Analysis

  • max time kernel
    192s
  • max time network
    215s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-01-2023 19:39

General

  • Target

    64_MEcip8.exe

  • Size

    666KB

  • MD5

    1a1bd3c9901502ba239c242a43ffc7d3

  • SHA1

    1365c2d7edcf5e6e970bd7a8257a24eece404098

  • SHA256

    9e7723372ff1ee68d817cf9ac7de7c0994d528e6fcf7fb3fcf17125e4cb59d0c

  • SHA512

    85fc17144dd0d739444acdb859b76c257570005e5587e9f49ede70cbac1a3b8eaf4325e745bff888fdbcd25174be750bb752bbb16185d6fb3df81cbd6a977b25

  • SSDEEP

    12288:ZYW1LNT35lDbK/LIVaN8+T7vwqyqhYMhWt918vulAiC9+m:dd35lDbKDIwWUDyqS5om3C9+

Malware Config

Extracted

Path

C:\!-Recovery_Instructions-!.html

Ransom Note
<!DOCTYPE html> <html lang="en"> <head> <meta charset='utf-8'> <meta name='viewport' content='width=device-width,initial-scale=1'> <title></title> <style> html, body { background-color: #1a1a1a; } body { padding-top: 1rem !important; font-size: 1.3rem; color: white; } #text h2 { font-size: 2rem; font-weight: 600; line-height: 1.125; } .container { max-width: 1152px; flex-grow: 1; margin: 0 auto; position: relative; width: auto; } .box { background-color: #242424; display: block; padding: 1.25rem; border: 1px solid #303030; } a { color: #00b4d8; text-decoration: none; } a:hover { text-decoration: underline; } li { margin-bottom: 10px; } </style> </head> <body> <div class='container'> <div class='box'> <div id='text'> <h2>If you get this message, your network was hacked!</h2> <p>After we gained full access to your servers, we first downloaded a large amount of sensitive data and then encrypted all the data stored on them.</p> <p>That includes personal information on your clients, partners, your personnel, accounting documents, and other crucial files that are necessary for your company to work normally.</p> <p>We used modern complicated algorithms, so you or any recovery service will not be able to decrypt files without our help, wasting time on these attempts instead of negotiations can be fatal for your company.</p> <p>Make sure to act within <span style='color:#f4a261;'>72</span> hours or the negotiations will be considered failed!</p> <p>Inform your superior management about what's going on.</p> <p> Contact us for pricing and decryption software.</p> <p> Contact us by email:<p> <h2>[email protected]</h2> </p>If you do not receive a response within 24 hours, please contact us at our additional contacts:</p> <p> 1) Download for TOX CHAT https://tox.chat/download.html</p> <p> 2) Open chat<p> <p>Add ID Chat: </p><h2>3C9D49B928FDC3C15F0314217623A71B865909B308576B4B0D10AEA62C98677B4A3F160D5C93</h2> <p>If we did not answer you, leave the chat enabled, the operator will contact you!<p> </p>To verify the possibility of the recovery of your files we can decrypted 1-3 file for free.</p> </p>Attach file to the letter (no more than 5Mb).</p> <h2>If you and us succeed the negotiations we will grant you:</h2> <ul> <li>complete confidentiality, we will keep in secret any information regarding to attack, your company will act as if nothing had happened.</li> <li>comprehensive information about vulnerabilities of your network and security report.</li> <li>software and instructions to decrypt all the data that was encrypted.</li> <li>all sensitive downloaded data will be permanently deleted from our cloud storage and we will provide an erasure log.</li> </ul> <h2>Our options if you act like nothing's happening, refuse to make a deal or fail the negotiations:</h2> <ul> <li>inform the media and independent journalists about what happened to your servers. To prove it we'll publish a chunk of private data that you should have ciphered if you care about potential breaches. Moreover, your company will inevitably take decent reputational loss which is hard to assess precisely.</li> <li>inform your clients, employees, partners by phone, e-mail, sms and social networks that you haven't prevent their data leakage. You will violate laws about private data protection.</li> <li>start DDOS attack on you website and infrastructures.</li> <li>personal data stored will be put on sale on the Darknet to find anyone interested to buy useful information regarding your company. It could be data mining agencies or your market competitors.</li> <li>publish all the discovered vulnerabilities found in your network, so anyone will do anything with it.</li> </ul> <h2>Why pay us?</h2> <p>We care about our reputation. You are welcome to google our cases up and be sure that we don't have a single case of failure to provide what we promissed.</p> <p>Turning this issue to a bug bounty will save your private information, reputation and will allow you to use the security report and avoid this kind of situations in future.</p> <h2>Your personal ID</p> Your ID: 8FA855BC2EDAC461F1C238B6ADA3ED46C05B0F0BE36EDC08E496A150DD085AEEE9B80E7E9100378272456D995190E2F749B486F4570EF7D51C4B514781E9164B<br>B98EA73CF61B418C98B0D2CCA611FC186E8EC2D83104A2F91137F821C091195F884594AD7381AEF4781B0B93C6AF45199DD1D4D5BB16720051FD2D4EC8C2<br>2D9874BDAFF0FC4CFFFC1CFE6563EF36654DDD6B173A7998016CAF070749180042F768DE0E23F9978515EB9CD08111238CBD1F446D11758DE23002DD65A6<br>D4D775E4E73C0730815F852913112FF6CF61789C1DAD1EBE6296FF418B75A06ABA3679A447BF5EB1BCA0AFD5FD0E0B8BFC1B6312C261018DCA36A6D405EB<br>9C7A0D01C6275E260BE970EB3583AE550FB4F75E15A96235975A060683801A4A313D2256F1ED208DF743B8C282E5EE7FA72F7DB6D508C8EE6C10B691CBA2<br>7DF62FB7B3943647CF8BE80BA885FC3F5899BB2F4B0AB825EAFB206927505A2949CF5C41660D292D6C0C633090B489F076F19578A4E4DB48DE743A14CBA0<br>4E79D9EB3F4FD990D3587E254BADC71C3B9711270AA875B2B53177A0F9345A3E8EDEBAF7C9DC68BC8215DF6635226211DBF46E7D479F2E33A7D045877CD3<br>EB51F5FAB4F0A866AB2D7CDCD9649F2DF59A5BDD162803CD69E67887403B792B203D54A79811A37CE2F310CE22FA444D2FD6CEAEAAF280D596E90BBE99D1<br>9C34B2B7645378506DE5D34F8B2D
Emails
URLs

https://tox.chat/download.html</p>

Signatures

  • MedusaLocker

    Ransomware with several variants first seen in September 2019.

  • MedusaLocker payload 2 IoCs
  • UAC bypass 3 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 63 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • System policy modification 1 TTPs 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\64_MEcip8.exe
    "C:\Users\Admin\AppData\Local\Temp\64_MEcip8.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3960
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3144
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2228
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3276
  • C:\Users\Admin\AppData\Roaming\svhost.exe
    C:\Users\Admin\AppData\Roaming\svhost.exe
    1⤵
    • Executes dropped EXE
    PID:2320

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\svhost.exe

    Filesize

    666KB

    MD5

    1a1bd3c9901502ba239c242a43ffc7d3

    SHA1

    1365c2d7edcf5e6e970bd7a8257a24eece404098

    SHA256

    9e7723372ff1ee68d817cf9ac7de7c0994d528e6fcf7fb3fcf17125e4cb59d0c

    SHA512

    85fc17144dd0d739444acdb859b76c257570005e5587e9f49ede70cbac1a3b8eaf4325e745bff888fdbcd25174be750bb752bbb16185d6fb3df81cbd6a977b25

  • C:\Users\Admin\AppData\Roaming\svhost.exe

    Filesize

    666KB

    MD5

    1a1bd3c9901502ba239c242a43ffc7d3

    SHA1

    1365c2d7edcf5e6e970bd7a8257a24eece404098

    SHA256

    9e7723372ff1ee68d817cf9ac7de7c0994d528e6fcf7fb3fcf17125e4cb59d0c

    SHA512

    85fc17144dd0d739444acdb859b76c257570005e5587e9f49ede70cbac1a3b8eaf4325e745bff888fdbcd25174be750bb752bbb16185d6fb3df81cbd6a977b25

  • memory/2228-133-0x0000000000000000-mapping.dmp

  • memory/3144-132-0x0000000000000000-mapping.dmp

  • memory/3276-134-0x0000000000000000-mapping.dmp