Malware Analysis Report

2024-09-11 02:17

Sample ID 240109-xrn64aaae6
Target 4ef811b784b985769645e03bc0b9cd24
SHA256 4f9a833e79092006c06203a66b41fc9250bcebcee148fea404db75d52035131c
Tags
medusalocker evasion ransomware spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4f9a833e79092006c06203a66b41fc9250bcebcee148fea404db75d52035131c

Threat Level: Known bad

The file 4ef811b784b985769645e03bc0b9cd24 was found to be: Known bad.

Malicious Activity Summary

medusalocker evasion ransomware spyware stealer trojan

MedusaLocker payload

Medusalocker family

UAC bypass

MedusaLocker

Renames multiple (222) files with added filename extension

Renames multiple (283) files with added filename extension

Deletes shadow copies

Executes dropped EXE

Reads user/profile data of web browsers

Checks whether UAC is enabled

Enumerates connected drives

Drops desktop.ini file(s)

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

System policy modification

Suspicious behavior: EnumeratesProcesses

Interacts with shadow copies

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-01-09 19:05

Signatures

MedusaLocker payload

Description Indicator Process Target
N/A N/A N/A N/A

Medusalocker family

medusalocker

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-09 19:05

Reported

2024-01-09 19:08

Platform

win7-20231129-en

Max time kernel

126s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe"

Signatures

MedusaLocker

ransomware medusalocker

MedusaLocker payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A

Deletes shadow copies

ransomware

Renames multiple (283) files with added filename extension

ransomware
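The two counts above (283 files on Windows 7, 222 on Windows 10) are the classic encryptor footprint: one process appending the same suffix to hundreds of files in well under a minute. The following detector, added here as an example and not part of the sandbox report, shows how to turn that signature into a rule over file-rename telemetry (Sysmon-style events). Every event in it is constructed; in particular the appended suffix ".encrypted" is an assumption, because the report records only the counts, not the extension the sample adds.

```python
"""Detect the "renames multiple (N) files with added filename extension"
pattern over constructed rename telemetry (added example, not sandbox output)."""
from collections import Counter, defaultdict, deque
from dataclasses import dataclass
from pathlib import PureWindowsPath

SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe"


@dataclass(frozen=True)
class RenameEvent:
    ts: float       # seconds on a constructed clock
    pid: int
    image: str      # image path of the renaming process
    old_path: str
    new_path: str


def appended_suffix(old_path, new_path):
    """Return the extension appended to old_path to produce new_path, or None.

    Only "same directory, same original name, plus .<suffix>" counts, e.g.
    report.docx -> report.docx.encrypted. A rename that changes the base name
    or merely swaps the extension (draft.tmp -> draft.docx) returns None.
    """
    old, new = PureWindowsPath(old_path), PureWindowsPath(new_path)
    if old.parent != new.parent or not new.name.startswith(old.name + "."):
        return None
    suffix = new.name[len(old.name) + 1:]
    return suffix or None


def detect_mass_rename(events, threshold=50, window_s=60.0):
    """Flag a process that appends one suffix to >= threshold distinct files
    inside any window_s-second window. One finding per (process, suffix)."""
    by_proc = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        suffix = appended_suffix(ev.old_path, ev.new_path)
        if suffix is not None:
            by_proc[(ev.pid, ev.image)].append((ev.ts, suffix, ev.old_path))

    findings = []
    for (pid, image), hits in by_proc.items():
        totals = defaultdict(set)                 # suffix -> all distinct paths
        for _, s, p in hits:
            totals[s].add(p)
        window = deque()                          # (ts, suffix, path) in window
        live = defaultdict(Counter)               # suffix -> path -> events in window
        reported = set()
        for ts, suffix, path in hits:
            window.append((ts, suffix, path))
            live[suffix][path] += 1
            while ts - window[0][0] > window_s:   # expire events older than the window
                _, s, p = window.popleft()
                live[s][p] -= 1
                if live[s][p] == 0:
                    del live[s][p]
            if len(live[suffix]) >= threshold and suffix not in reported:
                reported.add(suffix)
                findings.append({"pid": pid, "image": image, "suffix": suffix,
                                 "trigger_ts": ts, "renamed_files": len(totals[suffix])})
    return findings


def build_sample_events():
    """Constructed telemetry: the sample appends an assumed ".encrypted" suffix to
    283 documents in about 40 s; a backup job appends ".bak" to 12 files (below
    the threshold); explorer.exe performs two ordinary renames."""
    events = []
    for i in range(283):
        old = rf"C:\Users\Admin\Documents\file{i:03d}.docx"
        events.append(RenameEvent(1000.0 + i * 0.14, 2536, SAMPLE_EXE, old, old + ".encrypted"))
    for i in range(12):
        old = rf"D:\Backups\db{i}.sql"
        events.append(RenameEvent(1500.0 + i, 4100, r"C:\Tools\backup.exe", old, old + ".bak"))
    events.append(RenameEvent(1600.0, 1200, r"C:\Windows\explorer.exe",
                              r"C:\Users\Admin\Desktop\draft.tmp", r"C:\Users\Admin\Desktop\draft.docx"))
    events.append(RenameEvent(1601.0, 1200, r"C:\Windows\explorer.exe",
                              r"C:\Users\Admin\Desktop\notes.txt", r"C:\Users\Admin\Desktop\notes-old.txt"))
    return events


if __name__ == "__main__":
    for f in detect_mass_rename(build_sample_events()):
        print(f"pid {f['pid']} appended .{f['suffix']} to {f['renamed_files']} files ({f['image']})")
```

The threshold and window are the tuning knobs: a backup or archiving tool that legitimately appends a suffix will trip the rule if the threshold is set low, so pair it with an image allowlist rather than lowering it; the requirement that the original name and extension survive intact is what separates this pattern from ordinary renames.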

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\svhost.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-3470981204-343661084-3367201002-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2536 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2536 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2536 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2536 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2536 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2536 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2536 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2536 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2536 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2536 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2536 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2536 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2536 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2536 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2536 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2536 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2536 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2536 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2536 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2536 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2536 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2536 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2536 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2536 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 3024 wrote to memory of 912 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\svhost.exe
PID 3024 wrote to memory of 912 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\svhost.exe
PID 3024 wrote to memory of 912 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\svhost.exe
PID 3024 wrote to memory of 912 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\svhost.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
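The three writes above, together with the "UAC bypass" and "Checks whether UAC is enabled" signatures, are one action: the sample turns UAC off (EnableLUA=0, effective at the next logon), makes any elevation request that still happens silent (ConsentPromptBehaviorAdmin=0), and sets EnableLinkedConnections=1 so that drive letters mapped under the standard user token are also visible to the elevated token, which is what lets an elevated encryptor reach every mapped share. Writing this key already requires administrative rights, so the sandbox label records the outcome rather than a bypass of an enabled UAC. The script below is an added example, not part of the report: it parses the report's own "Set value" lines, normalises the native registry paths, and assesses them against the Windows defaults (the defaults and the impact wording are this example's, not the sandbox's). The same assessment function accepts a dictionary read from a live host.

```python
"""Parse the report's registry-write lines and assess the UAC policy values
against Windows defaults (added example; baseline and impact text are ours)."""
import re
from dataclasses import dataclass

SET_VALUE_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\\S+)\\(?P<name>[^\\\s]+)'
    r' = "(?P<value>[^"]*)"\s+(?P<process>\S+)'
)
HIVE_ALIASES = {"\\REGISTRY\\MACHINE": "HKLM", "\\REGISTRY\\USER": "HKU"}
POLICY_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# value name -> (Windows default, predicate that marks the observed value bad, impact)
BASELINE = {
    "EnableLUA": (1, lambda v: v == 0,
        "UAC is switched off at the next logon; administrator processes run fully elevated with no prompt"),
    "ConsentPromptBehaviorAdmin": (5, lambda v: v == 0,
        "elevation requests are approved silently, so anything the admin user runs is elevated without consent"),
    "EnableLinkedConnections": (0, lambda v: v == 1,
        "drive letters mapped under the standard token are visible to the elevated token, so an elevated encryptor reaches every mapped share"),
}


@dataclass(frozen=True)
class RegistryWrite:
    key: str
    name: str
    value: int
    process: str


def parse_set_value(line):
    """Parse one 'Set value (int) \\REGISTRY\\... = "0" <process> N/A' line; None otherwise."""
    m = SET_VALUE_RE.match(line.strip())
    if not m or m["type"] != "int":
        return None
    key = m["key"]
    for native, alias in HIVE_ALIASES.items():
        if key.upper().startswith(native):      # \REGISTRY\MACHINE\... -> HKLM\...
            key = alias + key[len(native):]
            break
    return RegistryWrite(key, m["name"], int(m["value"]), m["process"])


def assess_policy_values(values, key=POLICY_KEY):
    """Compare Policies\\System values (name -> int) with the baseline.
    An absent value behaves like the default, as it does on the host."""
    findings = []
    for name, (default, is_bad, impact) in BASELINE.items():
        observed = values.get(name, default)
        if is_bad(observed):
            findings.append({"key": key, "name": name, "observed": observed,
                             "restore_to": default, "impact": impact})
    return findings


def assess_report_lines(lines):
    """Parse sandbox lines, keep writes to the UAC policy key, assess them.
    Returns (all parsed writes, findings)."""
    writes = [w for w in map(parse_set_value, lines) if w is not None]
    policy = {w.name: w.value for w in writes if w.key.lower() == POLICY_KEY.lower()}
    return writes, assess_policy_values(policy)


# Copied from the behavioral1 "System policy modification" table of this report.
REPORT_LINES = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A',
    "N/A N/A N/A N/A",   # an empty indicator row, as printed elsewhere in the report
]

if __name__ == "__main__":
    writes, findings = assess_report_lines(REPORT_LINES)
    for f in findings:
        print(f"{f['key']}\\{f['name']} = {f['observed']} (restore to {f['restore_to']}): {f['impact']}")
```

On a live host the dictionary for assess_policy_values can be built from the output of `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System`; restoring the values is necessary but not sufficient for recovery, since EnableLUA only takes effect after a reboot and the dropped svhost.exe persistence (see the Processes section) must be removed as well.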

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe

"C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe"

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\taskeng.exe

taskeng.exe {54FE2C29-0BAC-40FD-80B8-A97D75CEB432} S-1-5-21-3470981204-343661084-3367201002-1000:GLTGRJAG\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\svhost.exe

C:\Users\Admin\AppData\Roaming\svhost.exe
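The process list above and the WriteProcessMemory table read together give the parent-child picture: the sample (PID 2536) launches vssadmin.exe three times with `Delete Shadows /All /Quiet` and wmic.exe three times against the SHADOWCOPY alias (the captured command line carries no verb), and taskeng.exe (PID 3024) later starts the dropped C:\Users\Admin\AppData\Roaming\svhost.exe (PID 912) from a scheduled task, a name one character away from the legitimate svchost.exe. The script below is an added example and not part of the report: it rebuilds that tree from constructed process-creation events (PIDs, images and command lines are the report's; the parent PID 1600 for the sample and the parent 600 for taskeng.exe are assumed, because the report does not show them) and runs the detections a defender would derive from this run.

```python
"""Rebuild the behavioral1 process tree and run ransomware detections over it
(added example; events constructed from the report's Processes table)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from pathlib import PureWindowsPath

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe"
VSSADMIN = r"C:\Windows\SysWOW64\vssadmin.exe"
WMIC = r"C:\Windows\SysWOW64\Wbem\wmic.exe"


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


EVENTS = [
    ProcEvent(2536, 1600, SAMPLE, f'"{SAMPLE}"'),                 # ppid 1600 is assumed
    ProcEvent(1968, 2536, VSSADMIN, "vssadmin.exe Delete Shadows /All /Quiet"),
    ProcEvent(1728, 2536, WMIC, "wmic.exe SHADOWCOPY /nointeractive"),
    ProcEvent(2652, 2536, VSSADMIN, "vssadmin.exe Delete Shadows /All /Quiet"),
    ProcEvent(2608, 2536, WMIC, "wmic.exe SHADOWCOPY /nointeractive"),
    ProcEvent(2616, 2536, VSSADMIN, "vssadmin.exe Delete Shadows /All /Quiet"),
    ProcEvent(2764, 2536, WMIC, "wmic.exe SHADOWCOPY /nointeractive"),
    ProcEvent(3024, 600, r"C:\Windows\system32\taskeng.exe",       # ppid 600 is assumed
              r"taskeng.exe {54FE2C29-0BAC-40FD-80B8-A97D75CEB432} S-1-5-21-3470981204-343661084-3367201002-1000:GLTGRJAG\Admin:Interactive:[1]"),
    ProcEvent(912, 3024, r"C:\Users\Admin\AppData\Roaming\svhost.exe",
              r"C:\Users\Admin\AppData\Roaming\svhost.exe"),
]

USER_WRITABLE = re.compile(r"\\(users|programdata|temp|appdata)\\", re.I)
SYSTEM_NAMES = ["svchost.exe", "csrss.exe", "lsass.exe", "services.exe",
                "winlogon.exe", "explorer.exe", "taskeng.exe"]


def edit_distance(a, b):
    """Levenshtein distance, used to catch names that imitate system binaries."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name):
    """Return the system binary name that `name` is one edit away from, else None."""
    name = name.lower()
    for real in SYSTEM_NAMES:
        if name != real and edit_distance(name, real) == 1:
            return real
    return None


def detect(events):
    """Return (pid, rule, detail) tuples for shadow-copy deletion, VSS tools
    spawned by a parent in a user-writable path, system-name lookalikes in
    user-writable paths, and scheduled tasks running user-path executables."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = PureWindowsPath(e.image).name.lower()
        parent = by_pid.get(e.ppid)
        cmd = e.cmdline.lower()
        if name == "vssadmin.exe" and re.search(r"\bdelete\s+shadows\b", cmd):
            findings.append((e.pid, "shadow_copy_deletion", e.cmdline))
        elif name == "wmic.exe" and "shadowcopy" in cmd:
            # No verb is visible in the captured command line, so any use of the
            # SHADOWCOPY alias is flagged; the parent-path rule below adds context.
            findings.append((e.pid, "shadow_copy_deletion", e.cmdline))
        if parent and name in ("vssadmin.exe", "wmic.exe") and USER_WRITABLE.search(parent.image):
            findings.append((e.pid, "vss_tool_from_user_path_parent", parent.image))
        real = lookalike_of(name)
        if real and USER_WRITABLE.search(e.image):
            findings.append((e.pid, "system_name_lookalike", f"{name} ~ {real}"))
        if parent and PureWindowsPath(parent.image).name.lower() == "taskeng.exe" \
                and USER_WRITABLE.search(e.image):
            findings.append((e.pid, "scheduled_task_runs_user_path_exe", e.image))
    return findings


def render_tree(events, root_pid):
    """Indented text lines for the subtree rooted at root_pid."""
    by_pid = {e.pid: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e.ppid].append(e)
    lines = []

    def walk(pid, depth):
        e = by_pid[pid]
        lines.append("  " * depth + f"{pid} {PureWindowsPath(e.image).name}  {e.cmdline}")
        for child in children[pid]:
            walk(child.pid, depth + 1)

    walk(root_pid, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(EVENTS, 2536) + render_tree(EVENTS, 3024)))
    for pid, rule, detail in detect(EVENTS):
        print(f"[{rule}] pid {pid}: {detail}")
```

The taskeng.exe rule is specific to the Windows 7 run; on Windows 10 (behavioral2) the Task Scheduler service runs inside svchost.exe, so the parent check there has to key on the scheduler service host instead. Each shadow-copy launch also appears in the report as vssvc.exe enabling SeBackupPrivilege/SeRestorePrivilege, which is the service doing its normal work on the caller's behalf rather than a second indicator.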

Network

N/A

Files

C:\Users\Default\NTUSER.DAT.LOG2

MD5 9db174e2091b616001dea9911dba4ec0
SHA1 e4ca40b6c20d93e71d114c52ce0d274e7f96e7e1
SHA256 d5dcd80c06595e196fb717b0e51b3fdcaa74949d1c16632729b0ab8baa6c1585
SHA512 3d49feb746e63deddb68982932be5381838bc00de0241a60064436a612d3d8f81b03be6834092e47ee2f72aad14bc1d4765feca91e01b4f942e8c1c4be21fbdd

C:\Users\Admin\AppData\Roaming\svhost.exe

MD5 c89c7f4705acb628e00c56966b54f0af
SHA1 91584344b182ef6f8be2a11b9c3255207c717036
SHA256 cd8925980225ea79877b4549a7ef2cf8304596e9f1d6cdbfaa08ef8e3a3257f0
SHA512 906db0dc9225862039091addfb6c6355103840f97b295841fc88e0fe9b7f6111b636e5d36ef5ec43e31e3591fe49cfdc4136bc89b706d2f491333c43bfb7d2f4

C:\Users\Admin\AppData\Roaming\svhost.exe

MD5 25577996bd81b3c7649d3379d288d67b
SHA1 505e80558cada747f6beac71bcbafb27d7ba749e
SHA256 bfd4cee8f4068e5489a0dce7248bc39ec1a24ed97c00fe9bc69ac31e6d12591b
SHA512 62a3ccaeb5f32f318baa05aae02d9f55e4f51276bc0c829efabbf4672ad6255d35a2488d6c7c54b47895330119aaba74ef329e0918604627d617065ad968d645

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-09 19:05

Reported

2024-01-09 19:08

Platform

win10v2004-20231215-en

Max time kernel

142s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe"

Signatures

MedusaLocker

ransomware medusalocker

MedusaLocker payload

Description Indicator Process Target
N/A N/A N/A N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A

Renames multiple (222) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\svhost.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-3791175113-1062217823-1177695025-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe

"C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe"

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Users\Admin\AppData\Roaming\svhost.exe

C:\Users\Admin\AppData\Roaming\svhost.exe

Network


Files

\Device\HarddiskVolume1\Boot\HOW_TO_RECOVER_DATA.html

C:\Users\Default\ntuser.dat.LOG2

C:\Users\Admin\AppData\Roaming\svhost.exe
