Analysis

  • max time kernel
    179s
  • max time network
    200s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    01-02-2022 15:28

General

  • Target

    c7e71eb5d99cb54f83d3617682805bdf2991cb8fd0b4d34ecc0cf7624aaed6c8.exe

  • Size

    669KB

  • MD5

    86660badc63761b1ba8000d047fc91d4

  • SHA1

    292a53b0de5fbe7400b85a74cc553b6ec3f40133

  • SHA256

    c7e71eb5d99cb54f83d3617682805bdf2991cb8fd0b4d34ecc0cf7624aaed6c8

  • SHA512

    88da4368e1aa44b6a847204e330699d76271fe36c7ceb64c1574f73fb77d5bd1f76f75c86b15aab6605de26dba287af2f9e2aa1deebf29d36ce6dfb9ef84cae1

Malware Config

Extracted

Path

C:\HOW_TO_RECOVER_DATA.html

Ransom Note
<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">646A24219DD0DAEC03FD12303C6B70445426D3B01094564BF133A64BDF720ACB8EEB55D6FC39DCE63557367FDCE931753FF93E54AD4C80734C985E18A3DF05D9<br>75DD4A483C29EC8C03123EBBCDE029D1E2932A6C2D12B0FEC4E96D649A81E24394D89B7B44BE83C6A9161BE4A1E1940562C30A335EB094D28B3DC012053B<br>541282B8339544EC9B45D6B58B1C00F2F35312F42ACE9D21D3A53CCE79B9F6188ACB3C21B7FAEDA0E977265D66ECA7E9DCE7E6BDEDC57080189BA11F6B23<br>218FF044FAF482D0E43120312F223D1D15B62E3F5F0A82655AD284CCB55B43C8C081C8D93C73AEDDD0CA2D7C14775449E9D123A4C7DF689465AC8E2ED23B<br>2D9733FD4538444A947CAAD66019ADBCC51381C5F4876F93ED383E2A4C85958B0763AD2AAA1269ECB46CCBEAA790E9CD917C94A00F9C81D562CA99CBE62F<br>2EEF130E90B6EE213BBD10FF4F6A037AA1AB73F0D23922C62AADDA782D372A1B6711B2B7B8EBBE4C735973FB50680F6C4BBC2B1C5DC31A458EB2EF7FF58E<br>5BBFE65A0AE5292ECBC3C36BC20F691CC05BAE85F489D74F91077F484707A7B74F0409A51575E33241846A47C954972D40FEBA4EF8DAA67743F60EF3CB88<br>82E01937DF75502337B35357789BA98CEE7C4067C3AF70369D6280762F96F2516A621B3DB9CF53CF7281FA58A15B87C7AF66D25848149A5730F51166DE47<br>483EA9D446ED2487B003AE2C3C0A</span> <br> <!-- !!! dont changing this !!! --> </div> </div> <!-- --> <div class="tabs"> <!--tab--> <div class="tab"> <div id="tab-content1" class="content"> <div class="text"> <!--text data --> <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>ALL YOUR IMPORTANT FILES HAVE BEEN ENCRYPTED!</b><br><br> YOUR FILES ARE SAFE! JUST MODIFIED ONLY. (RSA+AES) <br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMENANTLY DESTROY YOUR FILE.<br> DO NOT MODIFY ENCRYPTED FILES. DO NOT RENAME ENCRYPTED FILES.<br><br> NO SOFTWARE AVAILABLE ON INTERNET CAN HELP YOU. WE ONLY HAVE<br> SOLUTION TO YOUR PROBLEM.<br><br> WE GATHERED HIGHLY CONFIDENTIAL/PERSORNAL DATA. THESE DATA<br> ARE CURRENTLY STORED ON A PRIVATE SERVER. THIS SERVER WILL BE<br> IMMEDIATELY DESTROYED AFTER YOUR PAYMENT. WE ONLY SEEK MONEY<br> AND DO NOT WANT TO DAMAGE YOUR REPUTATION. IF YOU DECIDE TO<br> NOT PAY, WE WILL RELEASE THIS DATA TO PUBLIC OR RE-SELLER.<br><br> YOU WILL CAN SEND US 2-3 NON-IMPORTANT FILES AND WE WILL<br> DECRYPT IT FOR FREE TO PROVE WE ARE ABLE TO GIVE YOUR FILES<br> BACK.<br><br> <!--text data --> <hr> <b>CONTACT US FOR PRICE (BITCOIN) AND GET DECRYPTION SOFTWARE.</b><br><br> <a href="mailto:[email protected]">[email protected]</a><br> <a href="malito:[email protected] ? ">[email protected] </a> <hr> </div> <div class="text"> MAKE CONTACT AS SOON AS POSSIBLE. YOUR DECRYPTION KEY IS ONLY STORED <br> TEMPORARLY. IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER. </div> </div> </div> <!--tab--> <!--text data --> </div> </div> <!--tab--> </div> </div> </body> </html>
Emails

href="mailto:[email protected]">[email protected]</a><br>

href="malito:[email protected]

">[email protected]

Signatures

  • MedusaLocker

    Ransomware with several variants first seen in September 2019.

  • MedusaLocker Payload 2 IoCs
  • UAC bypass 3 TTPs
  • Executes dropped EXE 1 IoCs
  • Sets service image path in registry 2 TTPs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 41 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • System policy modification 1 TTPs 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c7e71eb5d99cb54f83d3617682805bdf2991cb8fd0b4d34ecc0cf7624aaed6c8.exe
    "C:\Users\Admin\AppData\Local\Temp\c7e71eb5d99cb54f83d3617682805bdf2991cb8fd0b4d34ecc0cf7624aaed6c8.exe"
    1⤵
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1196
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3532
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4316
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3664
  • C:\Users\Admin\AppData\Roaming\svhost.exe
    C:\Users\Admin\AppData\Roaming\svhost.exe
    1⤵
    • Executes dropped EXE
    PID:4736
  • C:\Windows\System32\WaaSMedicAgent.exe
    C:\Windows\System32\WaaSMedicAgent.exe 48aa1a3b37840459f636d4e425818dfd YiNifrNuB060IsezIzRxbA.0.1.0.0.0
    1⤵
    • Modifies data under HKEY_USERS
    PID:920
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:2208

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2208-133-0x000002BAB5990000-0x000002BAB59A0000-memory.dmp

    Filesize

    64KB

  • memory/2208-132-0x000002BAB5930000-0x000002BAB5940000-memory.dmp

    Filesize

    64KB

  • memory/2208-134-0x000002BAB8680000-0x000002BAB8684000-memory.dmp

    Filesize

    16KB