medusalocker | 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7

General

Target

860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
Size

666KB
MD5

1a018c68582e13d7f51aa58f87e2ed50
SHA1

9568f4a2959eda46af35c5d18c190f0d85047ac3
SHA256

860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7
SHA512

a6775058f5ee5adc24b1f3fb6dbd29d9b0315e17a7061679bcda146a377912cf46292456435af27fd7790b6a8cc83025c4964c6526cdf1528cd55e8d68c1b7c9
SSDEEP

12288:ZYW1LNT35lDbK/LIVaN8+T7vwqyqhYMhWt918vulAZC9+m:dd35lDbKDIwWUDyqS5omIC9+

Score

10^/10

medusalocker evasion ransomware spyware stealer trojan

Malware Config

Extracted

Path

\Device\HarddiskVolume1\Boot\!-Recovery_Instructions-!.html

Ransom Note

<!DOCTYPE html> <html lang="en"> <head> <meta charset='utf-8'> <meta name='viewport' content='width=device-width,initial-scale=1'> <title></title> <style> html, body { background-color: #1a1a1a; } body { padding-top: 1rem !important; font-size: 1.3rem; color: white; } #text h2 { font-size: 2rem; font-weight: 600; line-height: 1.125; } .container { max-width: 1152px; flex-grow: 1; margin: 0 auto; position: relative; width: auto; } .box { background-color: #242424; display: block; padding: 1.25rem; border: 1px solid #303030; } a { color: #00b4d8; text-decoration: none; } a:hover { text-decoration: underline; } li { margin-bottom: 10px; } </style> </head> <body> <div class='container'> <div class='box'> <div id='text'> <h2>If you get this message, your network was hacked!</h2> <p>After we gained full access to your servers, we first downloaded a large amount of sensitive data and then encrypted all the data stored on them.</p> <p>That includes personal information on your clients, partners, your personnel, accounting documents, and other crucial files that are necessary for your company to work normally.</p> <p>We used modern complicated algorithms, so you or any recovery service will not be able to decrypt files without our help, wasting time on these attempts instead of negotiations can be fatal for your company.</p> <p>Make sure to act within <span style='color:#f4a261;'>72</span> hours or the negotiations will be considered failed!</p> <p>Inform your superior management about what's going on.</p> <p> Contact us for pricing and decryption software.</p> <p> Contact us by email:<p> <h2>[email protected]</h2> </p>If you do not receive a response within 24 hours, please contact us at our additional contacts:</p> <p> 1) Download for TOX CHAT https://tox.chat/download.html</p> <p> 2) Open chat<p> <p>Add ID Chat: </p><h2>3C9D49B928FDC3C15F0314217623A71B865909B308576B4B0D10AEA62C98677B4A3F160D5C93</h2> <p>If we did not answer you, leave the chat enabled, the operator will contact you!<p> </p>To verify the possibility of the recovery of your files we can decrypted 1-3 file for free.</p> </p>Attach file to the letter (no more than 5Mb).</p> <h2>If you and us succeed the negotiations we will grant you:</h2> <ul> <li>complete confidentiality, we will keep in secret any information regarding to attack, your company will act as if nothing had happened.</li> <li>comprehensive information about vulnerabilities of your network and security report.</li> <li>software and instructions to decrypt all the data that was encrypted.</li> <li>all sensitive downloaded data will be permanently deleted from our cloud storage and we will provide an erasure log.</li> </ul> <h2>Our options if you act like nothing's happening, refuse to make a deal or fail the negotiations:</h2> <ul> <li>inform the media and independent journalists about what happened to your servers. To prove it we'll publish a chunk of private data that you should have ciphered if you care about potential breaches. Moreover, your company will inevitably take decent reputational loss which is hard to assess precisely.</li> <li>inform your clients, employees, partners by phone, e-mail, sms and social networks that you haven't prevent their data leakage. You will violate laws about private data protection.</li> <li>start DDOS attack on you website and infrastructures.</li> <li>personal data stored will be put on sale on the Darknet to find anyone interested to buy useful information regarding your company. It could be data mining agencies or your market competitors.</li> <li>publish all the discovered vulnerabilities found in your network, so anyone will do anything with it.</li> </ul> <h2>Why pay us?</h2> <p>We care about our reputation. You are welcome to google our cases up and be sure that we don't have a single case of failure to provide what we promissed.</p> <p>Turning this issue to a bug bounty will save your private information, reputation and will allow you to use the security report and avoid this kind of situations in future.</p> <h2>Your personal ID</p> Your ID: A0EC1BE99482FBA2CF997E156B0D52874A931263DC0CA6901EA567BBBB3ECA07F9995DEA83DA3B9CF630A6B6BEB9CBD95B60EA5ADB2DCAC55160AEBDC7E83F2A<br>6C605A0EEFE0598A0CC1F4B171ADE1A05D2E2782B5CC35DA9D20852D8D4A6AC21ED604BB1FA29C84005F6AB6C192DB5D5C34A3E96412918EDC929CB55514<br>D35BBE8A2D8130CAB344228237FF3CF0AA445C4EC50EBE7C01269477AC1FA8B63A66F1022ED95F6D61EA92611A13CDBE2E0E9BE432B09E3A3CB8060930CE<br>E97135BF4DF785E6E8B1D68B93502DA0825DC1A861B4CF4181EA9D5797561C8CE2B1781D864F0E78061E1B15235D3BB1B0FD9F649A93D8FE0EE81C0F336B<br>BA05F4D3EB00D37670DF0B943D7099F3F1D5A70815505E7054EB699EA021D216CEF575E2255E97566593A07C6739A4A1CBDEFD9C7B56E962C07C7D034D3F<br>86AC81CCF3A74AF78BC21DA11A54921CE212315F05E99C99F10465B40615F2E50D61E0FB3EE4D9566B195688094F5DDDCDB3AFCC5445130DEA2D601B8DD2<br>7390222BBF8F1C4E645353BBAFB301A1D982CBB30AB8376A6A3A6965C093F99A89B4174FA244663D9E916855089B82E61C079005F242F023F9775EB5C2A9<br>69E88368E2B6714A64536EC295D1482990F863E69FF14964BBC6A15E4AFDCCFF20AE36771B7E0AED545E0D5D525C7CA0918B818543BA35A97376514ECB44<br>8E0BF25BB8C7DC0F0AA3C45FA073

Emails

<h2>[email protected]</h2>

URLs

https://tox.chat/download.html</p>

Signatures

MedusaLocker
Ransomware with several variants first seen in September 2019.
ransomware medusalocker

MedusaLocker payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\svhost.exe	family_medusalocker
C:\Users\Admin\AppData\Roaming\svhost.exe	family_medusalocker

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe

Renames multiple (199) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Executes dropped EXE 1 IoCs

Processes:

svhost.exe

pid process

5000 svhost.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
5000	svhost.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe

description	ioc	process
File opened for modification	\??\Z:\$RECYCLE.BIN\S-1-5-21-1043950675-1972537973-2972532878-1000\desktop.ini	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe

description	ioc	process
File opened (read-only)	\??\A:	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
File opened (read-only)	\??\E:	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
File opened (read-only)	\??\I:	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
File opened (read-only)	\??\O:	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
File opened (read-only)	\??\P:	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
File opened (read-only)	\??\R:	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
File opened (read-only)	\??\W:	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
File opened (read-only)	\??\H:	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
File opened (read-only)	\??\J:	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
File opened (read-only)	\??\N:	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
File opened (read-only)	\??\S:	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
File opened (read-only)	\??\B:	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
File opened (read-only)	\??\M:	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
File opened (read-only)	\??\Q:	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
File opened (read-only)	\??\T:	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
File opened (read-only)	\??\V:	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
File opened (read-only)	\??\X:	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
File opened (read-only)	\??\Z:	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
File opened (read-only)	\??\G:	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
File opened (read-only)	\??\K:	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
File opened (read-only)	\??\L:	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
File opened (read-only)	\??\U:	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
File opened (read-only)	\??\Y:	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
File opened (read-only)	\??\F:	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe

pid	process
3768	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
3768	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
3768	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
3768	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
3768	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
3768	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
3768	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
3768	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
3768	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
3768	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
3768	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
3768	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
3768	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
3768	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
3768	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
3768	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
3768	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
3768	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
3768	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
3768	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
3768	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
3768	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
3768	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
3768	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
3768	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
3768	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
3768	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
3768	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
3768	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
3768	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
3768	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
3768	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
3768	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
3768	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
3768	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
3768	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
3768	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
3768	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
3768	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
3768	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
3768	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
3768	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
3768	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
3768	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
3768	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
3768	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
3768	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
3768	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
3768	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
3768	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
3768	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
3768	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
3768	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
3768	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
3768	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
3768	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
3768	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
3768	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
3768	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
3768	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
3768	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
3768	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
3768	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
3768	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe

Suspicious use of AdjustPrivilegeToken 63 IoCs

Processes:

wmic.exewmic.exewmic.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2668	wmic.exe
Token: SeSecurityPrivilege	2668	wmic.exe
Token: SeTakeOwnershipPrivilege	2668	wmic.exe
Token: SeLoadDriverPrivilege	2668	wmic.exe
Token: SeSystemProfilePrivilege	2668	wmic.exe
Token: SeSystemtimePrivilege	2668	wmic.exe
Token: SeProfSingleProcessPrivilege	2668	wmic.exe
Token: SeIncBasePriorityPrivilege	2668	wmic.exe
Token: SeCreatePagefilePrivilege	2668	wmic.exe
Token: SeBackupPrivilege	2668	wmic.exe
Token: SeRestorePrivilege	2668	wmic.exe
Token: SeShutdownPrivilege	2668	wmic.exe
Token: SeDebugPrivilege	2668	wmic.exe
Token: SeSystemEnvironmentPrivilege	2668	wmic.exe
Token: SeRemoteShutdownPrivilege	2668	wmic.exe
Token: SeUndockPrivilege	2668	wmic.exe
Token: SeManageVolumePrivilege	2668	wmic.exe
Token: 33	2668	wmic.exe
Token: 34	2668	wmic.exe
Token: 35	2668	wmic.exe
Token: 36	2668	wmic.exe
Token: SeIncreaseQuotaPrivilege	2384	wmic.exe
Token: SeSecurityPrivilege	2384	wmic.exe
Token: SeTakeOwnershipPrivilege	2384	wmic.exe
Token: SeLoadDriverPrivilege	2384	wmic.exe
Token: SeSystemProfilePrivilege	2384	wmic.exe
Token: SeSystemtimePrivilege	2384	wmic.exe
Token: SeProfSingleProcessPrivilege	2384	wmic.exe
Token: SeIncBasePriorityPrivilege	2384	wmic.exe
Token: SeCreatePagefilePrivilege	2384	wmic.exe
Token: SeBackupPrivilege	2384	wmic.exe
Token: SeRestorePrivilege	2384	wmic.exe
Token: SeShutdownPrivilege	2384	wmic.exe
Token: SeDebugPrivilege	2384	wmic.exe
Token: SeSystemEnvironmentPrivilege	2384	wmic.exe
Token: SeRemoteShutdownPrivilege	2384	wmic.exe
Token: SeUndockPrivilege	2384	wmic.exe
Token: SeManageVolumePrivilege	2384	wmic.exe
Token: 33	2384	wmic.exe
Token: 34	2384	wmic.exe
Token: 35	2384	wmic.exe
Token: 36	2384	wmic.exe
Token: SeIncreaseQuotaPrivilege	3248	wmic.exe
Token: SeSecurityPrivilege	3248	wmic.exe
Token: SeTakeOwnershipPrivilege	3248	wmic.exe
Token: SeLoadDriverPrivilege	3248	wmic.exe
Token: SeSystemProfilePrivilege	3248	wmic.exe
Token: SeSystemtimePrivilege	3248	wmic.exe
Token: SeProfSingleProcessPrivilege	3248	wmic.exe
Token: SeIncBasePriorityPrivilege	3248	wmic.exe
Token: SeCreatePagefilePrivilege	3248	wmic.exe
Token: SeBackupPrivilege	3248	wmic.exe
Token: SeRestorePrivilege	3248	wmic.exe
Token: SeShutdownPrivilege	3248	wmic.exe
Token: SeDebugPrivilege	3248	wmic.exe
Token: SeSystemEnvironmentPrivilege	3248	wmic.exe
Token: SeRemoteShutdownPrivilege	3248	wmic.exe
Token: SeUndockPrivilege	3248	wmic.exe
Token: SeManageVolumePrivilege	3248	wmic.exe
Token: 33	3248	wmic.exe
Token: 34	3248	wmic.exe
Token: 35	3248	wmic.exe
Token: 36	3248	wmic.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe

description	pid	process	target process
PID 3768 wrote to memory of 2668	3768	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe	wmic.exe
PID 3768 wrote to memory of 2668	3768	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe	wmic.exe
PID 3768 wrote to memory of 2668	3768	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe	wmic.exe
PID 3768 wrote to memory of 2384	3768	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe	wmic.exe
PID 3768 wrote to memory of 2384	3768	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe	wmic.exe
PID 3768 wrote to memory of 2384	3768	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe	wmic.exe
PID 3768 wrote to memory of 3248	3768	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe	wmic.exe
PID 3768 wrote to memory of 3248	3768	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe	wmic.exe
PID 3768 wrote to memory of 3248	3768	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe	wmic.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe

C:\Users\Admin\AppData\Local\Temp\860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe
"C:\Users\Admin\AppData\Local\Temp\860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7.exe"
1⤵
- UAC bypass
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3768
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2668
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2384
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3248

C:\Users\Admin\AppData\Roaming\svhost.exe
C:\Users\Admin\AppData\Roaming\svhost.exe
1⤵
- Executes dropped EXE
PID:5000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\svhost.exe

Filesize
666KB

MD5
1a018c68582e13d7f51aa58f87e2ed50

SHA1
9568f4a2959eda46af35c5d18c190f0d85047ac3

SHA256
860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7

SHA512
a6775058f5ee5adc24b1f3fb6dbd29d9b0315e17a7061679bcda146a377912cf46292456435af27fd7790b6a8cc83025c4964c6526cdf1528cd55e8d68c1b7c9

Download Submit
C:\Users\Admin\AppData\Roaming\svhost.exe

Filesize
666KB

MD5
1a018c68582e13d7f51aa58f87e2ed50

SHA1
9568f4a2959eda46af35c5d18c190f0d85047ac3

SHA256
860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7

SHA512
a6775058f5ee5adc24b1f3fb6dbd29d9b0315e17a7061679bcda146a377912cf46292456435af27fd7790b6a8cc83025c4964c6526cdf1528cd55e8d68c1b7c9

Download Submit
C:\Users\Default\ntuser.dat.LOG2

Filesize
536B

MD5
9deb71e4029adb8eb7f65df1121347e1

SHA1
5bbc35b95c4e4790f1163e5468bd5256c1d75f40

SHA256
cb00b0c6a4809a9374b3385f740552fc11017894124e9be9c98ac10e499376aa

SHA512
3557a6c539af32d491825d1eb5e63504959ed974165f1608ff8544bd7da7a3cf6ea9ec9da909bf5fa0d4a481b79546e5fe7004d05b0a32b74029a6f80373dbb5

Download Submit
\Device\HarddiskVolume1\Boot\!-Recovery_Instructions-!.html

Filesize
5KB

MD5
d8fb98b009e58322f755623dedf3028a

SHA1
5f24987c8b5867477b11488bf05cdaba17a12489

SHA256
6145533ef0f1ef3f3963bb0f45b3dd6ffb6bdea40c738646423f6a735854adbe

SHA512
4a923fcf8427daddd17ad63520464123dc23f9095ca3190824a9a54be647c0fd9ade65740b0ac4b92fa77d55844597f04fce98bd28448ce29ae7e2e23d3513df

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads