Analysis
max time kernel: 128s
max time network: 120s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 23-06-2024 22:50
Behavioral task: behavioral1
Sample: 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe
Resource: win7-20240508-en
Behavioral task: behavioral2
Sample: 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe
Resource: win10v2004-20240508-en
General
Target: 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe
Size: 5.6MB
MD5: 095db264f03dba2cb16f1e3acaf60d27
SHA1: 2b1bb5b5aedcc0dd95eb694ae53aa4ce108c85bb
SHA256: 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6
SHA512: 7706cdcb52fc5318ee6a14c9ba580980d7af4e851485de8662ac997359dbac140ad1cb8f31d9e71ee9574cb0307e4167c8a5e807cffabca6b093682f4d1232ea
SSDEEP: 98304:uv9Vu+MMjYAMHlaWnAskRRZfhck06/o/Di+R1MI064hHgjhxCJpGdKeeO53LSNpw:uv988KlaOARRZfCxDbxRj6HgbCbvSLSh
Malware Config
Extracted: \Device\HarddiskVolume1\Boot\Recovery_Instructions.html
Signatures

MedusaLocker
Ransomware with several variants first seen in September 2019.

MedusaLocker payload (5 IoCs)
resource  yara_rule
behavioral1/memory/348-5-0x00000000012F0000-0x0000000001C7C000-memory.dmp  family_medusalocker
behavioral1/memory/348-9-0x00000000012F0000-0x0000000001C7C000-memory.dmp  family_medusalocker
behavioral1/memory/348-11-0x00000000012F0000-0x0000000001C7C000-memory.dmp  family_medusalocker
behavioral1/memory/348-630-0x00000000012F0000-0x0000000001C7C000-memory.dmp  family_medusalocker
behavioral1/memory/2380-638-0x0000000000F50000-0x00000000018DC000-memory.dmp  family_medusalocker
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe
Deletes shadow copies (3 TTPs)
Ransomware often targets backup files to inhibit system recovery.
Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) (5 IoCs)
resource  yara_rule
behavioral1/memory/348-5-0x00000000012F0000-0x0000000001C7C000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/348-9-0x00000000012F0000-0x0000000001C7C000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/348-11-0x00000000012F0000-0x0000000001C7C000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/348-630-0x00000000012F0000-0x0000000001C7C000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2380-638-0x0000000000F50000-0x00000000018DC000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Detects command variations typically used by ransomware (5 IoCs)
resource  yara_rule
behavioral1/memory/348-5-0x00000000012F0000-0x0000000001C7C000-memory.dmp  INDICATOR_SUSPICIOUS_GENRansomware
behavioral1/memory/348-9-0x00000000012F0000-0x0000000001C7C000-memory.dmp  INDICATOR_SUSPICIOUS_GENRansomware
behavioral1/memory/348-11-0x00000000012F0000-0x0000000001C7C000-memory.dmp  INDICATOR_SUSPICIOUS_GENRansomware
behavioral1/memory/348-630-0x00000000012F0000-0x0000000001C7C000-memory.dmp  INDICATOR_SUSPICIOUS_GENRansomware
behavioral1/memory/2380-638-0x0000000000F50000-0x00000000018DC000-memory.dmp  INDICATOR_SUSPICIOUS_GENRansomware
Detects executables packed with VMProtect. (6 IoCs)
resource  yara_rule
behavioral1/memory/348-5-0x00000000012F0000-0x0000000001C7C000-memory.dmp  INDICATOR_EXE_Packed_VMProtect
behavioral1/memory/348-9-0x00000000012F0000-0x0000000001C7C000-memory.dmp  INDICATOR_EXE_Packed_VMProtect
behavioral1/memory/348-11-0x00000000012F0000-0x0000000001C7C000-memory.dmp  INDICATOR_EXE_Packed_VMProtect
behavioral1/memory/348-630-0x00000000012F0000-0x0000000001C7C000-memory.dmp  INDICATOR_EXE_Packed_VMProtect
behavioral1/files/0x000a000000012286-631.dat  INDICATOR_EXE_Packed_VMProtect
behavioral1/memory/2380-638-0x0000000000F50000-0x00000000018DC000-memory.dmp  INDICATOR_EXE_Packed_VMProtect
Renames multiple (199) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

Executes dropped EXE (1 IoCs)
pid  Process
2380  svhost.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

resource  yara_rule
behavioral1/memory/348-5-0x00000000012F0000-0x0000000001C7C000-memory.dmp  vmprotect
behavioral1/memory/348-9-0x00000000012F0000-0x0000000001C7C000-memory.dmp  vmprotect
behavioral1/memory/348-11-0x00000000012F0000-0x0000000001C7C000-memory.dmp  vmprotect
behavioral1/memory/348-630-0x00000000012F0000-0x0000000001C7C000-memory.dmp  vmprotect
behavioral1/files/0x000a000000012286-631.dat  vmprotect
behavioral1/memory/2380-638-0x0000000000F50000-0x00000000018DC000-memory.dmp  vmprotect

description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe
Drops desktop.ini file(s) (1 IoCs)
description  ioc  Process
File opened for modification  \??\Z:\$RECYCLE.BIN\S-1-5-21-2737914667-933161113-3798636211-1000\desktop.ini  706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description  ioc  Process
File opened (read-only)  \??\F:  706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe
File opened (read-only)  \??\J:  706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe
File opened (read-only)  \??\L:  706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe
File opened (read-only)  \??\M:  706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe
File opened (read-only)  \??\O:  706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe
File opened (read-only)  \??\V:  706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe
File opened (read-only)  \??\W:  706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe
File opened (read-only)  \??\E:  706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe
File opened (read-only)  \??\G:  706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe
File opened (read-only)  \??\K:  706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe
File opened (read-only)  \??\U:  706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe
File opened (read-only)  \??\Z:  706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe
File opened (read-only)  \??\I:  706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe
File opened (read-only)  \??\S:  706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe
File opened (read-only)  \??\T:  706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe
File opened (read-only)  \??\N:  706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe
File opened (read-only)  \??\P:  706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe
File opened (read-only)  \??\Q:  706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe
File opened (read-only)  \??\R:  706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe
File opened (read-only)  \??\X:  706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe
File opened (read-only)  \??\A:  706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe
File opened (read-only)  \??\B:  706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe
File opened (read-only)  \??\H:  706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe
File opened (read-only)  \??\Y:  706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Interacts with shadow copies (3 TTPs, 3 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid  Process
2600  vssadmin.exe
2792  vssadmin.exe
2504  vssadmin.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid  Process
348  706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe  (this identical entry is listed 64 times in the report)
Suspicious use of AdjustPrivilegeToken (63 IoCs)
description  pid  Process
Token: SeBackupPrivilege  2696  vssvc.exe
Token: SeRestorePrivilege  2696  vssvc.exe
Token: SeAuditPrivilege  2696  vssvc.exe
The following 20 tokens are each listed for wmic.exe with pid 2776, again for pid 2656, and again for pid 2916 (60 entries in total):
Token: SeIncreaseQuotaPrivilege
Token: SeSecurityPrivilege
Token: SeTakeOwnershipPrivilege
Token: SeLoadDriverPrivilege
Token: SeSystemProfilePrivilege
Token: SeSystemtimePrivilege
Token: SeProfSingleProcessPrivilege
Token: SeIncBasePriorityPrivilege
Token: SeCreatePagefilePrivilege
Token: SeBackupPrivilege
Token: SeRestorePrivilege
Token: SeShutdownPrivilege
Token: SeDebugPrivilege
Token: SeSystemEnvironmentPrivilege
Token: SeRemoteShutdownPrivilege
Token: SeUndockPrivilege
Token: SeManageVolumePrivilege
Token: 33
Token: 34
Token: 35
Suspicious use of WriteProcessMemory (28 IoCs)
description  pid  Process  procid_target
Each entry below appears four times in the report.
PID 348 wrote to memory of 2600  348  706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe  28
PID 348 wrote to memory of 2776  348  706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe  31
PID 348 wrote to memory of 2792  348  706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe  33
PID 348 wrote to memory of 2656  348  706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe  35
PID 348 wrote to memory of 2504  348  706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe  37
PID 348 wrote to memory of 2916  348  706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe  39
PID 3024 wrote to memory of 2380  3024  taskeng.exe  45
System policy modification (1 TTPs, 3 IoCs)
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"  706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
(image path, then command line, indented by process-tree depth)

C:\Users\Admin\AppData\Local\Temp\706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe
"C:\Users\Admin\AppData\Local\Temp\706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe"
  - UAC bypass
  - Checks whether UAC is enabled
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID: 348

    C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe Delete Shadows /All /Quiet
      - Interacts with shadow copies
      PID: 2600

    C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic.exe SHADOWCOPY /nointeractive
      - Suspicious use of AdjustPrivilegeToken
      PID: 2776

    C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe Delete Shadows /All /Quiet
      - Interacts with shadow copies
      PID: 2792

    C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic.exe SHADOWCOPY /nointeractive
      - Suspicious use of AdjustPrivilegeToken
      PID: 2656

    C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe Delete Shadows /All /Quiet
      - Interacts with shadow copies
      PID: 2504

    C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic.exe SHADOWCOPY /nointeractive
      - Suspicious use of AdjustPrivilegeToken
      PID: 2916

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID: 2696

C:\Windows\system32\taskeng.exe
taskeng.exe {34C2551B-EF1C-4D09-8380-AEEDEA5FD343} S-1-5-21-2737914667-933161113-3798636211-1000:PUMARTNR\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  PID: 3024

    C:\Users\Admin\AppData\Roaming\svhost.exe
    C:\Users\Admin\AppData\Roaming\svhost.exe
      - Executes dropped EXE
      PID: 2380
Network

MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Direct Volume Access (1)
  Impair Defenses (1)
    Disable or Modify Tools (1)
  Indicator Removal (2)
    File Deletion (2)
  Modify Registry (2)
Downloads

Filesize: 5.6MB
MD5: 095db264f03dba2cb16f1e3acaf60d27
SHA1: 2b1bb5b5aedcc0dd95eb694ae53aa4ce108c85bb
SHA256: 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6
SHA512: 7706cdcb52fc5318ee6a14c9ba580980d7af4e851485de8662ac997359dbac140ad1cb8f31d9e71ee9574cb0307e4167c8a5e807cffabca6b093682f4d1232ea

Filesize: 536B
MD5: b0bda30fd38dad6371ec013dfa8581cc
SHA1: 8d61942d74fdd735158dcd86705df3b02f63b095
SHA256: ddf8cd0d51c0e91ebb69c13019480862ecf48ad87b05be45bbc6cd7244b9f72c
SHA512: a6744dca56518dd8f0e5e1f18ee91a60c65b58abda1952bd6b3a26ecca28a750ce3dd18e221bfe960da3740f9a917442fb5b227c4afa7031dd36d3afbdbbf268

Filesize: 4KB
MD5: bd0954af014b0f99ecaf238863e2e192
SHA1: d9224531e440f833d429e96ff4de645824f2c6bb
SHA256: 2519e5acce537f89c74d017f5b5e1b1abc491c629375a5db927b9f16f34f5ad3
SHA512: 1a17d705126ce60db880b7bd5be6b856e86b11a5b991f376ac6b636d8b7148a88c6804f66f10be5a1a8fad059f6e2596046a99ea1e589d7792d9b7c244e785a5