Overview

overview

10

Static

static

10

c7e71eb5d9...c8.exe

windows7_x64

10

c7e71eb5d9...c8.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    161s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    01/02/2022, 15:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c7e71eb5d99cb54f83d3617682805bdf2991cb8fd0b4d34ecc0cf7624aaed6c8.exe

  • Size

    669KB

  • MD5

    86660badc63761b1ba8000d047fc91d4

  • SHA1

    292a53b0de5fbe7400b85a74cc553b6ec3f40133

  • SHA256

    c7e71eb5d99cb54f83d3617682805bdf2991cb8fd0b4d34ecc0cf7624aaed6c8

  • SHA512

    88da4368e1aa44b6a847204e330699d76271fe36c7ceb64c1574f73fb77d5bd1f76f75c86b15aab6605de26dba287af2f9e2aa1deebf29d36ce6dfb9ef84cae1

Score
10/10
medusalockerevasionransomwarespywarestealertrojan

Malware Config

Extracted

Path

\??\Z:\Boot\HOW_TO_RECOVER_DATA.html

Ransom Note
<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">35D1F2ABED4A1A31A63DE4F999E0581C89A46F2AA3DB5DAFDACB54E2BD566DFF12ECA4B8D1182FC0A8E1512473989B56F2CF8C740AB0AEE9304DD720AA9E86B5<br>5F68FCA00016179CCC148C8DF46D4CF5B61C7B56C4FF8C9082675EFE7EBE16FCECBD9416B2D0F376B303ED242AAB97411F639D34DF6D31B76D14262BCF98<br>5B4F9835432A85F053AC11F87F44F205F46BFB6D1AAC5E112A8DFD0CE371555ACC9FC13D1346204C5024410D4ABE184E0AE1BC5845D44E306E2AB7E03531<br>1B0F61AAA3DF4741F2397750F0071D9EBC9C464DA5F5240AB6990C9FD225B8BC00FC98CF95CE00A215999A9FEB4C5170D57C066E11E66BC2130CDBE202FB<br>803D333E07C1166F05E2B62D8970FA5DBC634DE190A7A73078FF40B7FBDECF9863B522AA4383E52ACE6F0905AAE441685E615C2E35F812A90E840F712451<br>6E279D1F9679136C2463A5252548AEAF344F773FAAF5D0DA86F584DD43B18F352AA15694EC78CBDA3EAC1EFF36F6B62093E67B143CBB4CDB2FCF147916BA<br>F5D0E885E52AC1D6576B0C37C78C75532E78C3E0D5D323041AF05CE055FD5711BA0A9C2E4A1EFD65BA138F49FE7A2E2FC26E10988F901F5D5BBEE52110DD<br>20B6EB1DDC5077D6F3ECFCECA4A5B3A60BDC9F65B359049A0B455104C1E3C5E31E7A871A08AC5746603042417FAEA7CD0B4FC932D1807F01BF5D5F76CF6E<br>57D5638C7960638E2E4F3ADB28BD</span> <br> <!-- !!! dont changing this !!! --> </div> </div> <!-- --> <div class="tabs"> <!--tab--> <div class="tab"> <div id="tab-content1" class="content"> <div class="text"> <!--text data --> <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>ALL YOUR IMPORTANT FILES HAVE BEEN ENCRYPTED!</b><br><br> YOUR FILES ARE SAFE! JUST MODIFIED ONLY. (RSA+AES) <br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMENANTLY DESTROY YOUR FILE.<br> DO NOT MODIFY ENCRYPTED FILES. DO NOT RENAME ENCRYPTED FILES.<br><br> NO SOFTWARE AVAILABLE ON INTERNET CAN HELP YOU. WE ONLY HAVE<br> SOLUTION TO YOUR PROBLEM.<br><br> WE GATHERED HIGHLY CONFIDENTIAL/PERSORNAL DATA. THESE DATA<br> ARE CURRENTLY STORED ON A PRIVATE SERVER. THIS SERVER WILL BE<br> IMMEDIATELY DESTROYED AFTER YOUR PAYMENT. WE ONLY SEEK MONEY<br> AND DO NOT WANT TO DAMAGE YOUR REPUTATION. IF YOU DECIDE TO<br> NOT PAY, WE WILL RELEASE THIS DATA TO PUBLIC OR RE-SELLER.<br><br> YOU WILL CAN SEND US 2-3 NON-IMPORTANT FILES AND WE WILL<br> DECRYPT IT FOR FREE TO PROVE WE ARE ABLE TO GIVE YOUR FILES<br> BACK.<br><br> <!--text data --> <hr> <b>CONTACT US FOR PRICE (BITCOIN) AND GET DECRYPTION SOFTWARE.</b><br><br> <a href="mailto:[email protected]">[email protected]</a><br> <a href="malito:[email protected] ? ">[email protected] </a> <hr> </div> <div class="text"> MAKE CONTACT AS SOON AS POSSIBLE. YOUR DECRYPTION KEY IS ONLY STORED <br> TEMPORARLY. IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER. </div> </div> </div> <!--tab--> <!--text data --> </div> </div> <!--tab--> </div> </div> </body> </html>
Emails

href="mailto:[email protected]">[email protected]</a><br>

href="malito:[email protected]

">[email protected]

Signatures

  • MedusaLocker

    Ransomware with several variants first seen in September 2019.

    ransomwaremedusalocker
  • MedusaLocker Payload 2 IoCs
  • UAC bypass 3 TTPs
    evasiontrojan
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 3 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 63 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • System policy modification 1 TTPs 3 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\c7e71eb5d99cb54f83d3617682805bdf2991cb8fd0b4d34ecc0cf7624aaed6c8.exe
    "C:\Users\Admin\AppData\Local\Temp\c7e71eb5d99cb54f83d3617682805bdf2991cb8fd0b4d34ecc0cf7624aaed6c8.exe"
    1⤵
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:612
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:656
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1640
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:396
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2004
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:2024
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1196
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:568
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {562195B0-4F06-4234-BADB-1CEE8FF03B95} S-1-5-21-3846991908-3261386348-1409841751-1000:VQVVOAJK\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1764
    • C:\Users\Admin\AppData\Roaming\svhost.exe
      C:\Users\Admin\AppData\Roaming\svhost.exe
      2⤵
      • Executes dropped EXE
      PID:2008

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/612-54-0x0000000075891000-0x0000000075893000-memory.dmp

    Filesize

    8KB

    Download