medusalocker | 78ed6afa57daa57bb3d7989d65f2de526594168c1aa85f7d5564e6e97619ea53

General

Target

add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
Size

678KB
MD5

168447d837fc71deeee9f6c15e22d4f4
SHA1

80ad29680cb8cecf58d870ee675b155fc616097f
SHA256

add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b
SHA512

f8e123b601b5df3e89109fcc2e215e014b0d99b382d7cfb1a8cfd55790525c4e5504ee668ac30108c1bebf32e312e0c33edb5737c7ae166b59f791269bd66112
SSDEEP

12288:cPJ4U1TYQivI2qZ7aSgLwkFVpzUvest4ZEbjJLuDJVoM7:J6TYVQ2qZ7aSgLwuVfstRJLIYM

Score

10^/10

medusalocker evasion ransomware spyware stealer trojan

Malware Config

Signatures

MedusaLocker
Ransomware with several variants first seen in September 2019.
ransomware medusalocker

MedusaLocker payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\svhost.exe	family_medusalocker
C:\Users\Admin\AppData\Roaming\svhost.exe	family_medusalocker

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 9 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\OpenRepair.tiff => C:\Users\Admin\Pictures\OpenRepair.tiff.lockfiles	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
File opened for modification	C:\Users\Admin\Pictures\RedoDisconnect.tiff	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
File renamed	C:\Users\Admin\Pictures\RedoDisconnect.tiff => C:\Users\Admin\Pictures\RedoDisconnect.tiff.lockfiles	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
File renamed	C:\Users\Admin\Pictures\SkipTrace.raw => C:\Users\Admin\Pictures\SkipTrace.raw.lockfiles	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
File renamed	C:\Users\Admin\Pictures\EnterUnlock.png => C:\Users\Admin\Pictures\EnterUnlock.png.lockfiles	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
File opened for modification	C:\Users\Admin\Pictures\OpenRepair.tiff	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
File renamed	C:\Users\Admin\Pictures\UseAdd.tif => C:\Users\Admin\Pictures\UseAdd.tif.lockfiles	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
File renamed	C:\Users\Admin\Pictures\GetSelect.png => C:\Users\Admin\Pictures\GetSelect.png.lockfiles	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
File renamed	C:\Users\Admin\Pictures\UnlockSwitch.tif => C:\Users\Admin\Pictures\UnlockSwitch.tif.lockfiles	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe

Executes dropped EXE 1 IoCs

Processes:

svhost.exe

pid process

1756 svhost.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1756	svhost.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe

description	ioc	process
File opened for modification	\??\Z:\$RECYCLE.BIN\S-1-5-21-3430344531-3702557399-3004411149-1000\desktop.ini	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe

description	ioc	process
File opened (read-only)	\??\Y:	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
File opened (read-only)	\??\Z:	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
File opened (read-only)	\??\G:	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
File opened (read-only)	\??\H:	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
File opened (read-only)	\??\I:	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
File opened (read-only)	\??\S:	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
File opened (read-only)	\??\W:	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
File opened (read-only)	\??\K:	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
File opened (read-only)	\??\R:	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
File opened (read-only)	\??\T:	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
File opened (read-only)	\??\U:	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
File opened (read-only)	\??\V:	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
File opened (read-only)	\??\A:	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
File opened (read-only)	\??\B:	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
File opened (read-only)	\??\F:	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
File opened (read-only)	\??\P:	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
File opened (read-only)	\??\Q:	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
File opened (read-only)	\??\O:	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
File opened (read-only)	\??\X:	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
File opened (read-only)	\??\E:	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
File opened (read-only)	\??\J:	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
File opened (read-only)	\??\L:	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
File opened (read-only)	\??\M:	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
File opened (read-only)	\??\N:	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exe

pid process

472 vssadmin.exe
888 vssadmin.exe
832 vssadmin.exe

pid	process
472	vssadmin.exe
888	vssadmin.exe
832	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe

pid	process
1716	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1716	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1716	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1716	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1716	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1716	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1716	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1716	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1716	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1716	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1716	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1716	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1716	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1716	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1716	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1716	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1716	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1716	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1716	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1716	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1716	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1716	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1716	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1716	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1716	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1716	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1716	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1716	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1716	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1716	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1716	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1716	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1716	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1716	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1716	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1716	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1716	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1716	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1716	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1716	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1716	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1716	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1716	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1716	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1716	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1716	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1716	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1716	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1716	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1716	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1716	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1716	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1716	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1716	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1716	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1716	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1716	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1716	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1716	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1716	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1716	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1716	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1716	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1716	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe

Suspicious use of AdjustPrivilegeToken 63 IoCs

Processes:

vssvc.exewmic.exewmic.exewmic.exe

description	pid	process
Token: SeBackupPrivilege	704	vssvc.exe
Token: SeRestorePrivilege	704	vssvc.exe
Token: SeAuditPrivilege	704	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1120	wmic.exe
Token: SeSecurityPrivilege	1120	wmic.exe
Token: SeTakeOwnershipPrivilege	1120	wmic.exe
Token: SeLoadDriverPrivilege	1120	wmic.exe
Token: SeSystemProfilePrivilege	1120	wmic.exe
Token: SeSystemtimePrivilege	1120	wmic.exe
Token: SeProfSingleProcessPrivilege	1120	wmic.exe
Token: SeIncBasePriorityPrivilege	1120	wmic.exe
Token: SeCreatePagefilePrivilege	1120	wmic.exe
Token: SeBackupPrivilege	1120	wmic.exe
Token: SeRestorePrivilege	1120	wmic.exe
Token: SeShutdownPrivilege	1120	wmic.exe
Token: SeDebugPrivilege	1120	wmic.exe
Token: SeSystemEnvironmentPrivilege	1120	wmic.exe
Token: SeRemoteShutdownPrivilege	1120	wmic.exe
Token: SeUndockPrivilege	1120	wmic.exe
Token: SeManageVolumePrivilege	1120	wmic.exe
Token: 33	1120	wmic.exe
Token: 34	1120	wmic.exe
Token: 35	1120	wmic.exe
Token: SeIncreaseQuotaPrivilege	1540	wmic.exe
Token: SeSecurityPrivilege	1540	wmic.exe
Token: SeTakeOwnershipPrivilege	1540	wmic.exe
Token: SeLoadDriverPrivilege	1540	wmic.exe
Token: SeSystemProfilePrivilege	1540	wmic.exe
Token: SeSystemtimePrivilege	1540	wmic.exe
Token: SeProfSingleProcessPrivilege	1540	wmic.exe
Token: SeIncBasePriorityPrivilege	1540	wmic.exe
Token: SeCreatePagefilePrivilege	1540	wmic.exe
Token: SeBackupPrivilege	1540	wmic.exe
Token: SeRestorePrivilege	1540	wmic.exe
Token: SeShutdownPrivilege	1540	wmic.exe
Token: SeDebugPrivilege	1540	wmic.exe
Token: SeSystemEnvironmentPrivilege	1540	wmic.exe
Token: SeRemoteShutdownPrivilege	1540	wmic.exe
Token: SeUndockPrivilege	1540	wmic.exe
Token: SeManageVolumePrivilege	1540	wmic.exe
Token: 33	1540	wmic.exe
Token: 34	1540	wmic.exe
Token: 35	1540	wmic.exe
Token: SeIncreaseQuotaPrivilege	836	wmic.exe
Token: SeSecurityPrivilege	836	wmic.exe
Token: SeTakeOwnershipPrivilege	836	wmic.exe
Token: SeLoadDriverPrivilege	836	wmic.exe
Token: SeSystemProfilePrivilege	836	wmic.exe
Token: SeSystemtimePrivilege	836	wmic.exe
Token: SeProfSingleProcessPrivilege	836	wmic.exe
Token: SeIncBasePriorityPrivilege	836	wmic.exe
Token: SeCreatePagefilePrivilege	836	wmic.exe
Token: SeBackupPrivilege	836	wmic.exe
Token: SeRestorePrivilege	836	wmic.exe
Token: SeShutdownPrivilege	836	wmic.exe
Token: SeDebugPrivilege	836	wmic.exe
Token: SeSystemEnvironmentPrivilege	836	wmic.exe
Token: SeRemoteShutdownPrivilege	836	wmic.exe
Token: SeUndockPrivilege	836	wmic.exe
Token: SeManageVolumePrivilege	836	wmic.exe
Token: 33	836	wmic.exe
Token: 34	836	wmic.exe
Token: 35	836	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exetaskeng.exe

description	pid	process	target process
PID 1716 wrote to memory of 472	1716	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe	vssadmin.exe
PID 1716 wrote to memory of 472	1716	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe	vssadmin.exe
PID 1716 wrote to memory of 472	1716	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe	vssadmin.exe
PID 1716 wrote to memory of 472	1716	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe	vssadmin.exe
PID 1716 wrote to memory of 1120	1716	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe	wmic.exe
PID 1716 wrote to memory of 1120	1716	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe	wmic.exe
PID 1716 wrote to memory of 1120	1716	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe	wmic.exe
PID 1716 wrote to memory of 1120	1716	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe	wmic.exe
PID 1716 wrote to memory of 888	1716	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe	vssadmin.exe
PID 1716 wrote to memory of 888	1716	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe	vssadmin.exe
PID 1716 wrote to memory of 888	1716	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe	vssadmin.exe
PID 1716 wrote to memory of 888	1716	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe	vssadmin.exe
PID 1716 wrote to memory of 1540	1716	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe	wmic.exe
PID 1716 wrote to memory of 1540	1716	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe	wmic.exe
PID 1716 wrote to memory of 1540	1716	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe	wmic.exe
PID 1716 wrote to memory of 1540	1716	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe	wmic.exe
PID 1716 wrote to memory of 832	1716	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe	vssadmin.exe
PID 1716 wrote to memory of 832	1716	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe	vssadmin.exe
PID 1716 wrote to memory of 832	1716	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe	vssadmin.exe
PID 1716 wrote to memory of 832	1716	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe	vssadmin.exe
PID 1716 wrote to memory of 836	1716	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe	wmic.exe
PID 1716 wrote to memory of 836	1716	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe	wmic.exe
PID 1716 wrote to memory of 836	1716	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe	wmic.exe
PID 1716 wrote to memory of 836	1716	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe	wmic.exe
PID 1804 wrote to memory of 1756	1804	taskeng.exe	svhost.exe
PID 1804 wrote to memory of 1756	1804	taskeng.exe	svhost.exe
PID 1804 wrote to memory of 1756	1804	taskeng.exe	svhost.exe
PID 1804 wrote to memory of 1756	1804	taskeng.exe	svhost.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
"C:\Users\Admin\AppData\Local\Temp\add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe"
1⤵
- UAC bypass
- Modifies extensions of user files
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1716
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:472
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1120
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:888
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1540
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:832
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:836

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:704

C:\Windows\system32\taskeng.exe
taskeng.exe {6DA5E91F-DE61-4627-AD9C-E70EBFE7C5D1} S-1-5-21-3430344531-3702557399-3004411149-1000:WFSTZEPN\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1804
- C:\Users\Admin\AppData\Roaming\svhost.exe
  C:\Users\Admin\AppData\Roaming\svhost.exe
  2⤵
  - Executes dropped EXE
  PID:1756

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

File Deletion

Modify Registry

Credential Access

Credentials in Files

1

T1081

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\How_to_back_files.html

Filesize
4KB

MD5
de10cccbcc909b07eacc4b59921b73e7

SHA1
a947c5ef697fd2d77c1478ac842133050b7879a3

SHA256
7a7cbc81b59ee91e7f691a7d7a5c9bc62e9c58166df6f0bb8a4435be2bd6fe81

SHA512
7cd5c9959661e26df6099ae104e1660538cc8a67ec0570f7ff946f85226c876ed58392df4d05a905d7d3fe48b66a9c3b106af035cfc7ed5a55a460c7f2f147cf

Download Submit
C:\Users\Admin\AppData\Roaming\svhost.exe

Filesize
678KB

MD5
168447d837fc71deeee9f6c15e22d4f4

SHA1
80ad29680cb8cecf58d870ee675b155fc616097f

SHA256
add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b

SHA512
f8e123b601b5df3e89109fcc2e215e014b0d99b382d7cfb1a8cfd55790525c4e5504ee668ac30108c1bebf32e312e0c33edb5737c7ae166b59f791269bd66112

Download Submit
C:\Users\Admin\AppData\Roaming\svhost.exe

Filesize
678KB

MD5
168447d837fc71deeee9f6c15e22d4f4

SHA1
80ad29680cb8cecf58d870ee675b155fc616097f

SHA256
add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b

SHA512
f8e123b601b5df3e89109fcc2e215e014b0d99b382d7cfb1a8cfd55790525c4e5504ee668ac30108c1bebf32e312e0c33edb5737c7ae166b59f791269bd66112

Download Submit
C:\Users\Default\NTUSER.DAT.LOG2

Filesize
536B

MD5
7ef205c3b27313f46e5b6cae7caf7b0f

SHA1
6414d16bb727a3f2bbc5e00fe599bdbb6bdd64f4

SHA256
233908203e794bf6da4625e3cf04fd40dd3f757591512f8e8b65cf2dc906b225

SHA512
a1d54f14d7ebeba62aef38012dfa940d24e878b347444cae616a902deb839858ff0bb2ff05cbae956b2d97f7c1171d06b482e7c6752fe774e7b7a3154b45aad5

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads