medusalocker | 78ed6afa57daa57bb3d7989d65f2de526594168c1aa85f7d5564e6e97619ea53

General

Target

add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
Size

678KB
MD5

168447d837fc71deeee9f6c15e22d4f4
SHA1

80ad29680cb8cecf58d870ee675b155fc616097f
SHA256

add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b
SHA512

f8e123b601b5df3e89109fcc2e215e014b0d99b382d7cfb1a8cfd55790525c4e5504ee668ac30108c1bebf32e312e0c33edb5737c7ae166b59f791269bd66112
SSDEEP

12288:cPJ4U1TYQivI2qZ7aSgLwkFVpzUvest4ZEbjJLuDJVoM7:J6TYVQ2qZ7aSgLwuVfstRJLIYM

Score

10^/10

medusalocker evasion ransomware spyware stealer trojan

Malware Config

Signatures

MedusaLocker
Ransomware with several variants first seen in September 2019.
ransomware medusalocker

MedusaLocker payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\svhost.exe	family_medusalocker
C:\Users\Admin\AppData\Roaming\svhost.exe	family_medusalocker

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe

Modifies extensions of user files 11 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\NewConvertFrom.tiff	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
File renamed	C:\Users\Admin\Pictures\UnblockRepair.crw => C:\Users\Admin\Pictures\UnblockRepair.crw.lockfiles	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
File renamed	C:\Users\Admin\Pictures\CompareFind.crw => C:\Users\Admin\Pictures\CompareFind.crw.lockfiles	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
File renamed	C:\Users\Admin\Pictures\ConnectCheckpoint.png => C:\Users\Admin\Pictures\ConnectCheckpoint.png.lockfiles	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
File renamed	C:\Users\Admin\Pictures\NewConvertFrom.tiff => C:\Users\Admin\Pictures\NewConvertFrom.tiff.lockfiles	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
File renamed	C:\Users\Admin\Pictures\SplitResolve.tif => C:\Users\Admin\Pictures\SplitResolve.tif.lockfiles	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
File renamed	C:\Users\Admin\Pictures\SuspendHide.raw => C:\Users\Admin\Pictures\SuspendHide.raw.lockfiles	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
File renamed	C:\Users\Admin\Pictures\TraceResize.tif => C:\Users\Admin\Pictures\TraceResize.tif.lockfiles	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
File renamed	C:\Users\Admin\Pictures\UnpublishBlock.raw => C:\Users\Admin\Pictures\UnpublishBlock.raw.lockfiles	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
File opened for modification	C:\Users\Admin\Pictures\UnpublishRedo.tiff	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
File renamed	C:\Users\Admin\Pictures\UnpublishRedo.tiff => C:\Users\Admin\Pictures\UnpublishRedo.tiff.lockfiles	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe

Executes dropped EXE 1 IoCs

Processes:

svhost.exe

pid process

2580 svhost.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2580	svhost.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe

description	ioc	process
File opened for modification	\??\Z:\$RECYCLE.BIN\S-1-5-21-144354903-2550862337-1367551827-1000\desktop.ini	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe

description	ioc	process
File opened (read-only)	\??\J:	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
File opened (read-only)	\??\K:	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
File opened (read-only)	\??\M:	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
File opened (read-only)	\??\R:	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
File opened (read-only)	\??\S:	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
File opened (read-only)	\??\U:	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
File opened (read-only)	\??\H:	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
File opened (read-only)	\??\I:	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
File opened (read-only)	\??\W:	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
File opened (read-only)	\??\Z:	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
File opened (read-only)	\??\A:	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
File opened (read-only)	\??\P:	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
File opened (read-only)	\??\V:	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
File opened (read-only)	\??\X:	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
File opened (read-only)	\??\B:	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
File opened (read-only)	\??\F:	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
File opened (read-only)	\??\L:	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
File opened (read-only)	\??\N:	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
File opened (read-only)	\??\O:	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
File opened (read-only)	\??\Q:	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
File opened (read-only)	\??\T:	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
File opened (read-only)	\??\Y:	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
File opened (read-only)	\??\E:	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
File opened (read-only)	\??\G:	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe

pid	process
1868	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1868	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1868	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1868	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1868	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1868	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1868	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1868	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1868	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1868	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1868	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1868	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1868	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1868	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1868	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1868	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1868	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1868	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1868	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1868	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1868	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1868	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1868	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1868	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1868	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1868	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1868	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1868	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1868	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1868	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1868	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1868	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1868	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1868	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1868	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1868	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1868	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1868	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1868	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1868	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1868	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1868	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1868	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1868	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1868	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1868	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1868	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1868	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1868	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1868	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1868	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1868	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1868	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1868	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1868	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1868	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1868	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1868	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1868	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1868	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1868	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1868	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1868	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
1868	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe

Suspicious use of AdjustPrivilegeToken 63 IoCs

Processes:

wmic.exewmic.exewmic.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2276	wmic.exe
Token: SeSecurityPrivilege	2276	wmic.exe
Token: SeTakeOwnershipPrivilege	2276	wmic.exe
Token: SeLoadDriverPrivilege	2276	wmic.exe
Token: SeSystemProfilePrivilege	2276	wmic.exe
Token: SeSystemtimePrivilege	2276	wmic.exe
Token: SeProfSingleProcessPrivilege	2276	wmic.exe
Token: SeIncBasePriorityPrivilege	2276	wmic.exe
Token: SeCreatePagefilePrivilege	2276	wmic.exe
Token: SeBackupPrivilege	2276	wmic.exe
Token: SeRestorePrivilege	2276	wmic.exe
Token: SeShutdownPrivilege	2276	wmic.exe
Token: SeDebugPrivilege	2276	wmic.exe
Token: SeSystemEnvironmentPrivilege	2276	wmic.exe
Token: SeRemoteShutdownPrivilege	2276	wmic.exe
Token: SeUndockPrivilege	2276	wmic.exe
Token: SeManageVolumePrivilege	2276	wmic.exe
Token: 33	2276	wmic.exe
Token: 34	2276	wmic.exe
Token: 35	2276	wmic.exe
Token: 36	2276	wmic.exe
Token: SeIncreaseQuotaPrivilege	216	wmic.exe
Token: SeSecurityPrivilege	216	wmic.exe
Token: SeTakeOwnershipPrivilege	216	wmic.exe
Token: SeLoadDriverPrivilege	216	wmic.exe
Token: SeSystemProfilePrivilege	216	wmic.exe
Token: SeSystemtimePrivilege	216	wmic.exe
Token: SeProfSingleProcessPrivilege	216	wmic.exe
Token: SeIncBasePriorityPrivilege	216	wmic.exe
Token: SeCreatePagefilePrivilege	216	wmic.exe
Token: SeBackupPrivilege	216	wmic.exe
Token: SeRestorePrivilege	216	wmic.exe
Token: SeShutdownPrivilege	216	wmic.exe
Token: SeDebugPrivilege	216	wmic.exe
Token: SeSystemEnvironmentPrivilege	216	wmic.exe
Token: SeRemoteShutdownPrivilege	216	wmic.exe
Token: SeUndockPrivilege	216	wmic.exe
Token: SeManageVolumePrivilege	216	wmic.exe
Token: 33	216	wmic.exe
Token: 34	216	wmic.exe
Token: 35	216	wmic.exe
Token: 36	216	wmic.exe
Token: SeIncreaseQuotaPrivilege	4388	wmic.exe
Token: SeSecurityPrivilege	4388	wmic.exe
Token: SeTakeOwnershipPrivilege	4388	wmic.exe
Token: SeLoadDriverPrivilege	4388	wmic.exe
Token: SeSystemProfilePrivilege	4388	wmic.exe
Token: SeSystemtimePrivilege	4388	wmic.exe
Token: SeProfSingleProcessPrivilege	4388	wmic.exe
Token: SeIncBasePriorityPrivilege	4388	wmic.exe
Token: SeCreatePagefilePrivilege	4388	wmic.exe
Token: SeBackupPrivilege	4388	wmic.exe
Token: SeRestorePrivilege	4388	wmic.exe
Token: SeShutdownPrivilege	4388	wmic.exe
Token: SeDebugPrivilege	4388	wmic.exe
Token: SeSystemEnvironmentPrivilege	4388	wmic.exe
Token: SeRemoteShutdownPrivilege	4388	wmic.exe
Token: SeUndockPrivilege	4388	wmic.exe
Token: SeManageVolumePrivilege	4388	wmic.exe
Token: 33	4388	wmic.exe
Token: 34	4388	wmic.exe
Token: 35	4388	wmic.exe
Token: 36	4388	wmic.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe

description	pid	process	target process
PID 1868 wrote to memory of 2276	1868	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe	wmic.exe
PID 1868 wrote to memory of 2276	1868	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe	wmic.exe
PID 1868 wrote to memory of 2276	1868	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe	wmic.exe
PID 1868 wrote to memory of 216	1868	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe	wmic.exe
PID 1868 wrote to memory of 216	1868	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe	wmic.exe
PID 1868 wrote to memory of 216	1868	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe	wmic.exe
PID 1868 wrote to memory of 4388	1868	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe	wmic.exe
PID 1868 wrote to memory of 4388	1868	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe	wmic.exe
PID 1868 wrote to memory of 4388	1868	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe	wmic.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe

C:\Users\Admin\AppData\Local\Temp\add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
"C:\Users\Admin\AppData\Local\Temp\add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe"
1⤵
- UAC bypass
- Modifies extensions of user files
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1868
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2276
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:216
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4388

C:\Users\Admin\AppData\Roaming\svhost.exe
C:\Users\Admin\AppData\Roaming\svhost.exe
1⤵
- Executes dropped EXE
PID:2580

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

Modify Registry

Credential Access

Credentials in Files

1

T1081

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\svhost.exe

Filesize
678KB

MD5
168447d837fc71deeee9f6c15e22d4f4

SHA1
80ad29680cb8cecf58d870ee675b155fc616097f

SHA256
add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b

SHA512
f8e123b601b5df3e89109fcc2e215e014b0d99b382d7cfb1a8cfd55790525c4e5504ee668ac30108c1bebf32e312e0c33edb5737c7ae166b59f791269bd66112

Download Submit
C:\Users\Admin\AppData\Roaming\svhost.exe

Filesize
678KB

MD5
168447d837fc71deeee9f6c15e22d4f4

SHA1
80ad29680cb8cecf58d870ee675b155fc616097f

SHA256
add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b

SHA512
f8e123b601b5df3e89109fcc2e215e014b0d99b382d7cfb1a8cfd55790525c4e5504ee668ac30108c1bebf32e312e0c33edb5737c7ae166b59f791269bd66112

Download Submit
C:\Users\Default\ntuser.dat.LOG2

Filesize
536B

MD5
4f3dca558d5b53c61d6188e1f6653b6b

SHA1
f15926bd47be371a34bb09000a9ead52b2fa8ae2

SHA256
a366beabd9732e30dfc777d01b013030b5d6ccdb61a16f8b85c529c460dbf0f0

SHA512
1d41305b7a718428bc8162b71ba47e85580991408d40f0593659de9453ef13aa0b9557ca6a409ad43cb61c98e5cc404f1cd4738942337f6bb8bd887f54588c32

Download Submit
\Device\HarddiskVolume1\Boot\How_to_back_files.html

Filesize
4KB

MD5
815e1591c8495946aca2b1c0e26458ba

SHA1
1f62ff3ded9742b94877a50fc713530cd73135e7

SHA256
d16aea1518d2172d99d9f31dc527bdea6ebb905746c9d698601fc4cafa53a5a1

SHA512
f43c7b25433899990ce05fedb6a4e5479f0496339e7d63e28d3d03078418a6fae7050cbb71a676e35af0adc339ebec00144779c98b039cc630bac7e9e41e5211

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads