Analysis
-
max time kernel
148s -
max time network
135s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system -
submitted
06-05-2024 17:41
Behavioral task
behavioral1
Sample
26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe
Resource
win10v2004-20240419-en
General
-
Target
26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe
-
Size
669KB
-
MD5
646698572afbbf24f50ec5681feb2db7
-
SHA1
70530bc23bad38e6aee66cbb2c2f58a96a18fb79
-
SHA256
26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0
-
SHA512
89bad552a3c0d8b28550957872561d03bf239d2708d616f21cbf22e58ae749542b07eee00fedac6fdb83c5969f50ea0f56fc103264a164671a94e156f73f160a
-
SSDEEP
12288:dQA0FfTcwpBuV2UxqDmuiLZeUaoFi2XZWfGe615HhAZV8D4KD/KeX:Tuf4wTuV2Ux3uIZeUBi2Te6HWdKrKe
Malware Config
Extracted
\Device\HarddiskVolume1\how_to_back_files.html
Signatures
-
MedusaLocker
Ransomware with several variants first seen in September 2019.
-
MedusaLocker payload 1 IoCs
resource yara_rule behavioral2/files/0x000d000000023b63-683.dat family_medusalocker -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe -
Renames multiple (220) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Executes dropped EXE 1 IoCs
pid Process 4880 svhost.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe -
Drops desktop.ini file(s) 1 IoCs
description ioc Process File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-2860750803-256193626-1801997576-1000\desktop.ini 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\U: 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe File opened (read-only) \??\A: 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe File opened (read-only) \??\B: 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe File opened (read-only) \??\K: 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe File opened (read-only) \??\N: 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe File opened (read-only) \??\P: 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe File opened (read-only) \??\V: 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe File opened (read-only) \??\W: 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe File opened (read-only) \??\Y: 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe File opened (read-only) \??\E: 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe File opened (read-only) \??\H: 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe File opened (read-only) \??\I: 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe File opened (read-only) \??\J: 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe File opened (read-only) \??\R: 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe File opened (read-only) \??\G: 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe File opened (read-only) \??\O: 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe File opened (read-only) \??\T: 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe File opened (read-only) \??\Z: 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe File opened (read-only) \??\F: 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe File opened (read-only) \??\L: 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe File opened (read-only) \??\M: 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe File opened (read-only) \??\Q: 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe File opened (read-only) \??\S: 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe File opened (read-only) \??\X: 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3276 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe 3276 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe 3276 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe 3276 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe 3276 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe 3276 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe 3276 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe 3276 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe 3276 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe 3276 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe 3276 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe 3276 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe 3276 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe 3276 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe 3276 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe 3276 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe 3276 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe 3276 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe 3276 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe 3276 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe 3276 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe 3276 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe 3276 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe 3276 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe 3276 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe 3276 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe 3276 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe 3276 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe 3276 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe 3276 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe 3276 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe 3276 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe 3276 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe 3276 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe 3276 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe 3276 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe 3276 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe 3276 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe 3276 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe 3276 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe 3276 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe 3276 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe 3276 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe 3276 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe 3276 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe 3276 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe 3276 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe 3276 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe 3276 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe 3276 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe 3276 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe 3276 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe 3276 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe 3276 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe 3276 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe 3276 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe 3276 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe 3276 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe 3276 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe 3276 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe 3276 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe 3276 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe 3276 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe 3276 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe -
Suspicious use of AdjustPrivilegeToken 63 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 3936 wmic.exe Token: SeSecurityPrivilege 3936 wmic.exe Token: SeTakeOwnershipPrivilege 3936 wmic.exe Token: SeLoadDriverPrivilege 3936 wmic.exe Token: SeSystemProfilePrivilege 3936 wmic.exe Token: SeSystemtimePrivilege 3936 wmic.exe Token: SeProfSingleProcessPrivilege 3936 wmic.exe Token: SeIncBasePriorityPrivilege 3936 wmic.exe Token: SeCreatePagefilePrivilege 3936 wmic.exe Token: SeBackupPrivilege 3936 wmic.exe Token: SeRestorePrivilege 3936 wmic.exe Token: SeShutdownPrivilege 3936 wmic.exe Token: SeDebugPrivilege 3936 wmic.exe Token: SeSystemEnvironmentPrivilege 3936 wmic.exe Token: SeRemoteShutdownPrivilege 3936 wmic.exe Token: SeUndockPrivilege 3936 wmic.exe Token: SeManageVolumePrivilege 3936 wmic.exe Token: 33 3936 wmic.exe Token: 34 3936 wmic.exe Token: 35 3936 wmic.exe Token: 36 3936 wmic.exe Token: SeIncreaseQuotaPrivilege 3020 wmic.exe Token: SeSecurityPrivilege 3020 wmic.exe Token: SeTakeOwnershipPrivilege 3020 wmic.exe Token: SeLoadDriverPrivilege 3020 wmic.exe Token: SeSystemProfilePrivilege 3020 wmic.exe Token: SeSystemtimePrivilege 3020 wmic.exe Token: SeProfSingleProcessPrivilege 3020 wmic.exe Token: SeIncBasePriorityPrivilege 3020 wmic.exe Token: SeCreatePagefilePrivilege 3020 wmic.exe Token: SeBackupPrivilege 3020 wmic.exe Token: SeRestorePrivilege 3020 wmic.exe Token: SeShutdownPrivilege 3020 wmic.exe Token: SeDebugPrivilege 3020 wmic.exe Token: SeSystemEnvironmentPrivilege 3020 wmic.exe Token: SeRemoteShutdownPrivilege 3020 wmic.exe Token: SeUndockPrivilege 3020 wmic.exe Token: SeManageVolumePrivilege 3020 wmic.exe Token: 33 3020 wmic.exe Token: 34 3020 wmic.exe Token: 35 3020 wmic.exe Token: 36 3020 wmic.exe Token: SeIncreaseQuotaPrivilege 4840 wmic.exe Token: SeSecurityPrivilege 4840 wmic.exe Token: SeTakeOwnershipPrivilege 4840 wmic.exe Token: SeLoadDriverPrivilege 4840 wmic.exe Token: SeSystemProfilePrivilege 4840 wmic.exe Token: SeSystemtimePrivilege 4840 wmic.exe Token: SeProfSingleProcessPrivilege 4840 wmic.exe Token: SeIncBasePriorityPrivilege 4840 wmic.exe Token: SeCreatePagefilePrivilege 4840 wmic.exe Token: SeBackupPrivilege 4840 wmic.exe Token: SeRestorePrivilege 4840 wmic.exe Token: SeShutdownPrivilege 4840 wmic.exe Token: SeDebugPrivilege 4840 wmic.exe Token: SeSystemEnvironmentPrivilege 4840 wmic.exe Token: SeRemoteShutdownPrivilege 4840 wmic.exe Token: SeUndockPrivilege 4840 wmic.exe Token: SeManageVolumePrivilege 4840 wmic.exe Token: 33 4840 wmic.exe Token: 34 4840 wmic.exe Token: 35 4840 wmic.exe Token: 36 4840 wmic.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 3276 wrote to memory of 3936 3276 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe 84 PID 3276 wrote to memory of 3936 3276 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe 84 PID 3276 wrote to memory of 3936 3276 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe 84 PID 3276 wrote to memory of 3020 3276 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe 88 PID 3276 wrote to memory of 3020 3276 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe 88 PID 3276 wrote to memory of 3020 3276 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe 88 PID 3276 wrote to memory of 4840 3276 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe 90 PID 3276 wrote to memory of 4840 3276 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe 90 PID 3276 wrote to memory of 4840 3276 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe 90 -
System policy modification 1 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe"C:\Users\Admin\AppData\Local\Temp\26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe"1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3276 -
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3936
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3020
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4840
-
-
C:\Users\Admin\AppData\Roaming\svhost.exeC:\Users\Admin\AppData\Roaming\svhost.exe1⤵
- Executes dropped EXE
PID:4880
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
669KB
MD5646698572afbbf24f50ec5681feb2db7
SHA170530bc23bad38e6aee66cbb2c2f58a96a18fb79
SHA25626af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0
SHA51289bad552a3c0d8b28550957872561d03bf239d2708d616f21cbf22e58ae749542b07eee00fedac6fdb83c5969f50ea0f56fc103264a164671a94e156f73f160a
-
Filesize
536B
MD52ce7e0ff005e81a47de65fff6170e80f
SHA10318040012735b0679dddcb283b999dab065c60e
SHA25612da7208d88613a309a778742e700479d5fe93b7c48cf947d89bbae9d5c3a308
SHA512bd05a1ed58e8b7975c9100c217867678a9f7855e61e7080a45d40c6b91345efd098ee699244fd2ce30cb16eae76074490ed4889e722c4c5304da8fe093e63eca
-
Filesize
4KB
MD5c17c31bea83d09d07d8603245833a986
SHA174df3cf3fd7099479b5e0e3136b36dba850b851a
SHA256e84a8d65961fdc01359ed1778be18e7f8fa25e1bde1e9ecdbb3cee548c6e47d6
SHA512f22ad1a301bcaa78cf80944324c81a15c096ea10ecde5104def7ecaafde8d8d49ef07bfc53d2e17d0c2273d3e4f925c55eac7266ebea725acc1de007a2656596