Malware Analysis Report

2024-09-11 01:49

Sample ID 240106-mcb8waefg9
Target 45de70c85ece8763c685808eea085df4.exe
SHA256 d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532
Tags
medusalocker evasion ransomware spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532

Threat Level: Known bad

The file 45de70c85ece8763c685808eea085df4.exe was found to be: Known bad.

Malicious Activity Summary

medusalocker evasion ransomware spyware stealer trojan

MedusaLocker payload

MedusaLocker

Medusalocker family

UAC bypass

Renames multiple (311) files with added filename extension

Deletes shadow copies

Renames multiple (188) files with added filename extension

Executes dropped EXE

Reads user/profile data of web browsers

Checks whether UAC is enabled

Enumerates connected drives

Drops desktop.ini file(s)

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Interacts with shadow copies

System policy modification

Uses Volume Shadow Copy service COM API

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-01-06 10:18

Signatures

MedusaLocker payload

Description Indicator Process Target
N/A N/A N/A N/A

Medusalocker family

medusalocker

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-06 10:18

Reported

2024-01-06 10:22

Platform

win7-20231215-en

Max time kernel

148s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe"

Signatures

MedusaLocker

ransomware medusalocker

MedusaLocker payload

Description Indicator Process Target
N/A N/A N/A N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A

Deletes shadow copies

ransomware

Renames multiple (311) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\svhost.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-1603059206-2004189698-4139800220-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1228 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1228 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1228 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1228 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1228 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1228 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1228 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1228 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1228 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1228 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1228 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1228 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1228 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1228 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1228 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1228 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1228 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1228 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1228 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1228 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1228 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1228 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1228 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1228 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2664 wrote to memory of 1612 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\svhost.exe
PID 2664 wrote to memory of 1612 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\svhost.exe
PID 2664 wrote to memory of 1612 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\svhost.exe
PID 2664 wrote to memory of 1612 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\svhost.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe

"C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe"

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\system32\taskeng.exe

taskeng.exe {E765C05C-285C-49DC-9407-7331EDBF29A0} S-1-5-21-1603059206-2004189698-4139800220-1000:AILVMYUM\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\svhost.exe

C:\Users\Admin\AppData\Roaming\svhost.exe

Network

N/A

Files

\Device\HarddiskVolume1\Boot\HOW_TO_RECOVER_DATA.html

MD5 f3a83618eed87efe3f4152b831cb29e4
SHA1 462f99e20d4e03a01ad6778da0d3b95150a7e3b5
SHA256 ea4150ab1ecedc59130c30505217a5481f8931e56a726d215c0fcc5d91126c2d
SHA512 b6c0b4e7eb3840eadbfc5b757fda4c096d34eac36a156016b8c27b684bb2b5a496614a73297c71d57cfd696507b0019a7e6a9f2cacb61c7e079da6f621e442ba

C:\Users\Default\NTUSER.DAT.LOG2

MD5 a90faf655441ca757aadf431dbd002e5
SHA1 cc09b68983943a120d82ad9a44a4c3e89d6d5a47
SHA256 59d52113452e64f2f43fb8368c812568a2127bea242e60a499f57fd543b7af9c
SHA512 945393906dd51d2b62f412ddcc4d081eb145416e73ccb69b1f86e588813da023e766b6d70b51c298680129a50d6f88e72ff5bceb5c322e2a1820d7e35a4062cc

C:\Users\Admin\AppData\Roaming\svhost.exe

MD5 45de70c85ece8763c685808eea085df4
SHA1 c9dd5313a661fd17b154ccb17a36e8399fc933a5
SHA256 d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532
SHA512 03a1d922711db1afc0a512151371c9a97a7478578c11591109537b1427aeac8b3ac44aa52c83439afe56e20134fd888bcaee1632f6046ce8edf0d99622fb362d

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-06 10:18

Reported

2024-01-06 10:21

Platform

win10v2004-20231215-en

Max time kernel

147s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe"

Signatures

MedusaLocker

ransomware medusalocker

MedusaLocker payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A

Renames multiple (188) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\svhost.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-768304381-2824894965-3840216961-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe

"C:\Users\Admin\AppData\Local\Temp\45de70c85ece8763c685808eea085df4.exe"

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Users\Admin\AppData\Roaming\svhost.exe

C:\Users\Admin\AppData\Roaming\svhost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 83.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 100.5.17.2.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 211.135.221.88.in-addr.arpa udp
GB 88.221.135.211:80 tcp
GB 88.221.135.211:80 tcp

Files

\Device\HarddiskVolume1\Boot\HOW_TO_RECOVER_DATA.html

MD5 ed45448c8877c80a7dd08869ed961512
SHA1 6a6566e40c808628bcccb69a4f0ee753d79e4f09
SHA256 3e16ceb8048cef9ec0fe7b26c35e7d64fa4acaaf6c0ce0b9d7bec10f9ea67c61
SHA512 f2a263d834b24c0801e6ff46d9afa8c9094e7006a60a29da5e68a5ce9d7bf47d827b5a60b12782bb56302d8fb00e6ef8b4783fbb52510c0ca776a4e5536c7b4c

C:\Users\Default\ntuser.dat.LOG2

MD5 f04f89c55e9ffa459ea434741ce586d0
SHA1 9ab734eb71b6176006cdf20887c0eac79c5059fb
SHA256 14129ad776df6cccba70025005ffc73ec40496bec86491eab2c3435c6c7cf93b
SHA512 e3dbfe1058f0ebc3b40097cdea4ee20950495c28ee11e45960e2f013d2bc5bd3577261603a94dec3a45e0d5b51b6c182a4823c7380c9c2d00206c518996be5bb

C:\Users\Admin\AppData\Roaming\svhost.exe

MD5 9ef25437156e94a677ef32c022b9931f
SHA1 8a35d05a8c0436f080f7c03e0e13b9b4793e1f86
SHA256 bc281ea5178fef9db029dd90ee9a3b0da2b3ea4f6d3dcc5f951ea8ef5f3ebee3
SHA512 138b8a6b1d4e4a351357464e124304ac7dc1c8ecb927e762675861442193263dfa61c97c5b9d3a853b08f4a60e2392f67d1a4136720635f3c7b3017e3a979dff

C:\Users\Admin\AppData\Roaming\svhost.exe

MD5 554d996e3d80a958a675bfbae6a5d9f7
SHA1 a6634399f55941844eeddd2f37861cc911098dec
SHA256 1d4631cac5e7f2b94ae8bc4fec304db5d1a648861e46754fa6fe063b1aa35071
SHA512 ff1d4ce5e18f64ba8c81d2ebfcc0b7689ec739e2522199d6f4c708d0174f5d10b0a9524307f19054229401b67732099e764fc22eb21dad11abeec0993f4397f5