Analysis
-
max time kernel
151s -
max time network
139s -
platform
windows10_x64 -
resource
win10-en-20210920 -
submitted
20-10-2021 09:40
General
-
Target
Build.exe
-
Size
669KB
-
MD5
b446b1c86f3d27bb39783f9d3a112a40
-
SHA1
d9f66f8db27686f4f3b2c7d17557c84077ac801f
-
SHA256
1f5eefc1feb47e11e53f82055ca0921fc1b1299dffa7972c6faeff1904fdad1d
-
SHA512
c2b7682c265060c1c62be0b4dceba7fed6882b9fdc9cbbd1d379608a482bf215d81a2a3c03cc2df709bc936ee7d06ff1250dde92808bd0e0d1f1ee3410c35d9a
Score
10/10
Malware Config
Extracted
Path
C:\Boot\HOW_TO_RECOVER_DATA.html
Ransom Note
<html>
<style type="text/css">
body {
background-color: #f5f5f5;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
display: block;
margin: auto;
}
.tabs1 .head{
text-align: center;
float: top;
padding: 0px;
text-transform: uppercase;
font-weight: normal;
display: block;
background: #81bef7;
color: #DF0101;
font-size: 30px;
}
.tabs1 .identi {
font-size: 10px;
text-align: center;
float: top;
padding: 15px;
display: block;
background: #81bef7;
color: #DFDFDF;
}
.tabs .content {
background: #f5f5f5;
/*text-align: center;*/
color: #000000;
padding: 25px 15px;
font-size: 15px;
font-weight: 400;
line-height: 20px; }
.tabs .content a {
color: #df0130;
font-size: 23px;
font-style: italic;
text-decoration: none;
line-height: 35px; }
.tabs .content .text{
padding: 25px;
line-height: 1.2;
}
</style>
<body>
<div class="tabs1">
<div class="head" ><b>Your personal ID:</b></div>
<div class="identi">
<span style="width:1000px; color: #ffffff; font-size: 10px;">7D369EE23A7C569863D9278D2E930E9CB0B1B5400AD42CF6FF4516A402EB9D73C7EB59B10D3378A412C95CB138BC0DAFB7121C5C0B45CCD0EB1BCA1B513902F8<br>AB7FB539E844BB03BD2C74C71B2B907C365652DA62B6730B8A4317CD079B912C99466D8C9CF9ED1BF4EC958B6800F4B086635A1F5E3DDD3FDA9FBC7DABFB<br>D1E7488117BAD12B3C810473EFE95328D33DE81EDE400F552E81F3E5D0C3189584C66902240315ED2BFF551D462E59A3D3B5AEFCEB73BEBF37E236DAD52C<br>C032F61B68572122B10FB9B3E4F784AED5B9B7336EA8869C08FFD3B68BD76F70DDF382C46A97636F21072964DD733C7042E804F2D7833232BF5C7CA442ED<br>C9171BD6A34A7327F1A584D70C59E519F314763B088F8ADC538F07B41657A5EAA30051B87E68AD90C146FE237506130CD008FBC40277300C90D3E808E729<br>19AE9493F60CB5F0125E8CEA30D60F59FF754C2CF3C55E59B61F0776748C4A7EF124EB2CF909C8C2C3EE34B66D41A9F94DDAF043E4201C42C552ABFD7ED0<br>FD865DE3DA8175E0088A34AB06BC9F76A6E678B1A9D0962AAC3B0447B3A20F89B2C71C726AF8F823D30743C3080EE3078E7C581A5A7B5292607B8AE49922<br>352F9260F3CC16CF98C10767D4AACB499FF93F7A3B97FBC63302A2933CBCFE27FADDC939E4B56A9F43C5062EDB3114FE8AA20BA44D4C0829E611ABC57FC2<br>BC9745B5515F2E94B04695E86C8E</span> <br>
<!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<div id="tab-content1" class="content">
<div class="text">
<!--text data -->
<b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br>
<b>All your important files have been encrypted!</b><br><br>
<hr>
Your files are safe! Only modified. (RSA+AES)<br><br>
ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br>
WILL PERMANENTLY CORRUPT IT.<br>
DO NOT MODIFY ENCRYPTED FILES.<br>
DO NOT RENAME ENCRYPTED FILES.<br><br>
No software available on internet can help you. We are the only ones able to<br>
solve your problem.<br><br>
We gathered highly confidential/personal data. These data are currently stored on<br>
a private server. This server will be immediately destroyed after your payment.<br>
If you decide to not pay, we will release your data to public or re-seller.<br>
So you can expect your data to be publicly available in the near future..<br><br>
We only seek money and our goal is not to damage your reputation or prevent<br>
your business from running.<br><br>
You will can send us 2-3 non-important files and we will decrypt it for free<br>
to prove we are able to give your files back.<br><br>
<!--text data -->
<hr>
<b>Contact us for price and get decryption software.</b><br><br>
<a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</a><br>
* Note that this server is available via Tor browser only<br><br>
Follow the instructions to open the link:<br>
1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br>
2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br>
3. Now you have Tor browser. In the Tor Browser open <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion
</a><br>
4. Start a chat and follow the further instructions. <br><br>
<hr>
<b>If you can not use the above link, use the email:</b><br>
<a href="ithelp05@decorous.cyou ">ithelp05@decorous.cyou </a>
<br><a href="ithelp05@wholeness.business">ithelp05@wholeness.business</a>
<br>
<b>* To contact us, create a new free email account on the site:</b> <a href="https://protonmail.com">protonmail.com<br> <hr>
<b>
IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br>
</div>
</div>
</div>
<!--tab-->
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>
Emails
href="ithelp05@decorous.cyou
">ithelp05@decorous.cyou
href="ithelp05@wholeness.business">ithelp05@wholeness.business</a>
Signatures
-
MedusaLocker
Ransomware with several variants first seen in September 2019.
-
UAC bypass 3 TTPs
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 11 IoCs
Ransomware generally changes the extension on encrypted files.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
-
System policy modification 1 TTPs 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Build.exe"C:\Users\Admin\AppData\Local\Temp\Build.exe"1⤵
- Modifies extensions of user files
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/412-119-0x0000000000000000-mapping.dmp
-
memory/1020-115-0x0000000000000000-mapping.dmp
-
memory/1148-117-0x0000000000000000-mapping.dmp
-
memory/1396-118-0x0000000000000000-mapping.dmp
-
memory/2888-116-0x0000000000000000-mapping.dmp
-
memory/3604-120-0x0000000000000000-mapping.dmp