Analysis
-
max time kernel
151s -
max time network
139s -
platform
windows10_x64 -
resource
win10-en-20210920 -
submitted
20/10/2021, 09:40
Static task
static1
Behavioral task
behavioral1
Sample
B.exe
Resource
win7-en-20211014
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
B.exe
Resource
win10-en-20210920
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral3
Sample
Build.exe
Resource
win7-en-20211014
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral4
Sample
Build.exe
Resource
win10-en-20210920
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral5
Sample
READ.exe
Resource
win7-en-20211014
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral6
Sample
READ.exe
Resource
win10-en-20210920
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral7
Sample
rb.exe
Resource
win7-en-20211014
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral8
Sample
rb.exe
Resource
win10-en-20210920
windows10_x64
0 signatures
0 seconds
General
-
Target
Build.exe
-
Size
669KB
-
MD5
b446b1c86f3d27bb39783f9d3a112a40
-
SHA1
d9f66f8db27686f4f3b2c7d17557c84077ac801f
-
SHA256
1f5eefc1feb47e11e53f82055ca0921fc1b1299dffa7972c6faeff1904fdad1d
-
SHA512
c2b7682c265060c1c62be0b4dceba7fed6882b9fdc9cbbd1d379608a482bf215d81a2a3c03cc2df709bc936ee7d06ff1250dde92808bd0e0d1f1ee3410c35d9a
Malware Config
Extracted
Path
C:\Boot\HOW_TO_RECOVER_DATA.html
Ransom Note
<html>
<style type="text/css">
body {
background-color: #f5f5f5;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
display: block;
margin: auto;
}
.tabs1 .head{
text-align: center;
float: top;
padding: 0px;
text-transform: uppercase;
font-weight: normal;
display: block;
background: #81bef7;
color: #DF0101;
font-size: 30px;
}
.tabs1 .identi {
font-size: 10px;
text-align: center;
float: top;
padding: 15px;
display: block;
background: #81bef7;
color: #DFDFDF;
}
.tabs .content {
background: #f5f5f5;
/*text-align: center;*/
color: #000000;
padding: 25px 15px;
font-size: 15px;
font-weight: 400;
line-height: 20px; }
.tabs .content a {
color: #df0130;
font-size: 23px;
font-style: italic;
text-decoration: none;
line-height: 35px; }
.tabs .content .text{
padding: 25px;
line-height: 1.2;
}
</style>
<body>
<div class="tabs1">
<div class="head" ><b>Your personal ID:</b></div>
<div class="identi">
<span style="width:1000px; color: #ffffff; font-size: 10px;">7D369EE23A7C569863D9278D2E930E9CB0B1B5400AD42CF6FF4516A402EB9D73C7EB59B10D3378A412C95CB138BC0DAFB7121C5C0B45CCD0EB1BCA1B513902F8<br>AB7FB539E844BB03BD2C74C71B2B907C365652DA62B6730B8A4317CD079B912C99466D8C9CF9ED1BF4EC958B6800F4B086635A1F5E3DDD3FDA9FBC7DABFB<br>D1E7488117BAD12B3C810473EFE95328D33DE81EDE400F552E81F3E5D0C3189584C66902240315ED2BFF551D462E59A3D3B5AEFCEB73BEBF37E236DAD52C<br>C032F61B68572122B10FB9B3E4F784AED5B9B7336EA8869C08FFD3B68BD76F70DDF382C46A97636F21072964DD733C7042E804F2D7833232BF5C7CA442ED<br>C9171BD6A34A7327F1A584D70C59E519F314763B088F8ADC538F07B41657A5EAA30051B87E68AD90C146FE237506130CD008FBC40277300C90D3E808E729<br>19AE9493F60CB5F0125E8CEA30D60F59FF754C2CF3C55E59B61F0776748C4A7EF124EB2CF909C8C2C3EE34B66D41A9F94DDAF043E4201C42C552ABFD7ED0<br>FD865DE3DA8175E0088A34AB06BC9F76A6E678B1A9D0962AAC3B0447B3A20F89B2C71C726AF8F823D30743C3080EE3078E7C581A5A7B5292607B8AE49922<br>352F9260F3CC16CF98C10767D4AACB499FF93F7A3B97FBC63302A2933CBCFE27FADDC939E4B56A9F43C5062EDB3114FE8AA20BA44D4C0829E611ABC57FC2<br>BC9745B5515F2E94B04695E86C8E</span> <br>
<!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<div id="tab-content1" class="content">
<div class="text">
<!--text data -->
<b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br>
<b>All your important files have been encrypted!</b><br><br>
<hr>
Your files are safe! Only modified. (RSA+AES)<br><br>
ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br>
WILL PERMANENTLY CORRUPT IT.<br>
DO NOT MODIFY ENCRYPTED FILES.<br>
DO NOT RENAME ENCRYPTED FILES.<br><br>
No software available on internet can help you. We are the only ones able to<br>
solve your problem.<br><br>
We gathered highly confidential/personal data. These data are currently stored on<br>
a private server. This server will be immediately destroyed after your payment.<br>
If you decide to not pay, we will release your data to public or re-seller.<br>
So you can expect your data to be publicly available in the near future..<br><br>
We only seek money and our goal is not to damage your reputation or prevent<br>
your business from running.<br><br>
You will can send us 2-3 non-important files and we will decrypt it for free<br>
to prove we are able to give your files back.<br><br>
<!--text data -->
<hr>
<b>Contact us for price and get decryption software.</b><br><br>
<a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</a><br>
* Note that this server is available via Tor browser only<br><br>
Follow the instructions to open the link:<br>
1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br>
2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br>
3. Now you have Tor browser. In the Tor Browser open <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion
</a><br>
4. Start a chat and follow the further instructions. <br><br>
<hr>
<b>If you can not use the above link, use the email:</b><br>
<a href="[email protected] ">[email protected] </a>
<br><a href="[email protected]">[email protected]</a>
<br>
<b>* To contact us, create a new free email account on the site:</b> <a href="https://protonmail.com">protonmail.com<br> <hr>
<b>
IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br>
</div>
</div>
</div>
<!--tab-->
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>
Emails
Signatures
-
MedusaLocker
Ransomware with several variants first seen in September 2019.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 11 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File renamed C:\Users\Admin\Pictures\PingUnblock.raw => C:\Users\Admin\Pictures\PingUnblock.raw.LOCK Build.exe File renamed C:\Users\Admin\Pictures\SetSwitch.crw => C:\Users\Admin\Pictures\SetSwitch.crw.LOCK Build.exe File renamed C:\Users\Admin\Pictures\StepEnable.tif => C:\Users\Admin\Pictures\StepEnable.tif.LOCK Build.exe File renamed C:\Users\Admin\Pictures\UnregisterRestart.tif => C:\Users\Admin\Pictures\UnregisterRestart.tif.LOCK Build.exe File opened for modification C:\Users\Admin\Pictures\WaitUninstall.tiff Build.exe File renamed C:\Users\Admin\Pictures\ConvertDismount.raw => C:\Users\Admin\Pictures\ConvertDismount.raw.LOCK Build.exe File renamed C:\Users\Admin\Pictures\DisconnectMerge.png => C:\Users\Admin\Pictures\DisconnectMerge.png.LOCK Build.exe File renamed C:\Users\Admin\Pictures\EditReceive.png => C:\Users\Admin\Pictures\EditReceive.png.LOCK Build.exe File renamed C:\Users\Admin\Pictures\ExportClear.tif => C:\Users\Admin\Pictures\ExportClear.tif.LOCK Build.exe File renamed C:\Users\Admin\Pictures\ExportRemove.png => C:\Users\Admin\Pictures\ExportRemove.png.LOCK Build.exe File renamed C:\Users\Admin\Pictures\WaitUninstall.tiff => C:\Users\Admin\Pictures\WaitUninstall.tiff.LOCK Build.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Build.exe -
Drops desktop.ini file(s) 1 IoCs
description ioc Process File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-2481030822-2828258191-1606198294-1000\desktop.ini Build.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\G: Build.exe File opened (read-only) \??\V: Build.exe File opened (read-only) \??\W: Build.exe File opened (read-only) \??\O: Build.exe File opened (read-only) \??\X: Build.exe File opened (read-only) \??\Y: Build.exe File opened (read-only) \??\B: Build.exe File opened (read-only) \??\H: Build.exe File opened (read-only) \??\L: Build.exe File opened (read-only) \??\M: Build.exe File opened (read-only) \??\N: Build.exe File opened (read-only) \??\E: Build.exe File opened (read-only) \??\F: Build.exe File opened (read-only) \??\K: Build.exe File opened (read-only) \??\U: Build.exe File opened (read-only) \??\Z: Build.exe File opened (read-only) \??\R: Build.exe File opened (read-only) \??\S: Build.exe File opened (read-only) \??\T: Build.exe File opened (read-only) \??\A: Build.exe File opened (read-only) \??\I: Build.exe File opened (read-only) \??\J: Build.exe File opened (read-only) \??\P: Build.exe File opened (read-only) \??\Q: Build.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 1148 vssadmin.exe 412 vssadmin.exe 1020 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeBackupPrivilege 2224 vssvc.exe Token: SeRestorePrivilege 2224 vssvc.exe Token: SeAuditPrivilege 2224 vssvc.exe Token: SeIncreaseQuotaPrivilege 2888 wmic.exe Token: SeSecurityPrivilege 2888 wmic.exe Token: SeTakeOwnershipPrivilege 2888 wmic.exe Token: SeLoadDriverPrivilege 2888 wmic.exe Token: SeSystemProfilePrivilege 2888 wmic.exe Token: SeSystemtimePrivilege 2888 wmic.exe Token: SeProfSingleProcessPrivilege 2888 wmic.exe Token: SeIncBasePriorityPrivilege 2888 wmic.exe Token: SeCreatePagefilePrivilege 2888 wmic.exe Token: SeBackupPrivilege 2888 wmic.exe Token: SeRestorePrivilege 2888 wmic.exe Token: SeShutdownPrivilege 2888 wmic.exe Token: SeDebugPrivilege 2888 wmic.exe Token: SeSystemEnvironmentPrivilege 2888 wmic.exe Token: SeRemoteShutdownPrivilege 2888 wmic.exe Token: SeUndockPrivilege 2888 wmic.exe Token: SeManageVolumePrivilege 2888 wmic.exe Token: 33 2888 wmic.exe Token: 34 2888 wmic.exe Token: 35 2888 wmic.exe Token: 36 2888 wmic.exe Token: SeIncreaseQuotaPrivilege 1396 wmic.exe Token: SeSecurityPrivilege 1396 wmic.exe Token: SeTakeOwnershipPrivilege 1396 wmic.exe Token: SeLoadDriverPrivilege 1396 wmic.exe Token: SeSystemProfilePrivilege 1396 wmic.exe Token: SeSystemtimePrivilege 1396 wmic.exe Token: SeProfSingleProcessPrivilege 1396 wmic.exe Token: SeIncBasePriorityPrivilege 1396 wmic.exe Token: SeCreatePagefilePrivilege 1396 wmic.exe Token: SeBackupPrivilege 1396 wmic.exe Token: SeRestorePrivilege 1396 wmic.exe Token: SeShutdownPrivilege 1396 wmic.exe Token: SeDebugPrivilege 1396 wmic.exe Token: SeSystemEnvironmentPrivilege 1396 wmic.exe Token: SeRemoteShutdownPrivilege 1396 wmic.exe Token: SeUndockPrivilege 1396 wmic.exe Token: SeManageVolumePrivilege 1396 wmic.exe Token: 33 1396 wmic.exe Token: 34 1396 wmic.exe Token: 35 1396 wmic.exe Token: 36 1396 wmic.exe Token: SeIncreaseQuotaPrivilege 3604 wmic.exe Token: SeSecurityPrivilege 3604 wmic.exe Token: SeTakeOwnershipPrivilege 3604 wmic.exe Token: SeLoadDriverPrivilege 3604 wmic.exe Token: SeSystemProfilePrivilege 3604 wmic.exe Token: SeSystemtimePrivilege 3604 wmic.exe Token: SeProfSingleProcessPrivilege 3604 wmic.exe Token: SeIncBasePriorityPrivilege 3604 wmic.exe Token: SeCreatePagefilePrivilege 3604 wmic.exe Token: SeBackupPrivilege 3604 wmic.exe Token: SeRestorePrivilege 3604 wmic.exe Token: SeShutdownPrivilege 3604 wmic.exe Token: SeDebugPrivilege 3604 wmic.exe Token: SeSystemEnvironmentPrivilege 3604 wmic.exe Token: SeRemoteShutdownPrivilege 3604 wmic.exe Token: SeUndockPrivilege 3604 wmic.exe Token: SeManageVolumePrivilege 3604 wmic.exe Token: 33 3604 wmic.exe Token: 34 3604 wmic.exe -
Suspicious use of WriteProcessMemory 18 IoCs
description pid Process procid_target PID 1952 wrote to memory of 1020 1952 Build.exe 74 PID 1952 wrote to memory of 1020 1952 Build.exe 74 PID 1952 wrote to memory of 1020 1952 Build.exe 74 PID 1952 wrote to memory of 2888 1952 Build.exe 76 PID 1952 wrote to memory of 2888 1952 Build.exe 76 PID 1952 wrote to memory of 2888 1952 Build.exe 76 PID 1952 wrote to memory of 1148 1952 Build.exe 78 PID 1952 wrote to memory of 1148 1952 Build.exe 78 PID 1952 wrote to memory of 1148 1952 Build.exe 78 PID 1952 wrote to memory of 1396 1952 Build.exe 80 PID 1952 wrote to memory of 1396 1952 Build.exe 80 PID 1952 wrote to memory of 1396 1952 Build.exe 80 PID 1952 wrote to memory of 412 1952 Build.exe 82 PID 1952 wrote to memory of 412 1952 Build.exe 82 PID 1952 wrote to memory of 412 1952 Build.exe 82 PID 1952 wrote to memory of 3604 1952 Build.exe 84 PID 1952 wrote to memory of 3604 1952 Build.exe 84 PID 1952 wrote to memory of 3604 1952 Build.exe 84 -
System policy modification 1 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Build.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" Build.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" Build.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Build.exe"C:\Users\Admin\AppData\Local\Temp\Build.exe"1⤵
- Modifies extensions of user files
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1952 -
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
PID:1020
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2888
-
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
PID:1148
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1396
-
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
PID:412
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3604
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2224