Malware Analysis Report

2024-09-11 01:53

Sample ID 230822-kwsnvsbb74
Target 05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873
SHA256 05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873
Tags
medusalocker evasion ransomware spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873

Threat Level: Known bad

The file 05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873 was found to be: Known bad.

Malicious Activity Summary

medusalocker evasion ransomware spyware stealer trojan

MedusaLocker payload

UAC bypass

Medusalocker family

MedusaLocker

Renames multiple (200) files with added filename extension

Deletes shadow copies

Renames multiple (300) files with added filename extension

Executes dropped EXE

Reads user/profile data of web browsers

Drops desktop.ini file(s)

Enumerates connected drives

Unsigned PE

Enumerates physical storage devices

Interacts with shadow copies

System policy modification

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Privilege Escalation
TA0004
Abuse Elevation Control Mechanism
T1548
Bypass User Account Control
T1548.002
Defense Evasion
TA0005
Abuse Elevation Control Mechanism
T1548
Bypass User Account Control
T1548.002
Impair Defenses
T1562
Disable or Modify Tools
T1562.001
Modify Registry
T1112
Indicator Removal
T1070
File Deletion
T1070.004
Credential Access
TA0006
Unsecured Credentials
T1552
Credentials In Files
T1552.001
Discovery
TA0007
Query Registry
T1012
Peripheral Device Discovery
T1120
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Data from Local System
T1005
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Inhibit System Recovery
T1490
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2023-08-22 08:57

Signatures

MedusaLocker payload

Description Indicator Process Target
N/A N/A N/A N/A

Medusalocker family

medusalocker

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-22 08:57

Reported

2023-08-22 09:00

Platform

win7-20230712-en

Max time kernel

128s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe"

Signatures

MedusaLocker

ransomware medusalocker

MedusaLocker payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A

Deletes shadow copies

ransomware

Renames multiple (300) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\svhost.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-4219371764-2579186923-3390623117-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2464 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2464 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2464 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2464 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2464 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2464 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2464 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2464 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2464 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2464 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2464 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2464 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2464 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2464 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2464 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2464 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2464 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2464 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2464 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2464 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2464 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2464 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2464 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2464 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1048 wrote to memory of 1628 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\svhost.exe
PID 1048 wrote to memory of 1628 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\svhost.exe
PID 1048 wrote to memory of 1628 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\svhost.exe
PID 1048 wrote to memory of 1628 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\svhost.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe

"C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe"

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\system32\taskeng.exe

taskeng.exe {6F720946-E326-492D-B15A-091F996E3486} S-1-5-21-4219371764-2579186923-3390623117-1000:NVACMPYA\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\svhost.exe

C:\Users\Admin\AppData\Roaming\svhost.exe

Network

N/A

Files

\Device\HarddiskVolume1\Boot\!-Recovery_Instructions-!.html

MD5 c9669c65961593b3856079230e1e85b3
SHA1 ceaf386a8303f140964812a16b05fa87f47d71e4
SHA256 d45fb0ba60aba77949234f4968b84b020ad202b024ce8269bc5195902e32d221
SHA512 7fa750bb1434e39f63471c0cc99aa79a60ef38883aefead1255d16a080c537223153430c306fb2ea0d2bd74ae6ecee400e039a6ea9ecb7553b2e0852c897effb

C:\Users\Default\NTUSER.DAT.LOG2

MD5 99899f665305e610c226788489c614b0
SHA1 40cef3f26103a29e88ae5438f3826827612e5f38
SHA256 6d4dd3a4fce8ed9036954530702b0e0fe3b3f8da3c0527a8994de13e330fd2dc
SHA512 667cb21870f9cd6c43cbaff92af994dcb3b7c4b569a4788a5926869bc52f92f5d6d5df12b8948d61b793e7e934e829589f92d12dc7e6a88db479d2abd92fb1b6

C:\Users\Admin\AppData\Roaming\svhost.exe

MD5 4660887b36d65e42b7d71d5e18187dfe
SHA1 49ad1eecb9bbb8d736833006685b8c2c1300115b
SHA256 05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873
SHA512 d0983ec2cb04d7b7fe0f1749ca903c34bb9b55a6a57f18d93feefbe7a358c6faddc42cc964e79315a250c940b22c067f2bcecd5d41aa334fe9b992ac632df6f8

C:\Users\Admin\AppData\Roaming\svhost.exe

MD5 4660887b36d65e42b7d71d5e18187dfe
SHA1 49ad1eecb9bbb8d736833006685b8c2c1300115b
SHA256 05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873
SHA512 d0983ec2cb04d7b7fe0f1749ca903c34bb9b55a6a57f18d93feefbe7a358c6faddc42cc964e79315a250c940b22c067f2bcecd5d41aa334fe9b992ac632df6f8

Analysis: behavioral2

Detonation Overview

Submitted

2023-08-22 08:57

Reported

2023-08-22 09:00

Platform

win10v2004-20230703-en

Max time kernel

128s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe"

Signatures

MedusaLocker

ransomware medusalocker

MedusaLocker payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A

Renames multiple (200) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\svhost.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-618519468-4027732583-1827558364-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2844 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2844 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2844 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2844 wrote to memory of 4040 N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2844 wrote to memory of 4040 N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2844 wrote to memory of 4040 N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2844 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2844 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2844 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe C:\Windows\SysWOW64\Wbem\wmic.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe

"C:\Users\Admin\AppData\Local\Temp\05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873.exe"

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Users\Admin\AppData\Roaming\svhost.exe

C:\Users\Admin\AppData\Roaming\svhost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 254.134.241.8.in-addr.arpa udp
US 8.8.8.8:53 73.239.69.13.in-addr.arpa udp

Files

\Device\HarddiskVolume1\Boot\!-Recovery_Instructions-!.html

MD5 8c59c44566a44b3180d8f9b9f377b2e6
SHA1 8c6b7ee7a102fdc2276190c5910ff3a6cacafb2e
SHA256 063c96f7e5473de6d74e5db12623c2face9ef364c198793633a80b538f79fd91
SHA512 70a7ea3795420e1a6069004e17ab51a0d935fb4d194675da46f39100dd552ee296a8170a6e5d132ebc1314f576a906a6929f0c51b4dad58dc0c8b3c24a8a4753

C:\Users\Default\ntuser.dat.LOG2

MD5 f6191d90604364616d3ed36fb58e2c25
SHA1 d03b7b9a8c339262af4e855a01a1a81a0a1b3326
SHA256 8d4509802d89d758feb0814884fea1929cfd2aeb18d6e10958a66b0fb0d91544
SHA512 fb88088ec94944733eebacbbe358fedc60f04d4a48d6cb313045a1e4b5bd8e9356a03f271ad746e11120919766ab06bcae7e2312593247cc3404a505b30b697c

C:\Users\Admin\AppData\Roaming\svhost.exe

MD5 4660887b36d65e42b7d71d5e18187dfe
SHA1 49ad1eecb9bbb8d736833006685b8c2c1300115b
SHA256 05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873
SHA512 d0983ec2cb04d7b7fe0f1749ca903c34bb9b55a6a57f18d93feefbe7a358c6faddc42cc964e79315a250c940b22c067f2bcecd5d41aa334fe9b992ac632df6f8

C:\Users\Admin\AppData\Roaming\svhost.exe

MD5 4660887b36d65e42b7d71d5e18187dfe
SHA1 49ad1eecb9bbb8d736833006685b8c2c1300115b
SHA256 05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873
SHA512 d0983ec2cb04d7b7fe0f1749ca903c34bb9b55a6a57f18d93feefbe7a358c6faddc42cc964e79315a250c940b22c067f2bcecd5d41aa334fe9b992ac632df6f8