Analysis
- max time kernel: 1s
- max time network: 127s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-01-2024 09:22
Behavioral task: behavioral1
- Sample: 45de70c85ece8763c685808eea085df4.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 45de70c85ece8763c685808eea085df4.exe
- Resource: win10v2004-20231222-en
General
- Target: 45de70c85ece8763c685808eea085df4.exe
- Size: 669KB
- MD5: 45de70c85ece8763c685808eea085df4
- SHA1: c9dd5313a661fd17b154ccb17a36e8399fc933a5
- SHA256: d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532
- SHA512: 03a1d922711db1afc0a512151371c9a97a7478578c11591109537b1427aeac8b3ac44aa52c83439afe56e20134fd888bcaee1632f6046ce8edf0d99622fb362d
- SSDEEP: 12288:dQA0FfTcwpBuV2UxqDmuiLZeUaoFi2XZWfGe615HhAZV8DNKD/KeX:Tuf4wTuV2Ux3uIZeUBi2Te6HWgKrKe
Malware Config
Signatures
MedusaLocker
Ransomware with several variants first seen in September 2019.
UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 45de70c85ece8763c685808eea085df4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 45de70c85ece8763c685808eea085df4.exe
Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 45de70c85ece8763c685808eea085df4.exe
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\I: | 45de70c85ece8763c685808eea085df4.exe
File opened (read-only) | \??\N: | 45de70c85ece8763c685808eea085df4.exe
File opened (read-only) | \??\O: | 45de70c85ece8763c685808eea085df4.exe
File opened (read-only) | \??\A: | 45de70c85ece8763c685808eea085df4.exe
File opened (read-only) | \??\H: | 45de70c85ece8763c685808eea085df4.exe
File opened (read-only) | \??\L: | 45de70c85ece8763c685808eea085df4.exe
File opened (read-only) | \??\P: | 45de70c85ece8763c685808eea085df4.exe
File opened (read-only) | \??\R: | 45de70c85ece8763c685808eea085df4.exe
File opened (read-only) | \??\J: | 45de70c85ece8763c685808eea085df4.exe
File opened (read-only) | \??\K: | 45de70c85ece8763c685808eea085df4.exe
File opened (read-only) | \??\U: | 45de70c85ece8763c685808eea085df4.exe
File opened (read-only) | \??\V: | 45de70c85ece8763c685808eea085df4.exe
File opened (read-only) | \??\W: | 45de70c85ece8763c685808eea085df4.exe
File opened (read-only) | \??\X: | 45de70c85ece8763c685808eea085df4.exe
File opened (read-only) | \??\Y: | 45de70c85ece8763c685808eea085df4.exe
File opened (read-only) | \??\Z: | 45de70c85ece8763c685808eea085df4.exe
File opened (read-only) | \??\B: | 45de70c85ece8763c685808eea085df4.exe
File opened (read-only) | \??\Q: | 45de70c85ece8763c685808eea085df4.exe
File opened (read-only) | \??\M: | 45de70c85ece8763c685808eea085df4.exe
File opened (read-only) | \??\S: | 45de70c85ece8763c685808eea085df4.exe
File opened (read-only) | \??\T: | 45de70c85ece8763c685808eea085df4.exe
File opened (read-only) | \??\E: | 45de70c85ece8763c685808eea085df4.exe
File opened (read-only) | \??\G: | 45de70c85ece8763c685808eea085df4.exe
Suspicious behavior: EnumeratesProcesses 58 IoCs
pid | Process
3512 | 45de70c85ece8763c685808eea085df4.exe (all 58 entries are this same row)
Suspicious use of AdjustPrivilegeToken 42 IoCs
description | pid | Process
Token: SeIncreaseQuotaPrivilege | 3160 | wmic.exe
Token: SeSecurityPrivilege | 3160 | wmic.exe
Token: SeTakeOwnershipPrivilege | 3160 | wmic.exe
Token: SeLoadDriverPrivilege | 3160 | wmic.exe
Token: SeSystemProfilePrivilege | 3160 | wmic.exe
Token: SeSystemtimePrivilege | 3160 | wmic.exe
Token: SeProfSingleProcessPrivilege | 3160 | wmic.exe
Token: SeIncBasePriorityPrivilege | 3160 | wmic.exe
Token: SeCreatePagefilePrivilege | 3160 | wmic.exe
Token: SeBackupPrivilege | 3160 | wmic.exe
Token: SeRestorePrivilege | 3160 | wmic.exe
Token: SeShutdownPrivilege | 3160 | wmic.exe
Token: SeDebugPrivilege | 3160 | wmic.exe
Token: SeSystemEnvironmentPrivilege | 3160 | wmic.exe
Token: SeRemoteShutdownPrivilege | 3160 | wmic.exe
Token: SeUndockPrivilege | 3160 | wmic.exe
Token: SeManageVolumePrivilege | 3160 | wmic.exe
Token: 33 | 3160 | wmic.exe
Token: 34 | 3160 | wmic.exe
Token: 35 | 3160 | wmic.exe
Token: 36 | 3160 | wmic.exe
Token: SeIncreaseQuotaPrivilege | 3892 | wmic.exe
Token: SeSecurityPrivilege | 3892 | wmic.exe
Token: SeTakeOwnershipPrivilege | 3892 | wmic.exe
Token: SeLoadDriverPrivilege | 3892 | wmic.exe
Token: SeSystemProfilePrivilege | 3892 | wmic.exe
Token: SeSystemtimePrivilege | 3892 | wmic.exe
Token: SeProfSingleProcessPrivilege | 3892 | wmic.exe
Token: SeIncBasePriorityPrivilege | 3892 | wmic.exe
Token: SeCreatePagefilePrivilege | 3892 | wmic.exe
Token: SeBackupPrivilege | 3892 | wmic.exe
Token: SeRestorePrivilege | 3892 | wmic.exe
Token: SeShutdownPrivilege | 3892 | wmic.exe
Token: SeDebugPrivilege | 3892 | wmic.exe
Token: SeSystemEnvironmentPrivilege | 3892 | wmic.exe
Token: SeRemoteShutdownPrivilege | 3892 | wmic.exe
Token: SeUndockPrivilege | 3892 | wmic.exe
Token: SeManageVolumePrivilege | 3892 | wmic.exe
Token: 33 | 3892 | wmic.exe
Token: 34 | 3892 | wmic.exe
Token: 35 | 3892 | wmic.exe
Token: 36 | 3892 | wmic.exe
Suspicious use of WriteProcessMemory 6 IoCs
description | pid | Process | procid_target
PID 3512 wrote to memory of 3160 | 3512 | 45de70c85ece8763c685808eea085df4.exe | 25
PID 3512 wrote to memory of 3160 | 3512 | 45de70c85ece8763c685808eea085df4.exe | 25
PID 3512 wrote to memory of 3160 | 3512 | 45de70c85ece8763c685808eea085df4.exe | 25
PID 3512 wrote to memory of 3892 | 3512 | 45de70c85ece8763c685808eea085df4.exe | 35
PID 3512 wrote to memory of 3892 | 3512 | 45de70c85ece8763c685808eea085df4.exe | 35
PID 3512 wrote to memory of 3892 | 3512 | 45de70c85ece8763c685808eea085df4.exe | 35
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 45de70c85ece8763c685808eea085df4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 45de70c85ece8763c685808eea085df4.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe"
  PID: 3512
  Signatures:
  - UAC bypass
  - Checks whether UAC is enabled
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  Child processes:
  - C:\Windows\SysWOW64\Wbem\wmic.exe
    Command line: wmic.exe SHADOWCOPY /nointeractive
    PID: 3160
    Signatures:
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\Wbem\wmic.exe
    Command line: wmic.exe SHADOWCOPY /nointeractive
    PID: 2464
  - C:\Windows\SysWOW64\Wbem\wmic.exe
    Command line: wmic.exe SHADOWCOPY /nointeractive
    PID: 3892
    Signatures:
    - Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Roaming\svhost.exe
  Command line: C:\Users\Admin\AppData\Roaming\svhost.exe
  PID: 4884
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Modify Registry (2)