Analysis
- max time kernel: 150s
- max time network: 33s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64 arch:x86 image:win7-20230220-en locale:en-us os:windows7-x64 system
- submitted: 18-04-2023 05:13
Behavioral task behavioral1
- Sample: 053680ED933D58F4150FFDEFAC4D9F13.exe
- Resource: win7-20230220-en
Behavioral task behavioral2
- Sample: 053680ED933D58F4150FFDEFAC4D9F13.exe
- Resource: win10v2004-20230220-en
General
- Target: 053680ED933D58F4150FFDEFAC4D9F13.exe
- Size: 669KB
- MD5: 053680ed933d58f4150ffdefac4d9f13
- SHA1: 69c4a4ffb650a6fdfe343d6acca3b988647aee30
- SHA256: af768da08a34ddf503522186a22e65e623491e48754356210cc6798598f85266
- SHA512: 4ed454e96f65c2a7cefbe27a499e2fb3eeea8512e704aae7de4245e0a0d38788ec7366937a68a57b714681da3f43ebddf32241756f0f0e6eb63488c8c3966de2
- SSDEEP: 12288:dQA0FfTcwpBuV2UxqDmuiLZeUaoFi2XZWfGe615HhAZV8DnKD/KeX:Tuf4wTuV2Ux3uIZeUBi2Te6HWmKrKe
Malware Config
- Extracted: C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\HOW_TO_RECOVER_DATA.html
Signatures

MedusaLocker
Ransomware with several variants first seen in September 2019.

MedusaLocker payload 2 IoCs
- resource behavioral1/files/0x0008000000014346-1029.dat matched yara_rule family_medusalocker
- resource behavioral1/files/0x0008000000014346-1028.dat matched yara_rule family_medusalocker

UAC bypass 2 IoCs
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (Process: 053680ED933D58F4150FFDEFAC4D9F13.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (Process: 053680ED933D58F4150FFDEFAC4D9F13.exe)
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.

Modifies extensions of user files 10 IoCs
Ransomware generally changes the extension on encrypted files.
- File opened for modification C:\Users\Admin\Pictures\DebugSearch.tiff (Process: 053680ED933D58F4150FFDEFAC4D9F13.exe)
- File opened for modification C:\Users\Admin\Pictures\SyncPush.tiff (Process: 053680ED933D58F4150FFDEFAC4D9F13.exe)
- File renamed C:\Users\Admin\Pictures\RevokeJoin.png => C:\Users\Admin\Pictures\RevokeJoin.png.FartingGiraffeAttacks (Process: 053680ED933D58F4150FFDEFAC4D9F13.exe)
- File renamed C:\Users\Admin\Pictures\SyncPush.tiff => C:\Users\Admin\Pictures\SyncPush.tiff.FartingGiraffeAttacks (Process: 053680ED933D58F4150FFDEFAC4D9F13.exe)
- File renamed C:\Users\Admin\Pictures\TestInitialize.png => C:\Users\Admin\Pictures\TestInitialize.png.FartingGiraffeAttacks (Process: 053680ED933D58F4150FFDEFAC4D9F13.exe)
- File renamed C:\Users\Admin\Pictures\DebugSearch.tiff => C:\Users\Admin\Pictures\DebugSearch.tiff.FartingGiraffeAttacks (Process: 053680ED933D58F4150FFDEFAC4D9F13.exe)
- File renamed C:\Users\Admin\Pictures\EditRequest.raw => C:\Users\Admin\Pictures\EditRequest.raw.FartingGiraffeAttacks (Process: 053680ED933D58F4150FFDEFAC4D9F13.exe)
- File renamed C:\Users\Admin\Pictures\LockReset.tif => C:\Users\Admin\Pictures\LockReset.tif.FartingGiraffeAttacks (Process: 053680ED933D58F4150FFDEFAC4D9F13.exe)
- File renamed C:\Users\Admin\Pictures\MeasureResume.crw => C:\Users\Admin\Pictures\MeasureResume.crw.FartingGiraffeAttacks (Process: 053680ED933D58F4150FFDEFAC4D9F13.exe)
- File renamed C:\Users\Admin\Pictures\ResumeMerge.png => C:\Users\Admin\Pictures\ResumeMerge.png.FartingGiraffeAttacks (Process: 053680ED933D58F4150FFDEFAC4D9F13.exe)

Executes dropped EXE 1 IoCs
- PID 912: svhost.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Checks whether UAC is enabled 1 IoCs
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (Process: 053680ED933D58F4150FFDEFAC4D9F13.exe)

Drops desktop.ini file(s) 1 IoCs
- File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-1283023626-844874658-3193756055-1000\desktop.ini (Process: 053680ED933D58F4150FFDEFAC4D9F13.exe)

Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only) by 053680ED933D58F4150FFDEFAC4D9F13.exe on each of: \??\J:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\A:, \??\H:, \??\N:, \??\P:, \??\X:, \??\Z:, \??\E:, \??\M:, \??\G:, \??\I:, \??\L:, \??\V:, \??\B:, \??\F:, \??\U:, \??\W:, \??\Y:, \??\K:, \??\O:
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
- PID 912: vssadmin.exe
- PID 1644: vssadmin.exe
- PID 1992: vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs
- PID 1160: 053680ED933D58F4150FFDEFAC4D9F13.exe (the same entry is repeated 64 times)
Suspicious use of AdjustPrivilegeToken 63 IoCs
- vssvc.exe (PID 692): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- wmic.exe (PID 1476): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
- wmic.exe (PID 772): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
- wmic.exe (PID 1368): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35

Suspicious use of WriteProcessMemory 28 IoCs
- PID 1160 (053680ED933D58F4150FFDEFAC4D9F13.exe) wrote to memory of PID 912, procid_target 27 (entry repeated 4 times)
- PID 1160 (053680ED933D58F4150FFDEFAC4D9F13.exe) wrote to memory of PID 1476, procid_target 30 (entry repeated 4 times)
- PID 1160 (053680ED933D58F4150FFDEFAC4D9F13.exe) wrote to memory of PID 1644, procid_target 32 (entry repeated 4 times)
- PID 1160 (053680ED933D58F4150FFDEFAC4D9F13.exe) wrote to memory of PID 772, procid_target 34 (entry repeated 4 times)
- PID 1160 (053680ED933D58F4150FFDEFAC4D9F13.exe) wrote to memory of PID 1992, procid_target 36 (entry repeated 4 times)
- PID 1160 (053680ED933D58F4150FFDEFAC4D9F13.exe) wrote to memory of PID 1368, procid_target 38 (entry repeated 4 times)
- PID 1352 (taskeng.exe) wrote to memory of PID 912, procid_target 43 (entry repeated 4 times)

System policy modification 1 TTPs 3 IoCs
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (Process: 053680ED933D58F4150FFDEFAC4D9F13.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (Process: 053680ED933D58F4150FFDEFAC4D9F13.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" (Process: 053680ED933D58F4150FFDEFAC4D9F13.exe)

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\053680ED933D58F4150FFDEFAC4D9F13.exe (PID 1160)
  Command line: "C:\Users\Admin\AppData\Local\Temp\053680ED933D58F4150FFDEFAC4D9F13.exe"
  Signatures: UAC bypass; Modifies extensions of user files; Checks whether UAC is enabled; Drops desktop.ini file(s); Enumerates connected drives; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory; System policy modification
  - C:\Windows\SysWOW64\vssadmin.exe (PID 912)
    Command line: vssadmin.exe Delete Shadows /All /Quiet
    Signatures: Interacts with shadow copies
  - C:\Windows\SysWOW64\Wbem\wmic.exe (PID 1476)
    Command line: wmic.exe SHADOWCOPY /nointeractive
    Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\vssadmin.exe (PID 1644)
    Command line: vssadmin.exe Delete Shadows /All /Quiet
    Signatures: Interacts with shadow copies
  - C:\Windows\SysWOW64\Wbem\wmic.exe (PID 772)
    Command line: wmic.exe SHADOWCOPY /nointeractive
    Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\vssadmin.exe (PID 1992)
    Command line: vssadmin.exe Delete Shadows /All /Quiet
    Signatures: Interacts with shadow copies
  - C:\Windows\SysWOW64\Wbem\wmic.exe (PID 1368)
    Command line: wmic.exe SHADOWCOPY /nointeractive
    Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe (PID 692)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\taskeng.exe (PID 1352)
  Command line: taskeng.exe {53388A83-184A-45AF-9334-2F56063D9E14} S-1-5-21-1283023626-844874658-3193756055-1000:THEQWNRW\Admin:Interactive:[1]
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\svhost.exe (PID 912)
    Command line: C:\Users\Admin\AppData\Roaming\svhost.exe
    Signatures: Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads