Resubmissions

04-10-2021 11:00

211004-m37gpsgccl 10

20-09-2021 11:57

210920-n4q2sagfap 10

Analysis

  • max time kernel
    150s
  • max time network
    143s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    20-09-2021 11:57

General

  • Target

    B06.exe

  • Size

    4.5MB

  • MD5

    49fb0e5a3415155c24d6839250cd7fed

  • SHA1

    69fa4c797df21b98740368c268cfd1919bf4a6e0

  • SHA256

    f2a155473c06ecad973676f1e2a8d228ab4a8adf32a87477c716f31fddf6cbaf

  • SHA512

    4bcf713b36e0c0bd1e12018cc835a988dbbb2d54556531ebddf97435fd430dab0393fe55e16de5b0c894a49fbea7829f2e6cba5214230f4ee70978a6a87ce397

Malware Config

Signatures

  • MedusaLocker

    Ransomware with several variants first seen in September 2019.

  • MedusaLocker Payload 1 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Deletes System State backups 3 TTPs 2 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Drops file in Drivers directory 12 IoCs
  • Modifies extensions of user files 44 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 41 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 49 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 13 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Internet Explorer settings 1 TTPs 35 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 41 IoCs
  • System policy modification 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\B06.exe
    "C:\Users\Admin\AppData\Local\Temp\B06.exe"
    1⤵
    • Drops file in Drivers directory
    • Modifies extensions of user files
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4648
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=401MB
      2⤵
      • Interacts with shadow copies
      PID:4744
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=unbounded
      2⤵
      • Interacts with shadow copies
      PID:5024
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=401MB
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:5076
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=unbounded
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:4108
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=401MB
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:2024
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=unbounded
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:3492
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=401MB
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:3700
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=unbounded
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:740
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=401MB
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:4260
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=unbounded
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:3316
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=401MB
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:3132
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=unbounded
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:4264
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:3344
    • C:\Windows\SYSTEM32\bcdedit.exe
      bcdedit.exe /set {default} recoveryenabled No
      2⤵
      • Modifies boot configuration data using bcdedit
      PID:804
    • C:\Windows\SYSTEM32\bcdedit.exe
      bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      • Modifies boot configuration data using bcdedit
      PID:64
    • C:\Windows\SYSTEM32\wbadmin.exe
      wbadmin DELETE SYSTEMSTATEBACKUP
      2⤵
      • Deletes System State backups
      • Drops file in Windows directory
      PID:1112
    • C:\Windows\SYSTEM32\wbadmin.exe
      wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
      2⤵
      • Deletes System State backups
      • Drops file in Windows directory
      PID:1432
    • C:\Windows\System32\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1692
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\B06.exe >> NUL
      2⤵
      PID:4612
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4840
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\ReadMe_Instruction.mht
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4964
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4964 CREDAT:82945 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:5072
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService -s CryptSvc
    1⤵
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    PID:1968

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Execution
    Command-Line Interface (1) T1059
  • Persistence
    Registry Run Keys / Startup Folder (1) T1060
  • Defense Evasion
    File Deletion (3) T1107
    Modify Registry (3) T1112
  • Credential Access
    Credentials in Files (1) T1081
  • Discovery
    Query Registry (1) T1012
    Peripheral Device Discovery (1) T1120
    System Information Discovery (2) T1082
  • Collection
    Data from Local System (1) T1005
  • Impact
    Inhibit System Recovery (4) T1490


Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
  • C:\Users\Admin\Desktop\ReadMe_Instruction.mht
  • C:\Users\Admin\Favorites\Bing.url.udacha