Analysis
-
max time kernel
128s -
max time network
126s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
09-03-2023 18:32
General
-
Target
LFm.bin.exe
-
Size
678KB
-
MD5
168447d837fc71deeee9f6c15e22d4f4
-
SHA1
80ad29680cb8cecf58d870ee675b155fc616097f
-
SHA256
add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b
-
SHA512
f8e123b601b5df3e89109fcc2e215e014b0d99b382d7cfb1a8cfd55790525c4e5504ee668ac30108c1bebf32e312e0c33edb5737c7ae166b59f791269bd66112
-
SSDEEP
12288:cPJ4U1TYQivI2qZ7aSgLwkFVpzUvest4ZEbjJLuDJVoM7:J6TYVQ2qZ7aSgLwuVfstRJLIYM
Malware Config
Signatures
-
MedusaLocker
Ransomware with several variants first seen in September 2019.
-
MedusaLocker payload 2 IoCs
-
UAC bypass 3 TTPs 2 IoCs
-
Modifies extensions of user files 5 IoCs
Ransomware generally changes the extension on encrypted files.
-
Executes dropped EXE 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 63 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
-
System policy modification 1 TTPs 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\LFm.bin.exe"C:\Users\Admin\AppData\Local\Temp\LFm.bin.exe"1⤵
- UAC bypass
- Modifies extensions of user files
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Roaming\svhost.exeC:\Users\Admin\AppData\Roaming\svhost.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
678KB
MD5168447d837fc71deeee9f6c15e22d4f4
SHA180ad29680cb8cecf58d870ee675b155fc616097f
SHA256add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b
SHA512f8e123b601b5df3e89109fcc2e215e014b0d99b382d7cfb1a8cfd55790525c4e5504ee668ac30108c1bebf32e312e0c33edb5737c7ae166b59f791269bd66112
-
Filesize
678KB
MD5168447d837fc71deeee9f6c15e22d4f4
SHA180ad29680cb8cecf58d870ee675b155fc616097f
SHA256add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b
SHA512f8e123b601b5df3e89109fcc2e215e014b0d99b382d7cfb1a8cfd55790525c4e5504ee668ac30108c1bebf32e312e0c33edb5737c7ae166b59f791269bd66112
-
Filesize
536B
MD53454c8ebf2f69aff22ec8694557b08f7
SHA1a82defe86d5f9b5d43ae37bcce457fef5a800cdb
SHA256830d5b5c2537d68713e630bd284f4edfaf230afde5cc19bf8923d59431768a19
SHA512853d688e5369958c3095511663fe59061d22dc3e568adc8b38ea54fdfa973a782eed435bd2b57a31dbfeb0d0e9a00af429c8d7b3a562aafbd762488d018fa467
-
Filesize
4KB
MD5f61437405a97e628a2bbed647ebd2a01
SHA19002bb4b6ebb808ea6738dc7f471a535472e22a9
SHA256dc46a10dab1dc7287224e2f647a33d6dd8990839f2b3ea103d8328fd1aa00981
SHA512a94b34d9e0d642bb98e0e76dbed9f9350f420f24ab753735f8d16f075c919bd1e5b146fc1f47c709be0f3c9a457a580dd5804784bc799a257ce9423fe4189ffc