medusalocker

General

Target

fc12de55f162cd0645e6f7299f6160d1a3b4c3a665efaf4f8bd891d8139d159e
Size

678KB
Sample

220201-srlnraghg9
MD5

7405efcdd3e931cde430317df1c00131
SHA1

69c1527fbd840eee87821328ecf1453984ddc73e
SHA256

fc12de55f162cd0645e6f7299f6160d1a3b4c3a665efaf4f8bd891d8139d159e
SHA512

a54442e4ceb718491486653634640dfcfb79c535fde92b7234fbca328c6aeb1cc9b552ae16fe557055eb52ad0ef20e30a5caedd94dd3d89ea647fc4430e48d72

Score

10^/10

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Recovery_Instructions.html

Ransom Note

<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">396051FCE94D916B6D1B14251B1B02D48AC481184D954192EBC35C63286CA784FF1894C9D7AAD9FA22096F52BC007C4B1AAD1EE98FA77B118AD2A0D8EE3BAC3B<br>EF2B28E18D4340F2FDC74A94C4FD9FE3D89F6E8894195794E68787C76A7E0B3CF34382B688F97EF0B68580A0F07F918A22AE3872EEB1E3CD219E44EC98EA<br>0EEB50B2AC57E0B2AFCDD4B1A9C2FC85A282A7950777AE170406608FBB8E440F3BE314067ACDD9E362C1951B04AAA49CFECF49283A0DED41D105791A4D8D<br>2C3DBF27E67556973EFFAAA5B0975777B632B2BF5FAB2915D7BEB30DBF58BCD9FFEA8E9CE996FA54458F380EC3A76EFBF517135760694141F6CD65A94BF0<br>E39FADF4B98FEC95359A7D8B9594DDDB17896949859182FA96CBA08143042ED15D96D6A538920BE0750407DCABF0CADB3FA8532C460D73E1BAFF50D41CCD<br>FD73FCCEC5C6359EEC22C08BB053F2B81CEE50752E37CD10AE8B8A31E6E49D81124993442140CE1BA3E128C71C1B404A6346ED470289E0E9F70913DB2B10<br>B74A6DF22712ADB267B08C0DC9300318D99257C02AB0609206D2B763EED287F58A8EAF288B4DB3A946695075D02263FB918EA3AA91F3ACAD67B5D3787E98<br>1E610D6DD5EABD9D7BF31A97B3EA19B0005916EAE55C6C2AA2475FD1C65D117985CE7AB3E0D9656397C602E2FAC01AC6B9217423C51A2B159997AD0FFDCF<br>6A5B75BDE01DF5695E36B9427B37</span> <br>  </div> </div>  <div class="tabs">  <div class="tab"> <div id="tab-content1" class="content"> <div class="text">  <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>ALL YOUR IMPORTANT FILES HAVE BEEN ENCRYPTED!</b><br><br> YOUR FILES ARE SAFE! JUST MODIFIED ONLY. (RSA+AES) <br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMENANTLY DESTROY YOUR FILE.<br> DO NOT MODIFY ENCRYPTED FILES. DO NOT RENAME ENCRYPTED FILES.<br><br> NO SOFTWARE AVAILABLE ON INTERNET CAN HELP YOU. WE ONLY HAVE<br> SOLUTION TO YOUR PROBLEM.<br><br> WE GATHERED HIGHLY CONFIDENTIAL/PERSORNAL DATA. THESE DATA<br> ARE CURRENTLY STORED ON A PRIVATE SERVER. THIS SERVER WILL BE<br> IMMEDIATELY DESTROYED AFTER YOUR PAYMENT. WE ONLY SEEK MONEY<br> AND DO NOT WANT TO DAMAGE YOUR REPUTATION. IF YOU DECIDE TO<br> NOT PAY, WE WILL RELEASE THIS DATA TO PUBLIC OR RE-SELLER.<br><br> YOU WILL CAN SEND US 2-3 NON-IMPORTANT FILES AND WE WILL<br> DECRYPT IT FOR FREE TO PROVE WE ARE ABLE TO GIVE YOUR FILES<br> BACK.<br><br>  <hr> <b>Contact us for price and get decryption software.</b><br><br> <a href="">http://gvlay6u4g53rxdi5.onion/8-DYIkMDYTNMZw78F1u6LJFm1lvbyUyGMM-CCsOnxOxPCVboQ18eM1UENKhlw8N3Uua</a><br> * Note that this server is available via Tor browser only<br><br> Follow the instructions to open the link:<br> 1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br> 2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br> 3. Now you have Tor browser. In the Tor Browser open "{{URL}}". <br> 4. Start a chat and follow the further instructions. <br><br> <b>If you can't use the above link, use the email:</b><br> <a href=" [email protected] ? "> [email protected] </a> <hr> <a href=" [email protected] ? ">[email protected] </a> <hr> MAKE CONTACT AS SOON AS POSSIBLE. YOUR DECRYPTION KEY IS ONLY STORED <br> TEMPORARLY. IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER. </div> </div> </div>   </div> </div>  </div> </div> </body> </html>

Emails

[email protected]

">[email protected]

Extracted

Path

C:\Recovery_Instructions.html

Ransom Note

<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">898BD4699E03DCC292167CC63343AB4A7AABB91436EEFE26051ABDEDF65C4BA3C4393E0CC35034A7E766C8A55F704B2591810B28DB0A0580634967A326BF759A<br>323AB93CE494842166A38B208E97CB7B4A5D59B62451C3A0AD30D5B1EA3BC13E84D2699175F982F3DD4AAE13221210E416060FC31A577618028B01D49E67<br>052D78A9BF09BDFDFDEBB73CAB4AB12C2D681DCEDA0198FD48E7F2A396F768D2FF2462B98A5E98B525575F962DA3A8C1C5C814B15F08DC9F4FCCDB64FE27<br>17459AE06B20C6478B63F4865C5BE5F64BF409317535E492B7069035C43CF77D04C3A4D6B57A78E6A00129A08E5504E922E772472412CAC569310BE3384F<br>F556C3A68D7B05F011DDCB3BC4474A7C918FB796DC1D53930569834D00A335ACD3AB41358D4411F4B9C8ED58A05BECE8EEC618052FFAC895A4C216D66160<br>07A95BC2A812E9105401CF88BE2EFCB389F4C86D9DA28FD56F25101AF70A0683C94CA8567B02274AD8B1C3BE71BA054DF21513E83AB2A793FB606B48B216<br>47AB482CC7EA9792A347FC555753510A9E43589E452EFA994024B826081940E1D37F7970CBEC73BD4B47EFE7AE1109882958F220045171FFFBF46D31D022<br>CBC77E8125415607B948C7CF99471B493351E8B636879F6FFBDC600EC44C95778A69C78B1F3950D092E430A58FD1315750562D6B7E8C499608870097DFEE<br>1B37F6C2D1391CC328CECF924DB7</span> <br>  </div> </div>  <div class="tabs">  <div class="tab"> <div id="tab-content1" class="content"> <div class="text">  <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>ALL YOUR IMPORTANT FILES HAVE BEEN ENCRYPTED!</b><br><br> YOUR FILES ARE SAFE! JUST MODIFIED ONLY. (RSA+AES) <br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMENANTLY DESTROY YOUR FILE.<br> DO NOT MODIFY ENCRYPTED FILES. DO NOT RENAME ENCRYPTED FILES.<br><br> NO SOFTWARE AVAILABLE ON INTERNET CAN HELP YOU. WE ONLY HAVE<br> SOLUTION TO YOUR PROBLEM.<br><br> WE GATHERED HIGHLY CONFIDENTIAL/PERSORNAL DATA. THESE DATA<br> ARE CURRENTLY STORED ON A PRIVATE SERVER. THIS SERVER WILL BE<br> IMMEDIATELY DESTROYED AFTER YOUR PAYMENT. WE ONLY SEEK MONEY<br> AND DO NOT WANT TO DAMAGE YOUR REPUTATION. IF YOU DECIDE TO<br> NOT PAY, WE WILL RELEASE THIS DATA TO PUBLIC OR RE-SELLER.<br><br> YOU WILL CAN SEND US 2-3 NON-IMPORTANT FILES AND WE WILL<br> DECRYPT IT FOR FREE TO PROVE WE ARE ABLE TO GIVE YOUR FILES<br> BACK.<br><br>  <hr> <b>Contact us for price and get decryption software.</b><br><br> <a href="">http://gvlay6u4g53rxdi5.onion/8-DYIkMDYTNMZw78F1u6LJFm1lvbyUyGMM-D4ucYsp1QGmZZrCY8Ztwf4IL5vwWy974</a><br> * Note that this server is available via Tor browser only<br><br> Follow the instructions to open the link:<br> 1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br> 2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br> 3. Now you have Tor browser. In the Tor Browser open "{{URL}}". <br> 4. Start a chat and follow the further instructions. <br><br> <b>If you can't use the above link, use the email:</b><br> <a href=" [email protected] ? "> [email protected] </a> <hr> <a href=" [email protected] ? ">[email protected] </a> <hr> MAKE CONTACT AS SOON AS POSSIBLE. YOUR DECRYPTION KEY IS ONLY STORED <br> TEMPORARLY. IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER. </div> </div> </div>   </div> </div>  </div> </div> </body> </html>

Emails

[email protected]

">[email protected]

Targets

- Target
  
  fc12de55f162cd0645e6f7299f6160d1a3b4c3a665efaf4f8bd891d8139d159e
- Size
  
  678KB
- MD5
  
  7405efcdd3e931cde430317df1c00131
- SHA1
  
  69c1527fbd840eee87821328ecf1453984ddc73e
- SHA256
  
  fc12de55f162cd0645e6f7299f6160d1a3b4c3a665efaf4f8bd891d8139d159e
- SHA512
  
  a54442e4ceb718491486653634640dfcfb79c535fde92b7234fbca328c6aeb1cc9b552ae16fe557055eb52ad0ef20e30a5caedd94dd3d89ea647fc4430e48d72
Score

10^/10

medusalocker evasion ransomware trojan persistence
- MedusaLocker
  Ransomware with several variants first seen in September 2019.
  ransomware medusalocker
- MedusaLocker Payload
- UAC bypass
  evasion trojan
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Executes dropped EXE
- Sets service image path in registry
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral1 behavioral2