Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21-08-2024 01:04
Behavioral task: behavioral1
- Sample: 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
- Resource: win10v2004-20240802-en
General
- Target: 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
- Size: 1.2MB
- MD5: 2b50a6e9c09437dd1a5b17f86410c232
- SHA1: e98158c75973fd3166c33029da347d565ca6f3bd
- SHA256: 1b0afa3285edab717aea40c6213e11a95ea3881173280a63bbda2d254d194217
- SHA512: 0174063243f8b31bcf7faee05b46b87d095aec248197b5b32a88c016de743aca2231ee683908541da02c72cd72a4400988fe04517937f6049b4e71bb4b666f8f
- SSDEEP: 12288:zmHAIqyfF/5ebyz1dpPlRnMRTD410ALP68kG3Jz4S9FUmnyJtgoiOHmabd8ornXb:qHRFfauvpPXnMKqJtfiOHmUd8QTHL
Malware Config
Extracted
\Device\HarddiskVolume1\Boot\da-DK\!!!HOW_TO_DECRYPT!!!.mht
[email protected]<BR>[email protected]<BR>In
http-equiv=3D"X
Signatures
- Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
  Malicious Access or copy of Web Browser Credential store.
- Deletes shadow copies 3 TTPs
  Ransomware often targets backup files to inhibit system recovery.
- Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  pid | Process
  3744 | bcdedit.exe
  1348 | bcdedit.exe
- Renames multiple (648) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- pid | Process
  1344 | wbadmin.exe
  2036 | wbadmin.exe
- Drops file in Drivers directory 13 IoCs
  description | ioc | Process
  File opened for modification | C:\Windows\System32\drivers\etc\hosts.1btc | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File created | C:\Windows\System32\drivers\etc\!!!HOW_TO_DECRYPT!!!.mht | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\System32\drivers\etc\protocol.inprocess | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\System32\drivers\etc\hosts.inprocess | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\System32\drivers\etc\networks.inprocess | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\System32\drivers\etc\services.inprocess | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\System32\drivers\etc\networks | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\System32\drivers\etc\protocol | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\System32\drivers\etc\services.1btc | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\System32\drivers\etc\services | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\System32\drivers\etc\hosts | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\System32\drivers\etc\networks.1btc | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\System32\drivers\etc\protocol.1btc | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
- Checks computer location settings 2 TTPs 1 IoCs
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
- Credentials from Password Stores: Windows Credential Manager 1 TTPs
  Suspicious access to Credentials History.
- Reads user/profile data of web browsers 2 TTPs
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application 2 TTPs 1 IoCs
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSFEEditor = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe\" e" | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
- Drops desktop.ini file(s) 1 IoCs
  description | ioc | Process
  File opened for modification | \??\E:\$RECYCLE.BIN\S-1-5-21-355097885-2402257403-2971294179-1000\desktop.ini | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
- Enumerates connected drives 3 TTPs 39 IoCs
  Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\F: | vssadmin.exe
  File opened (read-only) | \??\J: | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened (read-only) | \??\L: | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened (read-only) | \??\M: | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened (read-only) | \??\F: | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened (read-only) | \??\D: | vssadmin.exe
  File opened (read-only) | \??\E: | vssadmin.exe
  File opened (read-only) | \??\X: | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened (read-only) | \??\E: | vssadmin.exe
  File opened (read-only) | \??\F: | vssadmin.exe
  File opened (read-only) | \??\H: | vssadmin.exe
  File opened (read-only) | \??\G: | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened (read-only) | \??\N: | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened (read-only) | \??\Q: | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened (read-only) | \??\A: | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened (read-only) | \??\H: | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened (read-only) | \??\D: | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened (read-only) | \??\G: | vssadmin.exe
  File opened (read-only) | \??\H: | vssadmin.exe
  File opened (read-only) | \??\K: | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened (read-only) | \??\T: | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened (read-only) | \??\V: | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened (read-only) | \??\W: | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened (read-only) | \??\D: | vssadmin.exe
  File opened (read-only) | \??\I: | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened (read-only) | \??\O: | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened (read-only) | \??\P: | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened (read-only) | \??\R: | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened (read-only) | \??\S: | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened (read-only) | \??\E: | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened (read-only) | \??\g: | vssadmin.exe
  File opened (read-only) | \??\B: | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened (read-only) | \??\U: | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened (read-only) | \??\Y: | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened (read-only) | \??\Z: | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened (read-only) | \??\g: | vssadmin.exe
  File opened (read-only) | \??\G: | vssadmin.exe
  File opened (read-only) | \??\h: | vssadmin.exe
  File opened (read-only) | \??\h: | vssadmin.exe
- Indicator Removal: File Deletion 1 TTPs
  Adversaries may delete files left behind by the actions of their intrusion activity.
- Drops file in System32 directory 64 IoCs
  description | ioc | Process
  File opened for modification | C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\UpdateModelTask.inprocess | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157.inprocess | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | svchost.exe
  File opened for modification | C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb.1btc | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb.jfm | svchost.exe
  File created | C:\Windows\System32\Microsoft\Protect\S-1-5-18\!!!HOW_TO_DECRYPT!!!.mht | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\System32\Microsoft\Protect\S-1-5-18\dd98bda8-5cdc-4771-bb6a-1d60ca4acc16 | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187 | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\System32\Microsoft\Protect\S-1-5-18\dd98bda8-5cdc-4771-bb6a-1d60ca4acc16.inprocess | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187.inprocess | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187.inprocess | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04.1btc | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\System32\config\COMPONENTS.inprocess | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\system32\CatRoot2\edb.log | svchost.exe
  File opened for modification | C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\a55933fd-0442-4920-81dc-b338e11dfc81.inprocess | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9.inprocess | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\System32\config\ELAM | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\System32\Microsoft\Protect\S-1-5-18\dd98bda8-5cdc-4771-bb6a-1d60ca4acc16.1btc | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File created | C:\Windows\system32\CatRoot2\edbres00001.jrs | svchost.exe
  File opened for modification | C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A.inprocess | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb.inprocess | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File created | C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials\!!!HOW_TO_DECRYPT!!!.mht | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File created | C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\!!!HOW_TO_DECRYPT!!!.mht | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9.inprocess | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\System32\config\SECURITY | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\System32\CatRoot2\dberr.txt | svchost.exe
  File created | C:\Windows\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb.jfm | svchost.exe
  File opened for modification | C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D.1btc | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187 | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749.1btc | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 | svchost.exe
  File opened for modification | C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\system32\CatRoot2\edb.chk | svchost.exe
  File opened for modification | C:\Windows\System32\Microsoft\Protect\S-1-5-18\Preferred | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File created | C:\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework\!!!HOW_TO_DECRYPT!!!.mht | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work.inprocess | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\System32\config\ELAM.1btc | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\system32\CatRoot2\edb.jtx | svchost.exe
  File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Report policies | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework\MsCtfMonitor.inprocess | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\System32\config\ELAM.inprocess | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\System32\config\SOFTWARE | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File created | C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\!!!HOW_TO_DECRYPT!!!.mht | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9.1btc | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\system32\CatRoot2\edb.jcp | svchost.exe
  File opened for modification | C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157.1btc | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776.1btc | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\System32\ResPriHMImageListLowCost | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\System32\config\BBI | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\System32\config\SYSTEM | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FB0D848F74F70BB2EAA93746D24D9749.inprocess | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FB0D848F74F70BB2EAA93746D24D9749 | svchost.exe
  File opened for modification | C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157.inprocess | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\a55933fd-0442-4920-81dc-b338e11dfc81.1btc | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A.inprocess | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506.1btc | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
- Drops file in Program Files directory 64 IoCs
  description | ioc | Process
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\FA000000006 | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\FA000000006.inprocess | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-H | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\removed-files | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\FPA_f2\FA000000002.inprocess | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050\FA000000050.1btc | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File created | C:\Program Files\Microsoft Office\root\Office16\FPA_f4\!!!HOW_TO_DECRYPT!!!.mht | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\FA000000008 | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File created | C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011\!!!HOW_TO_DECRYPT!!!.mht | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\precomplete.1btc | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File created | C:\Program Files\Microsoft Office\root\Office16\FPA_f7\!!!HOW_TO_DECRYPT!!!.mht | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\FPA_w1\WA104381125.1btc | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\ZeroByteFile.inprocess | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\FPA_f3\FA000000003 | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\FPA_f4\FA000000005.1btc | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\FPA_f2\FA000000002.1btc | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File created | C:\Program Files\Microsoft Office\root\Office16\FPA_f14\!!!HOW_TO_DECRYPT!!!.mht | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File created | C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050\!!!HOW_TO_DECRYPT!!!.mht | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\ZeroByteFile | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File created | C:\Program Files\Crashpad\!!!HOW_TO_DECRYPT!!!.mht | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\precomplete.inprocess | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File created | C:\Program Files\Microsoft Office\root\Office16\FPA_f2\!!!HOW_TO_DECRYPT!!!.mht | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File created | C:\Program Files\Microsoft Office\root\Office16\FPA_f3\!!!HOW_TO_DECRYPT!!!.mht | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\FA000000008.inprocess | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011\FA000000011.inprocess | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Program Files\Crashpad\metadata | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\FPA_f14\FA000000014.inprocess | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\FPA_f4\FA000000005 | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File created | C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\!!!HOW_TO_DECRYPT!!!.mht | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-V | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File created | C:\Program Files\Mozilla Firefox\!!!HOW_TO_DECRYPT!!!.mht | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\removed-files.1btc | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File created | C:\Program Files\Google\Chrome\Application\!!!HOW_TO_DECRYPT!!!.mht | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\FPA_f14\FA000000014.1btc | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File created | C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009\!!!HOW_TO_DECRYPT!!!.mht | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011\FA000000011.1btc | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Program Files\Crashpad\metadata.inprocess | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\postSigningData.1btc | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\!!!HOW_TO_DECRYPT!!!.mht | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Program Files\Google\Chrome\Application\initial_preferences.1btc | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009\FA000000009.1btc | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\FPA_f33\FA000000033 | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File created | C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\!!!HOW_TO_DECRYPT!!!.mht | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Program Files\Google\Chrome\Application\initial_preferences | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\FPA_f3\FA000000003.inprocess | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\FPA_f2\FA000000002 | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\FPA_f33\FA000000033.inprocess | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\FPA_f33\FA000000033.1btc | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\FA000000006.1btc | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\postSigningData.inprocess | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\precomplete | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\removed-files.inprocess | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\FPA_f3\FA000000003.1btc | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File created | C:\Program Files\Microsoft Office\root\Office16\FPA_f33\!!!HOW_TO_DECRYPT!!!.mht | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\FPA_f7\FA000000007.1btc | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\FPA_w1\WA104381125.inprocess | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\FPA_f14\FA000000014 | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\FPA_f7\FA000000007 | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\FPA_f4\FA000000005.inprocess | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File created | C:\Program Files\Microsoft Office\root\Office16\FPA_w1\!!!HOW_TO_DECRYPT!!!.mht | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\postSigningData | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Program Files\Google\Chrome\Application\initial_preferences.inprocess | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011\FA000000011 | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\FPA_w1\WA104381125 | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
- Drops file in Windows directory 64 IoCs
  description | ioc | Process
  File opened for modification | C:\Windows\Installer\SourceHash{90160000-008C-0000-1000-0000000FF1CE}.1btc | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\Installer\SourceHash{F6080405-9FA8-4CAA-9982-14E95D1A3DAC} | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\Boot\PCAT\bootnxt | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\SoftwareDistribution\Download\SharedFileCache\e1ea7b2e20a22fbee6e9dd5d883e9f3cc75fdee790ea383a755da4381088ec52.1btc | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\Installer\SourceHash{2BB73336-4F69-4141-9797-E9BD6FE3980A} | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\Installer\SourceHash{90160000-008C-0000-1000-0000000FF1CE} | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\Installer\SourceHash{9F51D16B-42E8-4A4A-8228-75045541A2AE}.inprocess | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\Boot\DVD\EFI\BCD | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\AppContainerUserCertRead | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\Logs\WindowsBackup\WBEngine.3.etl | wbadmin.exe
  File opened for modification | C:\Windows\Installer\SourceHash{37B8F9C7-03FB-3253-8781-2517C99D7C00}.inprocess | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\SoftwareDistribution\Download\SharedFileCache\ffb218cb78a2ca5b027e463f2a6bbb9c7036730212098e4fb7c330c70dcdfda4.1btc | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\Installer\SourceHash{2BB73336-4F69-4141-9797-E9BD6FE3980A}.1btc | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\Installer\SourceHash{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}.inprocess | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\Installer\SourceHash{662A0088-6FCD-45DD-9EA7-68674058AED5}.inprocess | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\Installer\SourceHash{7DAD0258-515C-3DD4-8964-BD714199E0F7} | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\Installer\SourceHash{90160000-008C-0000-1000-0000000FF1CE}.inprocess | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\Installer\SourceHash{90160000-008C-0409-1000-0000000FF1CE}.1btc | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\Logs\WindowsBackup\WBEngine.1.etl | wbadmin.exe
  File opened for modification | C:\Windows\Installer\SourceHash{01B2627D-8443-41C0-97F0-9F72AC2FD6A0} | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\SoftwareDistribution\Download\SharedFileCache\e1ea7b2e20a22fbee6e9dd5d883e9f3cc75fdee790ea383a755da4381088ec52.inprocess | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\Installer\SourceHash{5740BD44-B58D-321A-AFC0-6D3D4556DD6C} | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\Installer\SourceHash{77924AE4-039E-4CA4-87B4-2F64180381F0} | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\Installer\SourceHash{662A0088-6FCD-45DD-9EA7-68674058AED5} | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File created | C:\Windows\Panther\!!!HOW_TO_DECRYPT!!!.mht | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\Installer\SourceHash{37B8F9C7-03FB-3253-8781-2517C99D7C00} | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\Installer\SourceHash{E634F316-BEB6-4FB3-A612-F7102F576165}.1btc | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\Boot\DVD\PCAT\BCD | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File created | C:\Windows\SoftwareDistribution\Download\SharedFileCache\!!!HOW_TO_DECRYPT!!!.mht | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\Logs\WindowsBackup\WBEngine.2.etl | wbadmin.exe
  File opened for modification | C:\Windows\Installer\SourceHash{79043ED0-7ED1-4227-A5E5-04C5594D21F7}.1btc | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\Installer\SourceHash{C7B73281-AB0A-4DAD-A09F-5C30D40679AC}.inprocess | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\Installer\SourceHash{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}.1btc | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\Installer\SourceHash{BF08E976-B92E-4336-B56F-2171179476C4} | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\Installer\SourceHash{D46F1FD9-2FE8-4D05-B2AC-011C23B69B24}.inprocess | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_30dd1cc1-5c25-4745-b2f5-cffa52b1a886.1btc | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\Installer\SourceHash{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.inprocess | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\Installer\SourceHash{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}.inprocess | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\Installer\SourceHash{CB0836EC-B072-368D-82B2-D3470BF95707}.inprocess | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\Installer\SourceHash{3A96B93E-763F-41E7-85C7-1F3CCC37EF27}.1btc | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\Installer\SourceHash{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4} | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\Installer\SourceHash{BCC2FB07-8CF0-4542-B10C-61BCEF04AFF2}.inprocess | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\Installer\SourceHash{1B690A4C-381A-40D4-BA4A-3F8ACD5CE797}.1btc | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\Installer\SourceHash{64A3A4F4-B792-11D6-A78A-00B0D0180381}.1btc | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\Installer\SourceHash{7447A794-FA2E-42BE-BA9A-5FCBD54C5DF3} | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\Installer\SourceHash{7447A794-FA2E-42BE-BA9A-5FCBD54C5DF3}.1btc | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\Installer\SourceHash{79043ED0-7ED1-4227-A5E5-04C5594D21F7}.inprocess | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\Installer\SourceHash{90160000-007E-0000-1000-0000000FF1CE}.inprocess | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File opened for modification | C:\Windows\Installer\SourceHash{90160000-007E-0000-1000-0000000FF1CE}.1btc | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
  File
opened for modification C:\Windows\Installer\SourceHash{90160000-008C-0409-1000-0000000FF1CE} 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe File opened for modification C:\Windows\Installer\SourceHash{1B690A4C-381A-40D4-BA4A-3F8ACD5CE797} 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe File opened for modification C:\Windows\Installer\SourceHash{3A96B93E-763F-41E7-85C7-1F3CCC37EF27}.inprocess 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe File opened for modification C:\Windows\Installer\SourceHash{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}.1btc 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe File opened for modification C:\Windows\Installer\SourceHash{E30D8B21-D82D-3211-82CC-0F0A5D1495E8} 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe File opened for modification C:\Windows\Installer\SourceHash{E634F316-BEB6-4FB3-A612-F7102F576165}.inprocess 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe File created C:\Windows\Boot\PCAT\!!!HOW_TO_DECRYPT!!!.mht 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\!!!HOW_TO_DECRYPT!!!.mht 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe File opened for modification C:\Windows\Installer\SourceHash{9F51D16B-42E8-4A4A-8228-75045541A2AE}.1btc 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe File opened for modification C:\Windows\Installer\SourceHash{BCC2FB07-8CF0-4542-B10C-61BCEF04AFF2}.1btc 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe File opened for modification C:\Windows\Installer\SourceHash{E634F316-BEB6-4FB3-A612-F7102F576165} 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\!!!HOW_TO_DECRYPT!!!.mht 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe File opened for modification 
C:\Windows\Installer\SourceHash{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.1btc 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe File opened for modification C:\Windows\Installer\SourceHash{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}.inprocess 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe File opened for modification C:\Windows\Installer\SourceHash{1B690A4C-381A-40D4-BA4A-3F8ACD5CE797}.inprocess 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Interacts with shadow copies 3 TTPs 13 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid | Process
2392 | vssadmin.exe
2488 | vssadmin.exe
2456 | vssadmin.exe
1232 | vssadmin.exe
1516 | vssadmin.exe
2936 | vssadmin.exe
2060 | vssadmin.exe
228 | vssadmin.exe
2884 | vssadmin.exe
1808 | vssadmin.exe
2396 | vssadmin.exe
1288 | vssadmin.exe
884 | vssadmin.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
3960 | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe (all 64 entries are this same pid and process)
Suspicious use of AdjustPrivilegeToken 24 IoCs
description | pid | Process
Token: SeBackupPrivilege | 3868 | vssvc.exe
Token: SeRestorePrivilege | 3868 | vssvc.exe
Token: SeAuditPrivilege | 3868 | vssvc.exe
Token: SeIncreaseQuotaPrivilege | 4776 | wmic.exe
Token: SeSecurityPrivilege | 4776 | wmic.exe
Token: SeTakeOwnershipPrivilege | 4776 | wmic.exe
Token: SeLoadDriverPrivilege | 4776 | wmic.exe
Token: SeSystemProfilePrivilege | 4776 | wmic.exe
Token: SeSystemtimePrivilege | 4776 | wmic.exe
Token: SeProfSingleProcessPrivilege | 4776 | wmic.exe
Token: SeIncBasePriorityPrivilege | 4776 | wmic.exe
Token: SeCreatePagefilePrivilege | 4776 | wmic.exe
Token: SeBackupPrivilege | 4776 | wmic.exe
Token: SeRestorePrivilege | 4776 | wmic.exe
Token: SeShutdownPrivilege | 4776 | wmic.exe
Token: SeDebugPrivilege | 4776 | wmic.exe
Token: SeSystemEnvironmentPrivilege | 4776 | wmic.exe
Token: SeRemoteShutdownPrivilege | 4776 | wmic.exe
Token: SeUndockPrivilege | 4776 | wmic.exe
Token: SeManageVolumePrivilege | 4776 | wmic.exe
Token: 33 | 4776 | wmic.exe
Token: 34 | 4776 | wmic.exe
Token: 35 | 4776 | wmic.exe
Token: 36 | 4776 | wmic.exe
Suspicious use of WriteProcessMemory 38 IoCs
description | pid | Process | procid_target
(each row below is recorded twice in the report, 38 IoCs in total)
PID 3960 wrote to memory of 2392 | 3960 | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe | 85
PID 3960 wrote to memory of 2936 | 3960 | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe | 90
PID 3960 wrote to memory of 2456 | 3960 | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe | 92
PID 3960 wrote to memory of 2060 | 3960 | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe | 94
PID 3960 wrote to memory of 2396 | 3960 | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe | 96
PID 3960 wrote to memory of 1288 | 3960 | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe | 98
PID 3960 wrote to memory of 228 | 3960 | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe | 100
PID 3960 wrote to memory of 884 | 3960 | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe | 102
PID 3960 wrote to memory of 2488 | 3960 | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe | 104
PID 3960 wrote to memory of 1232 | 3960 | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe | 106
PID 3960 wrote to memory of 1516 | 3960 | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe | 108
PID 3960 wrote to memory of 2884 | 3960 | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe | 110
PID 3960 wrote to memory of 1808 | 3960 | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe | 112
PID 3960 wrote to memory of 3744 | 3960 | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe | 114
PID 3960 wrote to memory of 1348 | 3960 | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe | 116
PID 3960 wrote to memory of 1344 | 3960 | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe | 118
PID 3960 wrote to memory of 2036 | 3960 | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe | 120
PID 3960 wrote to memory of 4776 | 3960 | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe | 123
PID 3960 wrote to memory of 2456 | 3960 | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe | 134
System policy modification 1 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | 2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
[1] C:\Users\Admin\AppData\Local\Temp\2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2024-08-21_2b50a6e9c09437dd1a5b17f86410c232_medusalocker.exe"
    PID: 3960
    - Drops file in Drivers directory
    - Checks computer location settings
    - Adds Run key to start application
    - Drops desktop.ini file(s)
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - System policy modification

    [2] C:\Windows\SYSTEM32\vssadmin.exe
        Command line: vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=401MB
        PID: 2392
        - Interacts with shadow copies

    [2] C:\Windows\SYSTEM32\vssadmin.exe
        Command line: vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=unbounded
        PID: 2936
        - Interacts with shadow copies

    [2] C:\Windows\SYSTEM32\vssadmin.exe
        Command line: vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=401MB
        PID: 2456
        - Enumerates connected drives
        - Interacts with shadow copies

    [2] C:\Windows\SYSTEM32\vssadmin.exe
        Command line: vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=unbounded
        PID: 2060
        - Enumerates connected drives
        - Interacts with shadow copies

    [2] C:\Windows\SYSTEM32\vssadmin.exe
        Command line: vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=401MB
        PID: 2396
        - Enumerates connected drives
        - Interacts with shadow copies

    [2] C:\Windows\SYSTEM32\vssadmin.exe
        Command line: vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=unbounded
        PID: 1288
        - Enumerates connected drives
        - Interacts with shadow copies

    [2] C:\Windows\SYSTEM32\vssadmin.exe
        Command line: vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=401MB
        PID: 228
        - Enumerates connected drives
        - Interacts with shadow copies

    [2] C:\Windows\SYSTEM32\vssadmin.exe
        Command line: vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=unbounded
        PID: 884
        - Enumerates connected drives
        - Interacts with shadow copies

    [2] C:\Windows\SYSTEM32\vssadmin.exe
        Command line: vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=401MB
        PID: 2488
        - Enumerates connected drives
        - Interacts with shadow copies

    [2] C:\Windows\SYSTEM32\vssadmin.exe
        Command line: vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=unbounded
        PID: 1232
        - Enumerates connected drives
        - Interacts with shadow copies

    [2] C:\Windows\SYSTEM32\vssadmin.exe
        Command line: vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=401MB
        PID: 1516
        - Enumerates connected drives
        - Interacts with shadow copies

    [2] C:\Windows\SYSTEM32\vssadmin.exe
        Command line: vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=unbounded
        PID: 2884
        - Enumerates connected drives
        - Interacts with shadow copies

    [2] C:\Windows\SYSTEM32\vssadmin.exe
        Command line: vssadmin.exe Delete Shadows /All /Quiet
        PID: 1808
        - Interacts with shadow copies

    [2] C:\Windows\SYSTEM32\bcdedit.exe
        Command line: bcdedit.exe /set {default} recoveryenabled No
        PID: 3744
        - Modifies boot configuration data using bcdedit

    [2] C:\Windows\SYSTEM32\bcdedit.exe
        Command line: bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
        PID: 1348
        - Modifies boot configuration data using bcdedit

    [2] C:\Windows\SYSTEM32\wbadmin.exe
        Command line: wbadmin DELETE SYSTEMSTATEBACKUP
        PID: 1344
        - Deletes System State backups
        - Drops file in Windows directory

    [2] C:\Windows\SYSTEM32\wbadmin.exe
        Command line: wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
        PID: 2036
        - Deletes System State backups
        - Drops file in Windows directory

    [2] C:\Windows\System32\Wbem\wmic.exe
        Command line: wmic.exe SHADOWCOPY /nointeractive
        PID: 4776
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\system32\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE >> NUL
        PID: 2456

[1] C:\Windows\system32\vssvc.exe
    Command line: C:\Windows\system32\vssvc.exe
    PID: 3868
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
    PID: 4584
    - Drops file in System32 directory
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
    Boot or Logon Autostart Execution (1)
        Registry Run Keys / Startup Folder (1)
Defense Evasion
    Direct Volume Access (1)
    Indicator Removal (4)
        File Deletion (4)
    Modify Registry (2)
Credential Access
    Credentials from Password Stores (2)
        Credentials from Web Browsers (1)
        Windows Credential Manager (1)
    Unsecured Credentials (1)
        Credentials In Files (1)
Downloads
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2367C848C1C8A11F6F3502EDA2855348.1btc
    Filesize: 824B
    MD5: 12ea8fbe15e1529d58b4da268152ecd3
    SHA1: f5770e56bf22bcb64a104d32a2d4b8a4eda1513a
    SHA256: 57166cd89cba8bc77ea484839676269b7cc5a9ce10c4ab0f98709b9ce1fb2b18
    SHA512: a3f6896b2d37b79cfd7f4aca341b4f606f29ac682a4f7f8ae405cdc6c31f4b1941123c4bf0084f958c3a768effa0c4d6e96baba7e716c25f928652eed5d09e91

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157.1btc
    Filesize: 814B
    MD5: ac5a0d0cb1848a625b328690c837a5bb
    SHA1: 8404066c71c1e4f7035d33a32b59e683368ab246
    SHA256: d342853f365cdf33cfa0e11e55a34d63ac2c380c3432aa7f136fd90b847a1309
    SHA512: 4227680ca2773dc4c4e0ff99022c0e718cd7fa48a66084c6b5f4729499bfb11febf9d1622070a28185aecd527b01830ce455d09211cbc3f61aa05e4957a41118

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506.1btc
    Filesize: 840B
    MD5: 47a82caf58492c89294220c38126d887
    SHA1: 9c0f1c5232dc0bc99a3012cd7f04850ff36840c3
    SHA256: 997f3733dcba21b3468c720cf240552255ac38fad0dc93e23add5c9a00d153e1
    SHA512: 3e9188a7518f5f3adc5569982e3fadd1479f42d6522b097fbffc52519db2ce04df6ebf341dd98e76a93facf41e2940662d972e11c2342628ee8ed56a7b2740b0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8DFDF057024880D7A081AFBF6D26B92F.1btc
    Filesize: 700B
    MD5: 2c81b68aab54e8f6f49a415de9a43aa6
    SHA1: 9706964996a1da993d10f9f37acdf923b6acac45
    SHA256: 9cde5751f542e7d9e93e07857497bfff054d8eaaa6a7f8b20c439a8f6a9acfb1
    SHA512: 2c30d157e8ada2d5a50a058a7f463500b15417e5d6aabb3e8a77fe0036d227eeea256ecc1fa7940328300ebc29ad08c817fb6dc852d809982a09d27cd609bb5b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C86BD7751D53F10F65AAAD66BBDF33C7.1btc
    Filesize: 770B
    MD5: e46e08186d810bc7c67707f2c3edd555
    SHA1: abd6d65cc134714ef89cdf79db23957902268b3d
    SHA256: 4014bf47b154363147b612411a29c74baec0fa4925da2afee0a20d8cfda6ee2d
    SHA512: 6fbf371b0a3d856c72a6a8f73e40fc52b97c85d8fb85faf2320fde0d7b15d9aa7c303b7322e2ff371eefe80b303d4d46714342a3b8786172926821d44c7e4cf4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749
    Filesize: 290B
    MD5: 7dc723053273c50c099d271bf3fb17a0
    SHA1: c9ecc8f0e03da233fb2ddea4c44ff8f24759ad4e
    SHA256: 5419f6c2e4e0982c955397ede39ffb6ece5238763884b726b4ad4d0d62183b49
    SHA512: 39f671c3c7ee72e3e9550978039d72e0dc9af162b7dc8b77831f053c17b2c1ea669660fe49ba6e6633db5c1d26ef3275b5cfaa589562e4f76b9767a4a63cfbdd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749.1btc
    Filesize: 842B
    MD5: 5b9ab857d49b068ad4e965bf661f2179
    SHA1: 25d245208e1d25c4a0be036ddb0fcbd1a6e01517
    SHA256: f52add12fb30c9a9a4ac2f67c37f3ee152071acab2edef663933101b1e3576e6
    SHA512: 41e69e2788cf297d5f6720369430bbfc47ab6fbb689e8dba981e8f9819f5392daab89606895500dd154fa665a8571156b450392f13c09346f081df4cb7d95567

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB5E2F83CE9B8330B0590B7CD2E5FF2E.1btc
    Filesize: 782B
    MD5: 5860e73e4d4172e8b009226d6035611b
    SHA1: e0a5046360ded450ef84e215533992cbc34aae9e
    SHA256: ae2b4135c852d13c4346c89176dd242bfa0ade000ce2c52fa7969476f2b28fe0
    SHA512: 599efb550c01fa18a194c8f38fc8eab3bbfa985aac9604ed0afbcd44b32b944fb8547d3be94e875c872e5ec836a55f465edc3c9f62898aafb10a6047eb7909c4

(no path recorded in the report)
    Filesize: 19KB
    MD5: cc8ffb2019f15d84d89f7aa4087e338e
    SHA1: 752871aceab86effdac2b938e81e4bd92766de9c
    SHA256: f6ebbdb31360737da7905a7c0dfa7dd10e8b65e28240c0bcbafe650d3200577b
    SHA512: 6aa93adc0849df1c97e5261e090341b0399933e4de5b23e04f9a6b721151b08aab8a44b28eb6447e81a9cec8ac018c406c522c15ba959e4bb75cee958d51fa7d

(no path recorded in the report)
    Filesize: 2.0MB
    MD5: 9746f3e222b030dcc813ce5e2a05ed65
    SHA1: 479e8ce2ae1e45ac4d1a199797ebd12d78ab83bc
    SHA256: 107dcc85947a7007a9b1d04bfa57756072e34164aba7e766b48309cf7e64775d
    SHA512: 13532ddd54c49f7b8bc919986191283c170b2d8232f6e0dcf3e12e504b6695da7039f037237e82761d1e05254f174193d07823f6780240a30b26ffbd735c4298

C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157.1btc
    Filesize: 850B
    MD5: 8aeb80c5c5371397bd4437114f66e491
    SHA1: 683fc3f5ec87969bd45601473d0ddae46c8ed779
    SHA256: e9f117b06b72277916f4ee4b73e800dce8124d294d57a3d729bd883d17779fb5
    SHA512: 9f04110149560a7d28aa4a509878804cf3d006861322e863fdb522412b1148d039dd5c0e0a606d2176af467638de5309da22efd8f7cf2c107dc69a1126f5d35b

C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506.1btc
    Filesize: 802B
    MD5: 0a838abd157a26e1b27759bdf4f8ed7b
    SHA1: 0a6c17868944097ff7c4a16799cbadcb0182735d
    SHA256: 286813b160f4577898a649b3797d901660a1b4323874b30c7f6e2cbfda7efeaf
    SHA512: c79355119c787633ac51e3f728e9676b85d06c50444984149b3eab22e079853822eb56f59351bbc47c9bd4c90a077deb1141fd2bb1f0ac9cbd9bafe2955a8bbf

C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749.1btc
    Filesize: 842B
    MD5: 776bb7c34a0f4634b438a16b2b95a6d2
    SHA1: b2fa612b7b8db0962d98660cac64a08c49db16b5
    SHA256: d4fec12bdbb8096d6c89be1d3f0c5c926e0580d99a2e6c44246f045b96075858
    SHA512: 02596bdc4333dd37736a78f1c644ea8ac6cfa77d1f9453132eb5b8662cc5fbb936140331386aa30fc88bcdd722be6d6c346eae9f8e77043f927b9891317fc2ce

(no path recorded in the report)
    Filesize: 4KB
    MD5: d8cf6d542722188785d60e487c3061d6
    SHA1: 4ed090215f1fe14a74ec0050f368b3ea69288f8b
    SHA256: da25f7dc79519fd53d471f0321a609bb605710e2013868ffaee66736f62b3ad6
    SHA512: d0426cb15593c7d7782747a3e93f138552387d022333690ccb2a74f04a56a3e610be4d2b33cfab5fc674fec1625c59aa6684cf87a757a47510b0f55892a3c05d