Analysis
-
max time kernel
150s -
max time network
30s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
23-03-2023 16:59
Behavioral task
behavioral1
Sample
9708006633.zip
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
9708006633.zip
Resource
win10v2004-20230220-en
Behavioral task
behavioral3
Sample
1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
Resource
win7-20230220-en
Behavioral task
behavioral4
Sample
1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
Resource
win10v2004-20230220-en
Behavioral task
behavioral5
Sample
out.exe
Resource
win7-20230220-en
Behavioral task
behavioral6
Sample
out.exe
Resource
win10v2004-20230220-en
General
-
Target
1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
-
Size
235KB
-
MD5
f6f120d1262b88f79debb5d848ac7db9
-
SHA1
1339282f9b2d2a41326daf3cf284ec2ae8f0f93c
-
SHA256
1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281
-
SHA512
1067c1a73cf891d651fa007f4ccc4452f32801fe3859933ef1bcc00985e35ce016fa6c601c0e3c10df2080fc9b8a776b2f18d40bd64dfb98177ab638c4b545bd
-
SSDEEP
6144:c5vMUmRTTgwnfeP+Jx1cLNAIyBcc9WrEWUC4wQh/6BeX:/U8Tgufnx1cLNncgQWUUQh/+e
Malware Config
Extracted
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\HOW_TO_RECOVER_DATA.html
Signatures
-
MedusaLocker
Ransomware with several variants first seen in September 2019.
-
MedusaLocker payload 13 IoCs
resource yara_rule behavioral3/memory/928-55-0x00000000012D0000-0x0000000001382000-memory.dmp family_medusalocker behavioral3/memory/928-281-0x00000000012D0000-0x0000000001382000-memory.dmp family_medusalocker behavioral3/memory/928-384-0x00000000012D0000-0x0000000001382000-memory.dmp family_medusalocker behavioral3/memory/928-992-0x00000000012D0000-0x0000000001382000-memory.dmp family_medusalocker behavioral3/memory/928-1018-0x00000000012D0000-0x0000000001382000-memory.dmp family_medusalocker behavioral3/memory/928-1019-0x00000000012D0000-0x0000000001382000-memory.dmp family_medusalocker behavioral3/memory/680-1023-0x0000000001240000-0x00000000012F2000-memory.dmp family_medusalocker behavioral3/memory/928-1024-0x00000000012D0000-0x0000000001382000-memory.dmp family_medusalocker behavioral3/memory/928-1025-0x00000000012D0000-0x0000000001382000-memory.dmp family_medusalocker behavioral3/memory/928-1027-0x00000000012D0000-0x0000000001382000-memory.dmp family_medusalocker behavioral3/memory/928-1028-0x00000000012D0000-0x0000000001382000-memory.dmp family_medusalocker behavioral3/memory/928-1029-0x00000000012D0000-0x0000000001382000-memory.dmp family_medusalocker behavioral3/memory/928-1031-0x00000000012D0000-0x0000000001382000-memory.dmp family_medusalocker -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 2 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File renamed C:\Users\Admin\Pictures\BlockClose.png => C:\Users\Admin\Pictures\BlockClose.png.marlock07 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe File renamed C:\Users\Admin\Pictures\ResolveSync.crw => C:\Users\Admin\Pictures\ResolveSync.crw.marlock07 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe -
Executes dropped EXE 1 IoCs
pid Process 680 svhost.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral3/memory/928-55-0x00000000012D0000-0x0000000001382000-memory.dmp upx behavioral3/memory/928-281-0x00000000012D0000-0x0000000001382000-memory.dmp upx behavioral3/memory/928-384-0x00000000012D0000-0x0000000001382000-memory.dmp upx behavioral3/memory/928-992-0x00000000012D0000-0x0000000001382000-memory.dmp upx behavioral3/memory/928-1018-0x00000000012D0000-0x0000000001382000-memory.dmp upx behavioral3/memory/928-1019-0x00000000012D0000-0x0000000001382000-memory.dmp upx behavioral3/files/0x000a00000001235a-1021.dat upx behavioral3/files/0x000a00000001235a-1022.dat upx behavioral3/memory/680-1023-0x0000000001240000-0x00000000012F2000-memory.dmp upx behavioral3/memory/928-1024-0x00000000012D0000-0x0000000001382000-memory.dmp upx behavioral3/memory/928-1025-0x00000000012D0000-0x0000000001382000-memory.dmp upx behavioral3/memory/928-1027-0x00000000012D0000-0x0000000001382000-memory.dmp upx behavioral3/memory/928-1028-0x00000000012D0000-0x0000000001382000-memory.dmp upx behavioral3/memory/928-1029-0x00000000012D0000-0x0000000001382000-memory.dmp upx behavioral3/memory/928-1031-0x00000000012D0000-0x0000000001382000-memory.dmp upx -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe -
Drops desktop.ini file(s) 1 IoCs
description ioc Process File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-3948302646-268491222-1934009652-1000\desktop.ini 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\E: 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe File opened (read-only) \??\K: 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe File opened (read-only) \??\N: 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe File opened (read-only) \??\U: 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe File opened (read-only) \??\V: 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe File opened (read-only) \??\T: 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe File opened (read-only) \??\A: 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe File opened (read-only) \??\B: 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe File opened (read-only) \??\G: 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe File opened (read-only) \??\I: 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe File opened (read-only) \??\P: 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe File opened (read-only) \??\R: 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe File opened (read-only) \??\S: 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe File opened (read-only) \??\H: 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe File opened (read-only) \??\J: 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe File opened (read-only) \??\L: 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe File opened (read-only) \??\Q: 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe File opened (read-only) \??\X: 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe File opened (read-only) \??\Y: 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe File opened (read-only) \??\Z: 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe File opened (read-only) \??\F: 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe File opened (read-only) \??\M: 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe File opened (read-only) \??\O: 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe File opened (read-only) \??\W: 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 1524 vssadmin.exe 1540 vssadmin.exe 1056 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 928 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 928 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 928 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 928 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 928 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 928 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 928 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 928 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 928 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 928 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 928 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 928 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 928 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 928 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 928 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 928 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 928 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 928 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 928 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 928 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 928 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 928 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 928 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 928 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 928 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 928 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 928 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 928 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 928 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 928 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 928 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 928 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 928 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 928 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 928 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 928 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 928 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 928 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 928 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 928 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 928 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 928 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 928 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 928 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 928 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 928 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 928 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 928 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 928 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 928 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 928 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 928 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 928 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 928 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 928 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 928 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 928 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 928 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 928 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 928 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 928 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 928 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 928 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 928 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe -
Suspicious use of AdjustPrivilegeToken 63 IoCs
description pid Process Token: SeBackupPrivilege 752 vssvc.exe Token: SeRestorePrivilege 752 vssvc.exe Token: SeAuditPrivilege 752 vssvc.exe Token: SeIncreaseQuotaPrivilege 1472 wmic.exe Token: SeSecurityPrivilege 1472 wmic.exe Token: SeTakeOwnershipPrivilege 1472 wmic.exe Token: SeLoadDriverPrivilege 1472 wmic.exe Token: SeSystemProfilePrivilege 1472 wmic.exe Token: SeSystemtimePrivilege 1472 wmic.exe Token: SeProfSingleProcessPrivilege 1472 wmic.exe Token: SeIncBasePriorityPrivilege 1472 wmic.exe Token: SeCreatePagefilePrivilege 1472 wmic.exe Token: SeBackupPrivilege 1472 wmic.exe Token: SeRestorePrivilege 1472 wmic.exe Token: SeShutdownPrivilege 1472 wmic.exe Token: SeDebugPrivilege 1472 wmic.exe Token: SeSystemEnvironmentPrivilege 1472 wmic.exe Token: SeRemoteShutdownPrivilege 1472 wmic.exe Token: SeUndockPrivilege 1472 wmic.exe Token: SeManageVolumePrivilege 1472 wmic.exe Token: 33 1472 wmic.exe Token: 34 1472 wmic.exe Token: 35 1472 wmic.exe Token: SeIncreaseQuotaPrivilege 1564 wmic.exe Token: SeSecurityPrivilege 1564 wmic.exe Token: SeTakeOwnershipPrivilege 1564 wmic.exe Token: SeLoadDriverPrivilege 1564 wmic.exe Token: SeSystemProfilePrivilege 1564 wmic.exe Token: SeSystemtimePrivilege 1564 wmic.exe Token: SeProfSingleProcessPrivilege 1564 wmic.exe Token: SeIncBasePriorityPrivilege 1564 wmic.exe Token: SeCreatePagefilePrivilege 1564 wmic.exe Token: SeBackupPrivilege 1564 wmic.exe Token: SeRestorePrivilege 1564 wmic.exe Token: SeShutdownPrivilege 1564 wmic.exe Token: SeDebugPrivilege 1564 wmic.exe Token: SeSystemEnvironmentPrivilege 1564 wmic.exe Token: SeRemoteShutdownPrivilege 1564 wmic.exe Token: SeUndockPrivilege 1564 wmic.exe Token: SeManageVolumePrivilege 1564 wmic.exe Token: 33 1564 wmic.exe Token: 34 1564 wmic.exe Token: 35 1564 wmic.exe Token: SeIncreaseQuotaPrivilege 296 wmic.exe Token: SeSecurityPrivilege 296 wmic.exe Token: SeTakeOwnershipPrivilege 296 wmic.exe Token: SeLoadDriverPrivilege 296 wmic.exe Token: SeSystemProfilePrivilege 296 wmic.exe Token: SeSystemtimePrivilege 296 wmic.exe Token: SeProfSingleProcessPrivilege 296 wmic.exe Token: SeIncBasePriorityPrivilege 296 wmic.exe Token: SeCreatePagefilePrivilege 296 wmic.exe Token: SeBackupPrivilege 296 wmic.exe Token: SeRestorePrivilege 296 wmic.exe Token: SeShutdownPrivilege 296 wmic.exe Token: SeDebugPrivilege 296 wmic.exe Token: SeSystemEnvironmentPrivilege 296 wmic.exe Token: SeRemoteShutdownPrivilege 296 wmic.exe Token: SeUndockPrivilege 296 wmic.exe Token: SeManageVolumePrivilege 296 wmic.exe Token: 33 296 wmic.exe Token: 34 296 wmic.exe Token: 35 296 wmic.exe -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 928 wrote to memory of 1056 928 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 27 PID 928 wrote to memory of 1056 928 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 27 PID 928 wrote to memory of 1056 928 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 27 PID 928 wrote to memory of 1056 928 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 27 PID 928 wrote to memory of 1472 928 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 30 PID 928 wrote to memory of 1472 928 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 30 PID 928 wrote to memory of 1472 928 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 30 PID 928 wrote to memory of 1472 928 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 30 PID 928 wrote to memory of 1524 928 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 32 PID 928 wrote to memory of 1524 928 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 32 PID 928 wrote to memory of 1524 928 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 32 PID 928 wrote to memory of 1524 928 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 32 PID 928 wrote to memory of 1564 928 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 34 PID 928 wrote to memory of 1564 928 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 34 PID 928 wrote to memory of 1564 928 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 34 PID 928 wrote to memory of 1564 928 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 34 PID 928 wrote to memory of 1540 928 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 36 PID 928 wrote to memory of 1540 928 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 36 PID 928 wrote to memory of 1540 928 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 36 PID 928 wrote to memory of 1540 928 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 36 PID 928 wrote to memory of 296 928 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 38 PID 928 wrote to memory of 296 928 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 38 PID 928 wrote to memory of 296 928 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 38 PID 928 wrote to memory of 296 928 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 38 PID 1620 wrote to memory of 680 1620 taskeng.exe 43 PID 1620 wrote to memory of 680 1620 taskeng.exe 43 PID 1620 wrote to memory of 680 1620 taskeng.exe 43 PID 1620 wrote to memory of 680 1620 taskeng.exe 43 -
System policy modification 1 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe"C:\Users\Admin\AppData\Local\Temp\1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe"1⤵
- UAC bypass
- Modifies extensions of user files
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:928 -
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
PID:1056
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1472
-
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
PID:1524
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1564
-
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
PID:1540
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:296
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:752
-
C:\Windows\system32\taskeng.exetaskeng.exe {B5952E88-9B34-4C64-A99C-EA2AE4E33588} S-1-5-21-3948302646-268491222-1934009652-1000:KXZDHPUW\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
PID:1620 -
C:\Users\Admin\AppData\Roaming\svhost.exeC:\Users\Admin\AppData\Roaming\svhost.exe2⤵
- Executes dropped EXE
PID:680
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD57874159f5c9188bd5a0bae93d188a583
SHA1c707181ab0e5224dda1762547c89e09db9150ccc
SHA256e06779450a40330e921213506fc2543a8655698e0cb750d733dae58b98414006
SHA512c84d5c1d71f5e7b71983059c159339d316eed74434bc13c5dde56802158a8fc8c0be486bbb7e2683af16c1b522ec5b4e0e8e77a5594c4fd5936cf90592b1d51e
-
Filesize
235KB
MD5f6f120d1262b88f79debb5d848ac7db9
SHA11339282f9b2d2a41326daf3cf284ec2ae8f0f93c
SHA2561bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281
SHA5121067c1a73cf891d651fa007f4ccc4452f32801fe3859933ef1bcc00985e35ce016fa6c601c0e3c10df2080fc9b8a776b2f18d40bd64dfb98177ab638c4b545bd
-
Filesize
235KB
MD5f6f120d1262b88f79debb5d848ac7db9
SHA11339282f9b2d2a41326daf3cf284ec2ae8f0f93c
SHA2561bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281
SHA5121067c1a73cf891d651fa007f4ccc4452f32801fe3859933ef1bcc00985e35ce016fa6c601c0e3c10df2080fc9b8a776b2f18d40bd64dfb98177ab638c4b545bd
-
Filesize
536B
MD5979b096f97704773caec730cc1265596
SHA147346abea4387e3ca597c9dfc8d1cd1e0c24959c
SHA2568f7c2f4692ecdd62b0a8430abe4f83c90bb2186ba8e05fb9391d97f54a4b94a6
SHA512bfc494e4846a006d22486e0910a550696b14f78fc108a12f75759d5030ca0d1f240c5e4f58e29598244b9364692cfd6e96d53ce88673c3a60504afe3d0469831