medusalocker

General

Target

fd24ff7e838fea836079c4554254768abdce32c4f46148c609a5a676c9e71103
Size

678KB
Sample

220201-srd9nsghg6
MD5

4984d9af56c39a161b627e019ed2604d
SHA1

eef59fd5b71487448bfd44270d909b1441cd537b
SHA256

fd24ff7e838fea836079c4554254768abdce32c4f46148c609a5a676c9e71103
SHA512

647917640c35888911c99a57a6c7db9164cc3739cbeebc0ad698f597ef04a34ad35b8f0e516ad3b701358e5f6bd6bf537e396b3ebacbaa3e1b5ee32b9d1e2222

Score

10^/10

Malware Config

Extracted

Path

\??\Z:\Boot\Recovery_Instructions.html

Ransom Note

<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">DBC200DEAEAE7FE7A78F6AAFFEE0FA6756BF53235765B4CA45505593924FE326BBA20AC7DD28362C417B2B97EB6C48E44D7095F2C12E93B63AF21F3E18E42823<br>F87E6EFF33DC7B321C750B63919EB5FB4BBA880F26FBB932BFCDA4BC8B56157C22E7C8DCFFB2817033A91731DABB98D1AA43CD174AB5983AED71323E53DE<br>8AD251B1794E89B9216A78BB3D5E38EF5E338E9B472DBA5D0E3C992A1EA4AE9C7DBF0CC24C6C4EC0E77C07EA293F10D6A3BF2D4D26848C90889562BBA0B9<br>C6C637762FA5347C406DA7AFC0586B30F4B7343B54303385E090382D2218E98057AEB68A7CB5E5CFBC335100EFD30C5D3B4B9080CE473FED81676EB6DACA<br>DF688F928D7626CA2F8445F58AF6121840C8B99A697AE2855C5C756BC36F8463AFE31F491E590DFEE05A6B60FFEE702A618CC5F0766B9B44EC8E0268EA56<br>1EDE1D65EC61187A7C0CB23E486DFA51D3F8F88297BFBD0E2E2CCA1EB98FF3CC17DA2A05967250CBD3635A7936FFC84FD510ED0C3BFEE83F626BD0896A6C<br>58158DBE0E59492AA8B7829986FC35BB027858C73E3A48818CF0C6983AB9ADCDB684B3CCF5061EF255DBCEE371D601D52133EA764794397EB7C5F3D716DD<br>A465CF4D3F1B30184526415FBDBC358004D6ECFF34BAAFAAC998C4BE8C8A343B0797BC6CE2F88C67751190C7D7BBFE56EB5B966428BB8725F393F3F8DB7F<br>367B45165816BD6AD28279975736</span> <br>  </div> </div>  <div class="tabs">  <div class="tab"> <div id="tab-content1" class="content"> <div class="text">  <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>ALL YOUR IMPORTANT FILES HAVE BEEN ENCRYPTED!</b><br><br> YOUR FILES ARE SAFE! JUST MODIFIED ONLY. (RSA+AES) <br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMENANTLY DESTROY YOUR FILE.<br> DO NOT MODIFY ENCRYPTED FILES. DO NOT RENAME ENCRYPTED FILES.<br><br> NO SOFTWARE AVAILABLE ON INTERNET CAN HELP YOU. WE ONLY HAVE<br> SOLUTION TO YOUR PROBLEM.<br><br> WE GATHERED HIGHLY CONFIDENTIAL/PERSORNAL DATA. THESE DATA<br> ARE CURRENTLY STORED ON A PRIVATE SERVER. THIS SERVER WILL BE<br> IMMEDIATELY DESTROYED AFTER YOUR PAYMENT. WE ONLY SEEK MONEY<br> AND DO NOT WANT TO DAMAGE YOUR REPUTATION. IF YOU DECIDE TO<br> NOT PAY, WE WILL RELEASE THIS DATA TO PUBLIC OR RE-SELLER.<br><br> YOU WILL CAN SEND US 2-3 NON-IMPORTANT FILES AND WE WILL<br> DECRYPT IT FOR FREE TO PROVE WE ARE ABLE TO GIVE YOUR FILES<br> BACK.<br><br>  <hr> <b>Contact us for price and get decryption software.</b><br><br> <a href="">http://gvlay6u4g53rxdi5.onion/8-BEr5s2CLhrmCqH4xxg229SZxlkjCyDmc-RLv6LJa5nBnjldk0uGsdEpDpoIAKllCD</a><br> * Note that this server is available via Tor browser only<br><br> Follow the instructions to open the link:<br> 1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br> 2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br> 3. Now you have Tor browser. In the Tor Browser open "{{URL}}". <br> 4. Start a chat and follow the further instructions. <br><br> <b>If you can't use the above link, use the email:</b><br> <a href=" [email protected] ? "> [email protected] </a> <hr> <a href=" [email protected] ? ">[email protected] </a> <hr> MAKE CONTACT AS SOON AS POSSIBLE. YOUR DECRYPTION KEY IS ONLY STORED <br> TEMPORARLY. IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER. </div> </div> </div>   </div> </div>  </div> </div> </body> </html>

Emails

[email protected]

">[email protected]

Extracted

Path

C:\Recovery_Instructions.html

Ransom Note

<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">7CEDE47CBD3F4E6074BEA02B70BA552F55474B0661513A1B278EF04D9C275EA687E60DCF18FC05F4C2F144F20C56D477A90B9F62E442B06FBD8DBFE29AA6B6E6<br>5373480C29A90D4062CCE3F71FAE3DA7B8A3F261FEA0FE9ED18B91BA5E27DE3E0F1FF024467FC5A9AB4E7449CD7B4F95AAFC3FA5696BEE484C6EDF3DD740<br>4C626DEE796E31A1815DE7A26DA511577657C3E79492363A8C5981AA8CCCEC0602F618D55375946761CE218A1CD403CCA6FEA996CC544EFF51681E4A6A29<br>5D9C9674F511515A812A33BFF37C589757A768606F39CC848A3CC43137E6B1164ADCABACC39B291BC2BD8C3FBBFD1185BC172F87AD05E0192D4695A8A0A3<br>BF5470DD739C2315B9DD4279ED7D4C935E528491C1D264BF21D3614CD1AB0843206B423C00BB7FCBE566746E68923B3D26A0CC8EA0B60F750E16EAB35AB5<br>A0871CF5EA509217F9B51E70582A3912645137E04B44B5450C5294D1075195B5632634B61F8B6AAC3D8C8EE49AA3976BE823D342E72E0C697B64E0B134C3<br>715E0149AF852FB1C7CAF3B65AE6BD3F2528224A9DE35853392B7866813226C681C61FCCB6ECAC47F8D2686DEE7D1D2566533A7CFD3B503A10D16F5CA8D3<br>03C15145E5546F8BEA042A4CA9A28329CB30899CCDB3A7B5A514498F1733879ADE7D757093668CA08DECD7BFA77A8B10183D44204D5381FFB9D6D1C61B70<br>A5F105BB5C8FA5D26F058BC31B45</span> <br>  </div> </div>  <div class="tabs">  <div class="tab"> <div id="tab-content1" class="content"> <div class="text">  <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>ALL YOUR IMPORTANT FILES HAVE BEEN ENCRYPTED!</b><br><br> YOUR FILES ARE SAFE! JUST MODIFIED ONLY. (RSA+AES) <br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMENANTLY DESTROY YOUR FILE.<br> DO NOT MODIFY ENCRYPTED FILES. DO NOT RENAME ENCRYPTED FILES.<br><br> NO SOFTWARE AVAILABLE ON INTERNET CAN HELP YOU. WE ONLY HAVE<br> SOLUTION TO YOUR PROBLEM.<br><br> WE GATHERED HIGHLY CONFIDENTIAL/PERSORNAL DATA. THESE DATA<br> ARE CURRENTLY STORED ON A PRIVATE SERVER. THIS SERVER WILL BE<br> IMMEDIATELY DESTROYED AFTER YOUR PAYMENT. WE ONLY SEEK MONEY<br> AND DO NOT WANT TO DAMAGE YOUR REPUTATION. IF YOU DECIDE TO<br> NOT PAY, WE WILL RELEASE THIS DATA TO PUBLIC OR RE-SELLER.<br><br> YOU WILL CAN SEND US 2-3 NON-IMPORTANT FILES AND WE WILL<br> DECRYPT IT FOR FREE TO PROVE WE ARE ABLE TO GIVE YOUR FILES<br> BACK.<br><br>  <hr> <b>Contact us for price and get decryption software.</b><br><br> <a href="">http://gvlay6u4g53rxdi5.onion/8-BEr5s2CLhrmCqH4xxg229SZxlkjCyDmc-cH19ykO4847NNiYGVsumnwvTNunPF2Ti</a><br> * Note that this server is available via Tor browser only<br><br> Follow the instructions to open the link:<br> 1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br> 2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br> 3. Now you have Tor browser. In the Tor Browser open "{{URL}}". <br> 4. Start a chat and follow the further instructions. <br><br> <b>If you can't use the above link, use the email:</b><br> <a href=" [email protected] ? "> [email protected] </a> <hr> <a href=" [email protected] ? ">[email protected] </a> <hr> MAKE CONTACT AS SOON AS POSSIBLE. YOUR DECRYPTION KEY IS ONLY STORED <br> TEMPORARLY. IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER. </div> </div> </div>   </div> </div>  </div> </div> </body> </html>

Emails

[email protected]

">[email protected]

Targets

- Target
  
  fd24ff7e838fea836079c4554254768abdce32c4f46148c609a5a676c9e71103
- Size
  
  678KB
- MD5
  
  4984d9af56c39a161b627e019ed2604d
- SHA1
  
  eef59fd5b71487448bfd44270d909b1441cd537b
- SHA256
  
  fd24ff7e838fea836079c4554254768abdce32c4f46148c609a5a676c9e71103
- SHA512
  
  647917640c35888911c99a57a6c7db9164cc3739cbeebc0ad698f597ef04a34ad35b8f0e516ad3b701358e5f6bd6bf537e396b3ebacbaa3e1b5ee32b9d1e2222
Score

10^/10

medusalocker evasion ransomware spyware stealer trojan
- MedusaLocker
  Ransomware with several variants first seen in September 2019.
  ransomware medusalocker
- MedusaLocker Payload
- UAC bypass
  evasion trojan
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Executes dropped EXE
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Checks whether UAC is enabled
  evasion trojan
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral1 behavioral2