Windows
Analysis Report
98j0BL6iLT.exe
Overview
General Information
Detection
MedusaLocker, Babuk, Conti, Marlock
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Yara detected Conti ransomware
Yara detected UAC Bypass using CMSTP
Contains functionality to bypass UAC (CMSTPLUA)
Multi AV Scanner detection for submitted file
Yara detected MedusaLocker Ransomware
Malicious sample detected (through community Yara rule)
Yara detected Babuk Ransomware
Antivirus / Scanner detection for submitted sample
Sigma detected: MedusaLocker
Yara detected Marlock Ransomware
Yara detected RansomwareGeneric
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Contains functionality to modify Windows User Account Control (UAC) settings
Spreads via windows shares (copies files to share folders)
Machine Learning detection for sample
Writes many files with high entropy
Machine Learning detection for dropped file
Writes a notice file (html or txt) to demand a ransom
Deletes shadow drive data (may be related to ransomware)
Disables UAC (registry)
May use bcdedit to modify the Windows boot settings
Uses 32bit PE files
Queries the volume information (name, serial number, etc.) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Creates COM task schedule object (often to register a task for autostart)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Sample file is different than original file name gathered from version info
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks for available system drives (often done to infect USB drives)
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality to delete services
Contains functionality to query network adapter information
Creates a process in suspended mode (likely to inject code)
Classification
- System is w10x64
- 98j0BL6iLT.exe (PID: 6072, cmdline: C:\Users\user\Desktop\98j0BL6iLT.exe, MD5: 646698572AFBBF24F50EC5681FEB2DB7)
  - vssadmin.exe (PID: 2304, cmdline: vssadmin.exe Delete Shadows /All /Quiet, MD5: 7E30B94672107D3381A1D175CF18C147)
    - conhost.exe (PID: 2464, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  - WMIC.exe (PID: 5876, cmdline: wmic.exe SHADOWCOPY /nointeractive, MD5: 79A01FCD1C8166C5642F37D1E0FB7BA8)
    - conhost.exe (PID: 5884, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  - vssadmin.exe (PID: 5908, cmdline: vssadmin.exe Delete Shadows /All /Quiet, MD5: 7E30B94672107D3381A1D175CF18C147)
    - conhost.exe (PID: 4976, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  - WMIC.exe (PID: 4924, cmdline: wmic.exe SHADOWCOPY /nointeractive, MD5: 79A01FCD1C8166C5642F37D1E0FB7BA8)
    - conhost.exe (PID: 4920, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  - vssadmin.exe (PID: 5932, cmdline: vssadmin.exe Delete Shadows /All /Quiet, MD5: 7E30B94672107D3381A1D175CF18C147)
    - conhost.exe (PID: 5456, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  - WMIC.exe (PID: 68, cmdline: wmic.exe SHADOWCOPY /nointeractive, MD5: 79A01FCD1C8166C5642F37D1E0FB7BA8)
    - conhost.exe (PID: 5772, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  - svhost.exe (PID: 6088, cmdline: C:\Users\user\AppData\Roaming\svhost.exe, MD5: 646698572AFBBF24F50EC5681FEB2DB7)
- cleanup
No configs have been found.
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | |
| | JoeSecurity_MedusaLocker | Yara detected MedusaLocker Ransomware | Joe Security | |
| | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen | |
| | MALWARE_Win_MedusaLocker | Detects MedusaLocker ransomware | ditekshen | |
| | RAN_MedusaLocker_Aug_2021_1 | Detect MedusaLocker ransomware | Arkbird_SOLG | |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | |
| | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen | |
| | MALWARE_Win_MedusaLocker | Detects MedusaLocker ransomware | ditekshen | |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | |
| | JoeSecurity_MedusaLocker | Yara detected MedusaLocker Ransomware | Joe Security | |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | |
| | JoeSecurity_MedusaLocker | Yara detected MedusaLocker Ransomware | Joe Security | |
| | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen | |
| | MALWARE_Win_MedusaLocker | Detects MedusaLocker ransomware | ditekshen | |
Spam, unwanted Advertisements and Ransom Demands
Author: Joe Security
No Snort rule has matched.
AV Detection
Source: ReversingLabs (2 entries)
Source: Virustotal (Perma Link)
Source: Avira (5 entries)
Source: Joe Sandbox ML (2 entries)
Source: Code function: 1_2_00E660F0, 1_2_00E660D0, 1_2_00E66090, 1_2_00E661A0, 1_2_00E66150, 1_2_00E66210, 1_2_00E65CB0, 1_2_00E655A0, 1_2_00E65DA0, 1_2_00E65D30
Exploits
Source: File source (11 entries)
Privilege Escalation
Source: Code function: 1_2_00E70C80
Source: Static PE information (2 entries)
Source: HTTPS traffic detected (1 entry)
Source: Binary string (16 entries)
Spreading
Source: File created (4 entries)
Source: Key opened (16 entries)
Source: File opened (25 entries)
Source: JA3 fingerprint (1 entry)
Source: HTTP traffic detected (1 entry)