General
-
Target
fb07649497b39eee0a93598ff66f14a1f7625f2b6d4c30d8bb5c48de848cd4f2
-
Size
678KB
-
Sample
220201-srq88sghh2
-
MD5
217b5b689dca5aa0026401bffc8d3079
-
SHA1
86d92fc3ba2b3536893b8e753da9cbae70063a50
-
SHA256
fb07649497b39eee0a93598ff66f14a1f7625f2b6d4c30d8bb5c48de848cd4f2
-
SHA512
4da6c584cde1eb4536c5a487dc12601bef711f8b9383c5a328d2d328c87f7b0ef597627749ec17466ddaf59a296af4117a70a772202ead7406a09944a6811fe4
Score
10/10
Malware Config
Extracted
Path
\??\Z:\Boot\Recovery_Instructions.html
Ransom Note
<html>
<style type="text/css">
body {
background-color: #f5f5f5;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
display: block;
margin: auto;
}
.tabs1 .head{
text-align: center;
float: top;
padding: 0px;
text-transform: uppercase;
font-weight: normal;
display: block;
background: #81bef7;
color: #DF0101;
font-size: 30px;
}
.tabs1 .identi {
font-size: 10px;
text-align: center;
float: top;
padding: 15px;
display: block;
background: #81bef7;
color: #DFDFDF;
}
.tabs .content {
background: #f5f5f5;
/*text-align: center;*/
color: #000000;
padding: 25px 15px;
font-size: 15px;
font-weight: 400;
line-height: 20px; }
.tabs .content a {
color: #df0130;
font-size: 23px;
font-style: italic;
text-decoration: none;
line-height: 35px; }
.tabs .content .text{
padding: 25px;
line-height: 1.2;
}
</style>
<body>
<div class="tabs1">
<div class="head" ><b>Your personal ID:</b></div>
<div class="identi">
<span style="width:1000px; color: #ffffff; font-size: 10px;">8FED51C0E307A9820EDF370571D692369A527D8DC2CB418FC27FA4818FC1A978EB6D90FCA01CF4C25F5E8AD2D6F52A79D091BBADA99EC44A27CF188CB0F9955A<br>2B681573BA0A2292581F4BE85EC127E30825F96A0332E3A6AA897D0AFF61FFE91D0711139662580B2822A4775E4BBD899AFDE216F506B5234D303FB03FBD<br>BD729A952AFA4D07151226D0E3286F1952BFD5BA503530D2A5FC478C12198B1B3CE33DE46EB5FB5404AFF91FFC8E7CFF8CFE4637A2F8E7ED8396E7DA3937<br>CC9D18526B2E1B613D645BDFA46D668082E7E7F04D26E92CE97397AE8F71BF4BA86B3C106563E89296053DA1F4E8ED1F85B49AFC2F5B5AB2207E3C3E1C6C<br>B097BE459476F2798F25DDEA1E5BDB9945F433589B3398EF7AEB6AE62FC6B650B3BFD9EC8A0B089F11A97EA25D90EAAEB5329C1CD1FAF514721A682F529A<br>307C069649D51CE454D20E079CAE4BE996355137AC59FF5C7F25A0BF90F75028011208B0A16A7396CF6052F205696787AA93B8E48EC8C4D76281497F5ECF<br>DF21D1C4BCE678B8D085D0A50652239D6751BBEA426CEDB99CF7B4F3DC46E64E37892B6F1B90D298DA5E45103180D6411C708B6546B5AA7864E89888523B<br>0F99976866CCBD2A385825112BF755681BFECF1DB62B90C4948A09EF99E0962DE548A9FA8B44B95E6F07AEDD96629A794D7ED0046C17FB54EA0D9F26011B<br>0000042C0F185DFD99F88D648A81</span> <br>
<!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<div id="tab-content1" class="content">
<div class="text">
<!--text data -->
<b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br>
<b>ALL YOUR IMPORTANT FILES HAVE BEEN ENCRYPTED!</b><br><br>
YOUR FILES ARE SAFE! JUST MODIFIED ONLY. (RSA+AES) <br><br>
ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br>
WILL PERMENANTLY DESTROY YOUR FILE.<br>
DO NOT MODIFY ENCRYPTED FILES. DO NOT RENAME ENCRYPTED FILES.<br><br>
NO SOFTWARE AVAILABLE ON INTERNET CAN HELP YOU. WE ONLY HAVE<br>
SOLUTION TO YOUR PROBLEM.<br><br>
WE GATHERED HIGHLY CONFIDENTIAL/PERSORNAL DATA. THESE DATA<br>
ARE CURRENTLY STORED ON A PRIVATE SERVER. THIS SERVER WILL BE<br>
IMMEDIATELY DESTROYED AFTER YOUR PAYMENT. WE ONLY SEEK MONEY<br>
AND DO NOT WANT TO DAMAGE YOUR REPUTATION. IF YOU DECIDE TO<br>
NOT PAY, WE WILL RELEASE THIS DATA TO PUBLIC OR RE-SELLER.<br><br>
YOU WILL CAN SEND US 2-3 NON-IMPORTANT FILES AND WE WILL<br>
DECRYPT IT FOR FREE TO PROVE WE ARE ABLE TO GIVE YOUR FILES<br>
BACK.<br><br>
<!--text data -->
<hr>
<b>Contact us for price and get decryption software.</b><br><br>
<a href="">http://gvlay6u4g53rxdi5.onion/21-DB8k8moqBCQTJrRBd08b2CryB0SEELdw-wE0lSCixNCtxS9slfqqELUuYeetP5m85</a><br>
* Note that this server is available via Tor browser only<br><br>
Follow the instructions to open the link:<br>
1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br>
2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br>
3. Now you have Tor browser. In the Tor Browser open "{{URL}}". <br>
4. Start a chat and follow the further instructions. <br><br>
<b>If you can't use the above link, use the email:</b><br>
<a href=" [email protected]
?
"> [email protected] </a> <hr>
<a href=" [email protected]
?
">[email protected] </a> <hr>
MAKE CONTACT AS SOON AS POSSIBLE. YOUR DECRYPTION KEY IS ONLY
STORED <br> TEMPORARLY. IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE
WILL BE HIGHER.
</div>
</div>
</div>
<!--tab-->
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>
Extracted
Path
C:\Recovery_Instructions.html
Ransom Note
<html>
<style type="text/css">
body {
background-color: #f5f5f5;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
display: block;
margin: auto;
}
.tabs1 .head{
text-align: center;
float: top;
padding: 0px;
text-transform: uppercase;
font-weight: normal;
display: block;
background: #81bef7;
color: #DF0101;
font-size: 30px;
}
.tabs1 .identi {
font-size: 10px;
text-align: center;
float: top;
padding: 15px;
display: block;
background: #81bef7;
color: #DFDFDF;
}
.tabs .content {
background: #f5f5f5;
/*text-align: center;*/
color: #000000;
padding: 25px 15px;
font-size: 15px;
font-weight: 400;
line-height: 20px; }
.tabs .content a {
color: #df0130;
font-size: 23px;
font-style: italic;
text-decoration: none;
line-height: 35px; }
.tabs .content .text{
padding: 25px;
line-height: 1.2;
}
</style>
<body>
<div class="tabs1">
<div class="head" ><b>Your personal ID:</b></div>
<div class="identi">
<span style="width:1000px; color: #ffffff; font-size: 10px;">CFA237B81F5412830895560F1875EC6848CAB426ADDEF1A60FC09B6FBEA9A752C8AA1169B08AA5E7FFBB95B5053C88302790686422CBFA61716FE17CE09D9130<br>54AEFAE53289905BB0C15F1F2CABF58C9C9709F2172B2B50FF7BE1B9ED06846823D75A23283A25C9AA82F15C9600F640239F8435D46F1E92D565DEEE532B<br>D65B81CFFD504B52CF0BD27A29499585FA02055AA87894509D67799D687DDF9ACA1AED0771A3691BA5386AA273BECB85466D3D2F3EECCCCFA2809C582792<br>68D0C40B5F3472F418A37CFFDB47D13D28B443145E81FFCEE96D6447ADE4AF4298F18FFEDCD9DCF3DCB03498E1C9F9A03D0983D9E18D6C647F6BB269D770<br>6B178E96DA7D5F038AC5261AF9BE3F82B54899F0E132EC6C8787BFC14843B81891EE9797EA149B29C0A71094602396F1236F93C210562C86286B46E3D6CA<br>314146C861C2DD29001221A774F370601821BF021B0693BE764DFA09786F7FC67FC13E8361A48C182478397856895F07E39B977D5ABDCF6047825C2B624F<br>BAB5242530D16F391154D698D0FEA7F71A4B831B8EBDC3FACAC59A9B7199C565E0E963BFD32EC23FF4197F233ED8ABAB7ADF561445D8678EB5FB56C8B9A3<br>A7BCFC52EC26C94CB0879D71F69235331044BF1DB893BB98C075B3F3840A7377F6D5DA6825C3B708FD8482162D5E28D3ED28C4F0FC002D2160BEE99A56C2<br>AD18AD6F8B2BA69531C5DCE70F0D</span> <br>
<!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<div id="tab-content1" class="content">
<div class="text">
<!--text data -->
<b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br>
<b>ALL YOUR IMPORTANT FILES HAVE BEEN ENCRYPTED!</b><br><br>
YOUR FILES ARE SAFE! JUST MODIFIED ONLY. (RSA+AES) <br><br>
ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br>
WILL PERMENANTLY DESTROY YOUR FILE.<br>
DO NOT MODIFY ENCRYPTED FILES. DO NOT RENAME ENCRYPTED FILES.<br><br>
NO SOFTWARE AVAILABLE ON INTERNET CAN HELP YOU. WE ONLY HAVE<br>
SOLUTION TO YOUR PROBLEM.<br><br>
WE GATHERED HIGHLY CONFIDENTIAL/PERSORNAL DATA. THESE DATA<br>
ARE CURRENTLY STORED ON A PRIVATE SERVER. THIS SERVER WILL BE<br>
IMMEDIATELY DESTROYED AFTER YOUR PAYMENT. WE ONLY SEEK MONEY<br>
AND DO NOT WANT TO DAMAGE YOUR REPUTATION. IF YOU DECIDE TO<br>
NOT PAY, WE WILL RELEASE THIS DATA TO PUBLIC OR RE-SELLER.<br><br>
YOU WILL CAN SEND US 2-3 NON-IMPORTANT FILES AND WE WILL<br>
DECRYPT IT FOR FREE TO PROVE WE ARE ABLE TO GIVE YOUR FILES<br>
BACK.<br><br>
<!--text data -->
<hr>
<b>Contact us for price and get decryption software.</b><br><br>
<a href="">http://gvlay6u4g53rxdi5.onion/21-DB8k8moqBCQTJrRBd08b2CryB0SEELdw-YG9q5ON3SrXeSSv131u8fLnTyceJQqHO</a><br>
* Note that this server is available via Tor browser only<br><br>
Follow the instructions to open the link:<br>
1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br>
2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br>
3. Now you have Tor browser. In the Tor Browser open "{{URL}}". <br>
4. Start a chat and follow the further instructions. <br><br>
<b>If you can't use the above link, use the email:</b><br>
<a href=" [email protected]
?
"> [email protected] </a> <hr>
<a href=" [email protected]
?
">[email protected] </a> <hr>
MAKE CONTACT AS SOON AS POSSIBLE. YOUR DECRYPTION KEY IS ONLY
STORED <br> TEMPORARLY. IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE
WILL BE HIGHER.
</div>
</div>
</div>
<!--tab-->
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>
Targets
-
-
Target
fb07649497b39eee0a93598ff66f14a1f7625f2b6d4c30d8bb5c48de848cd4f2
-
Size
678KB
-
MD5
217b5b689dca5aa0026401bffc8d3079
-
SHA1
86d92fc3ba2b3536893b8e753da9cbae70063a50
-
SHA256
fb07649497b39eee0a93598ff66f14a1f7625f2b6d4c30d8bb5c48de848cd4f2
-
SHA512
4da6c584cde1eb4536c5a487dc12601bef711f8b9383c5a328d2d328c87f7b0ef597627749ec17466ddaf59a296af4117a70a772202ead7406a09944a6811fe4
Score10/10-
MedusaLocker
Ransomware with several variants first seen in September 2019.
-
MedusaLocker Payload
-
UAC bypass
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks whether UAC is enabled
-
Drops desktop.ini file(s)
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-