Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
127s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
22/12/2024, 06:02
Behavioral task
behavioral1
Sample
46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe
Resource
win7-20241010-en
windows7-x64
19 signatures
150 seconds
Behavioral task
behavioral2
Sample
46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
16 signatures
150 seconds
General
-
Target
46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe
-
Size
669KB
-
MD5
f3f4909771e23ec301ae2a2c5945f25c
-
SHA1
0cbbc30d64966d7108f3404979058285d8ed250c
-
SHA256
46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd
-
SHA512
fd928762c0ddc8301092504874b0ff4ad81a65c4cd385a493db2a5dcce786bcb2f915869958a6618ba10ac443ac6af6a458fed5ec2aedc52e0c649d9d72c27ad
-
SSDEEP
12288:dQA0FfTcwpBuV2UxqDmuiLZeUaoFi2XZWfGe615HhAZV8DEKD/KeX:Tuf4wTuV2Ux3uIZeUBi2Te6HWxKrKe
Malware Config
Extracted
Path
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\HOW_TO_RECOVER_DATA.html
Ransom Note
<html>
<style type="text/css">
body {
background-color: #f5f5f5;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
display: block;
margin: auto;
}
.tabs1 .head{
text-align: center;
float: top;
padding: 0px;
text-transform: uppercase;
font-weight: normal;
display: block;
background: #81bef7;
color: #DF0101;
font-size: 30px;
}
.tabs1 .identi {
font-size: 10px;
text-align: center;
float: top;
padding: 15px;
display: block;
background: #81bef7;
color: #DFDFDF;
}
.tabs .content {
background: #f5f5f5;
/*text-align: center;*/
color: #000000;
padding: 25px 15px;
font-size: 15px;
font-weight: 400;
line-height: 20px; }
.tabs .content a {
color: #df0130;
font-size: 23px;
font-style: italic;
text-decoration: none;
line-height: 35px; }
.tabs .content .text{
padding: 25px;
line-height: 1.2;
}
</style>
<body>
<div class="tabs1">
<div class="head" ><b>Your personal ID:</b></div>
<div class="identi">
<span style="width:1000px; color: #ffffff; font-size: 10px;">CE41AB83A698B125083605A4E6858E8A4AFADEA9D9BB75E2617503994CCD0AD38BF07B6C1DF0CAECB440C5DABA532DA45F5D578890D9969B95D452CA842E8548<br>8BDC7B74AA60F4B758128E36793B0E6CDA7DA584D6C77C31013A5FD7FC00339BF4AB80EDD1A4C1CE16578D2B7A61B5730D8F3CD24EA6EC7F2229DA102816<br>A946F0EC76FC192E3C07AC64FEA9EE84A7BBC3040F9586F2E0237B46CE5C29C8132CAC0830DD7D035F14269CCB19F73838026022F6662030820C81B59852<br>9A836C1560C5DDB3B412E4706B59719AA770C402CE5A3486CFFFF153CAA99B1EEE99EB131FCBCBBB407D373C63FA8C4AAFD3ED6EE63B51D3A69F852EEA16<br>D2C8F6AFBC8EA638794538A539EAFAAB74226998CEB4B29DD815CE6CC5C68F2914162F66C3D1F820C79BB389D1311FB35823FC58229224D13F191A12F0D7<br>8FA55F5DFCCDD8261E611FCAF159BC7F0ADF051B18C301DD1AB34325808435477AF1A102BBB4D256553CC0C61B1C84737A06D301C5E337C235763EB776DC<br>D0F5BC0C297FFB837F5650B3538133571123ADDAFC35D901AF99000CA71BD3BB3B6300C1E9D1BF4F7DF759E3A72B50B004042511B6B4195270CD2FF59902<br>753A1D58624310FEB40B1247226DFBAF65BB1DDB7AFD5208F902DF72DEC398CAF9F096EE6965D532E4B8C97F2C2675720CE1D08D3000F9ECE3510A99A351<br>E127B93525CFD3801A9E1776B54C</span> <br>
<!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<div id="tab-content1" class="content">
<div class="text">
<!--text data -->
<b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br>
<b>All your important files have been encrypted!</b><br><br>
<hr>
Your files are safe! Only modified. (RSA+AES)<br><br>
ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br>
WILL PERMANENTLY CORRUPT IT.<br>
DO NOT MODIFY ENCRYPTED FILES.<br>
DO NOT RENAME ENCRYPTED FILES.<br><br>
No software available on internet can help you. We are the only ones able to<br>
solve your problem.<br><br>
We gathered highly confidential/personal data. These data are currently stored on<br>
a private server. This server will be immediately destroyed after your payment.<br>
If you decide to not pay, we will release your data to public or re-seller.<br>
So you can expect your data to be publicly available in the near future..<br><br>
We only seek money and our goal is not to damage your reputation or prevent<br>
your business from running.<br><br>
You will can send us 2-3 non-important files and we will decrypt it for free<br>
to prove we are able to give your files back.<br><br>
<!--text data -->
<hr>
<b>Contact us for price and get decryption software.</b><br><br>
<a>.onion</a><br>
* Note that this server is available via Tor browser only<br><br>
Follow the instructions to open the link:<br>
1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br>
2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br>
3. Now you have Tor browser. In the Tor Browser open <a>.onion<br>
</a>
4. Start a chat and follow the further instructions. <br>
<hr>
<b>If you can not use the above link, use the email:</b><br>
<a href="[email protected] ">[email protected] </a> <br>
<a href="[email protected] ">[email protected] </a> <br>
<p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br>
<b>
IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br>
</div>
</div>
</div>
<!--tab-->
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>
Emails
Signatures
-
MedusaLocker
Ransomware with several variants first seen in September 2019.
-
MedusaLocker payload 1 IoCs
resource yara_rule behavioral1/files/0x00080000000120fc-1006.dat family_medusalocker -
Medusalocker family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe -
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (328) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Executes dropped EXE 1 IoCs
pid Process 3032 svhost.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe -
Drops desktop.ini file(s) 1 IoCs
description ioc Process File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-2039016743-699959520-214465309-1000\desktop.ini 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\J: 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe File opened (read-only) \??\L: 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe File opened (read-only) \??\N: 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe File opened (read-only) \??\X: 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe File opened (read-only) \??\G: 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe File opened (read-only) \??\P: 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe File opened (read-only) \??\F: 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe File opened (read-only) \??\R: 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe File opened (read-only) \??\T: 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe File opened (read-only) \??\U: 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe File opened (read-only) \??\V: 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe File opened (read-only) \??\A: 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe File opened (read-only) \??\B: 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe File opened (read-only) \??\E: 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe File opened (read-only) \??\K: 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe File opened (read-only) \??\Y: 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe File opened (read-only) \??\Z: 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe File opened (read-only) \??\Q: 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe File opened (read-only) \??\S: 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe File opened (read-only) \??\W: 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe File opened (read-only) \??\H: 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe File opened (read-only) \??\I: 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe File opened (read-only) \??\M: 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe File opened (read-only) \??\O: 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wmic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssadmin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wmic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssadmin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wmic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssadmin.exe -
Interacts with shadow copies 3 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 2096 vssadmin.exe 2940 vssadmin.exe 2884 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2032 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe 2032 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe 2032 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe 2032 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe 2032 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe 2032 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe 2032 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe 2032 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe 2032 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe 2032 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe 2032 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe 2032 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe 2032 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe 2032 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe 2032 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe 2032 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe 2032 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe 2032 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe 2032 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe 2032 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe 2032 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe 2032 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe 2032 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe 2032 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe 2032 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe 2032 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe 2032 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe 2032 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe 2032 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe 2032 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe 2032 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe 2032 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe 2032 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe 2032 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe 2032 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe 2032 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe 2032 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe 2032 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe 2032 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe 2032 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe 2032 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe 2032 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe 2032 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe 2032 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe 2032 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe 2032 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe 2032 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe 2032 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe 2032 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe 2032 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe 2032 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe 2032 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe 2032 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe 2032 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe 2032 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe 2032 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe 2032 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe 2032 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe 2032 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe 2032 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe 2032 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe 2032 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe 2032 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe 2032 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe -
Suspicious use of AdjustPrivilegeToken 63 IoCs
description pid Process Token: SeBackupPrivilege 2028 vssvc.exe Token: SeRestorePrivilege 2028 vssvc.exe Token: SeAuditPrivilege 2028 vssvc.exe Token: SeIncreaseQuotaPrivilege 2824 wmic.exe Token: SeSecurityPrivilege 2824 wmic.exe Token: SeTakeOwnershipPrivilege 2824 wmic.exe Token: SeLoadDriverPrivilege 2824 wmic.exe Token: SeSystemProfilePrivilege 2824 wmic.exe Token: SeSystemtimePrivilege 2824 wmic.exe Token: SeProfSingleProcessPrivilege 2824 wmic.exe Token: SeIncBasePriorityPrivilege 2824 wmic.exe Token: SeCreatePagefilePrivilege 2824 wmic.exe Token: SeBackupPrivilege 2824 wmic.exe Token: SeRestorePrivilege 2824 wmic.exe Token: SeShutdownPrivilege 2824 wmic.exe Token: SeDebugPrivilege 2824 wmic.exe Token: SeSystemEnvironmentPrivilege 2824 wmic.exe Token: SeRemoteShutdownPrivilege 2824 wmic.exe Token: SeUndockPrivilege 2824 wmic.exe Token: SeManageVolumePrivilege 2824 wmic.exe Token: 33 2824 wmic.exe Token: 34 2824 wmic.exe Token: 35 2824 wmic.exe Token: SeIncreaseQuotaPrivilege 2688 wmic.exe Token: SeSecurityPrivilege 2688 wmic.exe Token: SeTakeOwnershipPrivilege 2688 wmic.exe Token: SeLoadDriverPrivilege 2688 wmic.exe Token: SeSystemProfilePrivilege 2688 wmic.exe Token: SeSystemtimePrivilege 2688 wmic.exe Token: SeProfSingleProcessPrivilege 2688 wmic.exe Token: SeIncBasePriorityPrivilege 2688 wmic.exe Token: SeCreatePagefilePrivilege 2688 wmic.exe Token: SeBackupPrivilege 2688 wmic.exe Token: SeRestorePrivilege 2688 wmic.exe Token: SeShutdownPrivilege 2688 wmic.exe Token: SeDebugPrivilege 2688 wmic.exe Token: SeSystemEnvironmentPrivilege 2688 wmic.exe Token: SeRemoteShutdownPrivilege 2688 wmic.exe Token: SeUndockPrivilege 2688 wmic.exe Token: SeManageVolumePrivilege 2688 wmic.exe Token: 33 2688 wmic.exe Token: 34 2688 wmic.exe Token: 35 2688 wmic.exe Token: SeIncreaseQuotaPrivilege 2872 wmic.exe Token: SeSecurityPrivilege 2872 wmic.exe Token: SeTakeOwnershipPrivilege 2872 wmic.exe Token: SeLoadDriverPrivilege 2872 wmic.exe Token: SeSystemProfilePrivilege 2872 wmic.exe Token: SeSystemtimePrivilege 2872 wmic.exe Token: SeProfSingleProcessPrivilege 2872 wmic.exe Token: SeIncBasePriorityPrivilege 2872 wmic.exe Token: SeCreatePagefilePrivilege 2872 wmic.exe Token: SeBackupPrivilege 2872 wmic.exe Token: SeRestorePrivilege 2872 wmic.exe Token: SeShutdownPrivilege 2872 wmic.exe Token: SeDebugPrivilege 2872 wmic.exe Token: SeSystemEnvironmentPrivilege 2872 wmic.exe Token: SeRemoteShutdownPrivilege 2872 wmic.exe Token: SeUndockPrivilege 2872 wmic.exe Token: SeManageVolumePrivilege 2872 wmic.exe Token: 33 2872 wmic.exe Token: 34 2872 wmic.exe Token: 35 2872 wmic.exe -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 2032 wrote to memory of 2096 2032 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe 30 PID 2032 wrote to memory of 2096 2032 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe 30 PID 2032 wrote to memory of 2096 2032 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe 30 PID 2032 wrote to memory of 2096 2032 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe 30 PID 2032 wrote to memory of 2824 2032 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe 34 PID 2032 wrote to memory of 2824 2032 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe 34 PID 2032 wrote to memory of 2824 2032 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe 34 PID 2032 wrote to memory of 2824 2032 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe 34 PID 2032 wrote to memory of 2940 2032 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe 36 PID 2032 wrote to memory of 2940 2032 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe 36 PID 2032 wrote to memory of 2940 2032 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe 36 PID 2032 wrote to memory of 2940 2032 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe 36 PID 2032 wrote to memory of 2688 2032 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe 38 PID 2032 wrote to memory of 2688 2032 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe 38 PID 2032 wrote to memory of 2688 2032 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe 38 PID 2032 wrote to memory of 2688 2032 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe 38 PID 2032 wrote to memory of 2884 2032 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe 40 PID 2032 wrote to memory of 2884 2032 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe 40 PID 2032 wrote to memory of 2884 2032 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe 40 PID 2032 wrote to memory of 2884 2032 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe 40 PID 2032 wrote to memory of 2872 2032 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe 42 PID 2032 wrote to memory of 2872 2032 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe 42 PID 2032 wrote to memory of 2872 2032 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe 42 PID 2032 wrote to memory of 2872 2032 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe 42 PID 3068 wrote to memory of 3032 3068 taskeng.exe 48 PID 3068 wrote to memory of 3032 3068 taskeng.exe 48 PID 3068 wrote to memory of 3032 3068 taskeng.exe 48 PID 3068 wrote to memory of 3032 3068 taskeng.exe 48 -
System policy modification 1 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" 46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe"C:\Users\Admin\AppData\Local\Temp\46c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd.exe"1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2032 -
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet2⤵
- System Location Discovery: System Language Discovery
- Interacts with shadow copies
PID:2096
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2824
-
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet2⤵
- System Location Discovery: System Language Discovery
- Interacts with shadow copies
PID:2940
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2688
-
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet2⤵
- System Location Discovery: System Language Discovery
- Interacts with shadow copies
PID:2884
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2872
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2028
-
C:\Windows\system32\taskeng.exetaskeng.exe {B390AF0D-2021-4F01-92CB-73310B62A680} S-1-5-21-2039016743-699959520-214465309-1000:PIDEURYY\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
PID:3068 -
C:\Users\Admin\AppData\Roaming\svhost.exeC:\Users\Admin\AppData\Roaming\svhost.exe2⤵
- Executes dropped EXE
PID:3032
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Direct Volume Access
1Impair Defenses
1Disable or Modify Tools
1Indicator Removal
2File Deletion
2Modify Registry
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
5KB
MD58341652095b46c6c48c52648a992c2cd
SHA118030dca0ee27f75ad563883390540e7d80d27ff
SHA2569689c3d1e0b8c6292c0ddefb23194819d88eb79f52047b1b4c85f631e17ef2d5
SHA5124dbb67bf7b55e2ceba410c6b323791c925730851c2067a1f8205b0a3e641a036367b90c53076470ffd9a2d5027549a66cd18e50bf08c9cb112abec50397f68bb
-
Filesize
669KB
MD5f3f4909771e23ec301ae2a2c5945f25c
SHA10cbbc30d64966d7108f3404979058285d8ed250c
SHA25646c9bed88ac58193eb8c1b2ca91cfede01a74dafa4315ff57b7d3bb0c8a779cd
SHA512fd928762c0ddc8301092504874b0ff4ad81a65c4cd385a493db2a5dcce786bcb2f915869958a6618ba10ac443ac6af6a458fed5ec2aedc52e0c649d9d72c27ad
-
Filesize
536B
MD5025a2410651d0d4e535e1689923cceb7
SHA16ae8cc7c360967ef6c3d7616989efedf37020d2b
SHA25679c8a2bad53aa8e2f91d33deefc3223b27ffcd8cd669323d5d416de1c26114f3
SHA51231a889e27844a7fee14107a772094df41d2b0722692417f21fc04eb5f3b346a5e8282c961d595ecfa376cdb179194dff435e2667fdcf762bfaa341158b2b5e2b