Analysis
-
max time kernel
151s -
max time network
139s -
platform
windows10_x64 -
resource
win10-en-20210920 -
submitted
20-10-2021 09:40
Static task
static1
Behavioral task
behavioral1
Sample
B.exe
Resource
win7-en-20211014
Behavioral task
behavioral2
Sample
B.exe
Resource
win10-en-20210920
Behavioral task
behavioral3
Sample
Build.exe
Resource
win7-en-20211014
Behavioral task
behavioral4
Sample
Build.exe
Resource
win10-en-20210920
Behavioral task
behavioral5
Sample
READ.exe
Resource
win7-en-20211014
Behavioral task
behavioral6
Sample
READ.exe
Resource
win10-en-20210920
Behavioral task
behavioral7
Sample
rb.exe
Resource
win7-en-20211014
Behavioral task
behavioral8
Sample
rb.exe
Resource
win10-en-20210920
General
-
Target
Build.exe
-
Size
669KB
-
MD5
b446b1c86f3d27bb39783f9d3a112a40
-
SHA1
d9f66f8db27686f4f3b2c7d17557c84077ac801f
-
SHA256
1f5eefc1feb47e11e53f82055ca0921fc1b1299dffa7972c6faeff1904fdad1d
-
SHA512
c2b7682c265060c1c62be0b4dceba7fed6882b9fdc9cbbd1d379608a482bf215d81a2a3c03cc2df709bc936ee7d06ff1250dde92808bd0e0d1f1ee3410c35d9a
Malware Config
Extracted
C:\Boot\HOW_TO_RECOVER_DATA.html
href="ithelp05@decorous.cyou
">ithelp05@decorous.cyou
href="ithelp05@wholeness.business">ithelp05@wholeness.business</a>
Signatures
-
MedusaLocker
Ransomware with several variants first seen in September 2019.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 11 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
Build.exedescription ioc process File renamed C:\Users\Admin\Pictures\PingUnblock.raw => C:\Users\Admin\Pictures\PingUnblock.raw.LOCK Build.exe File renamed C:\Users\Admin\Pictures\SetSwitch.crw => C:\Users\Admin\Pictures\SetSwitch.crw.LOCK Build.exe File renamed C:\Users\Admin\Pictures\StepEnable.tif => C:\Users\Admin\Pictures\StepEnable.tif.LOCK Build.exe File renamed C:\Users\Admin\Pictures\UnregisterRestart.tif => C:\Users\Admin\Pictures\UnregisterRestart.tif.LOCK Build.exe File opened for modification C:\Users\Admin\Pictures\WaitUninstall.tiff Build.exe File renamed C:\Users\Admin\Pictures\ConvertDismount.raw => C:\Users\Admin\Pictures\ConvertDismount.raw.LOCK Build.exe File renamed C:\Users\Admin\Pictures\DisconnectMerge.png => C:\Users\Admin\Pictures\DisconnectMerge.png.LOCK Build.exe File renamed C:\Users\Admin\Pictures\EditReceive.png => C:\Users\Admin\Pictures\EditReceive.png.LOCK Build.exe File renamed C:\Users\Admin\Pictures\ExportClear.tif => C:\Users\Admin\Pictures\ExportClear.tif.LOCK Build.exe File renamed C:\Users\Admin\Pictures\ExportRemove.png => C:\Users\Admin\Pictures\ExportRemove.png.LOCK Build.exe File renamed C:\Users\Admin\Pictures\WaitUninstall.tiff => C:\Users\Admin\Pictures\WaitUninstall.tiff.LOCK Build.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
Build.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Build.exe -
Drops desktop.ini file(s) 1 IoCs
Processes:
Build.exedescription ioc process File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-2481030822-2828258191-1606198294-1000\desktop.ini Build.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
Build.exedescription ioc process File opened (read-only) \??\G: Build.exe File opened (read-only) \??\V: Build.exe File opened (read-only) \??\W: Build.exe File opened (read-only) \??\O: Build.exe File opened (read-only) \??\X: Build.exe File opened (read-only) \??\Y: Build.exe File opened (read-only) \??\B: Build.exe File opened (read-only) \??\H: Build.exe File opened (read-only) \??\L: Build.exe File opened (read-only) \??\M: Build.exe File opened (read-only) \??\N: Build.exe File opened (read-only) \??\E: Build.exe File opened (read-only) \??\F: Build.exe File opened (read-only) \??\K: Build.exe File opened (read-only) \??\U: Build.exe File opened (read-only) \??\Z: Build.exe File opened (read-only) \??\R: Build.exe File opened (read-only) \??\S: Build.exe File opened (read-only) \??\T: Build.exe File opened (read-only) \??\A: Build.exe File opened (read-only) \??\I: Build.exe File opened (read-only) \??\J: Build.exe File opened (read-only) \??\P: Build.exe File opened (read-only) \??\Q: Build.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exevssadmin.exevssadmin.exepid process 1148 vssadmin.exe 412 vssadmin.exe 1020 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
Build.exepid process 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe 1952 Build.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
vssvc.exewmic.exewmic.exewmic.exedescription pid process Token: SeBackupPrivilege 2224 vssvc.exe Token: SeRestorePrivilege 2224 vssvc.exe Token: SeAuditPrivilege 2224 vssvc.exe Token: SeIncreaseQuotaPrivilege 2888 wmic.exe Token: SeSecurityPrivilege 2888 wmic.exe Token: SeTakeOwnershipPrivilege 2888 wmic.exe Token: SeLoadDriverPrivilege 2888 wmic.exe Token: SeSystemProfilePrivilege 2888 wmic.exe Token: SeSystemtimePrivilege 2888 wmic.exe Token: SeProfSingleProcessPrivilege 2888 wmic.exe Token: SeIncBasePriorityPrivilege 2888 wmic.exe Token: SeCreatePagefilePrivilege 2888 wmic.exe Token: SeBackupPrivilege 2888 wmic.exe Token: SeRestorePrivilege 2888 wmic.exe Token: SeShutdownPrivilege 2888 wmic.exe Token: SeDebugPrivilege 2888 wmic.exe Token: SeSystemEnvironmentPrivilege 2888 wmic.exe Token: SeRemoteShutdownPrivilege 2888 wmic.exe Token: SeUndockPrivilege 2888 wmic.exe Token: SeManageVolumePrivilege 2888 wmic.exe Token: 33 2888 wmic.exe Token: 34 2888 wmic.exe Token: 35 2888 wmic.exe Token: 36 2888 wmic.exe Token: SeIncreaseQuotaPrivilege 1396 wmic.exe Token: SeSecurityPrivilege 1396 wmic.exe Token: SeTakeOwnershipPrivilege 1396 wmic.exe Token: SeLoadDriverPrivilege 1396 wmic.exe Token: SeSystemProfilePrivilege 1396 wmic.exe Token: SeSystemtimePrivilege 1396 wmic.exe Token: SeProfSingleProcessPrivilege 1396 wmic.exe Token: SeIncBasePriorityPrivilege 1396 wmic.exe Token: SeCreatePagefilePrivilege 1396 wmic.exe Token: SeBackupPrivilege 1396 wmic.exe Token: SeRestorePrivilege 1396 wmic.exe Token: SeShutdownPrivilege 1396 wmic.exe Token: SeDebugPrivilege 1396 wmic.exe Token: SeSystemEnvironmentPrivilege 1396 wmic.exe Token: SeRemoteShutdownPrivilege 1396 wmic.exe Token: SeUndockPrivilege 1396 wmic.exe Token: SeManageVolumePrivilege 1396 wmic.exe Token: 33 1396 wmic.exe Token: 34 1396 wmic.exe Token: 35 1396 wmic.exe Token: 36 1396 wmic.exe Token: SeIncreaseQuotaPrivilege 3604 wmic.exe Token: SeSecurityPrivilege 3604 wmic.exe Token: SeTakeOwnershipPrivilege 3604 wmic.exe Token: SeLoadDriverPrivilege 3604 wmic.exe Token: SeSystemProfilePrivilege 3604 wmic.exe Token: SeSystemtimePrivilege 3604 wmic.exe Token: SeProfSingleProcessPrivilege 3604 wmic.exe Token: SeIncBasePriorityPrivilege 3604 wmic.exe Token: SeCreatePagefilePrivilege 3604 wmic.exe Token: SeBackupPrivilege 3604 wmic.exe Token: SeRestorePrivilege 3604 wmic.exe Token: SeShutdownPrivilege 3604 wmic.exe Token: SeDebugPrivilege 3604 wmic.exe Token: SeSystemEnvironmentPrivilege 3604 wmic.exe Token: SeRemoteShutdownPrivilege 3604 wmic.exe Token: SeUndockPrivilege 3604 wmic.exe Token: SeManageVolumePrivilege 3604 wmic.exe Token: 33 3604 wmic.exe Token: 34 3604 wmic.exe -
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
Build.exedescription pid process target process PID 1952 wrote to memory of 1020 1952 Build.exe vssadmin.exe PID 1952 wrote to memory of 1020 1952 Build.exe vssadmin.exe PID 1952 wrote to memory of 1020 1952 Build.exe vssadmin.exe PID 1952 wrote to memory of 2888 1952 Build.exe wmic.exe PID 1952 wrote to memory of 2888 1952 Build.exe wmic.exe PID 1952 wrote to memory of 2888 1952 Build.exe wmic.exe PID 1952 wrote to memory of 1148 1952 Build.exe vssadmin.exe PID 1952 wrote to memory of 1148 1952 Build.exe vssadmin.exe PID 1952 wrote to memory of 1148 1952 Build.exe vssadmin.exe PID 1952 wrote to memory of 1396 1952 Build.exe wmic.exe PID 1952 wrote to memory of 1396 1952 Build.exe wmic.exe PID 1952 wrote to memory of 1396 1952 Build.exe wmic.exe PID 1952 wrote to memory of 412 1952 Build.exe vssadmin.exe PID 1952 wrote to memory of 412 1952 Build.exe vssadmin.exe PID 1952 wrote to memory of 412 1952 Build.exe vssadmin.exe PID 1952 wrote to memory of 3604 1952 Build.exe wmic.exe PID 1952 wrote to memory of 3604 1952 Build.exe wmic.exe PID 1952 wrote to memory of 3604 1952 Build.exe wmic.exe -
System policy modification 1 TTPs 3 IoCs
Processes:
Build.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Build.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" Build.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" Build.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Build.exe"C:\Users\Admin\AppData\Local\Temp\Build.exe"1⤵
- Modifies extensions of user files
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/412-119-0x0000000000000000-mapping.dmp
-
memory/1020-115-0x0000000000000000-mapping.dmp
-
memory/1148-117-0x0000000000000000-mapping.dmp
-
memory/1396-118-0x0000000000000000-mapping.dmp
-
memory/2888-116-0x0000000000000000-mapping.dmp
-
memory/3604-120-0x0000000000000000-mapping.dmp