General

  • Target

    c72719f7a27e043e16f452ce87ea8bf0f89fcca520721aa59820f7b1efdc01b7

  • Size

    212KB

  • Sample

    210921-fpy5vaagcr

  • MD5

    a2b0efc0a408c73e6a3501b3a5a0c627

  • SHA1

    492af61143910c55bdebc87bbad30bede3605f1c

  • SHA256

    c72719f7a27e043e16f452ce87ea8bf0f89fcca520721aa59820f7b1efdc01b7

  • SHA512

    561ff63e4a125ce6bf8f79db5d451fdbd81e9fb36e92bcea2cdd3879d6ed8957cb7243ededf1e68ec61a6703eef96f1228d1667f8d660c32ad2585afe93131fd

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://venerynnet1.top/

http://kevonahira2.top/

http://vegangelist3.top/

http://kingriffaele4.top/

http://arakeishant5.top/

rc4.i32
rc4.i32

Targets

    • MedusaLocker

      Ransomware with several variants first seen in September 2019.

    • MedusaLocker Payload

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes System State backups

      Uses wbadmin.exe to inhibit system recovery.

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks