Analysis
max time kernel: 140s
max time network: 109s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240419-en locale:en-us os:windows10-2004-x64 system
submitted: 07-05-2024 07:47
Behavioral task
behavioral1
Sample: 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe
Resource: win10v2004-20240419-en
General
Target: 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe
Size: 669KB
MD5: 646698572afbbf24f50ec5681feb2db7
SHA1: 70530bc23bad38e6aee66cbb2c2f58a96a18fb79
SHA256: 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0
SHA512: 89bad552a3c0d8b28550957872561d03bf239d2708d616f21cbf22e58ae749542b07eee00fedac6fdb83c5969f50ea0f56fc103264a164671a94e156f73f160a
SSDEEP: 12288:dQA0FfTcwpBuV2UxqDmuiLZeUaoFi2XZWfGe615HhAZV8D4KD/KeX:Tuf4wTuV2Ux3uIZeUBi2Te6HWdKrKe
Malware Config
Extracted: \Device\HarddiskVolume1\how_to_back_files.html
Signatures
-
MedusaLocker
Ransomware with several variants first seen in September 2019.
-
MedusaLocker payload 1 IoCs
resource  yara_rule
behavioral1/files/0x000f000000023b5f-608.dat  family_medusalocker
-
UAC bypass
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe
-
Renames multiple (195) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Executes dropped EXE 1 IoCs
pid  Process
744  svhost.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks whether UAC is enabled
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe
-
Drops desktop.ini file(s) 1 IoCs
description  ioc  Process
File opened for modification  \??\Z:\$RECYCLE.BIN\S-1-5-21-2860750803-256193626-1801997576-1000\desktop.ini  26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description  ioc  Process
File opened (read-only)  \??\B:  26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe
File opened (read-only)  \??\V:  26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe
File opened (read-only)  \??\Y:  26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe
File opened (read-only)  \??\A:  26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe
File opened (read-only)  \??\E:  26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe
File opened (read-only)  \??\H:  26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe
File opened (read-only)  \??\L:  26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe
File opened (read-only)  \??\T:  26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe
File opened (read-only)  \??\U:  26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe
File opened (read-only)  \??\N:  26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe
File opened (read-only)  \??\O:  26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe
File opened (read-only)  \??\P:  26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe
File opened (read-only)  \??\Q:  26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe
File opened (read-only)  \??\R:  26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe
File opened (read-only)  \??\S:  26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe
File opened (read-only)  \??\X:  26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe
File opened (read-only)  \??\Z:  26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe
File opened (read-only)  \??\G:  26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe
File opened (read-only)  \??\I:  26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe
File opened (read-only)  \??\J:  26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe
File opened (read-only)  \??\K:  26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe
File opened (read-only)  \??\M:  26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe
File opened (read-only)  \??\W:  26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 63 IoCs
description  pid  Process
Each of the 21 tokens below was adjusted by wmic.exe under each of PIDs 2176, 2604 and 3504 (one IoC per token and PID, 63 in total):
Token: SeIncreaseQuotaPrivilege
Token: SeSecurityPrivilege
Token: SeTakeOwnershipPrivilege
Token: SeLoadDriverPrivilege
Token: SeSystemProfilePrivilege
Token: SeSystemtimePrivilege
Token: SeProfSingleProcessPrivilege
Token: SeIncBasePriorityPrivilege
Token: SeCreatePagefilePrivilege
Token: SeBackupPrivilege
Token: SeRestorePrivilege
Token: SeShutdownPrivilege
Token: SeDebugPrivilege
Token: SeSystemEnvironmentPrivilege
Token: SeRemoteShutdownPrivilege
Token: SeUndockPrivilege
Token: SeManageVolumePrivilege
Token: 33
Token: 34
Token: 35
Token: 36
-
Suspicious use of WriteProcessMemory 9 IoCs
description  pid  Process  procid_target
PID 852 wrote to memory of 2176  852  26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe  84
PID 852 wrote to memory of 2176  852  26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe  84
PID 852 wrote to memory of 2176  852  26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe  84
PID 852 wrote to memory of 2604  852  26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe  87
PID 852 wrote to memory of 2604  852  26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe  87
PID 852 wrote to memory of 2604  852  26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe  87
PID 852 wrote to memory of 3504  852  26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe  89
PID 852 wrote to memory of 3504  852  26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe  89
PID 852 wrote to memory of 3504  852  26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe  89
-
System policy modification 1 TTPs 3 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"  26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe
Processes
C:\Users\Admin\AppData\Local\Temp\26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0.exe"
  - UAC bypass
  - Checks whether UAC is enabled
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID: 852
    C:\Windows\SysWOW64\Wbem\wmic.exe
      Command line: wmic.exe SHADOWCOPY /nointeractive
      - Suspicious use of AdjustPrivilegeToken
      PID: 2176
    C:\Windows\SysWOW64\Wbem\wmic.exe
      Command line: wmic.exe SHADOWCOPY /nointeractive
      - Suspicious use of AdjustPrivilegeToken
      PID: 2604
    C:\Windows\SysWOW64\Wbem\wmic.exe
      Command line: wmic.exe SHADOWCOPY /nointeractive
      - Suspicious use of AdjustPrivilegeToken
      PID: 3504
C:\Users\Admin\AppData\Roaming\svhost.exe
  Command line: C:\Users\Admin\AppData\Roaming\svhost.exe
  - Executes dropped EXE
  PID: 744
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Modify Registry (2)
Downloads
-
Filesize: 669KB
MD5: 646698572afbbf24f50ec5681feb2db7
SHA1: 70530bc23bad38e6aee66cbb2c2f58a96a18fb79
SHA256: 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0
SHA512: 89bad552a3c0d8b28550957872561d03bf239d2708d616f21cbf22e58ae749542b07eee00fedac6fdb83c5969f50ea0f56fc103264a164671a94e156f73f160a
-
Filesize: 536B
MD5: 50c10b3381174918a0371f94a848c7d9
SHA1: 8fb5b222572c67cefbb0647c33811b0efcfc8b4f
SHA256: b705a901740eab989efe579047280410d0f4f12c881eaaab3d423818a349dd03
SHA512: e120c6537b0bcccdc659eed3817a9926fdc3eb423d385875cfb2fdfa56c2b474059f161ac85b47430f622ff0bde018a858b904862ae5d3b944224d34575654da
-
Filesize: 4KB
MD5: 313854ed265179e7a6ef069897a2e938
SHA1: 47a13d7fd940ab60ddabbb607aabd0652c93c42c
SHA256: 82ef800da761fcfaacbc9bdffbd8c4ae64caf49cdbd47e69e3ace46fae600a13
SHA512: 2d601e72cf32c9317e3a904ce7fb152c3f520c56453c28ff64e0caba7408c1998b8444ac7a64b87e2197560d8ebbeb4e0e265a1660e187c64707ec8cbc9f3d5f