Overview

overview

10

Static

static

10

6b9ca4cbb6...4e.exe

windows7_x64

10

6b9ca4cbb6...4e.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    165s
  • max time network
    21s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    01-02-2022 15:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6b9ca4cbb68f23e164625614d9d074b7bb9e2c5aeb429034ed4d6440594ce64e.exe

  • Size

    707KB

  • MD5

    0ea3051e5173035fc97c403746d67437

  • SHA1

    e04260b5cc147207c3d18b9a486cb636b3a46ff8

  • SHA256

    6b9ca4cbb68f23e164625614d9d074b7bb9e2c5aeb429034ed4d6440594ce64e

  • SHA512

    9afdcf3ffd9190362900c55f02172f5c9d1033e7e618b627b0efbda170eb31114547d9808ad161dfa08dc135fe311d096a8317370d5e7cefaf2e263ac118c85d

Score
10/10
medusalockerneshtaevasionpersistenceransomwarespywarestealertrojan

Malware Config

Extracted

Path

\??\Z:\Boot\Recovery_Instructions.html

Ransom Note
<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">C465B41C894F9E47D88D08FC63A495CCF7125FD8BD68710065A0CBD6E956ED59EE8043B0AE15493B4A5FF075E67A7CA4F58A61AD17000A5D26CF85F4A3B04A13<br>6E466A4ADA4614121EF5D5C39C950C230C0978B127E3FED95E4699572E777ECF7FF7CF145702EA2959CFFC807C42C14B41A820AE1F120144C6116A33D711<br>21BA1034A75013BE92CFA99EEF08F70D81D15F30C464D5AD4638B947EBC5D63C38621BE062451F642C5867677C04022586D3895C3DE5BA08EA9B53C98374<br>4C45E3C30ACC7667B0B3DC1BEE593D74CB858A26EDB77E6418182F8D698F2026D770DC1AB859948A27B7FBC74513D6F1403CB8148AC7E07AD623460E5DBE<br>5DEE9DF4E4984E518927579884208F3830249E9FFDDC501F205A96CD52D4336C8051F27B3862421017477B2C624044478ABFC782C88221CB359F2FD27BC3<br>8FC39642FF54F03BDB2F96ADA570CFD7D95D1A8D3E35350C3BA79227F4D489064F0F796E12A104F418E77F67A2B58AE6EC5532121A637778C726CD95D660<br>AAEA2FA3E483707FF14B72C01C5D46CA1FBBF0F2CE1250758F55996F7E09B48378A0DAAEE050E38F2E595D1318F19D1FD3D1EB66D357BB10D6274153137F<br>9387EACF0225C54A13B387E2178DFA449775596A73D4B35FA7B20FC49624DB5714D95EF0F885640ADC363F4378A13C48E1BA1F085EE56A555CEAAA021C21<br>2D09BE8E3F74D382CDF8B786743D</span> <br> <!-- !!! dont changing this !!! --> </div> </div> <!-- --> <div class="tabs"> <!--tab--> <div class="tab"> <div id="tab-content1" class="content"> <div class="text"> <!--text data --> <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>ALL YOUR IMPORTANT FILES HAVE BEEN ENCRYPTED!</b><br><br> YOUR FILES ARE SAFE! JUST MODIFIED ONLY. (RSA+AES) <br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMENANTLY DESTROY YOUR FILE.<br> DO NOT MODIFY ENCRYPTED FILES. DO NOT RENAME ENCRYPTED FILES.<br><br> NO SOFTWARE AVAILABLE ON INTERNET CAN HELP YOU. WE ONLY HAVE<br> SOLUTION TO YOUR PROBLEM.<br><br> WE GATHERED HIGHLY CONFIDENTIAL/PERSORNAL DATA. THESE DATA<br> ARE CURRENTLY STORED ON A PRIVATE SERVER. THIS SERVER WILL BE<br> IMMEDIATELY DESTROYED AFTER YOUR PAYMENT. WE ONLY SEEK MONEY<br> AND DO NOT WANT TO DAMAGE YOUR REPUTATION. IF YOU DECIDE TO<br> NOT PAY, WE WILL RELEASE THIS DATA TO PUBLIC OR RE-SELLER.<br><br> YOU WILL CAN SEND US 2-3 NON-IMPORTANT FILES AND WE WILL<br> DECRYPT IT FOR FREE TO PROVE WE ARE ABLE TO GIVE YOUR FILES<br> BACK.<br><br> <!--text data --> <hr> <b>CONTACT US FOR PRICE (BITCOIN) AND GET DECRYPTION SOFTWARE.</b><br><br> <a href="mailto:[email protected]">[email protected]</a><br> <a href="mailto:[email protected]">[email protected]</a> <hr> </div> <div class="text"> MAKE CONTACT AS SOON AS POSSIBLE. YOUR DECRYPTION KEY IS ONLY STORED <br> TEMPORARLY. IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER. </div> </div> </div> <!--tab--> <!--text data --> </div> </div> <!--tab--> </div> </div> </body> </html>
Emails

href="mailto:[email protected]">[email protected]</a><br>

href="mailto:[email protected]">[email protected]</a>

Signatures

  • Detect Neshta Payload 1 IoCs
  • MedusaLocker

    Ransomware with several variants first seen in September 2019.

    ransomwaremedusalocker
  • MedusaLocker Payload 6 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta
  • UAC bypass 3 TTPs
    evasiontrojan
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 3 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 63 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs
  • System policy modification 1 TTPs 3 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\6b9ca4cbb68f23e164625614d9d074b7bb9e2c5aeb429034ed4d6440594ce64e.exe
    "C:\Users\Admin\AppData\Local\Temp\6b9ca4cbb68f23e164625614d9d074b7bb9e2c5aeb429034ed4d6440594ce64e.exe"
    1⤵
    • Modifies system executable filetype association
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1692
    • C:\Users\Admin\AppData\Local\Temp\3582-490\6b9ca4cbb68f23e164625614d9d074b7bb9e2c5aeb429034ed4d6440594ce64e.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\6b9ca4cbb68f23e164625614d9d074b7bb9e2c5aeb429034ed4d6440594ce64e.exe"
      2⤵
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Drops desktop.ini file(s)
      • Enumerates connected drives
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1492
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Delete Shadows /All /Quiet
        3⤵
        • Interacts with shadow copies
        PID:568
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        wmic.exe SHADOWCOPY /nointeractive
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:364
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Delete Shadows /All /Quiet
        3⤵
        • Interacts with shadow copies
        PID:1100
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        wmic.exe SHADOWCOPY /nointeractive
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2044
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Delete Shadows /All /Quiet
        3⤵
        • Interacts with shadow copies
        PID:740
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        wmic.exe SHADOWCOPY /nointeractive
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1828
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:532
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {3DA76330-2CDC-4941-A2FA-5F5EE2A5A25B} S-1-5-21-3846991908-3261386348-1409841751-1000:VQVVOAJK\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1576
    • C:\Users\Admin\AppData\Roaming\svhost.exe
      C:\Users\Admin\AppData\Roaming\svhost.exe
      2⤵
      • Executes dropped EXE
      PID:1316

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE
    MD5

    70e413d7ff7f9c2a7ab5fafebf3e4d4a

    SHA1

    0129ad15e2baf730306d578761da2e933359d78d

    SHA256

    27ae04d6e8a7d390742b4e9a472e8980a37f8ca7d3c19d0a06c9531f67e04c0b

    SHA512

    e47d9f6e354b02cf3b3560ec6ca6f33cb2910effd3cadc200d36781de63ff99037efb2c54b3886a7606e602c9ab24d3988f2ea39a9f9b8abfc308bbec1bfd3c4

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\3582-490\6b9ca4cbb68f23e164625614d9d074b7bb9e2c5aeb429034ed4d6440594ce64e.exe
    MD5

    72874d97065bbcebbd165f0c347910c8

    SHA1

    252f9105fe80f0167006569641a769c11c663787

    SHA256

    5aa810e4891538670cc0db6274b7276abe84e8ccbbaef1d3b1208b9ad419a9fa

    SHA512

    ccf5f128094bf83c37b4ad5116fe156edc47f3e584a2aa5db05a968a1fd6e37f93c5687e1ce2bee2978610f38b479e2b0d6ae4af12304b9a2d83a1d5fd6b1628

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\3582-490\6b9ca4cbb68f23e164625614d9d074b7bb9e2c5aeb429034ed4d6440594ce64e.exe
    MD5

    72874d97065bbcebbd165f0c347910c8

    SHA1

    252f9105fe80f0167006569641a769c11c663787

    SHA256

    5aa810e4891538670cc0db6274b7276abe84e8ccbbaef1d3b1208b9ad419a9fa

    SHA512

    ccf5f128094bf83c37b4ad5116fe156edc47f3e584a2aa5db05a968a1fd6e37f93c5687e1ce2bee2978610f38b479e2b0d6ae4af12304b9a2d83a1d5fd6b1628

    Download Submit
  • C:\Users\Admin\AppData\Roaming\svhost.exe
    MD5

    72874d97065bbcebbd165f0c347910c8

    SHA1

    252f9105fe80f0167006569641a769c11c663787

    SHA256

    5aa810e4891538670cc0db6274b7276abe84e8ccbbaef1d3b1208b9ad419a9fa

    SHA512

    ccf5f128094bf83c37b4ad5116fe156edc47f3e584a2aa5db05a968a1fd6e37f93c5687e1ce2bee2978610f38b479e2b0d6ae4af12304b9a2d83a1d5fd6b1628

    Download Submit
  • C:\Users\Admin\AppData\Roaming\svhost.exe
    MD5

    72874d97065bbcebbd165f0c347910c8

    SHA1

    252f9105fe80f0167006569641a769c11c663787

    SHA256

    5aa810e4891538670cc0db6274b7276abe84e8ccbbaef1d3b1208b9ad419a9fa

    SHA512

    ccf5f128094bf83c37b4ad5116fe156edc47f3e584a2aa5db05a968a1fd6e37f93c5687e1ce2bee2978610f38b479e2b0d6ae4af12304b9a2d83a1d5fd6b1628

    Download Submit
  • \PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
    MD5

    9e2b9928c89a9d0da1d3e8f4bd96afa7

    SHA1

    ec66cda99f44b62470c6930e5afda061579cde35

    SHA256

    8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

    SHA512

    2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

    Download Submit
  • \Users\Admin\AppData\Local\Temp\3582-490\6b9ca4cbb68f23e164625614d9d074b7bb9e2c5aeb429034ed4d6440594ce64e.exe
    MD5

    72874d97065bbcebbd165f0c347910c8

    SHA1

    252f9105fe80f0167006569641a769c11c663787

    SHA256

    5aa810e4891538670cc0db6274b7276abe84e8ccbbaef1d3b1208b9ad419a9fa

    SHA512

    ccf5f128094bf83c37b4ad5116fe156edc47f3e584a2aa5db05a968a1fd6e37f93c5687e1ce2bee2978610f38b479e2b0d6ae4af12304b9a2d83a1d5fd6b1628

    Download Submit
  • \Users\Admin\AppData\Roaming\svhost.exe
    MD5

    72874d97065bbcebbd165f0c347910c8

    SHA1

    252f9105fe80f0167006569641a769c11c663787

    SHA256

    5aa810e4891538670cc0db6274b7276abe84e8ccbbaef1d3b1208b9ad419a9fa

    SHA512

    ccf5f128094bf83c37b4ad5116fe156edc47f3e584a2aa5db05a968a1fd6e37f93c5687e1ce2bee2978610f38b479e2b0d6ae4af12304b9a2d83a1d5fd6b1628

    Download Submit
  • memory/1692-54-0x0000000075D51000-0x0000000075D53000-memory.dmp
    Filesize

    8KB

    Download