Resubmissions

  • 04-10-2021 11:00  211004-m37gpsgccl  10
  • 20-09-2021 11:57  210920-n4q2sagfap  10

Analysis

  • max time kernel
    149s
  • max time network
    63s
  • platform
    windows7_x64
  • resource
    win7-en-20210920
  • submitted
    04-10-2021 11:00

General

  • Target

    B06.exe

  • Size

    4.5MB

  • MD5

    49fb0e5a3415155c24d6839250cd7fed

  • SHA1

    69fa4c797df21b98740368c268cfd1919bf4a6e0

  • SHA256

    f2a155473c06ecad973676f1e2a8d228ab4a8adf32a87477c716f31fddf6cbaf

  • SHA512

    4bcf713b36e0c0bd1e12018cc835a988dbbb2d54556531ebddf97435fd430dab0393fe55e16de5b0c894a49fbea7829f2e6cba5214230f4ee70978a6a87ce397

Malware Config

Signatures

  • MedusaLocker

    Ransomware with several variants first seen in September 2019.

  • MedusaLocker Payload 1 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Deletes System State backups 3 TTPs 2 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Drops file in Drivers directory 12 IoCs
  • Modifies extensions of user files 37 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Deletes itself 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 41 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 42 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 13 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Internet Explorer settings 1 TTPs 61 IoCs
  • Modifies registry class 2 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\B06.exe
    "C:\Users\Admin\AppData\Local\Temp\B06.exe"
    1⤵
    • Drops file in Drivers directory
    • Modifies extensions of user files
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1272
    • C:\Windows\system32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=401MB
      2⤵
      • Interacts with shadow copies
      PID:976
    • C:\Windows\system32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=unbounded
      2⤵
      • Interacts with shadow copies
      PID:1540
    • C:\Windows\system32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=401MB
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:1820
    • C:\Windows\system32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=unbounded
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:772
    • C:\Windows\system32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=401MB
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:1644
    • C:\Windows\system32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=unbounded
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:1664
    • C:\Windows\system32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=401MB
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:1556
    • C:\Windows\system32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=unbounded
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:1888
    • C:\Windows\system32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=401MB
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:1716
    • C:\Windows\system32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=unbounded
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:1632
    • C:\Windows\system32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=401MB
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:1116
    • C:\Windows\system32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=unbounded
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:1532
    • C:\Windows\system32\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:236
    • C:\Windows\system32\bcdedit.exe
      bcdedit.exe /set {default} recoveryenabled No
      2⤵
      • Modifies boot configuration data using bcdedit
      PID:1348
    • C:\Windows\system32\bcdedit.exe
      bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      • Modifies boot configuration data using bcdedit
      PID:1592
    • C:\Windows\system32\wbadmin.exe
      wbadmin DELETE SYSTEMSTATEBACKUP
      2⤵
      • Deletes System State backups
      • Drops file in Windows directory
      PID:1828
    • C:\Windows\system32\wbadmin.exe
      wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
      2⤵
      • Deletes System State backups
      • Drops file in Windows directory
      PID:1244
    • C:\Windows\System32\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:632
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\B06.exe >> NUL
      2⤵
      • Deletes itself
      PID:1244
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:548
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\ReadMe_Instruction.mht
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1608
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1608 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:220
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\ReadMe_Instruction.mht
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1840
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1840 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1604
  • C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\UseMount.mpeg.udacha
    1⤵
    • Modifies registry class
    PID:436
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\UseMount.mpeg.udacha
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:1372
  • C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Music\HideTest.bmp.udacha
    1⤵
    • Modifies registry class
    PID:1840

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Execution: Command-Line Interface, T1059 (1)
  • Persistence: Registry Run Keys / Startup Folder, T1060 (1)
  • Defense Evasion: File Deletion, T1107 (3)
  • Defense Evasion: Modify Registry, T1112 (3)
  • Credential Access: Credentials in Files, T1081 (1)
  • Discovery: Query Registry, T1012 (1)
  • Discovery: Peripheral Device Discovery, T1120 (1)
  • Discovery: System Information Discovery, T1082 (2)
  • Collection: Data from Local System, T1005 (1)
  • Impact: Inhibit System Recovery, T1490 (4)

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5A5234F1-2502-11EC-826A-5A38D35B81CE}.dat
    MD5

    6ab9527553980003b077e5de90836b95

    SHA1

    cf0038e0bee18fbc1951e4c583d611c01ad72024

    SHA256

    45260f947ac3d6b2071264e0a78913f7f7205d8c00f1b7b8bd386c590e9d203c

    SHA512

    c8f95cd9b27d29ce44a673ec8ee66ef2107088b1346cb4213539f1418c267fa0b056720f2e28e239fe75fdd562e959cb471821953db6a11d7c5c5a0d8af62455

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\RecoveryStore.{69D70280-1A16-11EC-9C67-C222D480BBA6}.dat
    MD5

    70c1baae4b60c0b4f93be993dd319c3c

    SHA1

    f8eea14d9fb3d33ff7d973d4de54a782ebb41d14

    SHA256

    f1ee70b65c0d4ddeba97363f042436ab016070f649945d1fbf06bb1187424d98

    SHA512

    d3e8b1c5ab578a22b26a17e9faccc2a65c93deece090880f3ccb1658c031b807f3e31d50295537499e7352a7d023a99aef454ad958667bf8a88e375a656917c7

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\{61EFBB11-2502-11EC-826A-5A38D35B81CE}.dat
    MD5

    41334ba84202a3ec6f94df41dc687fd2

    SHA1

    447ef04ab707f17e0cdff9b06a9c58cc4ea1c64e

    SHA256

    b94612d984bb2a5a36eb6e0a1905b78ff8a6517f0d1d850d12800b3c5218228d

    SHA512

    333c9a27381aa4227a95d916963e32923b763ee1ba2824bf7a5cb637dd3a28afac665f6888a61817ae8d74215992d18b838093a7c80cc97b2876d8b98a8493d2

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\wkz58mr\imagestore.dat
    MD5

    fda3094d71751a2b5a95277c398c934c

    SHA1

    11411a51cf7a88a280c4bbf6f57409a5c34b562d

    SHA256

    823bd3b3c732fb00af405eb50231d3e26e0024cebb7dbc0d4732d8f74625a6e0

    SHA512

    a7cd53baffb78efa1a86d35fa9b292ed7e75cdef23d6ac84634055657311fc5c96054a9199076567281ccd36fc8374224cefc9316fea35c3aa6153b78e9e31c3

  • C:\Users\Admin\Desktop\ReadMe_Instruction.mht
    MD5

    f6d3a1509576138c7083e35bedd31032

    SHA1

    0bfa0ea13c73a5f1aacf722c7de3ca21352ce2ce

    SHA256

    1ec791f31fe01e688ba0e3f4d0ddc0eeed5d90fec9f3835732afce4c93b5e5f2

    SHA512

    5184bfda955c27d5a8e07fd6c4044219e52d6225afac291c63680d3a094af94878289ee2f19c52392dc0dccd72224525ed8fe99258695ec555d7e936d6dec307

  • C:\Users\Admin\Desktop\UseMount.mpeg.udacha
    MD5

    73120867ccc9985201253a7c453f1a04

    SHA1

    4f9f3a0da4497765164f7840f3030b76771d8169

    SHA256

    fa03ee78cc03a1b3151f4062b3c9405b5a3fafafcd807d2c2c0272dc49ff30c9

    SHA512

    9646b1b5f09ffe35efee964fbe44014d0f27e15a8d2760990fbc543ff007c69a385b56c1e966c007cddcf30a21fd32cfd7226130001b19d25f4b6633f2e0a68e

  • \??\PIPE\srvsvc
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • memory/220-74-0x0000000000000000-mapping.dmp
  • memory/236-66-0x0000000000000000-mapping.dmp
  • memory/632-73-0x0000000000000000-mapping.dmp
  • memory/772-57-0x0000000000000000-mapping.dmp
  • memory/976-54-0x0000000000000000-mapping.dmp
  • memory/1116-64-0x0000000000000000-mapping.dmp
  • memory/1244-71-0x0000000000000000-mapping.dmp
  • memory/1244-76-0x0000000000000000-mapping.dmp
  • memory/1272-53-0x000000013FE00000-0x0000000140678000-memory.dmp
    Filesize

    8.5MB

  • memory/1348-67-0x0000000000000000-mapping.dmp
  • memory/1372-85-0x0000000000000000-mapping.dmp
  • memory/1532-65-0x0000000000000000-mapping.dmp
  • memory/1540-55-0x0000000000000000-mapping.dmp
  • memory/1556-60-0x0000000000000000-mapping.dmp
  • memory/1592-68-0x0000000000000000-mapping.dmp
  • memory/1604-78-0x0000000000000000-mapping.dmp
  • memory/1604-79-0x0000000075331000-0x0000000075333000-memory.dmp
    Filesize

    8KB

  • memory/1632-63-0x0000000000000000-mapping.dmp
  • memory/1644-58-0x0000000000000000-mapping.dmp
  • memory/1664-59-0x0000000000000000-mapping.dmp
  • memory/1716-62-0x0000000000000000-mapping.dmp
  • memory/1820-56-0x0000000000000000-mapping.dmp
  • memory/1828-69-0x0000000000000000-mapping.dmp
  • memory/1828-70-0x000007FEFB931000-0x000007FEFB933000-memory.dmp
    Filesize

    8KB

  • memory/1888-61-0x0000000000000000-mapping.dmp