Analysis
- max time kernel: 150s
- max time network: 30s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 06-01-2023 19:39
Behavioral task behavioral1
- Sample: 64_MEcip8.exe
- Resource: win7-20221111-en
Behavioral task behavioral2
- Sample: 64_MEcip8.exe
- Resource: win10v2004-20221111-en
General
- Target: 64_MEcip8.exe
- Size: 666KB
- MD5: 1a1bd3c9901502ba239c242a43ffc7d3
- SHA1: 1365c2d7edcf5e6e970bd7a8257a24eece404098
- SHA256: 9e7723372ff1ee68d817cf9ac7de7c0994d528e6fcf7fb3fcf17125e4cb59d0c
- SHA512: 85fc17144dd0d739444acdb859b76c257570005e5587e9f49ede70cbac1a3b8eaf4325e745bff888fdbcd25174be750bb752bbb16185d6fb3df81cbd6a977b25
- SSDEEP: 12288:ZYW1LNT35lDbK/LIVaN8+T7vwqyqhYMhWt918vulAiC9+m:dd35lDbKDIwWUDyqS5om3C9+
Malware Config
Extracted
- Ransom note: C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\!-Recovery_Instructions-!.html
- Contact e-mail from the note: [email protected] (the address is obscured in the report as captured)
- Secondary contact from the note: https://tox.chat/download.html (Tox messenger download link)
Signatures
-
MedusaLocker
Ransomware with several variants first seen in September 2019.
-
MedusaLocker payload 2 IoCs
resource yara_rule
- behavioral1/files/0x0008000000014247-63.dat family_medusalocker
- behavioral1/files/0x0008000000014247-61.dat family_medusalocker
-
UAC bypass 2 IoCs (signature name taken from the process tree below; the heading was lost in extraction)
EnableLUA = 0 switches UAC off entirely and ConsentPromptBehaviorAdmin = 0 lets administrators elevate without a prompt, so later privileged actions raise no consent dialog.
description ioc Process
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 64_MEcip8.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 64_MEcip8.exe
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 1 IoCs
pid Process
- 1704 svhost.exe
-
Modifies extensions of user files 7 IoCs
Ransomware generally changes the extension on encrypted files; this sample appends .cipher8 to the original name.
description ioc Process
- File renamed C:\Users\Admin\Pictures\ResumeApprove.tiff => C:\Users\Admin\Pictures\ResumeApprove.tiff.cipher8 64_MEcip8.exe
- File renamed C:\Users\Admin\Pictures\UndoRestore.crw => C:\Users\Admin\Pictures\UndoRestore.crw.cipher8 64_MEcip8.exe
- File renamed C:\Users\Admin\Pictures\EnableRead.crw => C:\Users\Admin\Pictures\EnableRead.crw.cipher8 64_MEcip8.exe
- File renamed C:\Users\Admin\Pictures\ExitTest.raw => C:\Users\Admin\Pictures\ExitTest.raw.cipher8 64_MEcip8.exe
- File renamed C:\Users\Admin\Pictures\RegisterGroup.raw => C:\Users\Admin\Pictures\RegisterGroup.raw.cipher8 64_MEcip8.exe
- File renamed C:\Users\Admin\Pictures\RenameCopy.crw => C:\Users\Admin\Pictures\RenameCopy.crw.cipher8 64_MEcip8.exe
- File opened for modification C:\Users\Admin\Pictures\ResumeApprove.tiff 64_MEcip8.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks whether UAC is enabled 1 IoCs (signature name taken from the process tree below; the heading was lost in extraction)
description ioc Process
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 64_MEcip8.exe
-
Drops desktop.ini file(s) 1 IoCs
description ioc Process
- File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-3406023954-474543476-3319432036-1000\desktop.ini 64_MEcip8.exe
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process
- File opened (read-only) by 64_MEcip8.exe on each of the 24 drive letters other than C: and D:: \??\A:, \??\B:, \??\E:, \??\F:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process
- 1172 vssadmin.exe
- 1748 vssadmin.exe
- 1812 vssadmin.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
- 1212 64_MEcip8.exe (the same entry recorded 64 times)
-
Suspicious use of AdjustPrivilegeToken 63 IoCs
description pid Process
- vssvc.exe (PID 576): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- wmic.exe (PIDs 936, 556 and 1804, the same set for each): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, and the privilege LUIDs 33, 34 and 35 (left unnamed by the sandbox)
Note: wmic.exe enables every privilege available to its token when it starts, so the long wmic.exe list is normal WMIC behaviour rather than something the sample did; the interesting fact is that the sample launched wmic.exe against the shadow-copy class at all.
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target (each parent/child pair is recorded 4 times, giving 28 entries)
- PID 1212 (64_MEcip8.exe) wrote to memory of 1172, procid_target 28
- PID 1212 (64_MEcip8.exe) wrote to memory of 936, procid_target 31
- PID 1212 (64_MEcip8.exe) wrote to memory of 1748, procid_target 33
- PID 1212 (64_MEcip8.exe) wrote to memory of 556, procid_target 35
- PID 1212 (64_MEcip8.exe) wrote to memory of 1812, procid_target 37
- PID 1212 (64_MEcip8.exe) wrote to memory of 1804, procid_target 39
- PID 1728 (taskeng.exe) wrote to memory of 1704, procid_target 43
System policy modification 1 TTPs 3 IoCs
Besides the two UAC values, the sample sets EnableLinkedConnections = 1, which makes network drives mapped in the user's standard session visible to the elevated token as well, so encryption can reach mapped shares.
description ioc Process
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 64_MEcip8.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 64_MEcip8.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" 64_MEcip8.exe
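Added example, not part of the sandbox report or of the Triage product: a small Python triage routine that maps Sysmon-style process-creation (Event ID 1) and registry-set (Event ID 13) events onto the behaviours listed above: the vssadmin/wmic shadow-copy commands from "Deletes shadow copies" and "Interacts with shadow copies", the three Policies\System values from "UAC bypass" and "System policy modification", and the dropped AppData\Roaming\svhost.exe started by taskeng.exe from the process tree. The event dict shape, the rule names, and the sample events are assumptions constructed for this example; real Sysmon output would need to be mapped onto those fields first.

```python
import re
from dataclasses import dataclass

# Registry key as Sysmon renders it, and the values the sample wrote (report: "System policy modification").
POLICY_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
POLICY_TAMPER = {
    "EnableLUA": 0,                   # UAC disabled outright
    "ConsentPromptBehaviorAdmin": 0,  # administrators elevate without a prompt
    "EnableLinkedConnections": 1,     # mapped network drives visible to the elevated token too
}

# Command lines from the report, matched loosely so that argument order and casing do not matter.
SHADOW_COPY_PATTERNS = (
    ("vssadmin delete shadows", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("wmic shadowcopy", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b", re.I)),
)


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def _dword(details: str):
    """Parse Sysmon's 'DWORD (0x00000000)' rendering into an int; None for other value types."""
    m = re.search(r"DWORD\s*\(0x([0-9a-fA-F]+)\)", details)
    return int(m.group(1), 16) if m else None


def check_process_create(ev: dict) -> list:
    """Event ID 1: shadow-copy deletion, and AppData\\Roaming binaries started by the Task Scheduler engine."""
    out = []
    for label, pat in SHADOW_COPY_PATTERNS:
        if pat.search(ev["cmdline"]):
            out.append(Finding("inhibit_recovery", ev["pid"], label))
    parent, image = ev.get("parent_image", "").lower(), ev["image"].lower()
    if parent.endswith("\\taskeng.exe") and "\\appdata\\roaming\\" in image:
        out.append(Finding("scheduled_task_persistence", ev["pid"], image))
    return out


def check_registry_set(ev: dict) -> list:
    """Event ID 13: one of the three policy values set to the value the sample used."""
    key, _, name = ev["target"].rpartition("\\")
    if key.lower() != POLICY_KEY.lower() or name not in POLICY_TAMPER:
        return []
    if _dword(ev["details"]) == POLICY_TAMPER[name]:
        return [Finding("uac_policy_tamper", ev["pid"], f"{name}={POLICY_TAMPER[name]}")]
    return []  # same value name but a benign value (e.g. EnableLUA=1) is not flagged


HANDLERS = {1: check_process_create, 13: check_registry_set}


def triage(events) -> list:
    """Run every event through the handler for its Sysmon event ID and collect the findings."""
    findings = []
    for ev in events:
        handler = HANDLERS.get(ev["event_id"])
        if handler:
            findings.extend(handler(ev))
    return findings


def summarize(findings) -> dict:
    """Count findings per rule name."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Constructed events that mirror the report's process tree and registry writes (not real Sysmon output).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\64_MEcip8.exe"
SAMPLE_EVENTS = [
    {"event_id": 1, "pid": 400, "image": r"C:\Windows\explorer.exe",
     "parent_image": r"C:\Windows\System32\userinit.exe", "cmdline": "explorer.exe"},  # benign control
]
for pid in (1172, 1748, 1812):
    SAMPLE_EVENTS.append({"event_id": 1, "pid": pid, "image": r"C:\Windows\SysWOW64\vssadmin.exe",
                          "parent_image": SAMPLE, "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"})
for pid in (936, 556, 1804):
    SAMPLE_EVENTS.append({"event_id": 1, "pid": pid, "image": r"C:\Windows\SysWOW64\Wbem\wmic.exe",
                          "parent_image": SAMPLE, "cmdline": "wmic.exe SHADOWCOPY /nointeractive"})
for name, val in (("EnableLUA", 0), ("ConsentPromptBehaviorAdmin", 0), ("EnableLinkedConnections", 1)):
    SAMPLE_EVENTS.append({"event_id": 13, "pid": 1212, "target": POLICY_KEY + "\\" + name,
                          "details": f"DWORD (0x{val:08x})"})
SAMPLE_EVENTS.append({"event_id": 1, "pid": 1704, "image": r"C:\Users\Admin\AppData\Roaming\svhost.exe",
                      "parent_image": r"C:\Windows\system32\taskeng.exe",
                      "cmdline": r"C:\Users\Admin\AppData\Roaming\svhost.exe"})

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.rule:28} pid={f.pid:<5} {f.detail}")
    print(summarize(triage(SAMPLE_EVENTS)))
```

On the constructed events this yields six inhibit_recovery findings (three vssadmin, three wmic), three uac_policy_tamper findings and one scheduled_task_persistence finding, while the benign explorer.exe launch and a write of EnableLUA=1 produce nothing. The wmic pattern deliberately does not require the word "delete": the command line captured in this report is `wmic.exe SHADOWCOPY /nointeractive`, so a rule keyed on `shadowcopy delete` would miss it.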
Processes
- C:\Users\Admin\AppData\Local\Temp\64_MEcip8.exe (PID 1212)
  Command line: "C:\Users\Admin\AppData\Local\Temp\64_MEcip8.exe"
  Signatures: UAC bypass; Modifies extensions of user files; Checks whether UAC is enabled; Drops desktop.ini file(s); Enumerates connected drives; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory; System policy modification
  Note: its children resolve to C:\Windows\SysWOW64, so the sample runs as a 32-bit process on this x64 image despite the "64_" prefix in its file name.
  - C:\Windows\SysWOW64\vssadmin.exe (PID 1172)
    Command line: vssadmin.exe Delete Shadows /All /Quiet
    Signatures: Interacts with shadow copies
  - C:\Windows\SysWOW64\Wbem\wmic.exe (PID 936)
    Command line: wmic.exe SHADOWCOPY /nointeractive
    Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\vssadmin.exe (PID 1748)
    Command line: vssadmin.exe Delete Shadows /All /Quiet
    Signatures: Interacts with shadow copies
  - C:\Windows\SysWOW64\Wbem\wmic.exe (PID 556)
    Command line: wmic.exe SHADOWCOPY /nointeractive
    Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\vssadmin.exe (PID 1812)
    Command line: vssadmin.exe Delete Shadows /All /Quiet
    Signatures: Interacts with shadow copies
  - C:\Windows\SysWOW64\Wbem\wmic.exe (PID 1804)
    Command line: wmic.exe SHADOWCOPY /nointeractive
    Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe (PID 576)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken
  Note: this is the Volume Shadow Copy service itself, brought up to serve the vssadmin/wmic requests above; it is not dropped or started by the sample directly.
- C:\Windows\system32\taskeng.exe (PID 1728)
  Command line: taskeng.exe {7354C9F5-9D93-4EBC-AF8D-344EAD95D92D} S-1-5-21-3406023954-474543476-3319432036-1000:VUIIVLGQ\Admin:Interactive:[1]
  Signatures: Suspicious use of WriteProcessMemory
  Note: taskeng.exe is the Task Scheduler engine, so the dropped binary below is being started by a scheduled task running as the interactive user rather than directly by the sample.
  - C:\Users\Admin\AppData\Roaming\svhost.exe (PID 1704)
    Command line: C:\Users\Admin\AppData\Roaming\svhost.exe
    Signatures: Executes dropped EXE
    Note: "svhost.exe" is a look-alike of the legitimate svchost.exe name, and it lives in the user's roaming profile rather than in System32.
Network
MITRE ATT&CK Enterprise v6
Downloads
- 64_MEcip8.exe (the submitted sample; the original report lists it once per behavioral task)
  Filesize: 666KB
  MD5: 1a1bd3c9901502ba239c242a43ffc7d3
  SHA1: 1365c2d7edcf5e6e970bd7a8257a24eece404098
  SHA256: 9e7723372ff1ee68d817cf9ac7de7c0994d528e6fcf7fb3fcf17125e4cb59d0c
  SHA512: 85fc17144dd0d739444acdb859b76c257570005e5587e9f49ede70cbac1a3b8eaf4325e745bff888fdbcd25174be750bb752bbb16185d6fb3df81cbd6a977b25