Overview

overview

10

Static

static

10

svhost.exe

windows7_x64

10

svhost.exe

windows10_x64

10

Analysis

  • max time kernel
    300s
  • max time network
    282s
  • platform
    windows10_x64
  • resource
    win10-en
  • submitted
    18/09/2021, 11:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    svhost.exe

  • Size

    669KB

  • MD5

    5ec29d96f5fefb2d726f9e120786eaa9

  • SHA1

    3f8d050bd4e823b1f2c681856d1ae6d9007d5861

  • SHA256

    8ee1f51602f957fa82c7e9c0d834d28873307a0c576ab8c7cc99ca85fcf43b2e

  • SHA512

    e21682f2bfee29cd0c0765a10463b2f57bde5996fa367ee2b8b6f7fae9bf5703aec24319ddf2e33890b352331f8fedda41d79ff04ec8a881a6469f6bdba0d5ff

Score
10/10
medusalockerevasionransomwarespywarestealertrojan

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HOW_TO_RECOVER_DATA.html

Family

medusalocker

Ransom Note
Your personal ID: 6E62911231724EFB640514F02BC7153B5D015DD08FEF741BC674499CB24932B5F4EB14622314007E3764B11EF82DBBC42EA41CF76AD782BB9C2197A9BB68F734 CAEE29B251BB44CC4E26002F6EF933200AA830AB8CC806986A253FB5C61C87C24E1129131D98FE649DE327D92E74D0714D354A4C40C710609F7E6EEE1060 DD1D3CE1DB4F0176BBA57E49ACD22D24F84BBC66069396AFE8308427CA552546248DF65E5971952C07DD6A4AF13C5536A1182BB16C462F0DCBA3590E26A1 B97ED67A5DB132D67CE468B50FDC5731F9A1E39CBB1E99F54CC87F07D973DB0A22264258F003B3443AC6211DE6E3CC49117A2DDD106C9E18588676E7EDC9 DE97E1221059D3418712EECC28BD810BB0F48801D849B4CFFAC6A662C08B28D3DFA1EAC880F8D3A18A6205391BC6DC17B0222CE21E67FD22EE17B507AB35 5B4B57DE9E9C1FFE24EC8E46C656536BB1D13402440ABEB55481B4AAB9EF7ECD55C70B1916D47A6DB9CC4F83276D1D57089272BB8BE9355C5D7D5FC5959B EFF50C34323BF8FCAB55D22E96CF88F3E63FE652F1215BD89B6672B26DFF18C3F6CA7B599FA68731C8D2AAFE0876E02E7A09B22AE1E6CBD7120D37CBC74B 2F849B9DD94226E71016BDCD388E18B65751BE196751EEFEEC1E693BE2B019E0D971D1315061F5676D0C8B0B8B89CE4F8D2CC770ACF035C882DD3FCB9E54 6A6F5D03DCE38C44772285E43C33 /!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\ All your important files have been encrypted! Your files are safe! Only modified. (RSA+AES) ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE WILL PERMANENTLY CORRUPT IT. DO NOT MODIFY ENCRYPTED FILES. DO NOT RENAME ENCRYPTED FILES. No software available on internet can help you. We are the only ones able to solve your problem. We gathered highly confidential/personal data. These data are currently stored on a private server. This server will be immediately destroyed after your payment. If you decide to not pay, we will release your data to public or re-seller. So you can expect your data to be publicly available in the near future.. We only seek money and our goal is not to damage your reputation or prevent your business from running. You will can send us 2-3 non-important files and we will decrypt it for free to prove we are able to give your files back. Contact us for price and get decryption software. .onion * Note that this server is available via Tor browser only Follow the instructions to open the link: 1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site. 2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it. 3. Now you have Tor browser. In the Tor Browser open .onion 4. Start a chat and follow the further instructions. If you can not use the above link, use the email: [email protected] [email protected] * To contact us, create a new free email account on the site: protonmail.com IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.

Signatures

  • MedusaLocker

    Ransomware with several variants first seen in September 2019.

    ransomwaremedusalocker
  • UAC bypass 3 TTPs
    evasiontrojan
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies extensions of user files 11 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 3 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • System policy modification 1 TTPs 3 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\svhost.exe
    "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
    1⤵
    • Modifies extensions of user files
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4720
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:4784
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4916
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:4976
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:5028
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:5084
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1704
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4868
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4024
  • C:\Windows\system32\browser_broker.exe
    C:\Windows\system32\browser_broker.exe -Embedding
    1⤵
    • Modifies Internet Explorer settings
    PID:4344
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3292
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    PID:2660
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    PID:4968

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads