Analysis
-
max time kernel
128s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
20-09-2024 23:09
Behavioral task
behavioral1
Sample
20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe
Resource
win10v2004-20240802-en
General
-
Target
20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe
-
Size
669KB
-
MD5
ed858a19f5881d5b4c1d291fc3c50bde
-
SHA1
2becf1d3b743ecf638568065aeb631653f69d003
-
SHA256
f6e687b576ad52361379864e8065da6fb698df4ec6e0a1f664670229717eb230
-
SHA512
7c6c83e63ff207b4957b58f076304724007b0b886388f07142264f516dfcda1d12f73ec8e71bba0cce6ed6d2a31d055c61f5df4bb95442bef88e9c16f1c57906
-
SSDEEP
12288:dQA0FfTcwpBuV2UxqDmuiLZeUaoFi2XZWfGe615HhAZV8DOKD/KeX:Tuf4wTuV2Ux3uIZeUBi2Te6HWnKrKe
Malware Config
Extracted
\Device\HarddiskVolume1\Boot\HOW_TO_BACK_FILES.html
Signatures
-
MedusaLocker
Ransomware with several variants first seen in September 2019.
-
MedusaLocker payload 1 IoCs
resource yara_rule behavioral1/files/0x000b000000012260-886.dat family_medusalocker -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe -
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (288) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Executes dropped EXE 1 IoCs
pid Process 2564 svhost.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe -
Drops desktop.ini file(s) 1 IoCs
description ioc Process File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-457978338-2990298471-2379561640-1000\desktop.ini 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\K: 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe File opened (read-only) \??\L: 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe File opened (read-only) \??\M: 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe File opened (read-only) \??\S: 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe File opened (read-only) \??\A: 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe File opened (read-only) \??\G: 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe File opened (read-only) \??\H: 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe File opened (read-only) \??\I: 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe File opened (read-only) \??\X: 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe File opened (read-only) \??\R: 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe File opened (read-only) \??\T: 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe File opened (read-only) \??\V: 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe File opened (read-only) \??\J: 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe File opened (read-only) \??\U: 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe File opened (read-only) \??\Z: 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe File opened (read-only) \??\P: 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe File opened (read-only) \??\Q: 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe File opened (read-only) \??\W: 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe File opened (read-only) \??\Y: 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe File opened (read-only) \??\B: 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe File opened (read-only) \??\E: 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe File opened (read-only) \??\N: 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe File opened (read-only) \??\O: 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe File opened (read-only) \??\F: 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssadmin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wmic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssadmin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wmic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssadmin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wmic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe -
Interacts with shadow copies 3 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 2788 vssadmin.exe 2608 vssadmin.exe 2692 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2664 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe 2664 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe 2664 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe 2664 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe 2664 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe 2664 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe 2664 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe 2664 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe 2664 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe 2664 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe 2664 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe 2664 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe 2664 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe 2664 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe 2664 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe 2664 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe 2664 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe 2664 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe 2664 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe 2664 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe 2664 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe 2664 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe 2664 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe 2664 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe 2664 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe 2664 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe 2664 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe 2664 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe 2664 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe 2664 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe 2664 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe 2664 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe 2664 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe 2664 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe 2664 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe 2664 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe 2664 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe 2664 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe 2664 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe 2664 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe 2664 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe 2664 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe 2664 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe 2664 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe 2664 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe 2664 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe 2664 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe 2664 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe 2664 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe 2664 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe 2664 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe 2664 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe 2664 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe 2664 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe 2664 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe 2664 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe 2664 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe 2664 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe 2664 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe 2664 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe 2664 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe 2664 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe 2664 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe 2664 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe -
Suspicious use of AdjustPrivilegeToken 63 IoCs
description pid Process Token: SeBackupPrivilege 2716 vssvc.exe Token: SeRestorePrivilege 2716 vssvc.exe Token: SeAuditPrivilege 2716 vssvc.exe Token: SeIncreaseQuotaPrivilege 2732 wmic.exe Token: SeSecurityPrivilege 2732 wmic.exe Token: SeTakeOwnershipPrivilege 2732 wmic.exe Token: SeLoadDriverPrivilege 2732 wmic.exe Token: SeSystemProfilePrivilege 2732 wmic.exe Token: SeSystemtimePrivilege 2732 wmic.exe Token: SeProfSingleProcessPrivilege 2732 wmic.exe Token: SeIncBasePriorityPrivilege 2732 wmic.exe Token: SeCreatePagefilePrivilege 2732 wmic.exe Token: SeBackupPrivilege 2732 wmic.exe Token: SeRestorePrivilege 2732 wmic.exe Token: SeShutdownPrivilege 2732 wmic.exe Token: SeDebugPrivilege 2732 wmic.exe Token: SeSystemEnvironmentPrivilege 2732 wmic.exe Token: SeRemoteShutdownPrivilege 2732 wmic.exe Token: SeUndockPrivilege 2732 wmic.exe Token: SeManageVolumePrivilege 2732 wmic.exe Token: 33 2732 wmic.exe Token: 34 2732 wmic.exe Token: 35 2732 wmic.exe Token: SeIncreaseQuotaPrivilege 2572 wmic.exe Token: SeSecurityPrivilege 2572 wmic.exe Token: SeTakeOwnershipPrivilege 2572 wmic.exe Token: SeLoadDriverPrivilege 2572 wmic.exe Token: SeSystemProfilePrivilege 2572 wmic.exe Token: SeSystemtimePrivilege 2572 wmic.exe Token: SeProfSingleProcessPrivilege 2572 wmic.exe Token: SeIncBasePriorityPrivilege 2572 wmic.exe Token: SeCreatePagefilePrivilege 2572 wmic.exe Token: SeBackupPrivilege 2572 wmic.exe Token: SeRestorePrivilege 2572 wmic.exe Token: SeShutdownPrivilege 2572 wmic.exe Token: SeDebugPrivilege 2572 wmic.exe Token: SeSystemEnvironmentPrivilege 2572 wmic.exe Token: SeRemoteShutdownPrivilege 2572 wmic.exe Token: SeUndockPrivilege 2572 wmic.exe Token: SeManageVolumePrivilege 2572 wmic.exe Token: 33 2572 wmic.exe Token: 34 2572 wmic.exe Token: 35 2572 wmic.exe Token: SeIncreaseQuotaPrivilege 740 wmic.exe Token: SeSecurityPrivilege 740 wmic.exe Token: SeTakeOwnershipPrivilege 740 wmic.exe Token: SeLoadDriverPrivilege 740 wmic.exe Token: SeSystemProfilePrivilege 740 wmic.exe Token: SeSystemtimePrivilege 740 wmic.exe Token: SeProfSingleProcessPrivilege 740 wmic.exe Token: SeIncBasePriorityPrivilege 740 wmic.exe Token: SeCreatePagefilePrivilege 740 wmic.exe Token: SeBackupPrivilege 740 wmic.exe Token: SeRestorePrivilege 740 wmic.exe Token: SeShutdownPrivilege 740 wmic.exe Token: SeDebugPrivilege 740 wmic.exe Token: SeSystemEnvironmentPrivilege 740 wmic.exe Token: SeRemoteShutdownPrivilege 740 wmic.exe Token: SeUndockPrivilege 740 wmic.exe Token: SeManageVolumePrivilege 740 wmic.exe Token: 33 740 wmic.exe Token: 34 740 wmic.exe Token: 35 740 wmic.exe -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 2664 wrote to memory of 2788 2664 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe 30 PID 2664 wrote to memory of 2788 2664 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe 30 PID 2664 wrote to memory of 2788 2664 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe 30 PID 2664 wrote to memory of 2788 2664 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe 30 PID 2664 wrote to memory of 2732 2664 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe 33 PID 2664 wrote to memory of 2732 2664 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe 33 PID 2664 wrote to memory of 2732 2664 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe 33 PID 2664 wrote to memory of 2732 2664 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe 33 PID 2664 wrote to memory of 2608 2664 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe 35 PID 2664 wrote to memory of 2608 2664 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe 35 PID 2664 wrote to memory of 2608 2664 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe 35 PID 2664 wrote to memory of 2608 2664 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe 35 PID 2664 wrote to memory of 2572 2664 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe 37 PID 2664 wrote to memory of 2572 2664 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe 37 PID 2664 wrote to memory of 2572 2664 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe 37 PID 2664 wrote to memory of 2572 2664 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe 37 PID 2664 wrote to memory of 2692 2664 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe 39 PID 2664 wrote to memory of 2692 2664 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe 39 PID 2664 wrote to memory of 2692 2664 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe 39 PID 2664 wrote to memory of 2692 2664 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe 39 PID 2664 wrote to memory of 740 2664 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe 41 PID 2664 wrote to memory of 740 2664 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe 41 PID 2664 wrote to memory of 740 2664 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe 41 PID 2664 wrote to memory of 740 2664 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe 41 PID 824 wrote to memory of 2564 824 taskeng.exe 46 PID 824 wrote to memory of 2564 824 taskeng.exe 46 PID 824 wrote to memory of 2564 824 taskeng.exe 46 PID 824 wrote to memory of 2564 824 taskeng.exe 46 -
System policy modification 1 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe"C:\Users\Admin\AppData\Local\Temp\20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe"1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2664 -
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet2⤵
- System Location Discovery: System Language Discovery
- Interacts with shadow copies
PID:2788
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2732
-
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet2⤵
- System Location Discovery: System Language Discovery
- Interacts with shadow copies
PID:2608
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2572
-
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet2⤵
- System Location Discovery: System Language Discovery
- Interacts with shadow copies
PID:2692
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:740
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2716
-
C:\Windows\system32\taskeng.exetaskeng.exe {C1885F41-BA4E-4F4D-993E-61C2658F2877} S-1-5-21-457978338-2990298471-2379561640-1000:WOUOSVRD\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
PID:824 -
C:\Users\Admin\AppData\Roaming\svhost.exeC:\Users\Admin\AppData\Roaming\svhost.exe2⤵
- Executes dropped EXE
PID:2564
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Direct Volume Access
1Impair Defenses
1Disable or Modify Tools
1Indicator Removal
2File Deletion
2Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
669KB
MD5ed858a19f5881d5b4c1d291fc3c50bde
SHA12becf1d3b743ecf638568065aeb631653f69d003
SHA256f6e687b576ad52361379864e8065da6fb698df4ec6e0a1f664670229717eb230
SHA5127c6c83e63ff207b4957b58f076304724007b0b886388f07142264f516dfcda1d12f73ec8e71bba0cce6ed6d2a31d055c61f5df4bb95442bef88e9c16f1c57906
-
Filesize
536B
MD5bc4891aa7b38a63743a30b20c1a42bac
SHA1c0bfd7b8de4a0581be5a5142c260ee02b488f268
SHA25693c1be835fc6156ee4f63964ce7da4599ac3730fa3e94f30d7072b398bebb54a
SHA5126a3b4a35d17153b9659800e4ff2f17eede8a5b21d8e9823c3884eb0bc966b7367e58010161994307639be6f7a2d6bf925e18a8ea56e3cb06228a1723825ba295
-
Filesize
4KB
MD5a0194e790cf3dc5517e9f17769ea853e
SHA1b6aa635c73277caecee2e2ae89a512480bc332c3
SHA2566f9299c47ad6c8e51e241b0ef725a63a81231eae735ad96d5df89f771f5d5971
SHA512958851c2ecd4ee21b43b3ac57189572ecfe1cc3ffa230847aa56aa40502fc60be4e0920b5bc831f04ae9dd6dc70906985a6aeaeb34c5a87dc81902557df98f7a