9d89ba41944c8379f3edd8
-
SSDEEP
12288:ZYW1LNT35lDbK/LIVaN8+T7vwqyqhYMhWt918vulA4C9+m:dd35lDbKDIwWUDyqS5ompC9+
Malware Config
Extracted
C:\!-Recovery_Instructions-!.html
<h2>[email protected]</h2>
https://tox.chat/download.html</p>
Signatures
-
MedusaLocker
Ransomware with several variants first seen in September 2019.
-
MedusaLocker payload 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Roaming\svhost.exe family_medusalocker C:\Users\Admin\AppData\Roaming\svhost.exe family_medusalocker -
Processes:
64_MEcip2.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 64_MEcip2.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 64_MEcip2.exe -
Executes dropped EXE 1 IoCs
Processes:
svhost.exepid process 1028 svhost.exe -
Modifies extensions of user files 3 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
64_MEcip2.exedescription ioc process File renamed C:\Users\Admin\Pictures\ImportOut.tiff => C:\Users\Admin\Pictures\ImportOut.tiff.cipher2 64_MEcip2.exe File renamed C:\Users\Admin\Pictures\MoveSelect.raw => C:\Users\Admin\Pictures\MoveSelect.raw.cipher2 64_MEcip2.exe File opened for modification C:\Users\Admin\Pictures\ImportOut.tiff 64_MEcip2.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
64_MEcip2.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 64_MEcip2.exe -
Drops desktop.ini file(s) 1 IoCs
Processes:
64_MEcip2.exedescription ioc process File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-2891029575-1462575-1165213807-1000\desktop.ini 64_MEcip2.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
64_MEcip2.exedescription ioc process File opened (read-only) \??\Y: 64_MEcip2.exe File opened (read-only) \??\O: 64_MEcip2.exe File opened (read-only) \??\Q: 64_MEcip2.exe File opened (read-only) \??\R: 64_MEcip2.exe File opened (read-only) \??\T: 64_MEcip2.exe File opened (read-only) \??\W: 64_MEcip2.exe File opened (read-only) \??\N: 64_MEcip2.exe File opened (read-only) \??\P: 64_MEcip2.exe File opened (read-only) \??\A: 64_MEcip2.exe File opened (read-only) \??\E: 64_MEcip2.exe File opened (read-only) \??\F: 64_MEcip2.exe File opened (read-only) \??\H: 64_MEcip2.exe File opened (read-only) \??\M: 64_MEcip2.exe File opened (read-only) \??\Z: 64_MEcip2.exe File opened (read-only) \??\B: 64_MEcip2.exe File opened (read-only) \??\G: 64_MEcip2.exe File opened (read-only) \??\S: 64_MEcip2.exe File opened (read-only) \??\U: 64_MEcip2.exe File opened (read-only) \??\V: 64_MEcip2.exe File opened (read-only) \??\I: 64_MEcip2.exe File opened (read-only) \??\J: 64_MEcip2.exe File opened (read-only) \??\K: 64_MEcip2.exe File opened (read-only) \??\L: 64_MEcip2.exe File opened (read-only) \??\X: 64_MEcip2.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
64_MEcip2.exepid process 1428 64_MEcip2.exe 1428 64_MEcip2.exe 1428 64_MEcip2.exe 1428 64_MEcip2.exe 1428 64_MEcip2.exe 1428 64_MEcip2.exe 1428 64_MEcip2.exe 1428 64_MEcip2.exe 1428 64_MEcip2.exe 1428 64_MEcip2.exe 1428 64_MEcip2.exe 1428 64_MEcip2.exe 1428 64_MEcip2.exe 1428 64_MEcip2.exe 1428 64_MEcip2.exe 1428 64_MEcip2.exe 1428 64_MEcip2.exe 1428 64_MEcip2.exe 1428 64_MEcip2.exe 1428 64_MEcip2.exe 1428 64_MEcip2.exe 1428 64_MEcip2.exe 1428 64_MEcip2.exe 1428 64_MEcip2.exe 1428 64_MEcip2.exe 1428 64_MEcip2.exe 1428 64_MEcip2.exe 1428 64_MEcip2.exe 1428 64_MEcip2.exe 1428 64_MEcip2.exe 1428 64_MEcip2.exe 1428 64_MEcip2.exe 1428 64_MEcip2.exe 1428 64_MEcip2.exe 1428 64_MEcip2.exe 1428 64_MEcip2.exe 1428 64_MEcip2.exe 1428 64_MEcip2.exe 1428 64_MEcip2.exe 1428 64_MEcip2.exe 1428 64_MEcip2.exe 1428 64_MEcip2.exe 1428 64_MEcip2.exe 1428 64_MEcip2.exe 1428 64_MEcip2.exe 1428 64_MEcip2.exe 1428 64_MEcip2.exe 1428 64_MEcip2.exe 1428 64_MEcip2.exe 1428 64_MEcip2.exe 1428 64_MEcip2.exe 1428 64_MEcip2.exe 1428 64_MEcip2.exe 1428 64_MEcip2.exe 1428 64_MEcip2.exe 1428 64_MEcip2.exe 1428 64_MEcip2.exe 1428 64_MEcip2.exe 1428 64_MEcip2.exe 1428 64_MEcip2.exe 1428 64_MEcip2.exe 1428 64_MEcip2.exe 1428 64_MEcip2.exe 1428 64_MEcip2.exe -
Suspicious use of AdjustPrivilegeToken 63 IoCs
Processes:
wmic.exewmic.exewmic.exedescription pid process Token: SeIncreaseQuotaPrivilege 5032 wmic.exe Token: SeSecurityPrivilege 5032 wmic.exe Token: SeTakeOwnershipPrivilege 5032 wmic.exe Token: SeLoadDriverPrivilege 5032 wmic.exe Token: SeSystemProfilePrivilege 5032 wmic.exe Token: SeSystemtimePrivilege 5032 wmic.exe Token: SeProfSingleProcessPrivilege 5032 wmic.exe Token: SeIncBasePriorityPrivilege 5032 wmic.exe Token: SeCreatePagefilePrivilege 5032 wmic.exe Token: SeBackupPrivilege 5032 wmic.exe Token: SeRestorePrivilege 5032 wmic.exe Token: SeShutdownPrivilege 5032 wmic.exe Token: SeDebugPrivilege 5032 wmic.exe Token: SeSystemEnvironmentPrivilege 5032 wmic.exe Token: SeRemoteShutdownPrivilege 5032 wmic.exe Token: SeUndockPrivilege 5032 wmic.exe Token: SeManageVolumePrivilege 5032 wmic.exe Token: 33 5032 wmic.exe Token: 34 5032 wmic.exe Token: 35 5032 wmic.exe Token: 36 5032 wmic.exe Token: SeIncreaseQuotaPrivilege 2388 wmic.exe Token: SeSecurityPrivilege 2388 wmic.exe Token: SeTakeOwnershipPrivilege 2388 wmic.exe Token: SeLoadDriverPrivilege 2388 wmic.exe Token: SeSystemProfilePrivilege 2388 wmic.exe Token: SeSystemtimePrivilege 2388 wmic.exe Token: SeProfSingleProcessPrivilege 2388 wmic.exe Token: SeIncBasePriorityPrivilege 2388 wmic.exe Token: SeCreatePagefilePrivilege 2388 wmic.exe Token: SeBackupPrivilege 2388 wmic.exe Token: SeRestorePrivilege 2388 wmic.exe Token: SeShutdownPrivilege 2388 wmic.exe Token: SeDebugPrivilege 2388 wmic.exe Token: SeSystemEnvironmentPrivilege 2388 wmic.exe Token: SeRemoteShutdownPrivilege 2388 wmic.exe Token: SeUndockPrivilege 2388 wmic.exe Token: SeManageVolumePrivilege 2388 wmic.exe Token: 33 2388 wmic.exe Token: 34 2388 wmic.exe Token: 35 2388 wmic.exe Token: 36 2388 wmic.exe Token: SeIncreaseQuotaPrivilege 208 wmic.exe Token: SeSecurityPrivilege 208 wmic.exe Token: SeTakeOwnershipPrivilege 208 wmic.exe Token: SeLoadDriverPrivilege 208 wmic.exe Token: SeSystemProfilePrivilege 208 wmic.exe Token: SeSystemtimePrivilege 208 wmic.exe Token: SeProfSingleProcessPrivilege 208 wmic.exe Token: SeIncBasePriorityPrivilege 208 wmic.exe Token: SeCreatePagefilePrivilege 208 wmic.exe Token: SeBackupPrivilege 208 wmic.exe Token: SeRestorePrivilege 208 wmic.exe Token: SeShutdownPrivilege 208 wmic.exe Token: SeDebugPrivilege 208 wmic.exe Token: SeSystemEnvironmentPrivilege 208 wmic.exe Token: SeRemoteShutdownPrivilege 208 wmic.exe Token: SeUndockPrivilege 208 wmic.exe Token: SeManageVolumePrivilege 208 wmic.exe Token: 33 208 wmic.exe Token: 34 208 wmic.exe Token: 35 208 wmic.exe Token: 36 208 wmic.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
64_MEcip2.exedescription pid process target process PID 1428 wrote to memory of 5032 1428 64_MEcip2.exe wmic.exe PID 1428 wrote to memory of 5032 1428 64_MEcip2.exe wmic.exe PID 1428 wrote to memory of 5032 1428 64_MEcip2.exe wmic.exe PID 1428 wrote to memory of 2388 1428 64_MEcip2.exe wmic.exe PID 1428 wrote to memory of 2388 1428 64_MEcip2.exe wmic.exe PID 1428 wrote to memory of 2388 1428 64_MEcip2.exe wmic.exe PID 1428 wrote to memory of 208 1428 64_MEcip2.exe wmic.exe PID 1428 wrote to memory of 208 1428 64_MEcip2.exe wmic.exe PID 1428 wrote to memory of 208 1428 64_MEcip2.exe wmic.exe -
System policy modification 1 TTPs 3 IoCs
Processes:
64_MEcip2.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 64_MEcip2.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 64_MEcip2.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" 64_MEcip2.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\64_MEcip2.exe"C:\Users\Admin\AppData\Local\Temp\64_MEcip2.exe"1⤵
- UAC bypass
- Modifies extensions of user files
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1428 -
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5032
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2388
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:208
-
-
C:\Users\Admin\AppData\Roaming\svhost.exeC:\Users\Admin\AppData\Roaming\svhost.exe1⤵
- Executes dropped EXE
PID:1028
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
666KB
MD555c4883494e8846ca0f66f20973aee0e
SHA10ac359313afbce0bd5a02a02e55a0c7f1004ee82
SHA2568e797fff8fae9afb216b81ae341aac9f05f419061075b0f6ce4c0c7a67f458a4
SHA512523dfd6ac0435f229cb5202f29ab45ea547d7666380301471c10274fc8892dfdeeb5f05283ae1b1176f40ef3fa4917db36495e7e3d9d89ba41944c8379f3edd8
-
Filesize
666KB
MD555c4883494e8846ca0f66f20973aee0e
SHA10ac359313afbce0bd5a02a02e55a0c7f1004ee82
SHA2568e797fff8fae9afb216b81ae341aac9f05f419061075b0f6ce4c0c7a67f458a4
SHA512523dfd6ac0435f229cb5202f29ab45ea547d7666380301471c10274fc8892dfdeeb5f05283ae1b1176f40ef3fa4917db36495e7e3d9d89ba41944c8379f3edd8