Analysis
-
max time kernel
145s -
max time network
117s -
platform
windows7_x64 -
resource
win7-en-20211104 -
submitted
08-12-2021 14:53
Static task
static1
Behavioral task
behavioral1
Sample
svhost.bin.exe
Resource
win7-en-20211104
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
svhost.bin.exe
Resource
win10-en-20211104
windows10_x64
0 signatures
0 seconds
General
-
Target
svhost.bin.exe
-
Size
669KB
-
MD5
ed7d859df562c7679dfcb14ee359ff2a
-
SHA1
cde2bfc546f6fc85bcdf5d35bfbd2d17d5c7c91c
-
SHA256
c2a78b419e7d33de9e7418306f30623970a02d4d41c562e99581d0dc3e0bdb08
-
SHA512
730c6940dc83f071cb65ebc3dacde8ddde5147e722cdb027d3feb8fe42bf7b6b0f699ff8b744b7f0dc0ca0fd6762b42acee4b2d67220b637cee0c82ae893bf80
Malware Config
Extracted
Path
\??\Z:\Boot\HOW_TO_RECOVER_DATA.html
Ransom Note
<html>
<style type="text/css">
body {
background-color: #f5f5f5;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
display: block;
margin: auto;
}
.tabs1 .head{
text-align: center;
float: top;
padding: 0px;
text-transform: uppercase;
font-weight: normal;
display: block;
background: #81bef7;
color: #DF0101;
font-size: 30px;
}
.tabs1 .identi {
font-size: 10px;
text-align: center;
float: top;
padding: 15px;
display: block;
background: #81bef7;
color: #DFDFDF;
}
.tabs .content {
background: #f5f5f5;
/*text-align: center;*/
color: #000000;
padding: 25px 15px;
font-size: 15px;
font-weight: 400;
line-height: 20px; }
.tabs .content a {
color: #df0130;
font-size: 23px;
font-style: italic;
text-decoration: none;
line-height: 35px; }
.tabs .content .text{
padding: 25px;
line-height: 1.2;
}
</style>
<body>
<div class="tabs1">
<div class="head" ><b>Your personal ID:</b></div>
<div class="identi">
<span style="width:1000px; color: #ffffff; font-size: 10px;">3BAD2413F203AF7EF46E3028211DE3A1F9FB089086146C12D30C86F0ABA373BBAF3337F47D66DBEE259DE648876F1DD321888DDA5D86C77332330AEB2CF835A3<br>AD5859D4DF0E62F2231C522156582D96921606BC7526D5BAB7C6C21C41F7E28875EB652B704E8316B4CDEF3B35361D9487FA8F673AD303FE43711AC1699C<br>EBABB5B2AB05C1F1E3DF1E791FF25538770764C18FCF64D35959F62CB9C3F97485B36A1E14CC9070BE7A7EDF6F5DD410B338256FEC09C323D36C60935B36<br>52C28C39BBA576FD897723A13CF342CB93218D86A17311078D0FBFB46F21167B14317ABC22FD109870C49F9694AB6FD51D3B2DF7773B72C7D8D1CF57C07D<br>12070A4D6C8388212F1202A601BBA40ACAB8B5A76E428216B201B031D0D3483A48629F2C3BA8C3DEFD83C0169CD91C00477B7DD72086626FF5FC0C91AEF8<br>8FF62766F1F68C7594372510FE0F4E896895DC511CAED5D9E1003ACD2338C9C27A0AEAA9F01DD75D4681F0BA69D304EFD6AC263FCBAEDFB927BE42C6A284<br>54356EBAA4BA40388F9165A326C80A1DE4355AB63A272E234D537EB901F65638DD511B64A51991AABF7B7778A10672CA9438DD4C285733AB71C1D0F43140<br>C9F74A503AF0ABE42992376023692AFE2B225FA45DC76E72E679C389FEA9C793947B9B1CCC4794F93A1248FDBFC3685C6502D999858ABF8C804F91F61900<br>4FCCFD7B844E45647228E74A0B25</span> <br>
<!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<div id="tab-content1" class="content">
<div class="text">
<!--text data -->
<b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br>
<b>All your important files have been encrypted!</b><br><br>
<hr>
Your files are safe! Only modified. (RSA+AES)<br><br>
ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br>
WILL PERMANENTLY CORRUPT IT.<br>
DO NOT MODIFY ENCRYPTED FILES.<br>
DO NOT RENAME ENCRYPTED FILES.<br><br>
No software available on internet can help you. We are the only ones able to<br>
solve your problem.<br><br>
We gathered highly confidential/personal data. These data are currently stored on<br>
a private server. This server will be immediately destroyed after your payment.<br>
If you decide to not pay, we will release your data to public or re-seller.<br>
So you can expect your data to be publicly available in the near future..<br><br>
We only seek money and our goal is not to damage your reputation or prevent<br>
your business from running.<br><br>
You will can send us 2-3 non-important files and we will decrypt it for free<br>
to prove we are able to give your files back.<br><br>
<!--text data -->
<hr>
<b>Contact us for price and get decryption software.</b><br><br>
<a>.onion</a><br>
* Note that this server is available via Tor browser only<br><br>
Follow the instructions to open the link:<br>
1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br>
2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br>
3. Now you have Tor browser. In the Tor Browser open <a>.onion<br>
</a>
4. Start a chat and follow the further instructions. <br>
<hr>
<b>If you can not use the above link, use the email:</b><br>
<a href="[email protected] ">[email protected] </a> <br>
<a href=" [email protected]">[email protected]</a> <br>
<p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br>
<b>
IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br>
</div>
</div>
</div>
<!--tab-->
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>
Emails
Signatures
-
LockFile
LockFile is a new ransomware that emerged in July 2021 with ProxyShell vulnerabilties.
-
MedusaLocker
Ransomware with several variants first seen in September 2019.
-
MedusaLocker Payload 2 IoCs
resource yara_rule behavioral1/files/0x00060000000125cd-62.dat family_medusalocker behavioral1/files/0x00060000000125cd-64.dat family_medusalocker -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 1 IoCs
pid Process 1608 svhost.exe -
Modifies extensions of user files 9 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File renamed C:\Users\Admin\Pictures\SearchWatch.tiff => C:\Users\Admin\Pictures\SearchWatch.tiff.lockfile svhost.bin.exe File renamed C:\Users\Admin\Pictures\MeasureLock.crw => C:\Users\Admin\Pictures\MeasureLock.crw.lockfile svhost.bin.exe File renamed C:\Users\Admin\Pictures\MountRemove.crw => C:\Users\Admin\Pictures\MountRemove.crw.lockfile svhost.bin.exe File renamed C:\Users\Admin\Pictures\RemoveWrite.tiff => C:\Users\Admin\Pictures\RemoveWrite.tiff.lockfile svhost.bin.exe File opened for modification C:\Users\Admin\Pictures\SearchWatch.tiff svhost.bin.exe File renamed C:\Users\Admin\Pictures\SendConvertTo.tif => C:\Users\Admin\Pictures\SendConvertTo.tif.lockfile svhost.bin.exe File renamed C:\Users\Admin\Pictures\RegisterSkip.png => C:\Users\Admin\Pictures\RegisterSkip.png.lockfile svhost.bin.exe File opened for modification C:\Users\Admin\Pictures\RemoveWrite.tiff svhost.bin.exe File renamed C:\Users\Admin\Pictures\SearchTrace.raw => C:\Users\Admin\Pictures\SearchTrace.raw.lockfile svhost.bin.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" svhost.bin.exe -
Drops desktop.ini file(s) 1 IoCs
description ioc Process File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-103686315-404690609-2047157615-1000\desktop.ini svhost.bin.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\J: svhost.bin.exe File opened (read-only) \??\Q: svhost.bin.exe File opened (read-only) \??\H: svhost.bin.exe File opened (read-only) \??\R: svhost.bin.exe File opened (read-only) \??\S: svhost.bin.exe File opened (read-only) \??\T: svhost.bin.exe File opened (read-only) \??\V: svhost.bin.exe File opened (read-only) \??\X: svhost.bin.exe File opened (read-only) \??\A: svhost.bin.exe File opened (read-only) \??\F: svhost.bin.exe File opened (read-only) \??\G: svhost.bin.exe File opened (read-only) \??\I: svhost.bin.exe File opened (read-only) \??\M: svhost.bin.exe File opened (read-only) \??\P: svhost.bin.exe File opened (read-only) \??\W: svhost.bin.exe File opened (read-only) \??\Z: svhost.bin.exe File opened (read-only) \??\B: svhost.bin.exe File opened (read-only) \??\E: svhost.bin.exe File opened (read-only) \??\K: svhost.bin.exe File opened (read-only) \??\L: svhost.bin.exe File opened (read-only) \??\N: svhost.bin.exe File opened (read-only) \??\O: svhost.bin.exe File opened (read-only) \??\U: svhost.bin.exe File opened (read-only) \??\Y: svhost.bin.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 948 vssadmin.exe 1548 vssadmin.exe 828 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1448 svhost.bin.exe 1448 svhost.bin.exe 1448 svhost.bin.exe 1448 svhost.bin.exe 1448 svhost.bin.exe 1448 svhost.bin.exe 1448 svhost.bin.exe 1448 svhost.bin.exe 1448 svhost.bin.exe 1448 svhost.bin.exe 1448 svhost.bin.exe 1448 svhost.bin.exe 1448 svhost.bin.exe 1448 svhost.bin.exe 1448 svhost.bin.exe 1448 svhost.bin.exe 1448 svhost.bin.exe 1448 svhost.bin.exe 1448 svhost.bin.exe 1448 svhost.bin.exe 1448 svhost.bin.exe 1448 svhost.bin.exe 1448 svhost.bin.exe 1448 svhost.bin.exe 1448 svhost.bin.exe 1448 svhost.bin.exe 1448 svhost.bin.exe 1448 svhost.bin.exe 1448 svhost.bin.exe 1448 svhost.bin.exe 1448 svhost.bin.exe 1448 svhost.bin.exe 1448 svhost.bin.exe 1448 svhost.bin.exe 1448 svhost.bin.exe 1448 svhost.bin.exe 1448 svhost.bin.exe 1448 svhost.bin.exe 1448 svhost.bin.exe 1448 svhost.bin.exe 1448 svhost.bin.exe 1448 svhost.bin.exe 1448 svhost.bin.exe 1448 svhost.bin.exe 1448 svhost.bin.exe 1448 svhost.bin.exe 1448 svhost.bin.exe 1448 svhost.bin.exe 1448 svhost.bin.exe 1448 svhost.bin.exe 1448 svhost.bin.exe 1448 svhost.bin.exe 1448 svhost.bin.exe 1448 svhost.bin.exe 1448 svhost.bin.exe 1448 svhost.bin.exe 1448 svhost.bin.exe 1448 svhost.bin.exe 1448 svhost.bin.exe 1448 svhost.bin.exe 1448 svhost.bin.exe 1448 svhost.bin.exe 1448 svhost.bin.exe 1448 svhost.bin.exe -
Suspicious use of AdjustPrivilegeToken 63 IoCs
description pid Process Token: SeBackupPrivilege 1048 vssvc.exe Token: SeRestorePrivilege 1048 vssvc.exe Token: SeAuditPrivilege 1048 vssvc.exe Token: SeIncreaseQuotaPrivilege 816 wmic.exe Token: SeSecurityPrivilege 816 wmic.exe Token: SeTakeOwnershipPrivilege 816 wmic.exe Token: SeLoadDriverPrivilege 816 wmic.exe Token: SeSystemProfilePrivilege 816 wmic.exe Token: SeSystemtimePrivilege 816 wmic.exe Token: SeProfSingleProcessPrivilege 816 wmic.exe Token: SeIncBasePriorityPrivilege 816 wmic.exe Token: SeCreatePagefilePrivilege 816 wmic.exe Token: SeBackupPrivilege 816 wmic.exe Token: SeRestorePrivilege 816 wmic.exe Token: SeShutdownPrivilege 816 wmic.exe Token: SeDebugPrivilege 816 wmic.exe Token: SeSystemEnvironmentPrivilege 816 wmic.exe Token: SeRemoteShutdownPrivilege 816 wmic.exe Token: SeUndockPrivilege 816 wmic.exe Token: SeManageVolumePrivilege 816 wmic.exe Token: 33 816 wmic.exe Token: 34 816 wmic.exe Token: 35 816 wmic.exe Token: SeIncreaseQuotaPrivilege 748 wmic.exe Token: SeSecurityPrivilege 748 wmic.exe Token: SeTakeOwnershipPrivilege 748 wmic.exe Token: SeLoadDriverPrivilege 748 wmic.exe Token: SeSystemProfilePrivilege 748 wmic.exe Token: SeSystemtimePrivilege 748 wmic.exe Token: SeProfSingleProcessPrivilege 748 wmic.exe Token: SeIncBasePriorityPrivilege 748 wmic.exe Token: SeCreatePagefilePrivilege 748 wmic.exe Token: SeBackupPrivilege 748 wmic.exe Token: SeRestorePrivilege 748 wmic.exe Token: SeShutdownPrivilege 748 wmic.exe Token: SeDebugPrivilege 748 wmic.exe Token: SeSystemEnvironmentPrivilege 748 wmic.exe Token: SeRemoteShutdownPrivilege 748 wmic.exe Token: SeUndockPrivilege 748 wmic.exe Token: SeManageVolumePrivilege 748 wmic.exe Token: 33 748 wmic.exe Token: 34 748 wmic.exe Token: 35 748 wmic.exe Token: SeIncreaseQuotaPrivilege 1680 wmic.exe Token: SeSecurityPrivilege 1680 wmic.exe Token: SeTakeOwnershipPrivilege 1680 wmic.exe Token: SeLoadDriverPrivilege 1680 wmic.exe Token: SeSystemProfilePrivilege 1680 wmic.exe Token: SeSystemtimePrivilege 1680 wmic.exe Token: SeProfSingleProcessPrivilege 1680 wmic.exe Token: SeIncBasePriorityPrivilege 1680 wmic.exe Token: SeCreatePagefilePrivilege 1680 wmic.exe Token: SeBackupPrivilege 1680 wmic.exe Token: SeRestorePrivilege 1680 wmic.exe Token: SeShutdownPrivilege 1680 wmic.exe Token: SeDebugPrivilege 1680 wmic.exe Token: SeSystemEnvironmentPrivilege 1680 wmic.exe Token: SeRemoteShutdownPrivilege 1680 wmic.exe Token: SeUndockPrivilege 1680 wmic.exe Token: SeManageVolumePrivilege 1680 wmic.exe Token: 33 1680 wmic.exe Token: 34 1680 wmic.exe Token: 35 1680 wmic.exe -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 1448 wrote to memory of 948 1448 svhost.bin.exe 27 PID 1448 wrote to memory of 948 1448 svhost.bin.exe 27 PID 1448 wrote to memory of 948 1448 svhost.bin.exe 27 PID 1448 wrote to memory of 948 1448 svhost.bin.exe 27 PID 1448 wrote to memory of 816 1448 svhost.bin.exe 30 PID 1448 wrote to memory of 816 1448 svhost.bin.exe 30 PID 1448 wrote to memory of 816 1448 svhost.bin.exe 30 PID 1448 wrote to memory of 816 1448 svhost.bin.exe 30 PID 1448 wrote to memory of 1548 1448 svhost.bin.exe 32 PID 1448 wrote to memory of 1548 1448 svhost.bin.exe 32 PID 1448 wrote to memory of 1548 1448 svhost.bin.exe 32 PID 1448 wrote to memory of 1548 1448 svhost.bin.exe 32 PID 1448 wrote to memory of 748 1448 svhost.bin.exe 34 PID 1448 wrote to memory of 748 1448 svhost.bin.exe 34 PID 1448 wrote to memory of 748 1448 svhost.bin.exe 34 PID 1448 wrote to memory of 748 1448 svhost.bin.exe 34 PID 1448 wrote to memory of 828 1448 svhost.bin.exe 36 PID 1448 wrote to memory of 828 1448 svhost.bin.exe 36 PID 1448 wrote to memory of 828 1448 svhost.bin.exe 36 PID 1448 wrote to memory of 828 1448 svhost.bin.exe 36 PID 1448 wrote to memory of 1680 1448 svhost.bin.exe 38 PID 1448 wrote to memory of 1680 1448 svhost.bin.exe 38 PID 1448 wrote to memory of 1680 1448 svhost.bin.exe 38 PID 1448 wrote to memory of 1680 1448 svhost.bin.exe 38 PID 1408 wrote to memory of 1608 1408 taskeng.exe 44 PID 1408 wrote to memory of 1608 1408 taskeng.exe 44 PID 1408 wrote to memory of 1608 1408 taskeng.exe 44 PID 1408 wrote to memory of 1608 1408 taskeng.exe 44 -
System policy modification 1 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" svhost.bin.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" svhost.bin.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" svhost.bin.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\svhost.bin.exe"C:\Users\Admin\AppData\Local\Temp\svhost.bin.exe"1⤵
- Modifies extensions of user files
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1448 -
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
PID:948
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:816
-
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
PID:1548
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:748
-
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
PID:828
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1680
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1048
-
C:\Windows\system32\taskeng.exetaskeng.exe {00093348-C903-46AA-974E-E192A2D44D7F} S-1-5-21-103686315-404690609-2047157615-1000:EDWYFHKN\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
PID:1408 -
C:\Users\Admin\AppData\Roaming\svhost.exeC:\Users\Admin\AppData\Roaming\svhost.exe2⤵
- Executes dropped EXE
PID:1608
-