Analysis
max time kernel: 141s
max time network: 120s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 18-07-2024 10:00
Behavioral task behavioral1: Sample 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe, Resource win7-20240708-en
Behavioral task behavioral2: Sample 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe, Resource win10v2004-20240709-en
Behavioral task behavioral3: Sample out.exe, Resource win7-20240708-en
Behavioral task behavioral4: Sample out.exe, Resource win10v2004-20240709-en
General
Target: 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
Size: 235KB
MD5: f6f120d1262b88f79debb5d848ac7db9
SHA1: 1339282f9b2d2a41326daf3cf284ec2ae8f0f93c
SHA256: 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281
SHA512: 1067c1a73cf891d651fa007f4ccc4452f32801fe3859933ef1bcc00985e35ce016fa6c601c0e3c10df2080fc9b8a776b2f18d40bd64dfb98177ab638c4b545bd
SSDEEP: 6144:c5vMUmRTTgwnfeP+Jx1cLNAIyBcc9WrEWUC4wQh/6BeX:/U8Tgufnx1cLNncgQWUUQh/+e
Malware Config
Extracted
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\HOW_TO_RECOVER_DATA.html
Signatures
- MedusaLocker
Ransomware with several variants first seen in September 2019.
- MedusaLocker payload 5 IoCs
resource  yara_rule
behavioral1/memory/2980-869-0x00000000002D0000-0x0000000000382000-memory.dmp  family_medusalocker
behavioral1/memory/2980-873-0x00000000002D0000-0x0000000000382000-memory.dmp  family_medusalocker
behavioral1/memory/2980-874-0x00000000002D0000-0x0000000000382000-memory.dmp  family_medusalocker
behavioral1/memory/896-881-0x00000000001D0000-0x0000000000282000-memory.dmp  family_medusalocker
behavioral1/memory/2980-883-0x00000000002D0000-0x0000000000382000-memory.dmp  family_medusalocker
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
- Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
- Renames multiple (283) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
- Executes dropped EXE 1 IoCs
pid  Process
896  svhost.exe
- Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
resource  yara_rule
behavioral1/memory/2980-0-0x00000000002D0000-0x0000000000382000-memory.dmp  upx
behavioral1/memory/2980-869-0x00000000002D0000-0x0000000000382000-memory.dmp  upx
behavioral1/memory/2980-873-0x00000000002D0000-0x0000000000382000-memory.dmp  upx
behavioral1/memory/2980-874-0x00000000002D0000-0x0000000000382000-memory.dmp  upx
behavioral1/files/0x0009000000012286-877.dat  upx
behavioral1/memory/896-879-0x00000000001D0000-0x0000000000282000-memory.dmp  upx
behavioral1/memory/896-881-0x00000000001D0000-0x0000000000282000-memory.dmp  upx
behavioral1/memory/2980-883-0x00000000002D0000-0x0000000000382000-memory.dmp  upx
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
- Drops desktop.ini file(s) 1 IoCs
description  ioc  Process
File opened for modification  \??\Z:\$RECYCLE.BIN\S-1-5-21-1506706701-1246725540-2219210854-1000\desktop.ini  1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
- Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description  ioc  Process
File opened (read-only), one entry per drive root, by 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe: \??\H:, \??\U:, \??\V:, \??\Z:, \??\N:, \??\O:, \??\P:, \??\S:, \??\A:, \??\B:, \??\E:, \??\I:, \??\T:, \??\X:, \??\R:, \??\Y:, \??\F:, \??\J:, \??\K:, \??\L:, \??\Q:, \??\G:, \??\M:, \??\W:
- Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
- Interacts with shadow copies 3 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid  Process
2104  vssadmin.exe
2800  vssadmin.exe
2172  vssadmin.exe
- Suspicious behavior: EnumeratesProcesses 64 IoCs
pid  Process
2980  1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe  (64 identical entries)
- Suspicious use of AdjustPrivilegeToken 63 IoCs
description  pid  Process
Token: SeBackupPrivilege  2908  vssvc.exe
Token: SeRestorePrivilege  2908  vssvc.exe
Token: SeAuditPrivilege  2908  vssvc.exe
The three wmic.exe processes (PIDs 2328, 2740 and 2768) each have the same 20 token entries:
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
- Suspicious use of WriteProcessMemory 28 IoCs
description  pid  Process  procid_target
PID 2980 wrote to memory of 2104  2980  1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe  30  (4 entries)
PID 2980 wrote to memory of 2328  2980  1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe  33  (4 entries)
PID 2980 wrote to memory of 2800  2980  1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe  35  (4 entries)
PID 2980 wrote to memory of 2740  2980  1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe  37  (4 entries)
PID 2980 wrote to memory of 2172  2980  1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe  39  (4 entries)
PID 2980 wrote to memory of 2768  2980  1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe  41  (4 entries)
PID 2388 wrote to memory of 896  2388  taskeng.exe  46  (4 entries)
- System policy modification 1 TTPs 3 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"  1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
- Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe (level 1, PID 2980)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe"
  - UAC bypass
  - Checks whether UAC is enabled
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  - C:\Windows\SysWOW64\vssadmin.exe (level 2, PID 2104)
    Command line: vssadmin.exe Delete Shadows /All /Quiet
    - Interacts with shadow copies
  - C:\Windows\SysWOW64\Wbem\wmic.exe (level 2, PID 2328)
    Command line: wmic.exe SHADOWCOPY /nointeractive
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\vssadmin.exe (level 2, PID 2800)
    Command line: vssadmin.exe Delete Shadows /All /Quiet
    - Interacts with shadow copies
  - C:\Windows\SysWOW64\Wbem\wmic.exe (level 2, PID 2740)
    Command line: wmic.exe SHADOWCOPY /nointeractive
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\vssadmin.exe (level 2, PID 2172)
    Command line: vssadmin.exe Delete Shadows /All /Quiet
    - Interacts with shadow copies
  - C:\Windows\SysWOW64\Wbem\wmic.exe (level 2, PID 2768)
    Command line: wmic.exe SHADOWCOPY /nointeractive
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe (level 1, PID 2908)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\taskeng.exe (level 1, PID 2388)
  Command line: taskeng.exe {357D4D85-432F-4996-9888-F5282D2EA105} S-1-5-21-1506706701-1246725540-2219210854-1000:MUYDDIIS\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\svhost.exe (level 2, PID 896)
    Command line: C:\Users\Admin\AppData\Roaming\svhost.exe
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism: 1
- Bypass User Account Control: 1
Defense Evasion
- Abuse Elevation Control Mechanism: 1
- Bypass User Account Control: 1
- Direct Volume Access: 1
- Impair Defenses: 1
- Disable or Modify Tools: 1
- Indicator Removal: 2
- File Deletion: 2
- Modify Registry: 2
Downloads
- Filesize: 4KB
  MD5: bfad23d9503e20d051531c3ce83ef00f
  SHA1: 08f9d2cb96872ea1e36bcf7f3b5fc89ee23fd6e4
  SHA256: eee5b95ef9a3919d043822d16630349d0feee275072f62629296ee96451ea1d7
  SHA512: a1d8270644a60deead846cb9c1e7d260dff94d1b2a62bc90c4b265992022d05857139224cb909d06ca161600058608fb37a232f97a6b9f4ffe69fdd378d1ff24
- Filesize: 235KB
  MD5: f6f120d1262b88f79debb5d848ac7db9
  SHA1: 1339282f9b2d2a41326daf3cf284ec2ae8f0f93c
  SHA256: 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281
  SHA512: 1067c1a73cf891d651fa007f4ccc4452f32801fe3859933ef1bcc00985e35ce016fa6c601c0e3c10df2080fc9b8a776b2f18d40bd64dfb98177ab638c4b545bd
- Filesize: 16KB
  MD5: 5a03e19cb0d7cd12a74b99566ab6af46
  SHA1: 1042fad4368fefb6e3867103343c819ddde1f374
  SHA256: 9d04a364fbf098fc1e309de889b111c732058688924429ed4d826edb50856cb0
  SHA512: d5f1e21fe9a7d4f9e9c3e7a75f1557348d63e9350866c282ad8d0ccf9f98a6c11ba687234afaac269b8a5a3b770895b29cc9bdd8dd21a5e04ed4048c8862970b
- Filesize: 536B
  MD5: 3f97004a8bd239e4c45c9c7b3ba1eaa8
  SHA1: fe40742d4b4283d995142658877209054e9c5a34
  SHA256: 9763dfdb12e7f2bc64cd3d8bf9cea38fdd5063469b8ede34b2030c1dae0c6426
  SHA512: 8eb1906947b7253caf2d7d092d7002a61fa9a503e27a4367c3c0d3f885e77e56271f34b9191e72026ec9a4499fce4ca683999143908699449abc51384d81be07