Overview

overview

10

Static

static

10

8e32be8103...29.exe

windows7_x64

10

8e32be8103...29.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    4294221s
  • max time network
    131s
  • platform
    windows7_x64
  • resource
    win7-20220223-en
  • submitted
    06/03/2022, 06:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe

  • Size

    678KB

  • MD5

    cd5e831586e171b130dd719e73e13f62

  • SHA1

    baf8da95632066364ff74df394bc2979c49e1993

  • SHA256

    8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29

  • SHA512

    f4d615a45d45b3630c9d2840dec3cd710d3dcb68ed60e74248e0026c99c62f4c3fbb2ae2b354d6492cc2b18c1b6cbc6eea8137100a42d591b07d191184f33ee0

Score
10/10
medusalockerevasionransomwarespywarestealertrojan

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Recovery_Instructions.html

Ransom Note
<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">B77F9E8FA998DC305516D9BF0CA90E45933E4B6F179D4F51CF9024A772DD9D32CAC7B5FBF19A033F0D0EF63E0323DA42C9C4E135C4552C5D6DC8FC91E746045E<br>A305EE1B147E4CCA5AD5597BBCE009E69551056CCB3D49ABB839F6879060B5263B45C75F6E4F6BACF98C8FABCD7DECB991CADF032A58A309E938DB0B4A5A<br>06DE85E4548C1721F2510CF176582C071E15210D8CDB369A2171A9580627C21FB2B5872B1347F630189D1A13BF12CD1600D78E677825B9C6F176A7B71416<br>1572101101C36774FC4946FDAEBAC6AA32DBDBE88902730ABF465A66F3094D7A26791565D1B5C178D3A1BBE614B4B3BF2B8440D6EBA2303C9A04E3C3311D<br>3E09756DFA2026326A0C4475C9CEC064A18AA16828164714DCD6E34AAA5F80A2BB472CAD4AC6E73BF881DDA3C85B9710F817CE61838634EBCC3B965F0939<br>8C493C0740B87D0967A74B5F40DC150E6DC9D73F79A914DC55DEFFFDF1CD95C24D3BD408197039B73027AEB098EE57D5B82C88B51443DE1B64810676EE35<br>6E75A41A2966D1E3086CD13085251365AE56FE3A8557E735F2F6652AD34E8C0813CDDE9F3A9E6ACC8D67791798BD012654FA4BF1BD06524975408FC142EA<br>2791D4626819B867B04C99D5CE182929372B07A5C8C770DEEC1454B5D4E0714ACCE2E4E80117085C9D8B57E9B1AA0986EF4CD3BC9D8D9E58B6C744D97A67<br>BC0CDC6E09314E78B9C4A04AC58B</span> <br> <!-- !!! dont changing this !!! --> </div> </div> <!-- --> <div class="tabs"> <!--tab--> <div class="tab"> <div id="tab-content1" class="content"> <div class="text"> <!--text data --> <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>ALL YOUR IMPORTANT FILES HAVE BEEN ENCRYPTED!</b><br><br> YOUR FILES ARE SAFE! JUST MODIFIED ONLY. (RSA+AES) <br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMENANTLY DESTROY YOUR FILE.<br> DO NOT MODIFY ENCRYPTED FILES. DO NOT RENAME ENCRYPTED FILES.<br><br> NO SOFTWARE AVAILABLE ON INTERNET CAN HELP YOU. WE ONLY HAVE<br> SOLUTION TO YOUR PROBLEM.<br><br> WE GATHERED HIGHLY CONFIDENTIAL/PERSORNAL DATA. THESE DATA<br> ARE CURRENTLY STORED ON A PRIVATE SERVER. THIS SERVER WILL BE<br> IMMEDIATELY DESTROYED AFTER YOUR PAYMENT. WE ONLY SEEK MONEY<br> AND DO NOT WANT TO DAMAGE YOUR REPUTATION. IF YOU DECIDE TO<br> NOT PAY, WE WILL RELEASE THIS DATA TO PUBLIC OR RE-SELLER.<br><br> <b>Important! Emails from us may come to you in spam, so please check your spam!.</b><br><br> <a href=" [email protected] ? ">Your files are uploaded to the cloud. if you refuse to pay, we will put your data up for auction </a> <hr> YOU WILL CAN SEND US 2-3 NON-IMPORTANT FILES AND WE WILL<br> DECRYPT IT FOR FREE TO PROVE WE ARE ABLE TO GIVE YOUR FILES<br> BACK.<br><br> <!--text data --> <hr> <b>Contact us for price and get decryption software.</b><br><br> <a href="">http://gvlay6u4g53rxdi5.onion/8-wnO3bDcxIf8DcvdLyfIYTpkXq8pHVAOt-XPOExmgYuZkN0LCpARWKyEyMUeT81T8l</a><br> * Note that this server is available via Tor browser only<br><br> Follow the instructions to open the link:<br> 1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br> 2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br> 3. Now you have Tor browser. In the Tor Browser open "{{URL}}". <br> 4. Start a chat and follow the further instructions. <br><br> <b>If you can't use the above link, use the email:</b><br> <a href=" [email protected] ? ">[email protected] </a> <hr> <a href=" [email protected] ? ">[email protected] </a> <hr> MAKE CONTACT AS SOON AS POSSIBLE. YOUR DECRYPTION KEY IS ONLY STORED <br> TEMPORARLY. IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER. </div> </div> </div> <!--tab--> <!--text data --> </div> </div> <!--tab--> </div> </div> </body> </html>

Signatures

  • MedusaLocker

    Ransomware with several variants first seen in September 2019.

    ransomwaremedusalocker
  • MedusaLocker Payload 2 IoCs
  • UAC bypass 3 TTPs
    evasiontrojan
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Executes dropped EXE 1 IoCs
  • Modifies extensions of user files 6 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 3 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 63 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • System policy modification 1 TTPs 3 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe
    "C:\Users\Admin\AppData\Local\Temp\8e32be81036161928f5bf24d75335bda797ca91dee0730c9c1b62d88f9c24f29.exe"
    1⤵
    • Modifies extensions of user files
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1104
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:1100
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:948
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:1932
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1596
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:816
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1316
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1968
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {EB7F5B10-54F0-447E-87DA-B1CF3C3F9BBB} S-1-5-21-1405931862-909307831-4085185274-1000:GZAATBZA\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1528
    • C:\Users\Admin\AppData\Roaming\svhost.exe
      C:\Users\Admin\AppData\Roaming\svhost.exe
      2⤵
      • Executes dropped EXE
      PID:1708

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1104-54-0x00000000757F1000-0x00000000757F3000-memory.dmp

    Filesize

    8KB

    Download