Analysis
-
max time kernel
150s -
max time network
34s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
03-05-2023 21:05
Behavioral task
behavioral1
Sample
1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
Resource
win10v2004-20230220-en
Behavioral task
behavioral3
Sample
out.exe
Resource
win7-20230220-en
Behavioral task
behavioral4
Sample
out.exe
Resource
win10v2004-20230221-en
General
-
Target
1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
-
Size
235KB
-
MD5
f6f120d1262b88f79debb5d848ac7db9
-
SHA1
1339282f9b2d2a41326daf3cf284ec2ae8f0f93c
-
SHA256
1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281
-
SHA512
1067c1a73cf891d651fa007f4ccc4452f32801fe3859933ef1bcc00985e35ce016fa6c601c0e3c10df2080fc9b8a776b2f18d40bd64dfb98177ab638c4b545bd
-
SSDEEP
6144:c5vMUmRTTgwnfeP+Jx1cLNAIyBcc9WrEWUC4wQh/6BeX:/U8Tgufnx1cLNncgQWUUQh/+e
Malware Config
Extracted
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\HOW_TO_RECOVER_DATA.html
Signatures
-
MedusaLocker
Ransomware with several variants first seen in September 2019.
-
MedusaLocker payload 9 IoCs
resource yara_rule behavioral1/memory/1048-55-0x0000000000AC0000-0x0000000000B72000-memory.dmp family_medusalocker behavioral1/memory/1048-197-0x0000000000AC0000-0x0000000000B72000-memory.dmp family_medusalocker behavioral1/memory/1048-315-0x0000000000AC0000-0x0000000000B72000-memory.dmp family_medusalocker behavioral1/memory/1048-1016-0x0000000000AC0000-0x0000000000B72000-memory.dmp family_medusalocker behavioral1/memory/1048-1069-0x0000000000AC0000-0x0000000000B72000-memory.dmp family_medusalocker behavioral1/memory/976-1072-0x00000000002B0000-0x0000000000362000-memory.dmp family_medusalocker behavioral1/memory/1048-1073-0x0000000000AC0000-0x0000000000B72000-memory.dmp family_medusalocker behavioral1/memory/1048-1077-0x0000000000AC0000-0x0000000000B72000-memory.dmp family_medusalocker behavioral1/memory/1048-1078-0x0000000000AC0000-0x0000000000B72000-memory.dmp family_medusalocker -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 10 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File renamed C:\Users\Admin\Pictures\ExpandGet.png => C:\Users\Admin\Pictures\ExpandGet.png.marlock07 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe File opened for modification C:\Users\Admin\Pictures\StopSet.tiff 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe File renamed C:\Users\Admin\Pictures\UpdateGet.tiff => C:\Users\Admin\Pictures\UpdateGet.tiff.marlock07 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe File renamed C:\Users\Admin\Pictures\ShowGrant.tiff => C:\Users\Admin\Pictures\ShowGrant.tiff.marlock07 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe File renamed C:\Users\Admin\Pictures\StopSet.tiff => C:\Users\Admin\Pictures\StopSet.tiff.marlock07 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe File renamed C:\Users\Admin\Pictures\UnblockExit.tif => C:\Users\Admin\Pictures\UnblockExit.tif.marlock07 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe File opened for modification C:\Users\Admin\Pictures\UpdateGet.tiff 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe File renamed C:\Users\Admin\Pictures\MountGrant.raw => C:\Users\Admin\Pictures\MountGrant.raw.marlock07 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe File renamed C:\Users\Admin\Pictures\PushUnregister.raw => C:\Users\Admin\Pictures\PushUnregister.raw.marlock07 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe File opened for modification C:\Users\Admin\Pictures\ShowGrant.tiff 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe -
Executes dropped EXE 1 IoCs
pid Process 976 svhost.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral1/memory/1048-55-0x0000000000AC0000-0x0000000000B72000-memory.dmp upx behavioral1/memory/1048-197-0x0000000000AC0000-0x0000000000B72000-memory.dmp upx behavioral1/memory/1048-315-0x0000000000AC0000-0x0000000000B72000-memory.dmp upx behavioral1/memory/1048-1016-0x0000000000AC0000-0x0000000000B72000-memory.dmp upx behavioral1/memory/1048-1069-0x0000000000AC0000-0x0000000000B72000-memory.dmp upx behavioral1/files/0x0009000000014b97-1070.dat upx behavioral1/files/0x0009000000014b97-1071.dat upx behavioral1/memory/976-1072-0x00000000002B0000-0x0000000000362000-memory.dmp upx behavioral1/memory/1048-1073-0x0000000000AC0000-0x0000000000B72000-memory.dmp upx behavioral1/memory/1048-1077-0x0000000000AC0000-0x0000000000B72000-memory.dmp upx behavioral1/memory/1048-1078-0x0000000000AC0000-0x0000000000B72000-memory.dmp upx -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe -
Drops desktop.ini file(s) 1 IoCs
description ioc Process File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-1563773381-2037468142-1146002597-1000\desktop.ini 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\M: 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe File opened (read-only) \??\W: 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe File opened (read-only) \??\X: 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe File opened (read-only) \??\Z: 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe File opened (read-only) \??\O: 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe File opened (read-only) \??\Q: 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe File opened (read-only) \??\V: 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe File opened (read-only) \??\F: 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe File opened (read-only) \??\G: 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe File opened (read-only) \??\K: 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe File opened (read-only) \??\L: 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe File opened (read-only) \??\N: 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe File opened (read-only) \??\I: 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe File opened (read-only) \??\S: 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe File opened (read-only) \??\P: 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe File opened (read-only) \??\R: 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe File opened (read-only) \??\T: 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe File opened (read-only) \??\A: 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe File opened (read-only) \??\B: 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe File opened (read-only) \??\E: 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe File opened (read-only) \??\H: 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe File opened (read-only) \??\J: 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe File opened (read-only) \??\U: 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe File opened (read-only) \??\Y: 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 1728 vssadmin.exe 612 vssadmin.exe 1384 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1048 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 1048 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 1048 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 1048 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 1048 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 1048 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 1048 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 1048 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 1048 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 1048 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 1048 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 1048 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 1048 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 1048 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 1048 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 1048 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 1048 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 1048 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 1048 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 1048 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 1048 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 1048 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 1048 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 1048 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 1048 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 1048 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 1048 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 1048 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 1048 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 1048 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 1048 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 1048 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 1048 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 1048 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 1048 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 1048 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 1048 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 1048 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 1048 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 1048 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 1048 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 1048 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 1048 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 1048 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 1048 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 1048 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 1048 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 1048 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 1048 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 1048 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 1048 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 1048 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 1048 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 1048 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 1048 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 1048 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 1048 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 1048 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 1048 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 1048 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 1048 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 1048 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 1048 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 1048 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe -
Suspicious use of AdjustPrivilegeToken 63 IoCs
description pid Process Token: SeBackupPrivilege 1440 vssvc.exe Token: SeRestorePrivilege 1440 vssvc.exe Token: SeAuditPrivilege 1440 vssvc.exe Token: SeIncreaseQuotaPrivilege 1740 wmic.exe Token: SeSecurityPrivilege 1740 wmic.exe Token: SeTakeOwnershipPrivilege 1740 wmic.exe Token: SeLoadDriverPrivilege 1740 wmic.exe Token: SeSystemProfilePrivilege 1740 wmic.exe Token: SeSystemtimePrivilege 1740 wmic.exe Token: SeProfSingleProcessPrivilege 1740 wmic.exe Token: SeIncBasePriorityPrivilege 1740 wmic.exe Token: SeCreatePagefilePrivilege 1740 wmic.exe Token: SeBackupPrivilege 1740 wmic.exe Token: SeRestorePrivilege 1740 wmic.exe Token: SeShutdownPrivilege 1740 wmic.exe Token: SeDebugPrivilege 1740 wmic.exe Token: SeSystemEnvironmentPrivilege 1740 wmic.exe Token: SeRemoteShutdownPrivilege 1740 wmic.exe Token: SeUndockPrivilege 1740 wmic.exe Token: SeManageVolumePrivilege 1740 wmic.exe Token: 33 1740 wmic.exe Token: 34 1740 wmic.exe Token: 35 1740 wmic.exe Token: SeIncreaseQuotaPrivilege 1220 wmic.exe Token: SeSecurityPrivilege 1220 wmic.exe Token: SeTakeOwnershipPrivilege 1220 wmic.exe Token: SeLoadDriverPrivilege 1220 wmic.exe Token: SeSystemProfilePrivilege 1220 wmic.exe Token: SeSystemtimePrivilege 1220 wmic.exe Token: SeProfSingleProcessPrivilege 1220 wmic.exe Token: SeIncBasePriorityPrivilege 1220 wmic.exe Token: SeCreatePagefilePrivilege 1220 wmic.exe Token: SeBackupPrivilege 1220 wmic.exe Token: SeRestorePrivilege 1220 wmic.exe Token: SeShutdownPrivilege 1220 wmic.exe Token: SeDebugPrivilege 1220 wmic.exe Token: SeSystemEnvironmentPrivilege 1220 wmic.exe Token: SeRemoteShutdownPrivilege 1220 wmic.exe Token: SeUndockPrivilege 1220 wmic.exe Token: SeManageVolumePrivilege 1220 wmic.exe Token: 33 1220 wmic.exe Token: 34 1220 wmic.exe Token: 35 1220 wmic.exe Token: SeIncreaseQuotaPrivilege 1528 wmic.exe Token: SeSecurityPrivilege 1528 wmic.exe Token: SeTakeOwnershipPrivilege 1528 wmic.exe Token: SeLoadDriverPrivilege 1528 wmic.exe Token: SeSystemProfilePrivilege 1528 wmic.exe Token: SeSystemtimePrivilege 1528 wmic.exe Token: SeProfSingleProcessPrivilege 1528 wmic.exe Token: SeIncBasePriorityPrivilege 1528 wmic.exe Token: SeCreatePagefilePrivilege 1528 wmic.exe Token: SeBackupPrivilege 1528 wmic.exe Token: SeRestorePrivilege 1528 wmic.exe Token: SeShutdownPrivilege 1528 wmic.exe Token: SeDebugPrivilege 1528 wmic.exe Token: SeSystemEnvironmentPrivilege 1528 wmic.exe Token: SeRemoteShutdownPrivilege 1528 wmic.exe Token: SeUndockPrivilege 1528 wmic.exe Token: SeManageVolumePrivilege 1528 wmic.exe Token: 33 1528 wmic.exe Token: 34 1528 wmic.exe Token: 35 1528 wmic.exe -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 1048 wrote to memory of 1728 1048 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 27 PID 1048 wrote to memory of 1728 1048 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 27 PID 1048 wrote to memory of 1728 1048 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 27 PID 1048 wrote to memory of 1728 1048 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 27 PID 1048 wrote to memory of 1740 1048 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 30 PID 1048 wrote to memory of 1740 1048 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 30 PID 1048 wrote to memory of 1740 1048 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 30 PID 1048 wrote to memory of 1740 1048 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 30 PID 1048 wrote to memory of 612 1048 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 32 PID 1048 wrote to memory of 612 1048 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 32 PID 1048 wrote to memory of 612 1048 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 32 PID 1048 wrote to memory of 612 1048 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 32 PID 1048 wrote to memory of 1220 1048 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 34 PID 1048 wrote to memory of 1220 1048 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 34 PID 1048 wrote to memory of 1220 1048 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 34 PID 1048 wrote to memory of 1220 1048 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 34 PID 1048 wrote to memory of 1384 1048 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 36 PID 1048 wrote to memory of 1384 1048 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 36 PID 1048 wrote to memory of 1384 1048 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 36 PID 1048 wrote to memory of 1384 1048 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 36 PID 1048 wrote to memory of 1528 1048 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 38 PID 1048 wrote to memory of 1528 1048 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 38 PID 1048 wrote to memory of 1528 1048 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 38 PID 1048 wrote to memory of 1528 1048 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe 38 PID 1740 wrote to memory of 976 1740 taskeng.exe 43 PID 1740 wrote to memory of 976 1740 taskeng.exe 43 PID 1740 wrote to memory of 976 1740 taskeng.exe 43 PID 1740 wrote to memory of 976 1740 taskeng.exe 43 -
System policy modification 1 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe"C:\Users\Admin\AppData\Local\Temp\1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe"1⤵
- UAC bypass
- Modifies extensions of user files
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1048 -
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
PID:1728
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1740
-
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
PID:612
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1220
-
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
PID:1384
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1528
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1440
-
C:\Windows\system32\taskeng.exetaskeng.exe {B0EEEEB2-8C6A-4485-8B96-199EB69A82B6} S-1-5-21-1563773381-2037468142-1146002597-1000:YBHADZIG\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
PID:1740 -
C:\Users\Admin\AppData\Roaming\svhost.exeC:\Users\Admin\AppData\Roaming\svhost.exe2⤵
- Executes dropped EXE
PID:976
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD554c393680b3227c3c4228b8de0f0361e
SHA1339a9fa2c670cc1637f0bba3189b40fda4fbfc41
SHA25676f0c37329f0b5243fb6762d78ddae930cee095cde3443d5bfdb201e34a9c337
SHA51252ef35487473a25aafff2a1f2c4f0222edce4a4a0fe271bf921a7fb1779a30ecfaa6da1e937e4a76bb562c28a9541694fe48045357c0c7f1932550a8bf2228ac
-
Filesize
235KB
MD5f6f120d1262b88f79debb5d848ac7db9
SHA11339282f9b2d2a41326daf3cf284ec2ae8f0f93c
SHA2561bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281
SHA5121067c1a73cf891d651fa007f4ccc4452f32801fe3859933ef1bcc00985e35ce016fa6c601c0e3c10df2080fc9b8a776b2f18d40bd64dfb98177ab638c4b545bd
-
Filesize
235KB
MD5f6f120d1262b88f79debb5d848ac7db9
SHA11339282f9b2d2a41326daf3cf284ec2ae8f0f93c
SHA2561bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281
SHA5121067c1a73cf891d651fa007f4ccc4452f32801fe3859933ef1bcc00985e35ce016fa6c601c0e3c10df2080fc9b8a776b2f18d40bd64dfb98177ab638c4b545bd
-
Filesize
536B
MD5b4622c774b91a483d9653125e7918414
SHA15fe57d7f4cca6467c417730f6472c0ce067508d1
SHA2566dda9b74696542d392b1f5815cd6fe025a6c08c1a09f0f36ffa4674d633f26f7
SHA51200eb9ffad8201a55500e574f260e90d968f47def8e22bc61a6e063bfc572ade7b5126f6d26a5ddd7750c9a245da3d0d1996d50b1aed69663480482a730df9f69