Analysis
-
max time kernel
128s -
max time network
56s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
23-06-2024 22:50
Behavioral task
behavioral1
Sample
706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe
Resource
win10v2004-20240508-en
General
-
Target
706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe
-
Size
5.6MB
-
MD5
095db264f03dba2cb16f1e3acaf60d27
-
SHA1
2b1bb5b5aedcc0dd95eb694ae53aa4ce108c85bb
-
SHA256
706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6
-
SHA512
7706cdcb52fc5318ee6a14c9ba580980d7af4e851485de8662ac997359dbac140ad1cb8f31d9e71ee9574cb0307e4167c8a5e807cffabca6b093682f4d1232ea
-
SSDEEP
98304:uv9Vu+MMjYAMHlaWnAskRRZfhck06/o/Di+R1MI064hHgjhxCJpGdKeeO53LSNpw:uv988KlaOARRZfCxDbxRj6HgbCbvSLSh
Malware Config
Extracted
\Device\HarddiskVolume1\Recovery_Instructions.html
Signatures
-
MedusaLocker
Ransomware with several variants first seen in September 2019.
-
MedusaLocker payload 4 IoCs
resource yara_rule behavioral2/memory/968-1-0x0000000000E70000-0x00000000017FC000-memory.dmp family_medusalocker behavioral2/memory/968-6-0x0000000000E70000-0x00000000017FC000-memory.dmp family_medusalocker behavioral2/memory/968-554-0x0000000000E70000-0x00000000017FC000-memory.dmp family_medusalocker behavioral2/memory/1864-558-0x00000000006B0000-0x000000000103C000-memory.dmp family_medusalocker -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe -
Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) 4 IoCs
resource yara_rule behavioral2/memory/968-1-0x0000000000E70000-0x00000000017FC000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral2/memory/968-6-0x0000000000E70000-0x00000000017FC000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral2/memory/968-554-0x0000000000E70000-0x00000000017FC000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral2/memory/1864-558-0x00000000006B0000-0x000000000103C000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM -
Detects command variations typically used by ransomware 4 IoCs
resource yara_rule behavioral2/memory/968-1-0x0000000000E70000-0x00000000017FC000-memory.dmp INDICATOR_SUSPICIOUS_GENRansomware behavioral2/memory/968-6-0x0000000000E70000-0x00000000017FC000-memory.dmp INDICATOR_SUSPICIOUS_GENRansomware behavioral2/memory/968-554-0x0000000000E70000-0x00000000017FC000-memory.dmp INDICATOR_SUSPICIOUS_GENRansomware behavioral2/memory/1864-558-0x00000000006B0000-0x000000000103C000-memory.dmp INDICATOR_SUSPICIOUS_GENRansomware -
Detects executables packed with VMProtect. 5 IoCs
resource yara_rule behavioral2/memory/968-1-0x0000000000E70000-0x00000000017FC000-memory.dmp INDICATOR_EXE_Packed_VMProtect behavioral2/memory/968-6-0x0000000000E70000-0x00000000017FC000-memory.dmp INDICATOR_EXE_Packed_VMProtect behavioral2/memory/968-554-0x0000000000E70000-0x00000000017FC000-memory.dmp INDICATOR_EXE_Packed_VMProtect behavioral2/files/0x000800000002341f-555.dat INDICATOR_EXE_Packed_VMProtect behavioral2/memory/1864-558-0x00000000006B0000-0x000000000103C000-memory.dmp INDICATOR_EXE_Packed_VMProtect -
Renames multiple (175) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Executes dropped EXE 1 IoCs
pid Process 1864 svhost.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral2/memory/968-1-0x0000000000E70000-0x00000000017FC000-memory.dmp vmprotect behavioral2/memory/968-6-0x0000000000E70000-0x00000000017FC000-memory.dmp vmprotect behavioral2/memory/968-554-0x0000000000E70000-0x00000000017FC000-memory.dmp vmprotect behavioral2/files/0x000800000002341f-555.dat vmprotect behavioral2/memory/1864-558-0x00000000006B0000-0x000000000103C000-memory.dmp vmprotect -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe -
Drops desktop.ini file(s) 1 IoCs
description ioc Process File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-4124900551-4068476067-3491212533-1000\desktop.ini 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\R: 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe File opened (read-only) \??\Z: 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe File opened (read-only) \??\F: 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe File opened (read-only) \??\N: 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe File opened (read-only) \??\E: 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe File opened (read-only) \??\G: 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe File opened (read-only) \??\J: 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe File opened (read-only) \??\K: 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe File opened (read-only) \??\L: 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe File opened (read-only) \??\U: 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe File opened (read-only) \??\W: 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe File opened (read-only) \??\A: 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe File opened (read-only) \??\I: 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe File opened (read-only) \??\O: 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe File opened (read-only) \??\P: 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe File opened (read-only) \??\S: 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe File opened (read-only) \??\T: 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe File opened (read-only) \??\B: 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe File opened (read-only) \??\M: 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe File opened (read-only) \??\Q: 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe File opened (read-only) \??\V: 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe File opened (read-only) \??\X: 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe File opened (read-only) \??\Y: 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe File opened (read-only) \??\H: 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 968 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe 968 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe 968 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe 968 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe 968 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe 968 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe 968 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe 968 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe 968 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe 968 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe 968 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe 968 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe 968 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe 968 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe 968 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe 968 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe 968 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe 968 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe 968 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe 968 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe 968 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe 968 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe 968 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe 968 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe 968 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe 968 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe 968 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe 968 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe 968 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe 968 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe 968 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe 968 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe 968 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe 968 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe 968 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe 968 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe 968 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe 968 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe 968 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe 968 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe 968 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe 968 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe 968 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe 968 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe 968 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe 968 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe 968 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe 968 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe 968 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe 968 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe 968 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe 968 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe 968 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe 968 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe 968 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe 968 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe 968 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe 968 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe 968 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe 968 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe 968 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe 968 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe 968 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe 968 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe -
Suspicious use of AdjustPrivilegeToken 63 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 3568 wmic.exe Token: SeSecurityPrivilege 3568 wmic.exe Token: SeTakeOwnershipPrivilege 3568 wmic.exe Token: SeLoadDriverPrivilege 3568 wmic.exe Token: SeSystemProfilePrivilege 3568 wmic.exe Token: SeSystemtimePrivilege 3568 wmic.exe Token: SeProfSingleProcessPrivilege 3568 wmic.exe Token: SeIncBasePriorityPrivilege 3568 wmic.exe Token: SeCreatePagefilePrivilege 3568 wmic.exe Token: SeBackupPrivilege 3568 wmic.exe Token: SeRestorePrivilege 3568 wmic.exe Token: SeShutdownPrivilege 3568 wmic.exe Token: SeDebugPrivilege 3568 wmic.exe Token: SeSystemEnvironmentPrivilege 3568 wmic.exe Token: SeRemoteShutdownPrivilege 3568 wmic.exe Token: SeUndockPrivilege 3568 wmic.exe Token: SeManageVolumePrivilege 3568 wmic.exe Token: 33 3568 wmic.exe Token: 34 3568 wmic.exe Token: 35 3568 wmic.exe Token: 36 3568 wmic.exe Token: SeIncreaseQuotaPrivilege 4236 wmic.exe Token: SeSecurityPrivilege 4236 wmic.exe Token: SeTakeOwnershipPrivilege 4236 wmic.exe Token: SeLoadDriverPrivilege 4236 wmic.exe Token: SeSystemProfilePrivilege 4236 wmic.exe Token: SeSystemtimePrivilege 4236 wmic.exe Token: SeProfSingleProcessPrivilege 4236 wmic.exe Token: SeIncBasePriorityPrivilege 4236 wmic.exe Token: SeCreatePagefilePrivilege 4236 wmic.exe Token: SeBackupPrivilege 4236 wmic.exe Token: SeRestorePrivilege 4236 wmic.exe Token: SeShutdownPrivilege 4236 wmic.exe Token: SeDebugPrivilege 4236 wmic.exe Token: SeSystemEnvironmentPrivilege 4236 wmic.exe Token: SeRemoteShutdownPrivilege 4236 wmic.exe Token: SeUndockPrivilege 4236 wmic.exe Token: SeManageVolumePrivilege 4236 wmic.exe Token: 33 4236 wmic.exe Token: 34 4236 wmic.exe Token: 35 4236 wmic.exe Token: 36 4236 wmic.exe Token: SeIncreaseQuotaPrivilege 3888 wmic.exe Token: SeSecurityPrivilege 3888 wmic.exe Token: SeTakeOwnershipPrivilege 3888 wmic.exe Token: SeLoadDriverPrivilege 3888 wmic.exe Token: SeSystemProfilePrivilege 3888 wmic.exe Token: SeSystemtimePrivilege 3888 wmic.exe Token: SeProfSingleProcessPrivilege 3888 wmic.exe Token: SeIncBasePriorityPrivilege 3888 wmic.exe Token: SeCreatePagefilePrivilege 3888 wmic.exe Token: SeBackupPrivilege 3888 wmic.exe Token: SeRestorePrivilege 3888 wmic.exe Token: SeShutdownPrivilege 3888 wmic.exe Token: SeDebugPrivilege 3888 wmic.exe Token: SeSystemEnvironmentPrivilege 3888 wmic.exe Token: SeRemoteShutdownPrivilege 3888 wmic.exe Token: SeUndockPrivilege 3888 wmic.exe Token: SeManageVolumePrivilege 3888 wmic.exe Token: 33 3888 wmic.exe Token: 34 3888 wmic.exe Token: 35 3888 wmic.exe Token: 36 3888 wmic.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 968 wrote to memory of 3568 968 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe 82 PID 968 wrote to memory of 3568 968 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe 82 PID 968 wrote to memory of 3568 968 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe 82 PID 968 wrote to memory of 4236 968 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe 85 PID 968 wrote to memory of 4236 968 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe 85 PID 968 wrote to memory of 4236 968 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe 85 PID 968 wrote to memory of 3888 968 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe 87 PID 968 wrote to memory of 3888 968 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe 87 PID 968 wrote to memory of 3888 968 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe 87 -
System policy modification 1 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" 706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe"C:\Users\Admin\AppData\Local\Temp\706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe"1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:968 -
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3568
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4236
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3888
-
-
C:\Users\Admin\AppData\Roaming\svhost.exeC:\Users\Admin\AppData\Roaming\svhost.exe1⤵
- Executes dropped EXE
PID:1864
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
5.6MB
MD5095db264f03dba2cb16f1e3acaf60d27
SHA12b1bb5b5aedcc0dd95eb694ae53aa4ce108c85bb
SHA256706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6
SHA5127706cdcb52fc5318ee6a14c9ba580980d7af4e851485de8662ac997359dbac140ad1cb8f31d9e71ee9574cb0307e4167c8a5e807cffabca6b093682f4d1232ea
-
Filesize
536B
MD514242da9356ef42c4afead49406a1ad9
SHA14817f82fb5be1d978d5ccd6353081fbd57e4de9e
SHA256c6b265ed7b61d7739bbdfbda28604854498a47689f5755adeab9b4dc4e1875fd
SHA51227a4c37ddb5e5c8e68f30eacd4eae39e341cf38fd4c1eb5910a85480f6030796461028be53ad4dff2434c174b6e405b3807fbe1be30417040ed6601471bfdfd1
-
Filesize
4KB
MD5f6239fb8d7f65d8d88d9245e9adfc8fb
SHA1cabde9c2531346d2d084edc7aaea1af76628cb63
SHA256127aa4c8fb0d66a9159ca9fbf1a1b96b6dbc0d49ae8686a084c04ac324583fe9
SHA512865d1237d15cea981ee6a35200e8ca85e992488c9f8746e663785a466630b1c5e3f15458aca796cbfcd5545dc4958ff6627273e9378a6075c78bd5f563bdd71e