medusalocker | 02f250a3df59dec575f26679ebd25de7c1d5b4d9d08016685f87a3628a393f92

Analysis

max time kernel
147s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
27-03-2024 03:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

220201-tb2kpshagn.exe
Size

2.6MB
MD5

aa3684dd93b13628b626723bfe313dbc
SHA1

d2a08733f52ba0187dd43a45b7ea6953f69522bd
SHA256

02f250a3df59dec575f26679ebd25de7c1d5b4d9d08016685f87a3628a393f92
SHA512

22ffb71722f5afd6925d37628585dc182e3f2cfd6f472a522e8a418dcf7adf76c16aed6313c9a477e2cfa3b646bf450f2cffee8d37a51a63c926c5ef18450ac0
SSDEEP

24576:3z6+t2x6zy+jerMRSFJZLIMMXXKIdwjP3rWFhtCMzGkx8W9GTjneJN9U:3pMx6jKF7eXKYwj/e0kxTGT6JN2

Score

10^/10

medusalocker evasion ransomware spyware stealer trojan

Malware Config

Extracted

Path

\Device\HarddiskVolume1\Boot\HOW_TO_RECOVER_DATA.html

Ransom Note

<!DOCTYPE html> <html> <head> <meta charset="utf-8"> <meta http-equiv="X-UA-Compatible" content="IE=Edge"> <meta name="viewport" content="width=device-width, initial-scale=1, minimum-scale=1, user-scalable=yes"> <title>Title</title> <style> /* http://meyerweb.com/eric/tools/css/reset/ v2.0 | 20110126 License: none (public domain) */ html, body, div, span, applet, object, iframe, h1, h2, h3, h4, h5, h6, p, blockquote, pre, a, abbr, acronym, address, big, cite, code, del, dfn, em, img, ins, kbd, q, s, samp, small, strike, strong, sub, sup, tt, var, b, u, i, center, dl, dt, dd, ol, ul, li, fieldset, form, label, legend, table, caption, tbody, tfoot, thead, tr, th, td, article, aside, canvas, details, embed, figure, figcaption, footer, header, hgroup, menu, nav, output, ruby, section, summary, time, mark, audio, video { margin: 0; padding: 0; border: 0; font-size: 100%; font: inherit; vertical-align: baseline; } /* HTML5 display-role reset for older browsers */ article, aside, details, figcaption, figure, footer, header, hgroup, menu, nav, section { display: block; } body { line-height: 1; } ol, ul { list-style: none; } blockquote, q { quotes: none; } blockquote:before, blockquote:after, q:before, q:after { content: ''; content: none; } table { border-collapse: collapse; border-spacing: 0; } body { background: #2b3d49; background-size: auto 100%; background-position: top center; background-repeat: no-repeat; font-family: Arial, Helvetica, sans-serif; } .all { overflow: hidden; padding: 54px 0; } .container { max-width: 1092px; margin: 0 auto; } .head { padding: 0 20px; display: -webkit-box; display: -ms-flexbox; display: flex; -webkit-box-align: center; -ms-flex-align: center; align-items: center; -webkit-box-pack: center; -ms-flex-pack: center; justify-content: center; margin-bottom: 35px; } .head-img { margin-right: 30px; } .head-text { color: #ffffff; font-family: Arial, Helvetica, sans-serif; font-size: 35px; font-weight: 500; border-bottom: 3px #fff solid; } .content { position: relative; color: #ffffff; padding: 0 20px; font-family: Arial, Helvetica, sans-serif; font-size: 14px; font-weight: 500; line-height: 21px; } .content a { color: #9676fd; font-style: italic; line-height: 30px; font-size: 18px; } .content b { color: #f25252; font-weight: 500; } .content c { color: #f25252; font-weight: 500; font-size: 20px;} .content d { font-weight: 500; font-size: 8px;} .content:after { content: ''; background: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAjAAAAGhCAMAAABI/X4mAAAC+lBMVEUAAAAwDh8/GCkA6eHlc4tFxucA6eGJRUTihIQdx+GpXV4A6uENAjEA5uIA4OHJdXUA6eHckXzfmHoA5uEA5eEA5uEA6eIA6eHmkIHedYYA5uEOBmvCb3AA5+EA5+EA5+EA6OEC6OEA6OEA4uEKBWXbgX9Tct+eV1ZbHh5dc+Bec9t9Ozu3aGYlAwUA2eEC5eFXat0A5OFabt8A4uI1CgkB5uJTZ91NatvIyPsxBgRRZ93AwfgJpN48eN3PzfsMotzExPpRadsGkN5SZNwFr93Hx/knhN0NnNzKyfrRz/vW1PsAt+DQzfsAu98Az+AAv99mc+INk9p8iOl4gunMyvoAxOAAq98AoN4Bzt+Biuw4e9wGl94kCmwjCWsYitokCmwkCWx8h+ukrviRmfKmq/oCu9+ir/kkCWwUi94kCmzCwfg3IokkCmxINpZEMpXFw/kzHoRHNJbLyfqss/XIx/rPzfvNy/vS0PwiBmo2IIhTYtzV1Pw3E4IfBGZALpHAyv84J4xJK5IHAFULAFgAiLVLOZZYZ96xt/kAl704G4fX1/0VAF83GIQA6eJueuYaAWNJMZRLJ5C9xv/b2vxodeQAnsIAkbs9Ko4QAFt1gOnh4P0AmsC+vve3vf65wf8Ai7hjceN8huuzuvzd3f2Eje5cauDm5f5gbeEBea8AkLgAgLONlfGutPmWnfMyMY8AlL0AlLovPJSeo/YyG3xMO5wlDHBDP5qmq/qorfGFkdg2Dn4qEXQtFniJlNoAcao/SZ5EI42fpOian+QBaKejqOw5I4FsYbEqRphiVag6UqKOmN0xXaeVnOEmaKu5uveQjdUAo8N7dMAkT5yDfshAK4ZaS6BzarnEzv8dVp9TQ5lHNI2WldsYcq8XXaKJhc8Al79KatxNXNsArt8LYaQAqsapreoA0OC4uPAAnd6xs+4AxuDt7f8AvN4Aiq9DVtccLH0MRooA/O1I3O1n3u8AX5epo91X8fkBOZ1VV8M+Tbsw8PcfSLGG6fkAAEc5jB+NAAAAanRSTlMACRKRTAZ/HEwMJYQcHhQsjTNMM0AplYlMMVVHTEtmb59eef0yPxtMS0UwTDMq/sGG0VusOea0b0JL5xg6/ndRK539zWhb/SexlL5+2Z/mttmUbqXtz+HIkMbFr9CqenPr6LeB3O6Ujtz7glQwKAAAbipJREFUeNrs3d1qpDAUB/A/HHJAQkLAmICQGN0HKEPpY/rO23Wq0bbOzvV4fpeDdwZzvpKB+El5CyGeN5FXEOJZOdDUQognDcTOZQMhnpKImEmnBkI8oxvIsabJQ4intBNpjmHoIMQzVNLETDRKKCOeY0fnWFOUUEY8pmwNZaKEMuJ/1DA2uPMcNEeSUEY8kgt73DV9JM2BZVsS57KLYWhxZzK5yBaNdAvEiVw0O9pKve1QdAMjoYw4Yft7ftQ3uEuThXUlSygjftflJT/idYU0CoYjuVEGH8SDUm9I2FhHrIOWLrb4XZMiUQK8wUK1U4gcMoQ4Ult+VHpgoKRqt4BGoJVQRuypbSdqW2AMYWq3aLhkoA+9lGXEzsdcOqwysatd69YDngLLDKeobvM866074O5da4tVCuyCbEti94X59DFuoYxzrHcDeJ0mHWXBiM00Lxy2Um+IHKmGMiPJF0bsdO/zpzeslNek2YVxe0BOFYiDdJvnd0DH2i0gdhNWSvIkcTTMN6DMN1u7BWEATJL8SPyqHQGa57b+wFqhK7IbiSNlsCrz3MGsdbrGK3SRKFscmCxfnStTw2Bw529zC1O4xaoLmovHQTffEsR15bKNwqipg9FE2xKymVzwsPtSr/nzGSHLcZTrGpwm9lgZ0lwSVn569zA0dfWB+dMfmfu9rFzi/qhAMy4flU0zelgOdZrK3uav2rC4pCYtdTo31qne94QdBRMjlx5fbJwXbzL2e1FmPPaPVO9x0OQQKR1qw4siLYOLup96DOzPZzhLj530Ni8klLkqz6TZnZ96VGPCQf6Y/5G63tWo3VSvZnK9ffhgZaMsmCtS/f7U4xLKqKfb3LJgLmgoW37U1VGYh2yHu/4mmdLlZEe11Os5LAdnOzxiwrpxKTnrdjlDYF3nvG0fiZlib3HOOBkMv652CppjSfg+1atwxhBvNz5UXqoy16CSJk0joOrB2cgxnIcylmm78aEagtx3dhF2dKUH0tjslhC7kHCi6R0xk+sbVGMIMm51FZ3OQCq7U49ETOP/LvcNk8UmB7nv7DqaDkhulx91mZavTsIJP4Woo9n94EizXBLy6lSn8KUvep8ftS7/+21oz9vcQVusauVPJsdf2sTd1rVeX3itz/XO0WhOYx8y2NRDcIOEMi8sl/0Fd9/zo748vO65s783MeXfUV7X4PQu3fEcDi/cLEuotPjGmNMEKt4TKAllXlQf9qMwP1+4Z4quxTeevMKROYQyQUst+DWp7xeAm3zMmJvkfn5h2vCj1JsHW4vHUVLs13UfhXFu3L9wrQ3Uti/9XDD0I1IZi05qPydMWralF/WXvesJbaQK49EwCyEmDKRJIdI2ST1bpBQEYfEirOLRo6K3RSeHRajN0AmGNoeZdkIPpbG0QsCFkukhTVhyMC25BI03a1zXuFgvWRTMLm3Tbg+lB7/35s97M/njHifL+8HCFtJe8uO93/d9v+/3rPqIfOEx+LbDFiN8fWrXi2eUdAU9zfvpkBDoyqBIcTYteHnw9p0P3iadWyxlqC8cenKBCEiZUa3eSW+APmFsJs8wOMeDMHZijpmXBK++3+3u7Xzwrr0gjoSoijng50dk9cKMkvcHbDebPe9sAmSQjz309pLgtc9Sf/zT7e7szdveMuFDlCkqACV1JD5izE1OGFou8yGSKxP0+3n20NvLgE9TGyvrPy53uzfXMao+igBh5mI+wghv1NMHa28pQKhAOSPojRQfnDrQ52H30tjjbjKZ3FhJ/tq96V30EtYX7oevdo7KSIzH4oOaw5Ya5gYU6ZEp5KaixZF3xsMw5vgkibC+8rB3dXVxfecd80QIAmHoPdjQgMMh7iU2YAKSBx1FnKJ9wsgoMc2WsccZr3yc1LFa1XJX1193bxNxO/d/e7AzsUGPQ06FqEjxaIREQgSjKP4slptnM8nxxWtJE+n1s+McqN+LiBUspDNm9hY3rKROeMlQmt5XCVJuKvoDYeCOH/6kl3XyxhWvJy2kNtYvv9/r3lwsJHz2Pdi3osPHCaiTa2/1xr1UHnTI75xaR3IAdi2NKz7VuZIyKLP68PnN1cWFxRCfP4cxMcIGjF9Uclg0ofPH0Q+9UUPM6AIjzBjjbhKhmkzppEmtbmevQf32YvZIj6iH44a3eu0WzZDe+YvSvWB65SkQY4QZX+AiKXUkHibPDtMpXco8QZT58D067nnKw01PjHL1Bp27BODrtKDPwSNxzkpdZC92jSmgSMKE+UZ4UH92lkKUSW1sXP57fXO/+8GMqVQSs3GkZZ29fZohAY+j1Yv6NhNRjpqDTyY4D8c2a8cbr32OCfMgIwrF8rPGaTqNflyvFnvd7lpvbsq8VcJoCE3izPoQcDIg5Ae6Tc3P+MgcPDLDeSZibDow1ngd8yV5LyOK+3JWe3Z5ZNxLpz992QUpMx+mFhpJnBlBIDxiX2UiwgeoGhxiqiZyC+w2Gmd8iglTFQVR6cgHBaDMWVW/l1ZSv1xDvbTgD9rizOyJZYgTfcYHsq8yFfODN8JKeAgBYVCRHnJwLsEuqLHBXUyYw4wAjGkW5Xw2q9WRlMHTgst/rxBlpjlKuzpnkKH+l/1mboWJcxwIQ7l6gTAAr6MyZ9Gt4wND8wJhBFFSWllZy2qUlNmfRZSZo4wPMSdhSCeXGKgo5ziyTvFUpPgcSlD0BOmbLbgAIys2LRgLvPKZoXkFBEXKdPJyAUmZQ1PKHKN7qcd7rDMj7rh/eLyOEqcIMO3FJk/aTBObokMUeY+PTrcK5nJsWjAmeONzQhhFFARVqtSxlCmegRTGJfbZ0+ur3g3xcAb7bcBeu0UzGgOtQxjhg31+Otw3GEl4fPQ4gdNHVgvM+uB+GJOkexlBzJQkFWgjKc19LGUuUwB0L6Ubf1/fbG7eeXd4gEPES1s0ObL1aH7AeZH5eD9lr+ISeGTFXkdxP6wiSYA+TCMjKeheEtogZfLFalqfFqS3T5+hrszybW6oq/eWOeEeknc2NeFM+/XyPCYMmRYAmPHB7fiEFEli8TjbFiURKFMrNfK7+0L1VJcyKZAyP37Z3VmGaYEDQZ/ZySWEoQMcSAE1IlKcWCkAESZl3AxSJAFh8nl5v6lKApYyxew3UqUMUsboylR/3exuLhMpYxba/UfCC+adcVHHBRTVX0dhrl8XgyqSRKW4VciW5UYJ3Utw0jQzUqWgafXTVNrwcD5H99L77zgWZfvzGThTyhArzOhIcSJlGGHcjTd0F8w9XCSV6nI5W5AL7YyIflQFqSLnUYltdGVWt3/7oru3/NFtmjD8gAyQ6ASJjcFS5oUzEgMxRhhXgxRJAFXF9VFhqyMJioI4k2kcyGRaAJRJPVru3qelTCiiKxXnLgG1KsA7bL+jI8Un5lil5GIYRZKAgO8hqI8K5YYqZhQJMQakjFwukGnBxsrRXzvdNSJluFCCJD7YdgmCRMqQDwxFgFxcbAfbxSBFkmC2ehv5444kdYqGlFFa+NQxpwUgZR4/h3sJSxk6n2EySJ8waKw94bN9YPTWYwBMnizc1/0gRRJWLXp9tN9QaydPTCkjCScFfVpwlMKfXln97Z/uzhJIGeodNz/duAvrYVXx/ofehhMG/kIkweSLy0FPksRMu2LURyVBOpG1rY5qTAtKjTI2Ppymk7iRt5J6tNTdXLIlPvBBZ8Adsmj6KAphKcMN0zDoZuNZ8pDL8Qbmi14kIQNVW8CtXkWodY6RlBFK+NSRJKSGC7uX6VR6Q5cyD34GKbN0h0p8CDi2Hnl0wkxNkwAHVGLHoiOzjFginsth2u0ETJi6LO+3FAlfRHCoHDckpVGHaYGphrdODlPPLjc2koDtVSxllm4bZ0h/XlAggSyaMWj1EmM4echgaJZRhIVVuRh0kYQtmnm5WJEsKSOpDWtaAMaHrbpae3r+5HRdL7E3wMN5f4mU2E5wASCM1/TKEGP4VJSmjDPc18+zW8m9oIskUTmR5Wz2QGuUavhQESqi2pA1PC3AUqbZUtUn5+e5IowksZQ5/GWtuwZShnMOFsOURfMWlQoT8uNI8URoRCwjz0zi7oWtSBLVShFV0HK2LeBDRQXCHKNpQb1iGB9E6el57vz8MG16OH/4eWdv7fe3HJ6qhdlpshapT6191EMG3hEPvQWjXnbCuBakSMIQJbW1jyya5ggSSxk0Lch3Mor+iTrwZfZe+vQUGANYRV2ZtYue/W38ORISQh7Cph4yGBn3HGYaxrUgRZIBpSa0CzJ1qKgSPnW0rbYkYNRKW+fnpdpZ2fBwpiC86tsrSCKKeAjw1Hk+bGv1RhzpvwMixdld5HYYRZIo6FDNpks5CwaqToa0erWySRihBj29Sq1VNjyceFqAPJw9yvhgmKEmSd6Z3uol04JBkeIh9o6b20GKJIwSvockyZQyLVEyjOHasUUYQaypGam9m9U06ONhrKfqf19f/b4E0wJ7SMjCNG37hYrZZ4nbASdM2MvecXM5jCLJIIJQrGNXL5TR+rYJlNiKPmAqFU8kwYIC8liT81oFLqV0Wt8tyM52dxbJtCDI5wBOKQPzJs78QP9mfwhZyaeZ5HUx7EWSCAYqo9UrZU40kDJyoaSIiDOSCHMlAqyG5d1m7bB6dmR4OM8efdldWyRdmdB8DiMWsCU8BCwpw/WdMKig4iej7F5yK+giSbdoUk2XUv2grGVLakafWsM/GyRo7DUV8d6+lfiwcvTr/b2lxTtvexx5ZwkflfAQjBApQ0Cp4ckI075uBW230y2apD4SYX4EP5eAF7jV2wcRnTpKpljWiPHh4fOdncWv+qTMjMUIHO/snRwdKc4I41aQSRKGCKsCqD7KNzKqvjjb3gfC5LfwtKAfigiWvOwB9nAahjwwPuxtLn40P2WFOecACcoUFQQpMyDwl7O2t/3shHEt7tJFEmm6QCOmaYjdDPaBHxyAMVwYBFHslEniA5oWpB8t7m3ezMbCJO8MESYe95Edt8igSHGTY0GWLu9akCIJw2q6ZHc7KrBHr4dKeRkopLVU57VEjxOyaLcglTSNDzc9yOG0qLAwiT14JKs3Nj0oUtxSw+z5NreCFEk6RLM+kqGIbuv3kCg2EYXkoiIoQ6RMO7uLdguOzK7M6uMe7O+/6ecof3ecR67ekZHiPHvn2uUgRZIBxayPtsAJU5SNVi9enJUbitpqSn0Xk9nYA3uVrmOwlKkWoPX73YfvhakDxPbQ26AThr1z7XaQIsk4XzpNfSittlqqUpdxq1fEfbvGVlGRGlt4x80O0eCYfFCpHaYMymxsnx6f32wuXngDL+LqJc96sVavm6EXSVWLMOL+rrn1qIhwwmSpxdkm1NZglym0gVc2ZFTTw1lRMg+qZj70OkSKb4KWWZihXb0k7nlgdCt759rdcEySwKJ5gBghiej/aiuPp9bmtEARpM5uNr/btN9KaqtucEyAXnBGOLIixbe3Hz+/ub7ovRV1PPQWHu7q9SPvDDNQuRWOnSQ9RVNG/Vtc/pTq2AqjnQiYEYLahHpbcxBGah0X2lj74N8C1hwBY1JpbHzY+DOHwqvmPc6H3nwjWr3+SUYYl8JRJImKfqjsnqgiKBNR0hdnNSRlMBlUPD9yEiaPbMBEDWf+Y+9qQlspo6g/4EpF8Gcj/rt24UIEwY0bde1SQQQRGmOdR7UdrM+MjDJTR0x4ZBRHGLCbScD8IM0iSlIIGkMIjlG0YmuQRkWhWEU3rjzf/eabm0xGd7azmLt6r026Otx77r3nnq/0/N7WKRHgvbfegaU4tDKP3s+IuOl2AOa2f1f13plLNLMaVySbJN0R90em1cPIhU8FfNShno4gKlNfAYxYJ7SocCnIFLq9k8gk5I23jn6F8OGlp2KfoOuFPcht/6HqvSUXgWc0uElaHvVWB45zdKzb0eFsy/Jds2AXmKkkttZNWbig4Yyj1zrpYcFEkHk2+GP30vvCJ4jPUW677j/I7TX5NCabETVJugQMj3rdwNkehAEAoDwSvTqMP46l8GEZL5R1Agz2fK8eIwYdlmeekEkI+Z3BvOqVJctDZBi2M+O4Jm+pMx2Ro3OBw7Fp6DIUh7JuG9sBOZUZmn6hO6zixi2xglwsXD6+EAPmoMXWrWJb0P0SxynK8pBVvUnD39vzNVKWI2ncoBfa1FIDJsgwJvbUyiOxNMUO0m1aQWMJMXpjWlA3bmig+Je6qGxNk6xbCTLvvHMCxCSF4VeuGP7mBg5ZjtVNUr0e6Rjsdh2D27bnI6lIA4ftoeeb4VEXNWuBv7h16o+k3IoyDN+rkHUrqMxWpOGcS8hcdy2reu9YlWjmo97MxtWJJokkmm40/Mf+CBnGb6mkAnBgKW0ddBs02FOAMb3WQJn7ThsMJTYJISpDgryX//xJ1qVYGXPbrSsWMTTqzZNMJuPu2KyMAeP6ljqldlBXQGbD426EAAgf5gfddhPbAkcBxq8BFNFgz9FXyNCgRZA53duibcFW8CYQcxc7PiDZJB0fxOP5OZHJZKgmieuI3avS1WO0lLZL8Ej0DrY5Z/Sm3QYW170ol0Cf6dVMJQPm0GESQoVKUZkB9gVbVJc8JJkLF1L8oZkNX5lLNLMZq02SXqIq0mpGV4+2MwzmyDAqkFmctlvzw0GED7sg+iN2fOC2mv3OoJWp1fde3pNU5q3T+e+7L23wbUGa3XM+uMtkcJOkgqqIS6fUA+UKMxAZhouWXsLQxTp29AUpDHJIs0Xch1NVuHCv4lfN57d+i6nM6dcb7764gW1Bsh4pNnxLnmEyGdwkqeCrR6YyDBemMpRheDbca4ov1CB8YMC0RKGK9Vj+29uN+KG3N1798Pud3Y315FMXN1yZG9xlOeK3QRdrknpjy4+pjB5Dg6nMgDIMd9Ck4WxZPLhzemLBpAoVPoAxDlu3knnV7s76+oMPLI/tcoO7LMfN8SaJI7aaqgkqozrmZDg2f4c76JovAMMLpqa8V7EJQNgseJjKsKX4G5/9/O7mOlEZPsXPDe6yHPzsDeeXwZSvHqONIjMTjsUrSFtpOC3OMHyvUu3ZuuTP8qG3k/iht1f3vth898X1BSpz4+3SUjxX9WYzUpokvV7txVVEUhnlkZgMziVUuGgFGQOGX49s9Wy7bXclpuiht5NoW7CHM8nPL13aWOczyetJw4l33HLIZDGeYM7Lg7uWRaNelsKwOCo9UGpk4dL5XJ/vVfywZ3etX6fdbQnCOurSidoWYMH07V+7L60/RlMZ1nBemQ/uMhlPpgCm7kmDOzs+HjEllbH/HTAuCteK8MFWC6ZA79Z+/93DfkHdq9SIykSW4m+ByrxAVIbfccslmpmMlCZJt6ndqUFApduKyrhMZdIBg9PqZOHSC0fDaMHUKHRrcFEMu7YdcZ2afB1lS56jgMq8IFrsRQ1nnmGyGOoOf6nhkQtDIdEs2ZGBQ+SRSKrelHAaiVGvsoGQR3C2IwEz79oNJBj1Zq3ZgqW48uH86rtLO+uLVOaqvLnOYHCTxCEN7prhwNk+ZgNwXyCiekRZZzXs0sAV5r7gPjzppSO42FLc+h2A2e4FkusQlfGOP9o6PY1f7fpldxNUJr4tyLfVGQxukhI1xmmbAQATmtO4YwYirIEUhnOsOD6YjSWJZq0p6LKOv9gd/gTADELFdZDHLJDh45YyCXn15U/Xdl8UVCaPzAY3SSuKy1IbN2st1R+xMPz4uMBMZcXxwa9xW+0cuC3f97ygQ9SlWxjCIbolKpsjQdie2vagdXLCPpxfbu5urD18f55cshrJJomW1cOSlMJAolnlUS8QMaz1hDBc2T1z8KjX8xkwOkwUPc9tVr2JJiCDbzn4i8x1HBwh9Kogv8pSHI4P3+3uXFiDpXgeWYz0TVLdVAbg8dVjpOptUI4gO7P0utToLYjA9dK+MTKrM0DGHRu2LlDIa21bfmVoWs06LMVPt6JtAajMNziTzFeQWYy0JgmDO49SAB+P1BR3dRyRI0xTesgvR/SiUrthK7g899pr5Up57Fabrlc1R/uADPVHLXCd8Gg7bslaLlmKfxybVwlL8XtuuiyPzMVyk8QSTdNqHZfSR712tB6abifw0lbvuEV56mLxNaNcLJYrxYlVdV1BZfYFlZFrbXgVMV1GzZvWhPBBmVc9/fcff/wB4UMeGYu0Jkm3B1Vqd1R/JDvmlqoiDq2H3CRgtg+sA9AcBbq3tdeKxX65ohWLRqVfrwoqY02eE0nGxqiXMgyTbHxbsCVhKU7Ch7cGP/39x/sXHszXSRmL1CbJjg3Ah6o/opfPPVPYOysP+RXATC2p6lXVqFgu181+xSgWixVj7IPKWFV/dBG/lZbizmJSQxfvuZawFN+KziTdN7/ZXMtb7IxFqtxOGYDzcb2sIj4aoFIkn2sHU2cFMKZLbJiqUbEIwATz5qRYiepSU1CZWad80dZXxTQkfAiH3b1nyfEBdemN0y82LokW+7I8MhNXP8tN0uqol/sjWhiiY25020o+Z5f0BGCGlkVsuPC2gAsBpu41q/4YxFfUpc7hzJu5HaNDVEa3Vyd/SFCFDwPWcH7y+Us762s5lclOsKPzUthK1VsjKgMCK4UsNVxBwhZR7pyX8MJsuGb1AQ+KshGETXeG/sgwihGVsTqVThNUxtbTLcX1Ur1GGk75AOlrf+1urq09mM/xMhLcJCX86mxW9boe2Iot65C4goSOYbg6g9HVqNdq9o2iQkxnYnkuWuqgI36mgcqA1HSs0JctdjJE4imYFjs+kPDh0os5lclKpG6S9EIPw39W9aIfiiDkgJsiiXi9lPywbQtIXZzMqgwYUYcC6o+8caWoEZVBSWo2vWq9vy9AliL7PEo4Pjz7xYWcymQlUpskzGFCuoONfFSRYfTeAIiQEpcaitIKYOzBERSYF4GIfsCAoaQyEv1ReFgplon9lo2OmMpgW2C8vZpk2PHhRD30JqjMDqgMhA95nHNc/rjivMnBnUt3sJErzMG20wvjhWFjEK5mGCcIe23qoDGr46D+SMOoN5xUypMxfUAr07agWi8XjXQqIwRcQsOpHnp7h4QPaxA+5HGuwZukRFWARNPEW31qa92wbUzzm/FzodMDfQUwSETeYUcgQtMYMDKpoD+aH1aMeig/UKRtAQBjjMf7jp4GGSwxlyzFX9369D1QmUfzunSewU1SAjDU7ljTbiHyCbLFRZoURxGEUlzA7fpcbBjl0IXzy+HYqBCVGY0NI6iqDwBCk6pZrhzO6/0V9qurexVv0VL81Y++fHFnPacy5xrcJCViW1p6FMyFrTWJo5Tdc5Ilv10GU7HEJJcQErfV9XnQp6yDQoUM487oA3JbAOxMqqAyxWUqg9ZavVA6hKW4dK6KNJw7m2s5lTnPeGb1Dp8tPUB1g6rFo1718nmyhmBt9NxrSBxykov2p6wpwJSRVGaTjkgqWtEYqw8YBrFhAAYQCseV5zB+YbBOA75XEf7QRH2VhhN16b2cypxTpDdJbOmBcxMXVEL4qLKTVBOHjTykjddGkql4HtqfWceIAVMPSQqjUZ1SH/AOJYQ0Y4RPeyOkpIuADFuK870K+UPHdellUJm1Sxs5lTmn4CYpBS20IuxVMbn1goKteEWr6btDPM/GS2laG6mhC9ofr8mDOyCCkkp4WNbKZd5aA0L4L8IAhOYjUaK0twt6vJJatiYq8VMXUsOZbwvOJbhJUpyXWcRBoyuHLmLU65tYBbCTlNXeLvWOUDBYxKBCQ/vjh7MIMCqpVF2vDnwYhvxATXCdMNDKEYTMcUUTjdVzoDLq0QJaYvK9Cj91QRpOsS14Lxc+nEOkN0miFNUOYgMHF07N3Xb8lsnUh2d8vSqED1SNiktBYikGTJRUwqBsTA7RNMVb65nfiSBkaB2NQtUlG57jQn1Djg8U6qkLRWWwLdjNtwXnEckmiZ+/IWWLSirYUTc8X92GNJBvApeED/tEXhgthmx/gIXlUa+LDnoyB0a0aGvthWax0pdUBolGiyFDhZDVNyrHJKnM3tfrO/m24OyDm6RkhmktPpCEG4KG7ypeIYazYrBnNQ8JGYyX0ciIOug4DDl0GYmGyEPmibbWI9/tVPohqIxR1DjwZRI+ROqbVpta+jQqA/OqF15ay6nMGQerp5L7P4sM7o6jUwGxcqzxbYjQMbRcdzY/RErhqIxDyhkcWnFEPzAMzZjMm33smTqRmmoEwGAFafYNbSGw3S4CkMqaiAGTpDJkXrWz+d7ag/lU5uyC3wZNhO7EUhhJbu3CsdsUSUWNegtjN7S8oLwMmGo10tfFbbXpIuvQP0FlABioeouGrF7GCA1UOME/OMsYnVlztO88H9nI8As7KVTm1TcgfLjw3mM5lTmzuDu1SWIbIJ9VvTaojBr1CgUmDV3mgZEAjJjkjowyAyYIcSoQ7STHAAzmdn6/HO0NIHzwJpUODfYUYPyqED448raAr7RTqMyeMK+6sLP+Xk5lzirSmyT2UWVVb7QtEO7N3sCGAlM2xMsZxhjNaJIbUDvEEk2l6jXKRp+EDhHMyhA+zAEYzx2rJGN0XAuy30O6rF2yFE+nMkLDCSrzyGV5nEXw26DJUK4wRGX8I2UsBF5h1uqaAojWT/TUHbqLBbmN26bDcOYqVS8tI0VSMTTuwceVjut5WCdIDqMFoRzsXUwRPjCVIcRE5lU/ijneZXmcQbCjc3Jw13Big7taYtQbmgsJpLgchjHCJHdRoqlFV4/1UYWoCz7AVFlSmY6HrBNI7os/iXMUIQNmDWdKcF0SGs4v4RFy72V5pMcZNEkY8AbKFcYWV4+1esmWxkLO/sj3AZi0KFP7YwAhDBhaMAl9ndLKlIWMigsZCpGkMgARBZ+jeKAyySSTOpV5463vPnj9vsvy+H8j+TZoUqLp86gXGaaEWRq2BVgbiYZYS8VLX3XMkwgwPOpFoWIqs9x4a5LKBNxdGxVZ2RLCh3+nMu88/8MPD12Wxz/sXUtvG1UYzYYFv4EtQoIVYgGoFagV4lWxQIUNSCx4CKQYTzzBSXAexgN2MMEKDolrGgNxadLYDkmcpLitS5OBUoobHEJ5FWhJUYIQQmKHBDvO/e69vp7xOI8CHVvqoYVSUh7y4XznfN937/2fYX8b1L6iWd3qDWM2kMpe0oaoingdYZRnxaaLUU0jnbV6aSUzSlYGf24hDImKfhHTSQn8giFUtjXUpZKBxYctrUzfBz9fU5j/HSokBeyEoavpKB/Ji1fpxvfoaraE5ah6MJZXEYjFiqa91at2ZcjKKOgMfKikQDNKLD7ADIlpgR3qYWwizB/9t7ZcgyOuUkiifAT3IlZhYr7Y0uqa/MCdoGnmcmqWBWL6AtWHKRtyqzelrIyCLqAEBhImf8Hqklp8cETyQzqI4uvuvmZ6rwKcQxIhJi4AT6z3soAUSMYj+MBn5e6THVowGDRLfNOlrONTVn2YDeSjIRmgeGKu7gXrNYgvVXY4cyVDLT44IXSSLq0KTXTf3HINjvjfQ5I6tcpavXlcgTgTeI3dC6R2n3QbZTTGF3wvyUBcvaKZSlGrl596FGu/JTCiLmGMUorpmE5DTMvigwM+IIUpTHTf1HINzvh/J0n2CxxW13uL62F5NoQ+cHFSWoHowmAGywdIhaoad7lVykcFuQqjrExdwizNrq6RjlXXKWcrQx7mxb6/J66FpKuAG4kvMiQ531eXOR0zyxvRcsT+gRuKLoDGYZiFxahlRTPO89FGRqxoysRMjKinMGuzXMcgMooxEQcrE/K9SP8Jf01cC0nO+P9Dkn0Eqek4ChJFc9Zr+cATy4aFLvhIuciYSzmlMAC/4I6taBYojxuUmLmViTsTpjBWufFBBxRlaqxMaIFC0smfr4Wkerg6IUkdHzHikSEssqRAGPGBG2zPmw0QITiaJugCjxH0SsosjynCiLizkcOKZk62epezzOuschLqdmAxvExDTHgfZobYtzpWJiRCUn9/Y4ekW27ev3//LU1vs0RIqk8XT5BtYMbxgbNzrhn6wEWLBGssmBuaJuOLjhTj8/mSGqdM0CxoQc3a6h3LsRXNA+ouKjCClmmUiCioGx9Q2zSN/gkOVkaFpJnJRglJ1+25s4YX1+1/7BDDwYOP7G9uzqiQ5MwXeY2UYSyNZQzj4kbVMdfVDDspnSmYGpAM+BgCSVDHYJQBJGUM4ph3CY3ghMxHcjHcMMoZ/B31WpCOrWHsbQa5ihFlRMT2BOwhKd0YIWn3s8/MT09PP/V09RLgbU+OHxKEAR65paVpoUKSM110teCNDxyLCgk6ByuMyHLQXEyl1sqapgd9Ep5gYckAZeSHjHKyzAdMtKLJJ4pDorIdyBk4Wi2mBTaAYzpb6UNtY6zVGP8UZWRdCvmeb6CQdP3T88D0/DRQoczNj42PjxNdOGEGBx9pCG7/hyFJHWa0DqKhMCoQayhGZi7Bbjg0DAMVSQCPJqHpUqEMW9FMyVUYeSzyYmWrl/nptUQO5tbBycRNbTFVIjMUiYAy8NUWK9NoIeneZ44RYQhTU/tbgJseGSe+EIgvYMz

Emails

href="mailto:[email protected]">[email protected]</a><br>

href="mailto:[email protected]">[email protected]</a>

URLs

http-equiv="X-UA-Compatible"

http://meyerweb.com/eric/tools/css/reset/

Signatures

MedusaLocker
Ransomware with several variants first seen in September 2019.
ransomware medusalocker

MedusaLocker payload 5 IoCs

resource	yara_rule
behavioral2/memory/4788-0-0x0000000000BF0000-0x0000000000F82000-memory.dmp	family_medusalocker
behavioral2/memory/4788-131-0x0000000000BF0000-0x0000000000F82000-memory.dmp	family_medusalocker
behavioral2/files/0x000800000002320c-739.dat	family_medusalocker
behavioral2/memory/3836-740-0x0000000000790000-0x0000000000B22000-memory.dmp	family_medusalocker
behavioral2/memory/3836-742-0x0000000000790000-0x0000000000B22000-memory.dmp	family_medusalocker

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	220201-tb2kpshagn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	220201-tb2kpshagn.exe

Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) 5 IoCs

resource	yara_rule
behavioral2/memory/4788-0-0x0000000000BF0000-0x0000000000F82000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/4788-131-0x0000000000BF0000-0x0000000000F82000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/files/0x000800000002320c-739.dat	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/3836-740-0x0000000000790000-0x0000000000B22000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/3836-742-0x0000000000790000-0x0000000000B22000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM

Detects command variations typically used by ransomware 5 IoCs

resource	yara_rule
behavioral2/memory/4788-0-0x0000000000BF0000-0x0000000000F82000-memory.dmp	INDICATOR_SUSPICIOUS_GENRansomware
behavioral2/memory/4788-131-0x0000000000BF0000-0x0000000000F82000-memory.dmp	INDICATOR_SUSPICIOUS_GENRansomware
behavioral2/files/0x000800000002320c-739.dat	INDICATOR_SUSPICIOUS_GENRansomware
behavioral2/memory/3836-740-0x0000000000790000-0x0000000000B22000-memory.dmp	INDICATOR_SUSPICIOUS_GENRansomware
behavioral2/memory/3836-742-0x0000000000790000-0x0000000000B22000-memory.dmp	INDICATOR_SUSPICIOUS_GENRansomware

Renames multiple (178) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 1 IoCs

pid	Process
3836	svchostt.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	220201-tb2kpshagn.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	\??\Z:\$RECYCLE.BIN\S-1-5-21-513485977-2495024337-1260977654-1000\desktop.ini	220201-tb2kpshagn.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	220201-tb2kpshagn.exe
File opened (read-only)	\??\Q:	220201-tb2kpshagn.exe
File opened (read-only)	\??\S:	220201-tb2kpshagn.exe
File opened (read-only)	\??\E:	220201-tb2kpshagn.exe
File opened (read-only)	\??\G:	220201-tb2kpshagn.exe
File opened (read-only)	\??\J:	220201-tb2kpshagn.exe
File opened (read-only)	\??\K:	220201-tb2kpshagn.exe
File opened (read-only)	\??\M:	220201-tb2kpshagn.exe
File opened (read-only)	\??\V:	220201-tb2kpshagn.exe
File opened (read-only)	\??\Y:	220201-tb2kpshagn.exe
File opened (read-only)	\??\Z:	220201-tb2kpshagn.exe
File opened (read-only)	\??\F:	220201-tb2kpshagn.exe
File opened (read-only)	\??\A:	220201-tb2kpshagn.exe
File opened (read-only)	\??\B:	220201-tb2kpshagn.exe
File opened (read-only)	\??\I:	220201-tb2kpshagn.exe
File opened (read-only)	\??\T:	220201-tb2kpshagn.exe
File opened (read-only)	\??\U:	220201-tb2kpshagn.exe
File opened (read-only)	\??\W:	220201-tb2kpshagn.exe
File opened (read-only)	\??\X:	220201-tb2kpshagn.exe
File opened (read-only)	\??\H:	220201-tb2kpshagn.exe
File opened (read-only)	\??\L:	220201-tb2kpshagn.exe
File opened (read-only)	\??\N:	220201-tb2kpshagn.exe
File opened (read-only)	\??\P:	220201-tb2kpshagn.exe
File opened (read-only)	\??\R:	220201-tb2kpshagn.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4788	220201-tb2kpshagn.exe
4788	220201-tb2kpshagn.exe
4788	220201-tb2kpshagn.exe
4788	220201-tb2kpshagn.exe
4788	220201-tb2kpshagn.exe
4788	220201-tb2kpshagn.exe
4788	220201-tb2kpshagn.exe
4788	220201-tb2kpshagn.exe
4788	220201-tb2kpshagn.exe
4788	220201-tb2kpshagn.exe
4788	220201-tb2kpshagn.exe
4788	220201-tb2kpshagn.exe
4788	220201-tb2kpshagn.exe
4788	220201-tb2kpshagn.exe
4788	220201-tb2kpshagn.exe
4788	220201-tb2kpshagn.exe
4788	220201-tb2kpshagn.exe
4788	220201-tb2kpshagn.exe
4788	220201-tb2kpshagn.exe
4788	220201-tb2kpshagn.exe
4788	220201-tb2kpshagn.exe
4788	220201-tb2kpshagn.exe
4788	220201-tb2kpshagn.exe
4788	220201-tb2kpshagn.exe
4788	220201-tb2kpshagn.exe
4788	220201-tb2kpshagn.exe
4788	220201-tb2kpshagn.exe
4788	220201-tb2kpshagn.exe
4788	220201-tb2kpshagn.exe
4788	220201-tb2kpshagn.exe
4788	220201-tb2kpshagn.exe
4788	220201-tb2kpshagn.exe
4788	220201-tb2kpshagn.exe
4788	220201-tb2kpshagn.exe
4788	220201-tb2kpshagn.exe
4788	220201-tb2kpshagn.exe
4788	220201-tb2kpshagn.exe
4788	220201-tb2kpshagn.exe
4788	220201-tb2kpshagn.exe
4788	220201-tb2kpshagn.exe
4788	220201-tb2kpshagn.exe
4788	220201-tb2kpshagn.exe
4788	220201-tb2kpshagn.exe
4788	220201-tb2kpshagn.exe
4788	220201-tb2kpshagn.exe
4788	220201-tb2kpshagn.exe
4788	220201-tb2kpshagn.exe
4788	220201-tb2kpshagn.exe
4788	220201-tb2kpshagn.exe
4788	220201-tb2kpshagn.exe
4788	220201-tb2kpshagn.exe
4788	220201-tb2kpshagn.exe
4788	220201-tb2kpshagn.exe
4788	220201-tb2kpshagn.exe
4788	220201-tb2kpshagn.exe
4788	220201-tb2kpshagn.exe
4788	220201-tb2kpshagn.exe
4788	220201-tb2kpshagn.exe
4788	220201-tb2kpshagn.exe
4788	220201-tb2kpshagn.exe
4788	220201-tb2kpshagn.exe
4788	220201-tb2kpshagn.exe
4788	220201-tb2kpshagn.exe
4788	220201-tb2kpshagn.exe

Suspicious use of AdjustPrivilegeToken 63 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4240	wmic.exe
Token: SeSecurityPrivilege	4240	wmic.exe
Token: SeTakeOwnershipPrivilege	4240	wmic.exe
Token: SeLoadDriverPrivilege	4240	wmic.exe
Token: SeSystemProfilePrivilege	4240	wmic.exe
Token: SeSystemtimePrivilege	4240	wmic.exe
Token: SeProfSingleProcessPrivilege	4240	wmic.exe
Token: SeIncBasePriorityPrivilege	4240	wmic.exe
Token: SeCreatePagefilePrivilege	4240	wmic.exe
Token: SeBackupPrivilege	4240	wmic.exe
Token: SeRestorePrivilege	4240	wmic.exe
Token: SeShutdownPrivilege	4240	wmic.exe
Token: SeDebugPrivilege	4240	wmic.exe
Token: SeSystemEnvironmentPrivilege	4240	wmic.exe
Token: SeRemoteShutdownPrivilege	4240	wmic.exe
Token: SeUndockPrivilege	4240	wmic.exe
Token: SeManageVolumePrivilege	4240	wmic.exe
Token: 33	4240	wmic.exe
Token: 34	4240	wmic.exe
Token: 35	4240	wmic.exe
Token: 36	4240	wmic.exe
Token: SeIncreaseQuotaPrivilege	752	wmic.exe
Token: SeSecurityPrivilege	752	wmic.exe
Token: SeTakeOwnershipPrivilege	752	wmic.exe
Token: SeLoadDriverPrivilege	752	wmic.exe
Token: SeSystemProfilePrivilege	752	wmic.exe
Token: SeSystemtimePrivilege	752	wmic.exe
Token: SeProfSingleProcessPrivilege	752	wmic.exe
Token: SeIncBasePriorityPrivilege	752	wmic.exe
Token: SeCreatePagefilePrivilege	752	wmic.exe
Token: SeBackupPrivilege	752	wmic.exe
Token: SeRestorePrivilege	752	wmic.exe
Token: SeShutdownPrivilege	752	wmic.exe
Token: SeDebugPrivilege	752	wmic.exe
Token: SeSystemEnvironmentPrivilege	752	wmic.exe
Token: SeRemoteShutdownPrivilege	752	wmic.exe
Token: SeUndockPrivilege	752	wmic.exe
Token: SeManageVolumePrivilege	752	wmic.exe
Token: 33	752	wmic.exe
Token: 34	752	wmic.exe
Token: 35	752	wmic.exe
Token: 36	752	wmic.exe
Token: SeIncreaseQuotaPrivilege	3372	wmic.exe
Token: SeSecurityPrivilege	3372	wmic.exe
Token: SeTakeOwnershipPrivilege	3372	wmic.exe
Token: SeLoadDriverPrivilege	3372	wmic.exe
Token: SeSystemProfilePrivilege	3372	wmic.exe
Token: SeSystemtimePrivilege	3372	wmic.exe
Token: SeProfSingleProcessPrivilege	3372	wmic.exe
Token: SeIncBasePriorityPrivilege	3372	wmic.exe
Token: SeCreatePagefilePrivilege	3372	wmic.exe
Token: SeBackupPrivilege	3372	wmic.exe
Token: SeRestorePrivilege	3372	wmic.exe
Token: SeShutdownPrivilege	3372	wmic.exe
Token: SeDebugPrivilege	3372	wmic.exe
Token: SeSystemEnvironmentPrivilege	3372	wmic.exe
Token: SeRemoteShutdownPrivilege	3372	wmic.exe
Token: SeUndockPrivilege	3372	wmic.exe
Token: SeManageVolumePrivilege	3372	wmic.exe
Token: 33	3372	wmic.exe
Token: 34	3372	wmic.exe
Token: 35	3372	wmic.exe
Token: 36	3372	wmic.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4788 wrote to memory of 4240	4788	220201-tb2kpshagn.exe	92
PID 4788 wrote to memory of 4240	4788	220201-tb2kpshagn.exe	92
PID 4788 wrote to memory of 4240	4788	220201-tb2kpshagn.exe	92
PID 4788 wrote to memory of 752	4788	220201-tb2kpshagn.exe	95
PID 4788 wrote to memory of 752	4788	220201-tb2kpshagn.exe	95
PID 4788 wrote to memory of 752	4788	220201-tb2kpshagn.exe	95
PID 4788 wrote to memory of 3372	4788	220201-tb2kpshagn.exe	97
PID 4788 wrote to memory of 3372	4788	220201-tb2kpshagn.exe	97
PID 4788 wrote to memory of 3372	4788	220201-tb2kpshagn.exe	97

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	220201-tb2kpshagn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	220201-tb2kpshagn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	220201-tb2kpshagn.exe

C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe
"C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4788
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4240
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:752
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3372

C:\Users\Admin\AppData\Roaming\svchostt.exe
C:\Users\Admin\AppData\Roaming\svchostt.exe
1⤵
- Executes dropped EXE
PID:3836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\log.txt

Filesize
4KB

MD5
eca8eb9c5b6458f2d08f8a61cbde1e2e

SHA1
7df0c367f5e45e22724e45265c7b0cd5aaa15651

SHA256
991dfe71da3ea65d2bae56825e1557728abdca494dc3dce9cc721dc3127ded21

SHA512
a57b373422861da74cd85f7442bf9f47590aecbeb2bd6cd238b38ebab9d66240c0979898f30c000acc58bbe6c17511fe12d52ca172beba8fddb0635df5fc1db2

Download Submit
C:\Users\Admin\AppData\Roaming\svchostt.exe

Filesize
2.6MB

MD5
aa3684dd93b13628b626723bfe313dbc

SHA1
d2a08733f52ba0187dd43a45b7ea6953f69522bd

SHA256
02f250a3df59dec575f26679ebd25de7c1d5b4d9d08016685f87a3628a393f92

SHA512
22ffb71722f5afd6925d37628585dc182e3f2cfd6f472a522e8a418dcf7adf76c16aed6313c9a477e2cfa3b646bf450f2cffee8d37a51a63c926c5ef18450ac0

Download Submit
C:\Users\Default\ntuser.dat.LOG2

Filesize
536B

MD5
c02e5bb605abf49a21cdacd7e9b15bf2

SHA1
a9bd4c03199b12e50d368b2469556ba3af44e32b

SHA256
ffa944568884617d23309993ba2721abb98a64095885b60e9abd05b2fd754c93

SHA512
f7326d9d94610771db085a465d7f169864bc151e01ad002fa0f7117069632a4fa00e83e8d0342b6fa03c4bf0880be7b9fd6e97ce443ad0c35df53f7c248e05b0

Download Submit
\Device\HarddiskVolume1\Boot\HOW_TO_RECOVER_DATA.html

Filesize
47KB

MD5
042b48ec7ac5788c49bd74248bc8ea60

SHA1
3a91f9c2541c2cc22fcbc0bbc43b005f642881b7

SHA256
ceaf2ea8d8283e81af8f86a50f509d8847bd577520e7631a2fc50a8fa216fae8

SHA512
9f25da11e594937fc1abf799abf8fe75952f0a49f21cb69c7ce18fd513a0e006c92de80279140b58833f31982b5ef7a36e0d161aebdae6b6dbc5fb4c2e65c0fc

Download Submit
memory/3836-740-0x0000000000790000-0x0000000000B22000-memory.dmp

Filesize
3.6MB

Download
memory/3836-742-0x0000000000790000-0x0000000000B22000-memory.dmp

Filesize
3.6MB

Download
memory/4788-0-0x0000000000BF0000-0x0000000000F82000-memory.dmp

Filesize
3.6MB

Download
memory/4788-131-0x0000000000BF0000-0x0000000000F82000-memory.dmp

Filesize
3.6MB

Download