medusalocker | b2493a580153291b69ca23190d00a00b1220cd0aadf469b3974fdaa726516649

General

Target

medusa.exe
Size

719KB
MD5

8474039d83805eb7b447325c3a8d1ebb
SHA1

a07d537f4253745a087709a9a07c449f84deed8d
SHA256

b2493a580153291b69ca23190d00a00b1220cd0aadf469b3974fdaa726516649
SHA512

3272091bbf123ba5e1592e8b2bd7740cddcb174fa158bc6980b25ee61d92387e94a25284736253f83a6eea78b427f6717e888e843db9d7759cfe9a7676576438
SSDEEP

12288:q4UOTYQivI2qZ7aSgLwkFVpzUvest4ZEbjJLuhJVoM7SPd:bRTYVQ2qZ7aSgLwuVfstRJL6YM6

Score

10^/10

medusalocker neshta evasion persistence ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Recovery_Instructions.html

Ransom Note

<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">21D384B0419344268B908C119D34DCAC6F41CB0A4516271E246BA678313B1E522BED92FD544F914C36CC8688183B9DD02A97D2DEDA236F83E3BA6C7783174863<br>D95734C21880A076631D728B8EE683EDCFD11D458923441F1D9E6BC045A91F8D321148CA49EA105E36DDBF5B47089A05B865AF346C36BABA7D116619FDED<br>91445E626762BE8A4114B589A66CB7E895283092B4F558DC315C34A71CBEC15F787904F59F75D32DA64316D284D574D448701500473AFD3F6A7E125CE8AE<br>0DDE5825E08AF5D848DFA03971666F93872A070B833EFD238F514676C7946B0DAA127913634929FCD031BAE96612ABB4E6BE75F56EBCCC39FD94935D299E<br>32991087B07301B92A0F44FA050DD67A3DBBCBF32B4FA5ADE081EFC8D34332DCF74ADE42C669630C792AD503A8C04C221D7F59B8942EE6E7598861478882<br>018CBEFF956D604F45D3F7DDDFBA5A909BC1047D6B5429AD9F2EC98C39510D7C80101FC739D48BEA1683970218BF471D81A661706B32B68BF5B5B6176783<br>F8451D51976A37D9EF2D435AC9878C0CCDAAC7CB9E73AA4C96A7B1397717227D545977DCD72A9F43C7D249F1EEE743FEAF5F3234D34EB58CB9492A52F304<br>4B779F18C9C0768B45CB163608D2F46551EE0304F4F5B57E8585F37D9462E6C7AD2A4D657BA818D6E45294689952ACEE9CD54AB09DC7BFC11BD40458482F<br>26A3467F6C6A1DD16C83F2F8DAA3</span> <br>  </div> </div>  <div class="tabs">  <div class="tab"> <div id="tab-content1" class="content"> <div class="text">  <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br>  <hr> <b>Contact us for price and get decryption software.</b><br><br> <a>http://gvlay6u4g53rxdi5.onion/31-LPy3hdSfGLBgLSfGcKN9rubDKoa1VMK4-NpnxG6mV6VqPPEFYJnVbNEWpIq61e3G3</a><br> * Note that this server is available via Tor browser only<br><br> Follow the instructions to open the link:<br> 1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br> 2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br> 3. Now you have Tor browser. In the Tor Browser open "{{URL}}". <br> 4. Start a chat and follow the further instructions. <br><br> <hr> <b>If you can not use the above link, use the email:</b><br> <a href="[email protected]">[email protected]</a> <br><a href="[email protected]">[email protected]</a> <br> <b>* To contact us, create a new mail on the site:</b> <a href="https://protonmail.com">protonmail.com<br> <hr> <b>Make contact as soon as possible. Your private key (decryption key) <br> is only stored temporarily.<br><br> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> </div> </div> </div>   </div> </div>  </div> </div> </body> </html>

Emails

href="[email protected]">[email protected]</a>

Signatures

MedusaLocker
Ransomware with several variants first seen in September 2019.
ransomware medusalocker

MedusaLocker payload 6 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\3582-490\medusa.exe	family_medusalocker
C:\Users\Admin\AppData\Local\Temp\3582-490\medusa.exe	family_medusalocker
C:\Users\Admin\AppData\Local\Temp\3582-490\medusa.exe	family_medusalocker
C:\Users\Admin\AppData\Roaming\svhost.exe	family_medusalocker
\Users\Admin\AppData\Roaming\svhost.exe	family_medusalocker
C:\Users\Admin\AppData\Roaming\svhost.exe	family_medusalocker

Modifies system executable filetype association 2 TTPs 1 IoCs
persistence

Modify Registry
T1112

Change Default File Association
T1042

Processes:

medusa.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" medusa.exe
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	medusa.exe

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

medusa.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	medusa.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	medusa.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 2 IoCs

Processes:

medusa.exesvhost.exe

pid process

1888 medusa.exe
904 svhost.exe

Modifies extensions of user files 12 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

medusa.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\RenameAdd.tiff => C:\Users\Admin\Pictures\RenameAdd.tiff.ReadInstructions	medusa.exe
File renamed	C:\Users\Admin\Pictures\SkipDebug.tif => C:\Users\Admin\Pictures\SkipDebug.tif.ReadInstructions	medusa.exe
File renamed	C:\Users\Admin\Pictures\SuspendShow.png => C:\Users\Admin\Pictures\SuspendShow.png.ReadInstructions	medusa.exe
File renamed	C:\Users\Admin\Pictures\UnregisterImport.png => C:\Users\Admin\Pictures\UnregisterImport.png.ReadInstructions	medusa.exe
File opened for modification	C:\Users\Admin\Pictures\DenyConvert.tiff	medusa.exe
File renamed	C:\Users\Admin\Pictures\DenyConvert.tiff => C:\Users\Admin\Pictures\DenyConvert.tiff.ReadInstructions	medusa.exe
File renamed	C:\Users\Admin\Pictures\InvokeReceive.png => C:\Users\Admin\Pictures\InvokeReceive.png.ReadInstructions	medusa.exe
File opened for modification	C:\Users\Admin\Pictures\RenameAdd.tiff	medusa.exe
File renamed	C:\Users\Admin\Pictures\WaitMove.raw => C:\Users\Admin\Pictures\WaitMove.raw.ReadInstructions	medusa.exe
File renamed	C:\Users\Admin\Pictures\CloseUnblock.crw => C:\Users\Admin\Pictures\CloseUnblock.crw.ReadInstructions	medusa.exe
File renamed	C:\Users\Admin\Pictures\HideGrant.crw => C:\Users\Admin\Pictures\HideGrant.crw.ReadInstructions	medusa.exe
File renamed	C:\Users\Admin\Pictures\UseAssert.crw => C:\Users\Admin\Pictures\UseAssert.crw.ReadInstructions	medusa.exe

Loads dropped DLL 3 IoCs

Processes:

medusa.exe

pid process

1948 medusa.exe
1948 medusa.exe
1948 medusa.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

medusa.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" medusa.exe
Drops desktop.ini file(s) 1 IoCs

Processes:

medusa.exe

description ioc process

File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-2292972927-2705560509-2768824231-1000\desktop.ini medusa.exe

pid	process
1948	medusa.exe
1948	medusa.exe
1948	medusa.exe

description	ioc	process
File opened for modification	\??\Z:\$RECYCLE.BIN\S-1-5-21-2292972927-2705560509-2768824231-1000\desktop.ini	medusa.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

medusa.exe

description	ioc	process
File opened (read-only)	\??\N:	medusa.exe
File opened (read-only)	\??\P:	medusa.exe
File opened (read-only)	\??\T:	medusa.exe
File opened (read-only)	\??\Y:	medusa.exe
File opened (read-only)	\??\H:	medusa.exe
File opened (read-only)	\??\K:	medusa.exe
File opened (read-only)	\??\F:	medusa.exe
File opened (read-only)	\??\L:	medusa.exe
File opened (read-only)	\??\M:	medusa.exe
File opened (read-only)	\??\U:	medusa.exe
File opened (read-only)	\??\W:	medusa.exe
File opened (read-only)	\??\Z:	medusa.exe
File opened (read-only)	\??\B:	medusa.exe
File opened (read-only)	\??\E:	medusa.exe
File opened (read-only)	\??\I:	medusa.exe
File opened (read-only)	\??\J:	medusa.exe
File opened (read-only)	\??\R:	medusa.exe
File opened (read-only)	\??\S:	medusa.exe
File opened (read-only)	\??\V:	medusa.exe
File opened (read-only)	\??\X:	medusa.exe
File opened (read-only)	\??\A:	medusa.exe
File opened (read-only)	\??\G:	medusa.exe
File opened (read-only)	\??\O:	medusa.exe
File opened (read-only)	\??\Q:	medusa.exe

Drops file in Program Files directory 64 IoCs

Processes:

medusa.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE	medusa.exe
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	medusa.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	medusa.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	medusa.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	medusa.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	medusa.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	medusa.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	medusa.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	medusa.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	medusa.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	medusa.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	medusa.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	medusa.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE	medusa.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	medusa.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	medusa.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	medusa.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	medusa.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE	medusa.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	medusa.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	medusa.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	medusa.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	medusa.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	medusa.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	medusa.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	medusa.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	medusa.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	medusa.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	medusa.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	medusa.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	medusa.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	medusa.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	medusa.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	medusa.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE	medusa.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	medusa.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	medusa.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	medusa.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	medusa.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	medusa.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	medusa.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	medusa.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	medusa.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	medusa.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	medusa.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	medusa.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	medusa.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	medusa.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	medusa.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	medusa.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	medusa.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	medusa.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	medusa.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	medusa.exe
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	medusa.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	medusa.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	medusa.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	medusa.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	medusa.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	medusa.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	medusa.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	medusa.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	medusa.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	medusa.exe

Drops file in Windows directory 1 IoCs

Processes:

medusa.exe

description ioc process

File opened for modification C:\Windows\svchost.com medusa.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exe

pid process

1348 vssadmin.exe
1688 vssadmin.exe
600 vssadmin.exe
Modifies registry class 1 IoCs

Processes:

medusa.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" medusa.exe

description	ioc	process
File opened for modification	C:\Windows\svchost.com	medusa.exe

pid	process
1348	vssadmin.exe
1688	vssadmin.exe
600	vssadmin.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	medusa.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

medusa.exe

pid	process
1888	medusa.exe
1888	medusa.exe
1888	medusa.exe
1888	medusa.exe
1888	medusa.exe
1888	medusa.exe
1888	medusa.exe
1888	medusa.exe
1888	medusa.exe
1888	medusa.exe
1888	medusa.exe
1888	medusa.exe
1888	medusa.exe
1888	medusa.exe
1888	medusa.exe
1888	medusa.exe
1888	medusa.exe
1888	medusa.exe
1888	medusa.exe
1888	medusa.exe
1888	medusa.exe
1888	medusa.exe
1888	medusa.exe
1888	medusa.exe
1888	medusa.exe
1888	medusa.exe
1888	medusa.exe
1888	medusa.exe
1888	medusa.exe
1888	medusa.exe
1888	medusa.exe
1888	medusa.exe
1888	medusa.exe
1888	medusa.exe
1888	medusa.exe
1888	medusa.exe
1888	medusa.exe
1888	medusa.exe
1888	medusa.exe
1888	medusa.exe
1888	medusa.exe
1888	medusa.exe
1888	medusa.exe
1888	medusa.exe
1888	medusa.exe
1888	medusa.exe
1888	medusa.exe
1888	medusa.exe
1888	medusa.exe
1888	medusa.exe
1888	medusa.exe
1888	medusa.exe
1888	medusa.exe
1888	medusa.exe
1888	medusa.exe
1888	medusa.exe
1888	medusa.exe
1888	medusa.exe
1888	medusa.exe
1888	medusa.exe
1888	medusa.exe
1888	medusa.exe
1888	medusa.exe
1888	medusa.exe

Suspicious use of AdjustPrivilegeToken 63 IoCs

Processes:

vssvc.exewmic.exewmic.exewmic.exe

description	pid	process
Token: SeBackupPrivilege	700	vssvc.exe
Token: SeRestorePrivilege	700	vssvc.exe
Token: SeAuditPrivilege	700	vssvc.exe
Token: SeIncreaseQuotaPrivilege	848	wmic.exe
Token: SeSecurityPrivilege	848	wmic.exe
Token: SeTakeOwnershipPrivilege	848	wmic.exe
Token: SeLoadDriverPrivilege	848	wmic.exe
Token: SeSystemProfilePrivilege	848	wmic.exe
Token: SeSystemtimePrivilege	848	wmic.exe
Token: SeProfSingleProcessPrivilege	848	wmic.exe
Token: SeIncBasePriorityPrivilege	848	wmic.exe
Token: SeCreatePagefilePrivilege	848	wmic.exe
Token: SeBackupPrivilege	848	wmic.exe
Token: SeRestorePrivilege	848	wmic.exe
Token: SeShutdownPrivilege	848	wmic.exe
Token: SeDebugPrivilege	848	wmic.exe
Token: SeSystemEnvironmentPrivilege	848	wmic.exe
Token: SeRemoteShutdownPrivilege	848	wmic.exe
Token: SeUndockPrivilege	848	wmic.exe
Token: SeManageVolumePrivilege	848	wmic.exe
Token: 33	848	wmic.exe
Token: 34	848	wmic.exe
Token: 35	848	wmic.exe
Token: SeIncreaseQuotaPrivilege	1044	wmic.exe
Token: SeSecurityPrivilege	1044	wmic.exe
Token: SeTakeOwnershipPrivilege	1044	wmic.exe
Token: SeLoadDriverPrivilege	1044	wmic.exe
Token: SeSystemProfilePrivilege	1044	wmic.exe
Token: SeSystemtimePrivilege	1044	wmic.exe
Token: SeProfSingleProcessPrivilege	1044	wmic.exe
Token: SeIncBasePriorityPrivilege	1044	wmic.exe
Token: SeCreatePagefilePrivilege	1044	wmic.exe
Token: SeBackupPrivilege	1044	wmic.exe
Token: SeRestorePrivilege	1044	wmic.exe
Token: SeShutdownPrivilege	1044	wmic.exe
Token: SeDebugPrivilege	1044	wmic.exe
Token: SeSystemEnvironmentPrivilege	1044	wmic.exe
Token: SeRemoteShutdownPrivilege	1044	wmic.exe
Token: SeUndockPrivilege	1044	wmic.exe
Token: SeManageVolumePrivilege	1044	wmic.exe
Token: 33	1044	wmic.exe
Token: 34	1044	wmic.exe
Token: 35	1044	wmic.exe
Token: SeIncreaseQuotaPrivilege	284	wmic.exe
Token: SeSecurityPrivilege	284	wmic.exe
Token: SeTakeOwnershipPrivilege	284	wmic.exe
Token: SeLoadDriverPrivilege	284	wmic.exe
Token: SeSystemProfilePrivilege	284	wmic.exe
Token: SeSystemtimePrivilege	284	wmic.exe
Token: SeProfSingleProcessPrivilege	284	wmic.exe
Token: SeIncBasePriorityPrivilege	284	wmic.exe
Token: SeCreatePagefilePrivilege	284	wmic.exe
Token: SeBackupPrivilege	284	wmic.exe
Token: SeRestorePrivilege	284	wmic.exe
Token: SeShutdownPrivilege	284	wmic.exe
Token: SeDebugPrivilege	284	wmic.exe
Token: SeSystemEnvironmentPrivilege	284	wmic.exe
Token: SeRemoteShutdownPrivilege	284	wmic.exe
Token: SeUndockPrivilege	284	wmic.exe
Token: SeManageVolumePrivilege	284	wmic.exe
Token: 33	284	wmic.exe
Token: 34	284	wmic.exe
Token: 35	284	wmic.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

medusa.exemedusa.exetaskeng.exe

description	pid	process	target process
PID 1948 wrote to memory of 1888	1948	medusa.exe	medusa.exe
PID 1948 wrote to memory of 1888	1948	medusa.exe	medusa.exe
PID 1948 wrote to memory of 1888	1948	medusa.exe	medusa.exe
PID 1948 wrote to memory of 1888	1948	medusa.exe	medusa.exe
PID 1888 wrote to memory of 1348	1888	medusa.exe	vssadmin.exe
PID 1888 wrote to memory of 1348	1888	medusa.exe	vssadmin.exe
PID 1888 wrote to memory of 1348	1888	medusa.exe	vssadmin.exe
PID 1888 wrote to memory of 1348	1888	medusa.exe	vssadmin.exe
PID 1888 wrote to memory of 848	1888	medusa.exe	wmic.exe
PID 1888 wrote to memory of 848	1888	medusa.exe	wmic.exe
PID 1888 wrote to memory of 848	1888	medusa.exe	wmic.exe
PID 1888 wrote to memory of 848	1888	medusa.exe	wmic.exe
PID 1888 wrote to memory of 1688	1888	medusa.exe	vssadmin.exe
PID 1888 wrote to memory of 1688	1888	medusa.exe	vssadmin.exe
PID 1888 wrote to memory of 1688	1888	medusa.exe	vssadmin.exe
PID 1888 wrote to memory of 1688	1888	medusa.exe	vssadmin.exe
PID 1888 wrote to memory of 1044	1888	medusa.exe	wmic.exe
PID 1888 wrote to memory of 1044	1888	medusa.exe	wmic.exe
PID 1888 wrote to memory of 1044	1888	medusa.exe	wmic.exe
PID 1888 wrote to memory of 1044	1888	medusa.exe	wmic.exe
PID 1888 wrote to memory of 600	1888	medusa.exe	vssadmin.exe
PID 1888 wrote to memory of 600	1888	medusa.exe	vssadmin.exe
PID 1888 wrote to memory of 600	1888	medusa.exe	vssadmin.exe
PID 1888 wrote to memory of 600	1888	medusa.exe	vssadmin.exe
PID 1888 wrote to memory of 284	1888	medusa.exe	wmic.exe
PID 1888 wrote to memory of 284	1888	medusa.exe	wmic.exe
PID 1888 wrote to memory of 284	1888	medusa.exe	wmic.exe
PID 1888 wrote to memory of 284	1888	medusa.exe	wmic.exe
PID 1384 wrote to memory of 904	1384	taskeng.exe	svhost.exe
PID 1384 wrote to memory of 904	1384	taskeng.exe	svhost.exe
PID 1384 wrote to memory of 904	1384	taskeng.exe	svhost.exe
PID 1384 wrote to memory of 904	1384	taskeng.exe	svhost.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

medusa.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	medusa.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	medusa.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	medusa.exe

C:\Users\Admin\AppData\Local\Temp\medusa.exe
"C:\Users\Admin\AppData\Local\Temp\medusa.exe"
1⤵
- Modifies system executable filetype association
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Users\Admin\AppData\Local\Temp\3582-490\medusa.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\medusa.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Modifies extensions of user files
  - Checks whether UAC is enabled
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1888
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:1348
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic.exe SHADOWCOPY /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:848
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:1688
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic.exe SHADOWCOPY /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1044
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:600
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic.exe SHADOWCOPY /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:284

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:700

C:\Windows\system32\taskeng.exe
taskeng.exe {3CE7722E-98D6-4509-AACB-4CB8D9A0F9D7} S-1-5-21-2292972927-2705560509-2768824231-1000:GRXNNIIE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1384
- C:\Users\Admin\AppData\Roaming\svhost.exe
  C:\Users\Admin\AppData\Roaming\svhost.exe
  2⤵
  - Executes dropped EXE
  PID:904

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

1

T1042

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

File Deletion

Modify Registry

Credential Access

Credentials in Files

1

T1081

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
864KB

MD5
2c1f43649ea7e7bb1c46eba33f38b085

SHA1
b0a514764ad8d5dba68e509075f4b84e6b38fcd0

SHA256
436d673b1784f0fc5f66b1b6ea03112997f7b629422955a5d7465c1788a8042d

SHA512
9638bdeabc285afd3fd1e6cba8b362811fe5cc0a7276a4c12aeb8af65011530b050f7e89af4dda84fff0dcfeb52613a9815d55dea8af347dcedd7765f591b60e

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\medusa.exe

Filesize
678KB

MD5
5aa0a571567f8437556e9b00ae5a3532

SHA1
45377cb152832c9112db7909219fa87a6e760aae

SHA256
73549f6017ad04e475e40e9d306b3e042d080843d8e7c029a5bb6b8ab7e34432

SHA512
d320fecef75b4514b9cf154d41c3cc03e2cd8f6bf15ff0d7c97398127c0728cf0b24e5a46435573d38b384b1515876070f28daa7d37e81de10d1db2b27ae51ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\medusa.exe

Filesize
678KB

MD5
5aa0a571567f8437556e9b00ae5a3532

SHA1
45377cb152832c9112db7909219fa87a6e760aae

SHA256
73549f6017ad04e475e40e9d306b3e042d080843d8e7c029a5bb6b8ab7e34432

SHA512
d320fecef75b4514b9cf154d41c3cc03e2cd8f6bf15ff0d7c97398127c0728cf0b24e5a46435573d38b384b1515876070f28daa7d37e81de10d1db2b27ae51ec

Download Submit
C:\Users\Admin\AppData\Roaming\svhost.exe

Filesize
678KB

MD5
5aa0a571567f8437556e9b00ae5a3532

SHA1
45377cb152832c9112db7909219fa87a6e760aae

SHA256
73549f6017ad04e475e40e9d306b3e042d080843d8e7c029a5bb6b8ab7e34432

SHA512
d320fecef75b4514b9cf154d41c3cc03e2cd8f6bf15ff0d7c97398127c0728cf0b24e5a46435573d38b384b1515876070f28daa7d37e81de10d1db2b27ae51ec

Download Submit
C:\Users\Admin\AppData\Roaming\svhost.exe

Filesize
678KB

MD5
5aa0a571567f8437556e9b00ae5a3532

SHA1
45377cb152832c9112db7909219fa87a6e760aae

SHA256
73549f6017ad04e475e40e9d306b3e042d080843d8e7c029a5bb6b8ab7e34432

SHA512
d320fecef75b4514b9cf154d41c3cc03e2cd8f6bf15ff0d7c97398127c0728cf0b24e5a46435573d38b384b1515876070f28daa7d37e81de10d1db2b27ae51ec

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\medusa.exe

Filesize
678KB

MD5
5aa0a571567f8437556e9b00ae5a3532

SHA1
45377cb152832c9112db7909219fa87a6e760aae

SHA256
73549f6017ad04e475e40e9d306b3e042d080843d8e7c029a5bb6b8ab7e34432

SHA512
d320fecef75b4514b9cf154d41c3cc03e2cd8f6bf15ff0d7c97398127c0728cf0b24e5a46435573d38b384b1515876070f28daa7d37e81de10d1db2b27ae51ec

Download Submit
\Users\Admin\AppData\Roaming\svhost.exe

Filesize
678KB

MD5
5aa0a571567f8437556e9b00ae5a3532

SHA1
45377cb152832c9112db7909219fa87a6e760aae

SHA256
73549f6017ad04e475e40e9d306b3e042d080843d8e7c029a5bb6b8ab7e34432

SHA512
d320fecef75b4514b9cf154d41c3cc03e2cd8f6bf15ff0d7c97398127c0728cf0b24e5a46435573d38b384b1515876070f28daa7d37e81de10d1db2b27ae51ec

Download Submit
memory/284-65-0x0000000000000000-mapping.dmp

Download
memory/600-64-0x0000000000000000-mapping.dmp

Download
memory/848-61-0x0000000000000000-mapping.dmp

Download
memory/904-70-0x0000000000000000-mapping.dmp

Download
memory/1044-63-0x0000000000000000-mapping.dmp

Download
memory/1348-60-0x0000000000000000-mapping.dmp

Download
memory/1688-62-0x0000000000000000-mapping.dmp

Download
memory/1888-56-0x0000000000000000-mapping.dmp

Download
memory/1948-54-0x00000000764D1000-0x00000000764D3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads