Analysis
-
max time kernel
151s -
max time network
140s -
platform
windows10_x64 -
resource
win10-en-20210920 -
submitted
20-10-2021 09:40
Static task
static1
Behavioral task
behavioral1
Sample
B.exe
Resource
win7-en-20211014
Behavioral task
behavioral2
Sample
B.exe
Resource
win10-en-20210920
Behavioral task
behavioral3
Sample
Build.exe
Resource
win7-en-20211014
Behavioral task
behavioral4
Sample
Build.exe
Resource
win10-en-20210920
Behavioral task
behavioral5
Sample
READ.exe
Resource
win7-en-20211014
Behavioral task
behavioral6
Sample
READ.exe
Resource
win10-en-20210920
Behavioral task
behavioral7
Sample
rb.exe
Resource
win7-en-20211014
Behavioral task
behavioral8
Sample
rb.exe
Resource
win10-en-20210920
General
-
Target
B.exe
-
Size
669KB
-
MD5
c17b2c3980926b02136c0a5fb5dfdaa3
-
SHA1
938eb1b7f1d985d134957443d4c43ad551727b89
-
SHA256
4d2b250eb1691bd116eb0004a6b4526afe62631551d6d31d4da482ab5ec3b021
-
SHA512
f770b1dfd74e58ff9d67f0e91ac070e92251598efc45863acf827098cc52f2868c7e2698fd5b0a3a178ea1d1446d32882dfd0601526dbfb27df1251d76c5881b
Malware Config
Extracted
C:\Boot\HOW_TO_RECOVER_DATA.html
href="behappy123456@cock.li
">behappy123456@cock.li
href="chinchoppa2299gayspilsss@yopmail.com">chinchoppa2299gayspilsss@yopmail.com</a>
Signatures
-
MedusaLocker
Ransomware with several variants first seen in September 2019.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 14 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
B.exedescription ioc process File renamed C:\Users\Admin\Pictures\ClearSuspend.raw => C:\Users\Admin\Pictures\ClearSuspend.raw.bbuild B.exe File renamed C:\Users\Admin\Pictures\EnableConfirm.tiff => C:\Users\Admin\Pictures\EnableConfirm.tiff.bbuild B.exe File renamed C:\Users\Admin\Pictures\ExpandSave.crw => C:\Users\Admin\Pictures\ExpandSave.crw.bbuild B.exe File renamed C:\Users\Admin\Pictures\GrantJoin.png => C:\Users\Admin\Pictures\GrantJoin.png.bbuild B.exe File opened for modification C:\Users\Admin\Pictures\ExportExpand.tiff B.exe File renamed C:\Users\Admin\Pictures\InitializeLimit.raw => C:\Users\Admin\Pictures\InitializeLimit.raw.bbuild B.exe File renamed C:\Users\Admin\Pictures\NewHide.crw => C:\Users\Admin\Pictures\NewHide.crw.bbuild B.exe File renamed C:\Users\Admin\Pictures\SaveDeny.png => C:\Users\Admin\Pictures\SaveDeny.png.bbuild B.exe File renamed C:\Users\Admin\Pictures\UnprotectUpdate.raw => C:\Users\Admin\Pictures\UnprotectUpdate.raw.bbuild B.exe File renamed C:\Users\Admin\Pictures\InvokeUndo.crw => C:\Users\Admin\Pictures\InvokeUndo.crw.bbuild B.exe File renamed C:\Users\Admin\Pictures\PingFind.tif => C:\Users\Admin\Pictures\PingFind.tif.bbuild B.exe File opened for modification C:\Users\Admin\Pictures\EnableConfirm.tiff B.exe File renamed C:\Users\Admin\Pictures\ExportExpand.tiff => C:\Users\Admin\Pictures\ExportExpand.tiff.bbuild B.exe File renamed C:\Users\Admin\Pictures\ProtectLimit.raw => C:\Users\Admin\Pictures\ProtectLimit.raw.bbuild B.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
B.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" B.exe -
Drops desktop.ini file(s) 1 IoCs
Processes:
B.exedescription ioc process File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-2481030822-2828258191-1606198294-1000\desktop.ini B.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
B.exedescription ioc process File opened (read-only) \??\I: B.exe File opened (read-only) \??\N: B.exe File opened (read-only) \??\P: B.exe File opened (read-only) \??\Q: B.exe File opened (read-only) \??\W: B.exe File opened (read-only) \??\Y: B.exe File opened (read-only) \??\E: B.exe File opened (read-only) \??\F: B.exe File opened (read-only) \??\G: B.exe File opened (read-only) \??\M: B.exe File opened (read-only) \??\R: B.exe File opened (read-only) \??\T: B.exe File opened (read-only) \??\B: B.exe File opened (read-only) \??\H: B.exe File opened (read-only) \??\J: B.exe File opened (read-only) \??\L: B.exe File opened (read-only) \??\O: B.exe File opened (read-only) \??\V: B.exe File opened (read-only) \??\X: B.exe File opened (read-only) \??\A: B.exe File opened (read-only) \??\S: B.exe File opened (read-only) \??\U: B.exe File opened (read-only) \??\Z: B.exe File opened (read-only) \??\K: B.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exevssadmin.exevssadmin.exepid process 3260 vssadmin.exe 1524 vssadmin.exe 1288 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
B.exepid process 1812 B.exe 1812 B.exe 1812 B.exe 1812 B.exe 1812 B.exe 1812 B.exe 1812 B.exe 1812 B.exe 1812 B.exe 1812 B.exe 1812 B.exe 1812 B.exe 1812 B.exe 1812 B.exe 1812 B.exe 1812 B.exe 1812 B.exe 1812 B.exe 1812 B.exe 1812 B.exe 1812 B.exe 1812 B.exe 1812 B.exe 1812 B.exe 1812 B.exe 1812 B.exe 1812 B.exe 1812 B.exe 1812 B.exe 1812 B.exe 1812 B.exe 1812 B.exe 1812 B.exe 1812 B.exe 1812 B.exe 1812 B.exe 1812 B.exe 1812 B.exe 1812 B.exe 1812 B.exe 1812 B.exe 1812 B.exe 1812 B.exe 1812 B.exe 1812 B.exe 1812 B.exe 1812 B.exe 1812 B.exe 1812 B.exe 1812 B.exe 1812 B.exe 1812 B.exe 1812 B.exe 1812 B.exe 1812 B.exe 1812 B.exe 1812 B.exe 1812 B.exe 1812 B.exe 1812 B.exe 1812 B.exe 1812 B.exe 1812 B.exe 1812 B.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
vssvc.exewmic.exewmic.exewmic.exedescription pid process Token: SeBackupPrivilege 1492 vssvc.exe Token: SeRestorePrivilege 1492 vssvc.exe Token: SeAuditPrivilege 1492 vssvc.exe Token: SeIncreaseQuotaPrivilege 772 wmic.exe Token: SeSecurityPrivilege 772 wmic.exe Token: SeTakeOwnershipPrivilege 772 wmic.exe Token: SeLoadDriverPrivilege 772 wmic.exe Token: SeSystemProfilePrivilege 772 wmic.exe Token: SeSystemtimePrivilege 772 wmic.exe Token: SeProfSingleProcessPrivilege 772 wmic.exe Token: SeIncBasePriorityPrivilege 772 wmic.exe Token: SeCreatePagefilePrivilege 772 wmic.exe Token: SeBackupPrivilege 772 wmic.exe Token: SeRestorePrivilege 772 wmic.exe Token: SeShutdownPrivilege 772 wmic.exe Token: SeDebugPrivilege 772 wmic.exe Token: SeSystemEnvironmentPrivilege 772 wmic.exe Token: SeRemoteShutdownPrivilege 772 wmic.exe Token: SeUndockPrivilege 772 wmic.exe Token: SeManageVolumePrivilege 772 wmic.exe Token: 33 772 wmic.exe Token: 34 772 wmic.exe Token: 35 772 wmic.exe Token: 36 772 wmic.exe Token: SeIncreaseQuotaPrivilege 604 wmic.exe Token: SeSecurityPrivilege 604 wmic.exe Token: SeTakeOwnershipPrivilege 604 wmic.exe Token: SeLoadDriverPrivilege 604 wmic.exe Token: SeSystemProfilePrivilege 604 wmic.exe Token: SeSystemtimePrivilege 604 wmic.exe Token: SeProfSingleProcessPrivilege 604 wmic.exe Token: SeIncBasePriorityPrivilege 604 wmic.exe Token: SeCreatePagefilePrivilege 604 wmic.exe Token: SeBackupPrivilege 604 wmic.exe Token: SeRestorePrivilege 604 wmic.exe Token: SeShutdownPrivilege 604 wmic.exe Token: SeDebugPrivilege 604 wmic.exe Token: SeSystemEnvironmentPrivilege 604 wmic.exe Token: SeRemoteShutdownPrivilege 604 wmic.exe Token: SeUndockPrivilege 604 wmic.exe Token: SeManageVolumePrivilege 604 wmic.exe Token: 33 604 wmic.exe Token: 34 604 wmic.exe Token: 35 604 wmic.exe Token: 36 604 wmic.exe Token: SeIncreaseQuotaPrivilege 1008 wmic.exe Token: SeSecurityPrivilege 1008 wmic.exe Token: SeTakeOwnershipPrivilege 1008 wmic.exe Token: SeLoadDriverPrivilege 1008 wmic.exe Token: SeSystemProfilePrivilege 1008 wmic.exe Token: SeSystemtimePrivilege 1008 wmic.exe Token: SeProfSingleProcessPrivilege 1008 wmic.exe Token: SeIncBasePriorityPrivilege 1008 wmic.exe Token: SeCreatePagefilePrivilege 1008 wmic.exe Token: SeBackupPrivilege 1008 wmic.exe Token: SeRestorePrivilege 1008 wmic.exe Token: SeShutdownPrivilege 1008 wmic.exe Token: SeDebugPrivilege 1008 wmic.exe Token: SeSystemEnvironmentPrivilege 1008 wmic.exe Token: SeRemoteShutdownPrivilege 1008 wmic.exe Token: SeUndockPrivilege 1008 wmic.exe Token: SeManageVolumePrivilege 1008 wmic.exe Token: 33 1008 wmic.exe Token: 34 1008 wmic.exe -
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
B.exedescription pid process target process PID 1812 wrote to memory of 3260 1812 B.exe vssadmin.exe PID 1812 wrote to memory of 3260 1812 B.exe vssadmin.exe PID 1812 wrote to memory of 3260 1812 B.exe vssadmin.exe PID 1812 wrote to memory of 772 1812 B.exe wmic.exe PID 1812 wrote to memory of 772 1812 B.exe wmic.exe PID 1812 wrote to memory of 772 1812 B.exe wmic.exe PID 1812 wrote to memory of 1524 1812 B.exe vssadmin.exe PID 1812 wrote to memory of 1524 1812 B.exe vssadmin.exe PID 1812 wrote to memory of 1524 1812 B.exe vssadmin.exe PID 1812 wrote to memory of 604 1812 B.exe wmic.exe PID 1812 wrote to memory of 604 1812 B.exe wmic.exe PID 1812 wrote to memory of 604 1812 B.exe wmic.exe PID 1812 wrote to memory of 1288 1812 B.exe vssadmin.exe PID 1812 wrote to memory of 1288 1812 B.exe vssadmin.exe PID 1812 wrote to memory of 1288 1812 B.exe vssadmin.exe PID 1812 wrote to memory of 1008 1812 B.exe wmic.exe PID 1812 wrote to memory of 1008 1812 B.exe wmic.exe PID 1812 wrote to memory of 1008 1812 B.exe wmic.exe -
System policy modification 1 TTPs 3 IoCs
Processes:
B.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" B.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" B.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" B.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\B.exe"C:\Users\Admin\AppData\Local\Temp\B.exe"1⤵
- Modifies extensions of user files
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/604-118-0x0000000000000000-mapping.dmp
-
memory/772-116-0x0000000000000000-mapping.dmp
-
memory/1008-120-0x0000000000000000-mapping.dmp
-
memory/1288-119-0x0000000000000000-mapping.dmp
-
memory/1524-117-0x0000000000000000-mapping.dmp
-
memory/3260-115-0x0000000000000000-mapping.dmp