Malware Analysis Report

2024-09-11 01:46

Sample ID 240327-eg7atafb4x
Target 220201-tb2kpshagn
SHA256 02f250a3df59dec575f26679ebd25de7c1d5b4d9d08016685f87a3628a393f92
Tags
medusalocker evasion ransomware spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

02f250a3df59dec575f26679ebd25de7c1d5b4d9d08016685f87a3628a393f92

Threat Level: Known bad

The file 220201-tb2kpshagn was found to be: Known bad.

Malicious Activity Summary

medusalocker evasion ransomware spyware stealer trojan

MedusaLocker

MedusaLocker payload

Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

UAC bypass

Medusalocker family

Detects command variations typically used by ransomware

Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Detects command variations typically used by ransomware

Renames multiple (178) files with added filename extension

Deletes shadow copies

Renames multiple (261) files with added filename extension

Reads user/profile data of web browsers

Executes dropped EXE

Drops desktop.ini file(s)

Checks whether UAC is enabled

Enumerates connected drives

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

System policy modification

Interacts with shadow copies

Uses Volume Shadow Copy service COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-03-27 03:55

Signatures

Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Description Indicator Process Target
N/A N/A N/A N/A

Detects command variations typically used by ransomware

Description Indicator Process Target
N/A N/A N/A N/A

MedusaLocker payload

Description Indicator Process Target
N/A N/A N/A N/A

Medusalocker family

medusalocker

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-27 03:55

Reported

2024-03-27 03:58

Platform

win7-20240220-en

Max time kernel

126s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe"

Signatures

MedusaLocker

ransomware medusalocker

MedusaLocker payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A

Deletes shadow copies

ransomware

Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects command variations typically used by ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Renames multiple (261) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\svchostt.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-2721934792-624042501-2768869379-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 840 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe C:\Windows\SysWOW64\vssadmin.exe
PID 840 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe C:\Windows\SysWOW64\vssadmin.exe
PID 840 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe C:\Windows\SysWOW64\vssadmin.exe
PID 840 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe C:\Windows\SysWOW64\vssadmin.exe
PID 840 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 840 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 840 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 840 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 840 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe C:\Windows\SysWOW64\vssadmin.exe
PID 840 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe C:\Windows\SysWOW64\vssadmin.exe
PID 840 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe C:\Windows\SysWOW64\vssadmin.exe
PID 840 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe C:\Windows\SysWOW64\vssadmin.exe
PID 840 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 840 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 840 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 840 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 840 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe C:\Windows\SysWOW64\vssadmin.exe
PID 840 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe C:\Windows\SysWOW64\vssadmin.exe
PID 840 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe C:\Windows\SysWOW64\vssadmin.exe
PID 840 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe C:\Windows\SysWOW64\vssadmin.exe
PID 840 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 840 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 840 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 840 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2692 wrote to memory of 1576 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\svchostt.exe
PID 2692 wrote to memory of 1576 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\svchostt.exe
PID 2692 wrote to memory of 1576 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\svchostt.exe
PID 2692 wrote to memory of 1576 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\svchostt.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe

"C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe"

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\system32\taskeng.exe

taskeng.exe {F8DB6D99-47F3-496A-9174-9CF4C311FD86} S-1-5-21-2721934792-624042501-2768869379-1000:BISMIZHX\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\svchostt.exe

C:\Users\Admin\AppData\Roaming\svchostt.exe

Network

N/A

Files

memory/840-0-0x0000000000870000-0x0000000000C02000-memory.dmp

\Device\HarddiskVolume1\Boot\HOW_TO_RECOVER_DATA.html

MD5 fda6a70452bcee475f64d404b56f4a78
SHA1 666d45894a0af56be78e52ce824fba344582de06
SHA256 cd51c89403adb89ac2c762ca2eae52d81a417e769c751c0af602877963fb26e4
SHA512 684024ce1dc9ecac29552b3522675f3f7e19da6f89e85e2fc8ff0d85c9be8d5254b2ccb707d78484fc0f8abacb62e182625dc9f1dcb51f47c961f9a8aa314fd6

C:\Users\Admin\AppData\Local\Temp\log.txt

MD5 5266fb450f107fed45864290ee45bbd6
SHA1 7783de2bbee0b27f4a575cbd498713807402aade
SHA256 5f54954fff01e3d22f8a80ac2e9f6f9157ce4337e13f5bc7944173fce0a3164f
SHA512 54cec87b103f6abb9343a04a382b7aa9d0bffb899d1cf642cf3bae518ba98dcad713a3f1cf3f501a2cebdcd42675eef3233e4d0891b90c162af5edc312df96e2

C:\Users\Default\NTUSER.DAT.LOG2

MD5 3648f03da64d16f6f9e9db7d8e0ee726
SHA1 a08b43a05422735f328ba26ad4d697958921e270
SHA256 fca6e47c229a78a1e3721dca8d700e169eadea2f10f41d92b4b2fe930730ea11
SHA512 27488a10e7cb02a9542fc1b86dbe399232c0b28da4c5446d8455a71739dd1fbb135c3345c7e794a4f8e3cfa3a56a010953efa1230ca39c43fbe771342a9159a4

memory/840-1065-0x0000000000870000-0x0000000000C02000-memory.dmp

C:\Users\Admin\AppData\Roaming\svchostt.exe

MD5 aa3684dd93b13628b626723bfe313dbc
SHA1 d2a08733f52ba0187dd43a45b7ea6953f69522bd
SHA256 02f250a3df59dec575f26679ebd25de7c1d5b4d9d08016685f87a3628a393f92
SHA512 22ffb71722f5afd6925d37628585dc182e3f2cfd6f472a522e8a418dcf7adf76c16aed6313c9a477e2cfa3b646bf450f2cffee8d37a51a63c926c5ef18450ac0

memory/1576-1068-0x00000000008C0000-0x0000000000C52000-memory.dmp

memory/1576-1069-0x00000000008C0000-0x0000000000C52000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-27 03:55

Reported

2024-03-27 03:58

Platform

win10v2004-20240226-en

Max time kernel

147s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe"

Signatures

MedusaLocker

ransomware medusalocker

MedusaLocker payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A

Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects command variations typically used by ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Renames multiple (178) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\svchostt.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-513485977-2495024337-1260977654-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A

The 21-row block above is recorded three times in the original report, once for each of the three wmic.exe SHADOWCOPY /nointeractive processes listed under Processes; the rows are identical in every block. The 21 privileges are the complete set held by an elevated administrator token. Tokens 33 to 36 are privilege LUIDs the sandbox did not resolve to names; on current Windows they are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege and SeDelegateSessionUserImpersonatePrivilege. Every row is attributed to wmic.exe, not to the sample, and enabling all privileges in its token in one pass is how wmic.exe behaves regardless of who launched it, so this signature carries little weight on its own. The useful signal is what wmic.exe was launched to do, which is recorded in the Processes section.

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A

Taken together these three writes remove the elevation barrier and widen the reach of the encryptor. EnableLUA = 0 switches UAC off (effective at the next logon). ConsentPromptBehaviorAdmin = 0 makes members of Administrators elevate silently, with no consent dialog, for as long as UAC is still on. EnableLinkedConnections = 1 makes drive letters mapped under the user's standard token visible to the elevated token, so mapped network shares are encrypted alongside local volumes. All three are written by the sample itself, under HKLM, and are concrete values a GPO baseline or EDR rule can alert on directly.
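The helper below is an added example, not part of the sandbox's tooling or of anything the report attributes to the sample. It parses "Set value" rows in the flattened Description/Indicator/Process/Target layout this report uses and flags writes under Policies\System that leave UAC or linked-connection handling in a weakened state. The hardened baselines (UAC on, consent prompt for administrators, linked connections off) are assumptions taken from Windows defaults; the report states no baseline. The three sample rows are the ones from the table above.

```python
"""Triage helper: flag UAC/linked-connection policy writes from sandbox rows."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

POLICY_SYSTEM = (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows"
                 r"\CurrentVersion\Policies\System")

# Constructed input: the three rows of the "System policy modification" table.
SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe N/A',
]

# Row layout: Description Indicator Process Target, whitespace separated.
# Assumes the process path carries no spaces, which holds for every row here.
LINE_RE = re.compile(
    r'^Set value \((?P<type>\w+)\)\s+'
    r'(?P<key>\\REGISTRY\\\S+)\\(?P<name>[^\\\s]+)\s+=\s+"(?P<value>[^"]*)"\s+'
    r'(?P<process>\S+)\s+(?P<target>\S+)$'
)


@dataclass(frozen=True)
class RegWrite:
    value_type: str
    key: str
    name: str
    value: str
    process: str


@dataclass(frozen=True)
class Finding:
    name: str
    value: str
    process: str
    reason: str


def parse_row(line: str) -> Optional[RegWrite]:
    """Parse one report row; rows that are not 'Set value' events yield None."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return RegWrite(m["type"], m["key"], m["name"], m["value"], m["process"])


def parse_report(rows: List[str]) -> List[RegWrite]:
    return [w for w in map(parse_row, rows) if w is not None]


# Hardened expectation per value and what a deviation buys the attacker.
# Baselines are assumptions taken from Windows defaults, not from the report.
RULES: Dict[str, Tuple[Callable[[int], bool], str]] = {
    "EnableLUA": (
        lambda v: v == 1,
        "UAC switched off; effective at next logon, then admin processes run fully elevated"),
    "ConsentPromptBehaviorAdmin": (
        lambda v: v != 0,
        "0 = elevate without prompting, so the admin user sees no consent dialog"),
    "EnableLinkedConnections": (
        lambda v: v == 0,
        "1 = mapped network drives are shared with the elevated token, putting shares in reach"),
}


def assess(writes: List[RegWrite]) -> List[Finding]:
    """Return one Finding per policy write that leaves the value weakened."""
    findings: List[Finding] = []
    for w in writes:
        if w.key.lower() != POLICY_SYSTEM.lower() or w.name not in RULES:
            continue
        try:
            v = int(w.value, 0)
        except ValueError:
            continue  # non-numeric data for an int policy: leave for manual review
        ok, reason = RULES[w.name]
        if not ok(v):
            findings.append(Finding(w.name, w.value, w.process, reason))
    return findings


if __name__ == "__main__":
    for f in assess(parse_report(SAMPLE_ROWS)):
        print(f"{f.name}={f.value} by {f.process}: {f.reason}")
```

Feeding the three rows through assess() produces one finding per row. The key comparison is pinned to Policies\System so that unrelated HKLM writes in a longer report are ignored, and a non-integer payload for one of these names is skipped rather than guessed at.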

Processes

C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe

"C:\Users\Admin\AppData\Local\Temp\220201-tb2kpshagn.exe"

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Users\Admin\AppData\Roaming\svchostt.exe

C:\Users\Admin\AppData\Roaming\svchostt.exe

Network

Every entry below is either a PTR (in-addr.arpa) query sent to 8.8.8.8 or a TLS connection to tse1.mm.bing.net; the report attributes no other outbound destination to the sample, so this table yields no network indicator specific to it.

Country Destination Domain Proto
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 171.117.168.52.in-addr.arpa udp

Files

memory/4788-0-0x0000000000BF0000-0x0000000000F82000-memory.dmp

\Device\HarddiskVolume1\Boot\HOW_TO_RECOVER_DATA.html (MedusaLocker ransom note, written on the boot volume)

MD5 042b48ec7ac5788c49bd74248bc8ea60
SHA1 3a91f9c2541c2cc22fcbc0bbc43b005f642881b7
SHA256 ceaf2ea8d8283e81af8f86a50f509d8847bd577520e7631a2fc50a8fa216fae8
SHA512 9f25da11e594937fc1abf799abf8fe75952f0a49f21cb69c7ce18fd513a0e006c92de80279140b58833f31982b5ef7a36e0d161aebdae6b6dbc5fb4c2e65c0fc

memory/4788-131-0x0000000000BF0000-0x0000000000F82000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\log.txt

MD5 eca8eb9c5b6458f2d08f8a61cbde1e2e
SHA1 7df0c367f5e45e22724e45265c7b0cd5aaa15651
SHA256 991dfe71da3ea65d2bae56825e1557728abdca494dc3dce9cc721dc3127ded21
SHA512 a57b373422861da74cd85f7442bf9f47590aecbeb2bd6cd238b38ebab9d66240c0979898f30c000acc58bbe6c17511fe12d52ca172beba8fddb0635df5fc1db2

C:\Users\Default\ntuser.dat.LOG2

MD5 c02e5bb605abf49a21cdacd7e9b15bf2
SHA1 a9bd4c03199b12e50d368b2469556ba3af44e32b
SHA256 ffa944568884617d23309993ba2721abb98a64095885b60e9abd05b2fd754c93
SHA512 f7326d9d94610771db085a465d7f169864bc151e01ad002fa0f7117069632a4fa00e83e8d0342b6fa03c4bf0880be7b9fd6e97ce443ad0c35df53f7c248e05b0

C:\Users\Admin\AppData\Roaming\svchostt.exe (SHA256 identical to the submitted sample: a self-copy into the roaming profile under a svchost lookalike name)

MD5 aa3684dd93b13628b626723bfe313dbc
SHA1 d2a08733f52ba0187dd43a45b7ea6953f69522bd
SHA256 02f250a3df59dec575f26679ebd25de7c1d5b4d9d08016685f87a3628a393f92
SHA512 22ffb71722f5afd6925d37628585dc182e3f2cfd6f472a522e8a418dcf7adf76c16aed6313c9a477e2cfa3b646bf450f2cffee8d37a51a63c926c5ef18450ac0

memory/3836-740-0x0000000000790000-0x0000000000B22000-memory.dmp

memory/3836-742-0x0000000000790000-0x0000000000B22000-memory.dmp