Malware Analysis Report

2024-09-11 01:50

Sample ID 240121-wkgb8sgaf4
Target 6da9c76a6e319c17f1d39e0ae2eaf2af
SHA256 461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078
Tags
medusalocker evasion ransomware spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078

Threat Level: Known bad

The file 6da9c76a6e319c17f1d39e0ae2eaf2af was found to be: Known bad.

Malicious Activity Summary

medusalocker evasion ransomware spyware stealer trojan

MedusaLocker payload

MedusaLocker

UAC bypass

Medusalocker family

Deletes shadow copies

Renames multiple (317) files with added filename extension

Renames multiple (218) files with added filename extension

Reads user/profile data of web browsers

Executes dropped EXE

Drops desktop.ini file(s)

Enumerates connected drives

Checks whether UAC is enabled

Unsigned PE

Enumerates physical storage devices

Uses Volume Shadow Copy service COM API

System policy modification

Interacts with shadow copies

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-01-21 17:58

Signatures

MedusaLocker payload

Description Indicator Process Target
N/A N/A N/A N/A

Medusalocker family

medusalocker

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-21 17:58

Reported

2024-01-21 18:01

Platform

win10v2004-20231215-en

Max time kernel

128s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe"

Signatures

MedusaLocker

ransomware medusalocker

MedusaLocker payload

Description Indicator Process Target
N/A N/A N/A N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe N/A

Renames multiple (218) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\svhost.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-1815711207-1844170477-3539718864-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe N/A
(identical row repeated 64 times; repeats omitted)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
(the same 21 rows appear once for each of the three wmic.exe instances; the two repeated blocks are omitted)

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe

"C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe"

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Users\Admin\AppData\Roaming\svhost.exe

C:\Users\Admin\AppData\Roaming\svhost.exe

Network

Country Destination Domain Proto

Files

\Device\HarddiskVolume1\Boot\HOW_TO_RECOVER_DATA.html

MD5 0ca3a13f42c34068e0f757b5994910ee
SHA1 9f860932035883b9a6f17d234bf62e31759b9c03
SHA256 4e72a0afa5834feec43108b99ea35dcf5b45796c1e9e7be398c18fa22aef0ee4
SHA512 924a454c7e32eba3701f500a76b4c73219a2d7bbce7db1be7d4eff5aedf8443f592a0d44df1e0f11e2f9588fec45d41d5fe9422f0954b95505f439fd0404134f

C:\Users\Default\ntuser.dat.LOG2

MD5 40ae0dfb228adc94cb96e22397cb369e
SHA1 184a2124d54b50c8ff736b0e0279a41422c4cf40
SHA256 4c14e92f0bc270597fad8950e143a5714b228b72febf88eb7a1bdcb4935e1fcf
SHA512 d5639291321e277c4c32a083e551961642e35563392c45ea3ee517108c24a65c77c07d06ca4809e1b43cd73a176e6f65b12d8328019e64e6259f16c482adfc3f

C:\Users\Admin\AppData\Roaming\svhost.exe

MD5 6da9c76a6e319c17f1d39e0ae2eaf2af
SHA1 d8743d22c816de1b1807a64d2bdde6baea838cd0
SHA256 461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078
SHA512 70c3e123f887556ac42bb58d730b59d8d2df1cca4d3e895f79fb6cfa5c1a63a64d46bc6fdc23c711be7b966aaf80d2fb7e83f52bdf4c096cbc946f5a6c976db0

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-21 17:58

Reported

2024-01-21 18:01

Platform

win7-20231215-en

Max time kernel

131s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe"

Signatures

MedusaLocker

ransomware medusalocker

MedusaLocker payload

Description Indicator Process Target
N/A N/A N/A N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe N/A

Deletes shadow copies

ransomware

Renames multiple (317) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\svhost.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-1603059206-2004189698-4139800220-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe N/A
(identical row repeated 64 times; repeats omitted)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
(the same 20 wmic.exe rows appear once for each of the three wmic.exe instances; the two repeated blocks are omitted)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2512 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2512 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2512 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2512 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2512 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2512 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2512 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2512 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2512 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2512 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2512 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2512 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2512 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2512 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2512 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2512 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2512 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2512 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2512 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2512 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2512 wrote to memory of 300 N/A C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2512 wrote to memory of 300 N/A C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2512 wrote to memory of 300 N/A C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2512 wrote to memory of 300 N/A C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2448 wrote to memory of 3036 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\svhost.exe
PID 2448 wrote to memory of 3036 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\svhost.exe
PID 2448 wrote to memory of 3036 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\svhost.exe
PID 2448 wrote to memory of 3036 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\svhost.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe

"C:\Users\Admin\AppData\Local\Temp\6da9c76a6e319c17f1d39e0ae2eaf2af.exe"

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\system32\taskeng.exe

taskeng.exe {9558CD91-5235-4072-9669-E226C71EA613} S-1-5-21-1603059206-2004189698-4139800220-1000:AILVMYUM\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\svhost.exe

C:\Users\Admin\AppData\Roaming\svhost.exe

Network

N/A

Files

\Device\HarddiskVolume1\Boot\HOW_TO_RECOVER_DATA.html

MD5 c74ca8a7a2efac28c517a8423e24a967
SHA1 00b0124cb4486bf7d62ee1f3820309e0576e389e
SHA256 edf9898d417227fbfc3c2ad3b33fd9ff6c809c0b801423710fa8038c0712e847
SHA512 2f7cba421f759308b88df8ba30fb243a56108332b5df34eb27d6c63bbc66342f0b6c34213c79f9e241eba4cb2e05432ff8df749701f2e7c8b23a2c99be0efb6e

C:\Users\Default\NTUSER.DAT.LOG2

MD5 fe827c79bcb4efc3ead73ddffbcb4710
SHA1 ff7420a852c36d7ba25ce3df8a0edb9d6e1ca5db
SHA256 91a0742eae42baec3c938d6779645c4384d5c944d6cc3a832b1f8976efcc856e
SHA512 06810ac19cbf1895669bcb4f6c60279ee3310a633737d32a6028bc0e629a73c3dd853b157fe0666ab13b0db03c0c65b6b7eca2c447cf4b7384306364d2e17f8e

C:\Users\Admin\AppData\Roaming\svhost.exe

MD5 6da9c76a6e319c17f1d39e0ae2eaf2af
SHA1 d8743d22c816de1b1807a64d2bdde6baea838cd0
SHA256 461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078
SHA512 70c3e123f887556ac42bb58d730b59d8d2df1cca4d3e895f79fb6cfa5c1a63a64d46bc6fdc23c711be7b966aaf80d2fb7e83f52bdf4c096cbc946f5a6c976db0