General

  • Target

    bb4d0f67360858a27da21d79bf93b5c628045883712c3c2e10917bebf6771c44

  • Size

    657KB

  • Sample

    220201-sxn13ahah6

  • MD5

    3e2453e67ae1eead725a627adba9ae2e

  • SHA1

    7a6ffc2da7d2ccd87e80c5c5c829bf0a5f1fda51

  • SHA256

    bb4d0f67360858a27da21d79bf93b5c628045883712c3c2e10917bebf6771c44

  • SHA512

    1fc6356638a3964c1715a83d35b08c46ca503af3ce2b3df108e4f41361d12c22c490af96e7c7086c32a898bedccb89b695f9129313cfebe08d061e80ae3badf7

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\INSTRUCTIONS.html

Ransom Note
<!DOCTYPE html> <html> <head> <meta charset="utf-8"> <meta http-equiv="X-UA-Compatible" content="IE=Edge"> <meta name="viewport" content="width=device-width, initial-scale=1, minimum-scale=1, user-scalable=yes"> <title>Title</title> <style> html, body, div, span, applet, object, iframe, h1, h2, h3, h4, h5, h6, p, blockquote, pre, a, abbr, acronym, address, big, cite, code, del, dfn, em, img, ins, kbd, q, s, samp, small, strike, strong, sub, sup, tt, var, b, u, i, center, dl, dt, dd, ol, ul, li, fieldset, form, label, legend, table, caption, tbody, tfoot, thead, tr, th, td, article, aside, canvas, details, embed, figure, figcaption, footer, header, hgroup, menu, nav, output, ruby, section, summary, time, mark, audio, video { margin: 0; padding: 0; border: 0; font-size: 100%; font: inherit; vertical-align: baseline; } /* HTML5 display-role reset for older browsers */ article, aside, details, figcaption, figure, footer, header, hgroup, menu, nav, section { display: block; } body { font-family: Tahoma, Arial; background: #717798; } .all { max-width: 1170px; margin: auto; background: #000; min-height: 100px; border-radius: 10px; } .tl { text-align: center; color: #e03930; font-family: Tahoma; font-size: 28px; font-weight: 700; position: relative; height: 60px; line-height: 60px; } .close { padding: 15px; width: 36px; height: 36px; position: absolute; right: 15px; top:0; } .bg { background: #252a42; text-align: center; color: #ffffff; padding: 25px 15px; font-size: 18px; font-weight: 400; line-height: 20px; } .bg span { color: #f25252; } .bg a { color: #9676fd; font-size: 20px; font-style: italic; text-decoration: none; line-height: 35px; } .bg c { color: #f25252; font-weight: 500; font-size: 20px; line-height: 35px;} .footer { padding: 15px 0;} .tl2 { text-align: center; color: #e03930; font-size: 25px; font-weight: 500; line-height: 32px; text-decoration: underline; padding-bottom: 15px; } .text { min-height: 192px; color: #ffffff; font-size: 16px; font-weight: 500; 
line-height: 24px; } .text div { padding-right: 50px; padding-left: 50px; } @media (max-width: 767px) { .tl { height: auto; padding-right: 50px; line-height: 1.5; } .text div { padding: 0 15px; } .footer { background: none; } } </style> </head> <body> <div class="all"> <div class="container"> <div class="tl">All your data are encrypted! <div class="close"></div></div> <div class="bg"> <c>What happened?</c> <br> Your files are encrypted, and currently unavailable. <br> You can check it: all files on you computer has new expansion.<br> By the way, everything is possible to recover (restore), but you need to buy a unique decryptor. <br> Otherwise, you never cant return your data.<br> <br> <c>For purchasing a decryptor contact us by email: </c><br> <a href="mailto:[email protected]">[email protected]</a><br> If you will get no answer within 24 hours contact us by our alternate emails: <br> <a href="mailto:[email protected]">[email protected]</a> <br> <br> <c>What guarantees?</c> <br> Its just a business. If we do not do our work and liabilities - nobody will not cooperate with us.<br> To verify the possibility of the recovery of your files we can decrypted 1 file for free. <br> Attach 1 file to the letter (no more than 10Mb). 
Indicate your <b>personal ID</b> on the letter:<br> <span style="width:800px; word-wrap:break-word; display:inline-block; color: #ffffff; font-size: 10px;">C2E00DAAA64CB6790405839F07D8667072C12CAE782833EA10A83DD4A87865B7C9BDBFC6CCDB123D29B91E8515BB37B33E52789CC854105F4FF858D68A814506<br>CFAC2F196CED9BEC1C93376C1B21F9F9771A782ECA4C63DA3A51C39DDD26B740E54AAE9D9EB5111492004CA5ADAFE2FBC06A8EAD4005DEE4A338673FE141<br>E6483E7D1F1AEEC3F1D84BE2307E3F415E706911C70AAD6B87300291AC77D5142234F805459F51D46EF2C5AEB784F4D0F25A3752CB5EDC21783FC59B359A<br>E1F7A09C57151EA5922E07ED873B5ED951C26AB8FFE0DE67FCB77F43306139BDCDD2EBBB44C14F0F85EF63AA7B6EA92EE444994BE0E865C651FFC2C83809<br>6BE7F232DB42154571F9A44D5DAF3F48420DE18476133E8C3B45050659B76EA8196CCFF25B0018B64E0B2647177E6010F2BD09C58DC4CDB873F7DADD1FC3<br>A7F3439AADD81CC75E055CDB0C21200AE2C5031B47191805C0E4AC5AD54CED791A66F8D4640834A0B8DA238F6963FD65E70BCE00F433090E4571EFDA726B<br>8857413C6CB79C136BC65C5ACB881D170D400046C8A4752F0ADFEE1617837481DBEB6E62AEA3713AD6A73286EB22EDBA2930FBE52C777E7F0385C26D0BBB<br>1B85A8D24C151398A8800BEF7C3143FA0C8E05298D70EC283B441C1E9E09F24CCAEE10259B80C5DFF1898CF6214FE6BEC5E5907A16CB1A95608D7772CC1D<br>CBAB3FA574B0C8CD427075AFE7D8</span> <br> </div> <div class="footer"> <div class="tl2"> Attention! </div> <div class="bg2"> <div class="text"> <div> - Attempts of change files by yourself will result in a loose of data. <br> - Our e-mail can be blocked over time. Write now, loss of contact with us will result in a loose of data.<br> - Use any third party software for restoring your data or antivirus solutions will result in a loose of data. <br> - Decryptors of other users are unique and will not fit your files and use of those will result in a loose of data.<br> - If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. </div> </div> </div> </div> </div> </div> </body> </html>
Emails

[email protected]

[email protected]


Extracted

Path

C:\INSTRUCTIONS.html

Ransom Note
<!DOCTYPE html> <html> <head> <meta charset="utf-8"> <meta http-equiv="X-UA-Compatible" content="IE=Edge"> <meta name="viewport" content="width=device-width, initial-scale=1, minimum-scale=1, user-scalable=yes"> <title>Title</title> <style> html, body, div, span, applet, object, iframe, h1, h2, h3, h4, h5, h6, p, blockquote, pre, a, abbr, acronym, address, big, cite, code, del, dfn, em, img, ins, kbd, q, s, samp, small, strike, strong, sub, sup, tt, var, b, u, i, center, dl, dt, dd, ol, ul, li, fieldset, form, label, legend, table, caption, tbody, tfoot, thead, tr, th, td, article, aside, canvas, details, embed, figure, figcaption, footer, header, hgroup, menu, nav, output, ruby, section, summary, time, mark, audio, video { margin: 0; padding: 0; border: 0; font-size: 100%; font: inherit; vertical-align: baseline; } /* HTML5 display-role reset for older browsers */ article, aside, details, figcaption, figure, footer, header, hgroup, menu, nav, section { display: block; } body { font-family: Tahoma, Arial; background: #717798; } .all { max-width: 1170px; margin: auto; background: #000; min-height: 100px; border-radius: 10px; } .tl { text-align: center; color: #e03930; font-family: Tahoma; font-size: 28px; font-weight: 700; position: relative; height: 60px; line-height: 60px; } .close { padding: 15px; width: 36px; height: 36px; position: absolute; right: 15px; top:0; } .bg { background: #252a42; text-align: center; color: #ffffff; padding: 25px 15px; font-size: 18px; font-weight: 400; line-height: 20px; } .bg span { color: #f25252; } .bg a { color: #9676fd; font-size: 20px; font-style: italic; text-decoration: none; line-height: 35px; } .bg c { color: #f25252; font-weight: 500; font-size: 20px; line-height: 35px;} .footer { padding: 15px 0;} .tl2 { text-align: center; color: #e03930; font-size: 25px; font-weight: 500; line-height: 32px; text-decoration: underline; padding-bottom: 15px; } .text { min-height: 192px; color: #ffffff; font-size: 16px; font-weight: 500; 
line-height: 24px; } .text div { padding-right: 50px; padding-left: 50px; } @media (max-width: 767px) { .tl { height: auto; padding-right: 50px; line-height: 1.5; } .text div { padding: 0 15px; } .footer { background: none; } } </style> </head> <body> <div class="all"> <div class="container"> <div class="tl">All your data are encrypted! <div class="close"></div></div> <div class="bg"> <c>What happened?</c> <br> Your files are encrypted, and currently unavailable. <br> You can check it: all files on you computer has new expansion.<br> By the way, everything is possible to recover (restore), but you need to buy a unique decryptor. <br> Otherwise, you never cant return your data.<br> <br> <c>For purchasing a decryptor contact us by email: </c><br> <a href="mailto:[email protected]">[email protected]</a><br> If you will get no answer within 24 hours contact us by our alternate emails: <br> <a href="mailto:[email protected]">[email protected]</a> <br> <br> <c>What guarantees?</c> <br> Its just a business. If we do not do our work and liabilities - nobody will not cooperate with us.<br> To verify the possibility of the recovery of your files we can decrypted 1 file for free. <br> Attach 1 file to the letter (no more than 10Mb). 
Indicate your <b>personal ID</b> on the letter:<br> <span style="width:800px; word-wrap:break-word; display:inline-block; color: #ffffff; font-size: 10px;">C310684FA1895DDE7BE7B3CD7515CF4FE7BD65F0DD7249356FC36F5269C9C01D3C29BADDFEE6FA317EAC4FBE5CE8E709EE6E1E5BE02884C613E0747D116EEC57<br>AA8AC0223C62605DFED599986051AAA0FDB49FCE93FE5AC371E44455067BE2877851D107313AB78D8FD6A94161C81B85D1124B3BFF1430E218746DBA0B69<br>3B2B68D89436F521E5024C1D90DD09C2B2075A74FFCA2ED60973664934A76C07B0F7A56ADFD531643D48794792B31AA1C31EB14578D91CE24E6584316D05<br>0E793CBC7524AB9DEBA6C853F8E5D7C2E9B03130E212B119F7A6C915586F2E8643DF6C47A3C5F8FC6810B3394918A3694F004701CC6EBFCC409B1836414D<br>D58EAC5F6C399B5D24C3507591E8EAE4440A8792BC0C6653E5A7E557D2DF763DE387778A82A1F3BC65DBC65CDF182788D36DD45B03CA97969E68B66019FC<br>091545B81C6E677B2A016D7C627440514437F5ADDC1ED947B82EFD34B4B450DE9AA5C83D08788A545EF803C89B9CCD17CBEE7A522D7084B34E205B109EEF<br>0B59EAFBBCA0C7503AE05A393B7816659BD843E2BE98129FA06AEEEDF1B33D67363C340A1C343C70B0E4AE8E5E4CAC9B87D48E915DF35C541AD17602886B<br>C05AF1C51B0043189AC58AFD3C196A788EBAE3E72C535459FD43A7A7FABDEE7694254A7A65C906C58D3C95C03D37E31120A2E03E850103F8A9A1D1B4510A<br>0C6BE884014A2CAADC2ADC2EE86B</span> <br> </div> <div class="footer"> <div class="tl2"> Attention! </div> <div class="bg2"> <div class="text"> <div> - Attempts of change files by yourself will result in a loose of data. <br> - Our e-mail can be blocked over time. Write now, loss of contact with us will result in a loose of data.<br> - Use any third party software for restoring your data or antivirus solutions will result in a loose of data. <br> - Decryptors of other users are unique and will not fit your files and use of those will result in a loose of data.<br> - If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. </div> </div> </div> </div> </div> </div> </body> </html>
Emails

[email protected]

[email protected]


Targets

    • Target

      bb4d0f67360858a27da21d79bf93b5c628045883712c3c2e10917bebf6771c44

    • Size

      657KB

    • MD5

      3e2453e67ae1eead725a627adba9ae2e

    • SHA1

      7a6ffc2da7d2ccd87e80c5c5c829bf0a5f1fda51

    • SHA256

      bb4d0f67360858a27da21d79bf93b5c628045883712c3c2e10917bebf6771c44

    • SHA512

      1fc6356638a3964c1715a83d35b08c46ca503af3ce2b3df108e4f41361d12c22c490af96e7c7086c32a898bedccb89b695f9129313cfebe08d061e80ae3badf7

    • MedusaLocker

      Ransomware with several variants first seen in September 2019.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Sets service image path in registry

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.
