medusalocker

General

Target

6b9ca4cbb68f23e164625614d9d074b7bb9e2c5aeb429034ed4d6440594ce64e
Size

707KB
Sample

220201-s4smtshcb5
MD5

0ea3051e5173035fc97c403746d67437
SHA1

e04260b5cc147207c3d18b9a486cb636b3a46ff8
SHA256

6b9ca4cbb68f23e164625614d9d074b7bb9e2c5aeb429034ed4d6440594ce64e
SHA512

9afdcf3ffd9190362900c55f02172f5c9d1033e7e618b627b0efbda170eb31114547d9808ad161dfa08dc135fe311d096a8317370d5e7cefaf2e263ac118c85d

Score

10^/10

Malware Config

Extracted

Path

\??\Z:\Boot\Recovery_Instructions.html

Ransom Note

<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">C465B41C894F9E47D88D08FC63A495CCF7125FD8BD68710065A0CBD6E956ED59EE8043B0AE15493B4A5FF075E67A7CA4F58A61AD17000A5D26CF85F4A3B04A13<br>6E466A4ADA4614121EF5D5C39C950C230C0978B127E3FED95E4699572E777ECF7FF7CF145702EA2959CFFC807C42C14B41A820AE1F120144C6116A33D711<br>21BA1034A75013BE92CFA99EEF08F70D81D15F30C464D5AD4638B947EBC5D63C38621BE062451F642C5867677C04022586D3895C3DE5BA08EA9B53C98374<br>4C45E3C30ACC7667B0B3DC1BEE593D74CB858A26EDB77E6418182F8D698F2026D770DC1AB859948A27B7FBC74513D6F1403CB8148AC7E07AD623460E5DBE<br>5DEE9DF4E4984E518927579884208F3830249E9FFDDC501F205A96CD52D4336C8051F27B3862421017477B2C624044478ABFC782C88221CB359F2FD27BC3<br>8FC39642FF54F03BDB2F96ADA570CFD7D95D1A8D3E35350C3BA79227F4D489064F0F796E12A104F418E77F67A2B58AE6EC5532121A637778C726CD95D660<br>AAEA2FA3E483707FF14B72C01C5D46CA1FBBF0F2CE1250758F55996F7E09B48378A0DAAEE050E38F2E595D1318F19D1FD3D1EB66D357BB10D6274153137F<br>9387EACF0225C54A13B387E2178DFA449775596A73D4B35FA7B20FC49624DB5714D95EF0F885640ADC363F4378A13C48E1BA1F085EE56A555CEAAA021C21<br>2D09BE8E3F74D382CDF8B786743D</span> <br>  </div> </div>  <div class="tabs">  <div class="tab"> <div id="tab-content1" class="content"> <div class="text">  <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>ALL YOUR IMPORTANT FILES HAVE BEEN ENCRYPTED!</b><br><br> YOUR FILES ARE SAFE! JUST MODIFIED ONLY. (RSA+AES) <br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMENANTLY DESTROY YOUR FILE.<br> DO NOT MODIFY ENCRYPTED FILES. DO NOT RENAME ENCRYPTED FILES.<br><br> NO SOFTWARE AVAILABLE ON INTERNET CAN HELP YOU. WE ONLY HAVE<br> SOLUTION TO YOUR PROBLEM.<br><br> WE GATHERED HIGHLY CONFIDENTIAL/PERSORNAL DATA. THESE DATA<br> ARE CURRENTLY STORED ON A PRIVATE SERVER. THIS SERVER WILL BE<br> IMMEDIATELY DESTROYED AFTER YOUR PAYMENT. WE ONLY SEEK MONEY<br> AND DO NOT WANT TO DAMAGE YOUR REPUTATION. IF YOU DECIDE TO<br> NOT PAY, WE WILL RELEASE THIS DATA TO PUBLIC OR RE-SELLER.<br><br> YOU WILL CAN SEND US 2-3 NON-IMPORTANT FILES AND WE WILL<br> DECRYPT IT FOR FREE TO PROVE WE ARE ABLE TO GIVE YOUR FILES<br> BACK.<br><br>  <hr> <b>CONTACT US FOR PRICE (BITCOIN) AND GET DECRYPTION SOFTWARE.</b><br><br> <a href="mailto:[email protected]">[email protected]</a><br> <a href="mailto:[email protected]">[email protected]</a> <hr> </div> <div class="text"> MAKE CONTACT AS SOON AS POSSIBLE. YOUR DECRYPTION KEY IS ONLY STORED <br> TEMPORARLY. IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER. </div> </div> </div>   </div> </div>  </div> </div> </body> </html>

Emails

href="mailto:[email protected]">[email protected]</a><br>

href="mailto:[email protected]">[email protected]</a>

Extracted

Path

\??\Z:\Boot\Recovery_Instructions.html

Ransom Note

<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">2B662DF56B22E996B01084FCE7555582334B9B09F8C4DE1F0ED8F88DF21985897F7D53B1995311EC7338E0011444AA4A94C9E0DD3266159F7AB4030F6A2FD91A<br>0C095422A5BC38FB57664DAE6F2FF0174FEC920383EAC4957A3C0F10EF956FD6F601C12E7AB9F13255EED72DF03D3658AB1072B87597917304DC0DDD8B18<br>6076ACF6A56B58B98AE1EBA897FD7D06A2C519DCC0D78A7F05A46BA77A43F2B1EE86DC2F2D7394CB7903FA2F95545D14DD5E2845C68D6BD0E3054C6EE1E1<br>84A830543343FBD7EC2A8EBD959A4449F4F798C99947C1C6C65E106C9E1223F641E957092A683C79B6A4FA09D4FBA4BDF45DAA41E724F10BC673B75F55F5<br>5A29A0798E2A269124F790B75099BB17EE1DEC61F0BDC89C20F9CF1DFCB2DFBD96B6C03F6777388E203274C9EFD1BDCC7C8B95EF1E8747E3840A3F534EAA<br>9F44D4ED7A2B748868F629AE4DE19516DA6669676EBCF8C133AC0A4F52B7EE65A1694F1C0774E3D79707B658E55EB8166F8F610E72694BABF82B44BE9A0A<br>A773FE4AA174D67419F5C8E6F6D158BFE8A4F1314CC55BC1FFCB6AF8163A8650685E5702CF3D38AB0CB29272E430417B06A7ADFA7F7430E28C3C9B9B14F7<br>64898FF608791EEFFC4791F19EC3B5C5CF44551D393B3604BCAC1E323F77B6BCD3053B9EEC873370866D3B608B757AA9542575A5F4031CAAA82539B5196A<br>1D7ED996766F69AF218260F79013</span> <br>  </div> </div>  <div class="tabs">  <div class="tab"> <div id="tab-content1" class="content"> <div class="text">  <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>ALL YOUR IMPORTANT FILES HAVE BEEN ENCRYPTED!</b><br><br> YOUR FILES ARE SAFE! JUST MODIFIED ONLY. (RSA+AES) <br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMENANTLY DESTROY YOUR FILE.<br> DO NOT MODIFY ENCRYPTED FILES. DO NOT RENAME ENCRYPTED FILES.<br><br> NO SOFTWARE AVAILABLE ON INTERNET CAN HELP YOU. WE ONLY HAVE<br> SOLUTION TO YOUR PROBLEM.<br><br> WE GATHERED HIGHLY CONFIDENTIAL/PERSORNAL DATA. THESE DATA<br> ARE CURRENTLY STORED ON A PRIVATE SERVER. THIS SERVER WILL BE<br> IMMEDIATELY DESTROYED AFTER YOUR PAYMENT. WE ONLY SEEK MONEY<br> AND DO NOT WANT TO DAMAGE YOUR REPUTATION. IF YOU DECIDE TO<br> NOT PAY, WE WILL RELEASE THIS DATA TO PUBLIC OR RE-SELLER.<br><br> YOU WILL CAN SEND US 2-3 NON-IMPORTANT FILES AND WE WILL<br> DECRYPT IT FOR FREE TO PROVE WE ARE ABLE TO GIVE YOUR FILES<br> BACK.<br><br>  <hr> <b>CONTACT US FOR PRICE (BITCOIN) AND GET DECRYPTION SOFTWARE.</b><br><br> <a href="mailto:[email protected]">[email protected]</a><br> <a href="mailto:[email protected]">[email protected]</a> <hr> </div> <div class="text"> MAKE CONTACT AS SOON AS POSSIBLE. YOUR DECRYPTION KEY IS ONLY STORED <br> TEMPORARLY. IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER. </div> </div> </div>   </div> </div>  </div> </div> </body> </html>

Emails

href="mailto:[email protected]">[email protected]</a><br>

href="mailto:[email protected]">[email protected]</a>

Targets

- Target
  
  6b9ca4cbb68f23e164625614d9d074b7bb9e2c5aeb429034ed4d6440594ce64e
- Size
  
  707KB
- MD5
  
  0ea3051e5173035fc97c403746d67437
- SHA1
  
  e04260b5cc147207c3d18b9a486cb636b3a46ff8
- SHA256
  
  6b9ca4cbb68f23e164625614d9d074b7bb9e2c5aeb429034ed4d6440594ce64e
- SHA512
  
  9afdcf3ffd9190362900c55f02172f5c9d1033e7e618b627b0efbda170eb31114547d9808ad161dfa08dc135fe311d096a8317370d5e7cefaf2e263ac118c85d
Score

10^/10

medusalocker neshta evasion persistence ransomware spyware stealer trojan
- Detect Neshta Payload
- MedusaLocker
  Ransomware with several variants first seen in September 2019.
  ransomware medusalocker
- MedusaLocker Payload
- Modifies system executable filetype association
  persistence
- Neshta
  Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
  persistence spyware neshta
- UAC bypass
  evasion trojan
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Executes dropped EXE
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Checks whether UAC is enabled
  evasion trojan
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral1 behavioral2