General

  • Target

    03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c

  • Size

    669KB

  • Sample

    220201-tbzfcahagk

  • MD5

    87c5c72a57a08ca2f3bfac5485eb0fe6

  • SHA1

    4d38a9aaa50bc35439054610bb45eb2298458404

  • SHA256

    03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c

  • SHA512

    b1715fcd1cd80ec857dbc11f5d9a4933c18029d4f18720deb6036ca30ac1b34f3efda5e436dfadc64a7391184c21356bb99b93aee3c3c8f0a78f08dd1e4e2aeb

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\RECOVER_INSTRUCTIONS.html

Ransom Note
All your data are encrypted!

What happened?
Your files are encrypted, and currently unavailable.
You can check it: all files on you computer has new expansion.
By the way, everything is possible to recover (restore), but you need to buy a unique decryptor.
Otherwise, you never cant return your data.

For purchasing a decryptor contact us by email:
[email protected]
If you will get no answer within 24 hours contact us by our alternate emails:
[email protected]

What guarantees?
Its just a business. If we do not do our work and liabilities - nobody will not cooperate with us.
To verify the possibility of the recovery of your files we can decrypted 1 file for free.
Attach 1 file to the letter (no more than 10Mb).
Indicate your personal ID on the letter:
[victim-specific hex personal ID omitted]

Attention!
- Attempts of change files by yourself will result in a loose of data.
- Our e-mail can be blocked over time. Write now, loss of contact with us will result in a loose of data.
- Use any third party software for restoring your data or antivirus solutions will result in a loose of data.
- Decryptors of other users are unique and will not fit your files and use of those will result in a loose of data.
- If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key.
Emails

[email protected]

[email protected]


Extracted

Path

C:\RECOVER_INSTRUCTIONS.html

Ransom Note
All your data are encrypted!

What happened?
Your files are encrypted, and currently unavailable.
You can check it: all files on you computer has new expansion.
By the way, everything is possible to recover (restore), but you need to buy a unique decryptor.
Otherwise, you never cant return your data.

For purchasing a decryptor contact us by email:
[email protected]
If you will get no answer within 24 hours contact us by our alternate emails:
[email protected]

What guarantees?
Its just a business. If we do not do our work and liabilities - nobody will not cooperate with us.
To verify the possibility of the recovery of your files we can decrypted 1 file for free.
Attach 1 file to the letter (no more than 10Mb).
Indicate your personal ID on the letter:
[victim-specific hex personal ID omitted]

Attention!
- Attempts of change files by yourself will result in a loose of data.
- Our e-mail can be blocked over time. Write now, loss of contact with us will result in a loose of data.
- Use any third party software for restoring your data or antivirus solutions will result in a loose of data.
- Decryptors of other users are unique and will not fit your files and use of those will result in a loose of data.
- If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key.
Emails

[email protected]

[email protected]


Targets

    • Target

      03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c

    • Size

      669KB

    • MD5

      87c5c72a57a08ca2f3bfac5485eb0fe6

    • SHA1

      4d38a9aaa50bc35439054610bb45eb2298458404

    • SHA256

      03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c

    • SHA512

      b1715fcd1cd80ec857dbc11f5d9a4933c18029d4f18720deb6036ca30ac1b34f3efda5e436dfadc64a7391184c21356bb99b93aee3c3c8f0a78f08dd1e4e2aeb

    • MedusaLocker

      Ransomware with several variants first seen in September 2019.

    • MedusaLocker Payload

    • UAC bypass

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Checks whether UAC is enabled

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v6

Tasks