Analysis
-
max time kernel
150s -
max time network
51s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system -
submitted
17-11-2022 06:18
Behavioral task
behavioral1
Sample
svhost.exe
Resource
win7-20220901-en
windows7-x64
16 signatures
150 seconds
Behavioral task
behavioral2
Sample
svhost.exe
Resource
win10v2004-20220812-en
windows10-2004-x64
12 signatures
150 seconds
General
-
Target
svhost.exe
-
Size
678KB
-
MD5
5aa0a571567f8437556e9b00ae5a3532
-
SHA1
45377cb152832c9112db7909219fa87a6e760aae
-
SHA256
73549f6017ad04e475e40e9d306b3e042d080843d8e7c029a5bb6b8ab7e34432
-
SHA512
d320fecef75b4514b9cf154d41c3cc03e2cd8f6bf15ff0d7c97398127c0728cf0b24e5a46435573d38b384b1515876070f28daa7d37e81de10d1db2b27ae51ec
-
SSDEEP
12288:cPJ4UOTYQivI2qZ7aSgLwkFVpzUvest4ZEbjJLuhJVoM7:JRTYVQ2qZ7aSgLwuVfstRJL6YM
Malware Config
Extracted
Path
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Recovery_Instructions.html
Ransom Note
<html>
<style type="text/css">
body {
background-color: #f5f5f5;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
display: block;
margin: auto;
}
.tabs1 .head{
text-align: center;
float: top;
padding: 0px;
text-transform: uppercase;
font-weight: normal;
display: block;
background: #81bef7;
color: #DF0101;
font-size: 30px;
}
.tabs1 .identi {
font-size: 10px;
text-align: center;
float: top;
padding: 15px;
display: block;
background: #81bef7;
color: #DFDFDF;
}
.tabs .content {
background: #f5f5f5;
/*text-align: center;*/
color: #000000;
padding: 25px 15px;
font-size: 15px;
font-weight: 400;
line-height: 20px; }
.tabs .content a {
color: #df0130;
font-size: 23px;
font-style: italic;
text-decoration: none;
line-height: 35px; }
.tabs .content .text{
padding: 25px;
line-height: 1.2;
}
</style>
<body>
<div class="tabs1">
<div class="head" ><b>Your personal ID:</b></div>
<div class="identi">
<span style="width:1000px; color: #ffffff; font-size: 10px;">3CC1DEAE0E7CC3C82C62B472124F50ADE721272201DA2791C3B7BE5AF037EAD6BBF158389FF517B49B67CE105289EA60AB0FC2F829E49EA9E8DED21B1001544E<br>7AEE4B9F34B7042EC3DDA9C1610BA1B42B44A2F248FD50F85BA5904A79DD8DE9ED7DDA4B9807FB72E1BB96340386C841B2BFB3A9E731931055FB0CE4A427<br>CFAE525BC0FDCF2B29D26B1798F46C233D28A977F41FF8199936F868E3D57A4BC1EE8093D46CA1B6CD1539AF16CEE2413E0F014FA058247822445BAC6B89<br>02F71F1C996BFD9D30BFDD9F441DCE2E78C8C7D58DEAF1976206A99691276DD6203FD192BFA2FDAD114E1240DF8D112CDE602EE10894ADFC2B73BC8BF598<br>2C69D8AAC0BC20A36119955A62C44490F15FFAA1CE96479D225A59E082BD7BA2028BBAEDED16F0E355360FFFCDDF5DA73ED1AF81B6B1F0CA0E5A4C0CE349<br>E81659AEE922A934CAB67DBB96DB443E67541D2FF62526BDEE1397759A1A18E8FB32EA649ED34D025E109C1F80A0FB55EC6E77143318FCCE325FE3A3943E<br>D01D44A4D56E149CF4C505BE7ADF75C100093F36B0679B6F66AAA57C35BD5F3E4E37B35385A8CC86B8F66B8DD078D6CDF2B22C9BAC5D49454FCA78D5A675<br>42B7C3E629FEF91CB11DBC68E5B3BA3C68E3B2F173200EAAC09875ACDD7F7D2962774FEC681243F76467CD9248C22FC57742D35C6D16455B3D5D516EC27B<br>2B17DCBE1F8163AB2582310DE13B</span> <br>
<!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<div id="tab-content1" class="content">
<div class="text">
<!--text data -->
<b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br>
<b>All your important files have been encrypted!</b><br><br>
<hr>
Your files are safe! Only modified. (RSA+AES)<br><br>
ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br>
WILL PERMANENTLY CORRUPT IT.<br>
DO NOT MODIFY ENCRYPTED FILES.<br>
DO NOT RENAME ENCRYPTED FILES.<br><br>
No software available on internet can help you. We are the only ones able to<br>
solve your problem.<br><br>
We gathered highly confidential/personal data. These data are currently stored on<br>
a private server. This server will be immediately destroyed after your payment.<br>
If you decide to not pay, we will release your data to public or re-seller.<br>
So you can expect your data to be publicly available in the near future..<br><br>
We only seek money and our goal is not to damage your reputation or prevent<br>
your business from running.<br><br>
You will can send us 2-3 non-important files and we will decrypt it for free<br>
to prove we are able to give your files back.<br><br>
<!--text data -->
<hr>
<b>Contact us for price and get decryption software.</b><br><br>
<a>http://gvlay6u4g53rxdi5.onion/31-LPy3hdSfGLBgLSfGcKN9rubDKoa1VMK4-9One4w8FvjhYZkcKvsbEI2UvnGHl7qg7</a><br>
* Note that this server is available via Tor browser only<br><br>
Follow the instructions to open the link:<br>
1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br>
2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br>
3. Now you have Tor browser. In the Tor Browser open "{{URL}}". <br>
4. Start a chat and follow the further instructions. <br><br>
<hr>
<b>If you can not use the above link, use the email:</b><br>
<a href="[email protected]">[email protected]</a>
<br><a href="[email protected]">[email protected]</a>
<br>
<b>* To contact us, create a new mail on the site:</b> <a href="https://protonmail.com">protonmail.com<br> <hr>
<b>Make contact as soon as possible. Your private key (decryption key) <br>
is only stored temporarily.<br><br>
IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br>
</div>
</div>
</div>
<!--tab-->
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>
Emails
Signatures
-
MedusaLocker
Ransomware with several variants first seen in September 2019.
-
MedusaLocker payload 2 IoCs
resource yara_rule behavioral1/files/0x000500000000b2d2-61.dat family_medusalocker behavioral1/files/0x000500000000b2d2-63.dat family_medusalocker -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" svhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" svhost.exe -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 1 IoCs
pid Process 748 svhost.exe -
Modifies extensions of user files 3 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File renamed C:\Users\Admin\Pictures\InvokeGrant.raw => C:\Users\Admin\Pictures\InvokeGrant.raw.ReadInstructions svhost.exe File renamed C:\Users\Admin\Pictures\ExitRestore.png => C:\Users\Admin\Pictures\ExitRestore.png.ReadInstructions svhost.exe File renamed C:\Users\Admin\Pictures\InitializeMount.crw => C:\Users\Admin\Pictures\InitializeMount.crw.ReadInstructions svhost.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" svhost.exe -
Drops desktop.ini file(s) 1 IoCs
description ioc Process File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-4063495947-34355257-727531523-1000\desktop.ini svhost.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\E: svhost.exe File opened (read-only) \??\M: svhost.exe File opened (read-only) \??\S: svhost.exe File opened (read-only) \??\Y: svhost.exe File opened (read-only) \??\F: svhost.exe File opened (read-only) \??\H: svhost.exe File opened (read-only) \??\J: svhost.exe File opened (read-only) \??\L: svhost.exe File opened (read-only) \??\N: svhost.exe File opened (read-only) \??\A: svhost.exe File opened (read-only) \??\G: svhost.exe File opened (read-only) \??\Q: svhost.exe File opened (read-only) \??\R: svhost.exe File opened (read-only) \??\T: svhost.exe File opened (read-only) \??\U: svhost.exe File opened (read-only) \??\W: svhost.exe File opened (read-only) \??\B: svhost.exe File opened (read-only) \??\I: svhost.exe File opened (read-only) \??\K: svhost.exe File opened (read-only) \??\O: svhost.exe File opened (read-only) \??\P: svhost.exe File opened (read-only) \??\V: svhost.exe File opened (read-only) \??\X: svhost.exe File opened (read-only) \??\Z: svhost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 836 vssadmin.exe 828 vssadmin.exe 952 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1128 svhost.exe 1128 svhost.exe 1128 svhost.exe 1128 svhost.exe 1128 svhost.exe 1128 svhost.exe 1128 svhost.exe 1128 svhost.exe 1128 svhost.exe 1128 svhost.exe 1128 svhost.exe 1128 svhost.exe 1128 svhost.exe 1128 svhost.exe 1128 svhost.exe 1128 svhost.exe 1128 svhost.exe 1128 svhost.exe 1128 svhost.exe 1128 svhost.exe 1128 svhost.exe 1128 svhost.exe 1128 svhost.exe 1128 svhost.exe 1128 svhost.exe 1128 svhost.exe 1128 svhost.exe 1128 svhost.exe 1128 svhost.exe 1128 svhost.exe 1128 svhost.exe 1128 svhost.exe 1128 svhost.exe 1128 svhost.exe 1128 svhost.exe 1128 svhost.exe 1128 svhost.exe 1128 svhost.exe 1128 svhost.exe 1128 svhost.exe 1128 svhost.exe 1128 svhost.exe 1128 svhost.exe 1128 svhost.exe 1128 svhost.exe 1128 svhost.exe 1128 svhost.exe 1128 svhost.exe 1128 svhost.exe 1128 svhost.exe 1128 svhost.exe 1128 svhost.exe 1128 svhost.exe 1128 svhost.exe 1128 svhost.exe 1128 svhost.exe 1128 svhost.exe 1128 svhost.exe 1128 svhost.exe 1128 svhost.exe 1128 svhost.exe 1128 svhost.exe 1128 svhost.exe 1128 svhost.exe -
Suspicious use of AdjustPrivilegeToken 63 IoCs
description pid Process Token: SeBackupPrivilege 1616 vssvc.exe Token: SeRestorePrivilege 1616 vssvc.exe Token: SeAuditPrivilege 1616 vssvc.exe Token: SeIncreaseQuotaPrivilege 1480 wmic.exe Token: SeSecurityPrivilege 1480 wmic.exe Token: SeTakeOwnershipPrivilege 1480 wmic.exe Token: SeLoadDriverPrivilege 1480 wmic.exe Token: SeSystemProfilePrivilege 1480 wmic.exe Token: SeSystemtimePrivilege 1480 wmic.exe Token: SeProfSingleProcessPrivilege 1480 wmic.exe Token: SeIncBasePriorityPrivilege 1480 wmic.exe Token: SeCreatePagefilePrivilege 1480 wmic.exe Token: SeBackupPrivilege 1480 wmic.exe Token: SeRestorePrivilege 1480 wmic.exe Token: SeShutdownPrivilege 1480 wmic.exe Token: SeDebugPrivilege 1480 wmic.exe Token: SeSystemEnvironmentPrivilege 1480 wmic.exe Token: SeRemoteShutdownPrivilege 1480 wmic.exe Token: SeUndockPrivilege 1480 wmic.exe Token: SeManageVolumePrivilege 1480 wmic.exe Token: 33 1480 wmic.exe Token: 34 1480 wmic.exe Token: 35 1480 wmic.exe Token: SeIncreaseQuotaPrivilege 1868 wmic.exe Token: SeSecurityPrivilege 1868 wmic.exe Token: SeTakeOwnershipPrivilege 1868 wmic.exe Token: SeLoadDriverPrivilege 1868 wmic.exe Token: SeSystemProfilePrivilege 1868 wmic.exe Token: SeSystemtimePrivilege 1868 wmic.exe Token: SeProfSingleProcessPrivilege 1868 wmic.exe Token: SeIncBasePriorityPrivilege 1868 wmic.exe Token: SeCreatePagefilePrivilege 1868 wmic.exe Token: SeBackupPrivilege 1868 wmic.exe Token: SeRestorePrivilege 1868 wmic.exe Token: SeShutdownPrivilege 1868 wmic.exe Token: SeDebugPrivilege 1868 wmic.exe Token: SeSystemEnvironmentPrivilege 1868 wmic.exe Token: SeRemoteShutdownPrivilege 1868 wmic.exe Token: SeUndockPrivilege 1868 wmic.exe Token: SeManageVolumePrivilege 1868 wmic.exe Token: 33 1868 wmic.exe Token: 34 1868 wmic.exe Token: 35 1868 wmic.exe Token: SeIncreaseQuotaPrivilege 1944 wmic.exe Token: SeSecurityPrivilege 1944 wmic.exe Token: SeTakeOwnershipPrivilege 1944 wmic.exe Token: SeLoadDriverPrivilege 1944 wmic.exe Token: SeSystemProfilePrivilege 1944 wmic.exe Token: SeSystemtimePrivilege 1944 wmic.exe Token: SeProfSingleProcessPrivilege 1944 wmic.exe Token: SeIncBasePriorityPrivilege 1944 wmic.exe Token: SeCreatePagefilePrivilege 1944 wmic.exe Token: SeBackupPrivilege 1944 wmic.exe Token: SeRestorePrivilege 1944 wmic.exe Token: SeShutdownPrivilege 1944 wmic.exe Token: SeDebugPrivilege 1944 wmic.exe Token: SeSystemEnvironmentPrivilege 1944 wmic.exe Token: SeRemoteShutdownPrivilege 1944 wmic.exe Token: SeUndockPrivilege 1944 wmic.exe Token: SeManageVolumePrivilege 1944 wmic.exe Token: 33 1944 wmic.exe Token: 34 1944 wmic.exe Token: 35 1944 wmic.exe -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 1128 wrote to memory of 836 1128 svhost.exe 27 PID 1128 wrote to memory of 836 1128 svhost.exe 27 PID 1128 wrote to memory of 836 1128 svhost.exe 27 PID 1128 wrote to memory of 836 1128 svhost.exe 27 PID 1128 wrote to memory of 1480 1128 svhost.exe 30 PID 1128 wrote to memory of 1480 1128 svhost.exe 30 PID 1128 wrote to memory of 1480 1128 svhost.exe 30 PID 1128 wrote to memory of 1480 1128 svhost.exe 30 PID 1128 wrote to memory of 828 1128 svhost.exe 32 PID 1128 wrote to memory of 828 1128 svhost.exe 32 PID 1128 wrote to memory of 828 1128 svhost.exe 32 PID 1128 wrote to memory of 828 1128 svhost.exe 32 PID 1128 wrote to memory of 1868 1128 svhost.exe 34 PID 1128 wrote to memory of 1868 1128 svhost.exe 34 PID 1128 wrote to memory of 1868 1128 svhost.exe 34 PID 1128 wrote to memory of 1868 1128 svhost.exe 34 PID 1128 wrote to memory of 952 1128 svhost.exe 36 PID 1128 wrote to memory of 952 1128 svhost.exe 36 PID 1128 wrote to memory of 952 1128 svhost.exe 36 PID 1128 wrote to memory of 952 1128 svhost.exe 36 PID 1128 wrote to memory of 1944 1128 svhost.exe 38 PID 1128 wrote to memory of 1944 1128 svhost.exe 38 PID 1128 wrote to memory of 1944 1128 svhost.exe 38 PID 1128 wrote to memory of 1944 1128 svhost.exe 38 PID 1920 wrote to memory of 748 1920 taskeng.exe 42 PID 1920 wrote to memory of 748 1920 taskeng.exe 42 PID 1920 wrote to memory of 748 1920 taskeng.exe 42 PID 1920 wrote to memory of 748 1920 taskeng.exe 42 -
System policy modification 1 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" svhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" svhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" svhost.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\svhost.exe"C:\Users\Admin\AppData\Local\Temp\svhost.exe"1⤵
- UAC bypass
- Modifies extensions of user files
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1128 -
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
PID:836
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1480
-
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
PID:828
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1868
-
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
PID:952
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1944
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1616
-
C:\Windows\system32\taskeng.exetaskeng.exe {84DB3DE6-E408-418B-B8EB-24324CE6E98C} S-1-5-21-4063495947-34355257-727531523-1000:RYNKSFQE\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
PID:1920 -
C:\Users\Admin\AppData\Roaming\svhost.exeC:\Users\Admin\AppData\Roaming\svhost.exe2⤵
- Executes dropped EXE
PID:748
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
678KB
MD55aa0a571567f8437556e9b00ae5a3532
SHA145377cb152832c9112db7909219fa87a6e760aae
SHA25673549f6017ad04e475e40e9d306b3e042d080843d8e7c029a5bb6b8ab7e34432
SHA512d320fecef75b4514b9cf154d41c3cc03e2cd8f6bf15ff0d7c97398127c0728cf0b24e5a46435573d38b384b1515876070f28daa7d37e81de10d1db2b27ae51ec
-
Filesize
678KB
MD55aa0a571567f8437556e9b00ae5a3532
SHA145377cb152832c9112db7909219fa87a6e760aae
SHA25673549f6017ad04e475e40e9d306b3e042d080843d8e7c029a5bb6b8ab7e34432
SHA512d320fecef75b4514b9cf154d41c3cc03e2cd8f6bf15ff0d7c97398127c0728cf0b24e5a46435573d38b384b1515876070f28daa7d37e81de10d1db2b27ae51ec