Analysis
-
max time kernel
150s -
max time network
10s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
11-03-2023 04:46
Behavioral task
behavioral1
Sample
Medusa.bin.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
Medusa.bin.exe
Resource
win10v2004-20230220-en
General
-
Target
Medusa.bin.exe
-
Size
661KB
-
MD5
19ddac9782acd73f66c5fe040e86ddee
-
SHA1
24ceba1e2951cde8e41939da21c6ba3030fc531d
-
SHA256
dde3c98b6a370fb8d1785f3134a76cb465cd663db20dffe011da57a4de37aa95
-
SHA512
e7be7472241fdd26db48dbd0311afe821905f6d59dfb56e3dc035944b7346b0767a8af76d110c5f60c0ba0183ca3791e56d9b3c8b9ba887afa111aafc949c1d4
-
SSDEEP
12288:vN3K5e8nbwFigzk6VVMqX8aQNRMcauV9B/rtiPnA40Q8:hCXbwFigzkQVdXvlcayDh49
Malware Config
Signatures
-
MedusaLocker
Ransomware with several variants first seen in September 2019.
-
MedusaLocker payload 2 IoCs
resource yara_rule behavioral1/files/0x000400000000b46e-834.dat family_medusalocker behavioral1/files/0x000400000000b46e-833.dat family_medusalocker -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Medusa.bin.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" Medusa.bin.exe -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 9 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File renamed C:\Users\Admin\Pictures\CompressInstall.tif => C:\Users\Admin\Pictures\CompressInstall.tif.encrypted Medusa.bin.exe File renamed C:\Users\Admin\Pictures\ConvertToRequest.tiff => C:\Users\Admin\Pictures\ConvertToRequest.tiff.encrypted Medusa.bin.exe File renamed C:\Users\Admin\Pictures\ReceiveInvoke.raw => C:\Users\Admin\Pictures\ReceiveInvoke.raw.encrypted Medusa.bin.exe File renamed C:\Users\Admin\Pictures\UnblockUninstall.png => C:\Users\Admin\Pictures\UnblockUninstall.png.encrypted Medusa.bin.exe File renamed C:\Users\Admin\Pictures\AddPush.tif => C:\Users\Admin\Pictures\AddPush.tif.encrypted Medusa.bin.exe File opened for modification C:\Users\Admin\Pictures\ConvertToRequest.tiff Medusa.bin.exe File renamed C:\Users\Admin\Pictures\InvokeExport.raw => C:\Users\Admin\Pictures\InvokeExport.raw.encrypted Medusa.bin.exe File renamed C:\Users\Admin\Pictures\RemoveConfirm.tif => C:\Users\Admin\Pictures\RemoveConfirm.tif.encrypted Medusa.bin.exe File renamed C:\Users\Admin\Pictures\UnlockLock.raw => C:\Users\Admin\Pictures\UnlockLock.raw.encrypted Medusa.bin.exe -
Executes dropped EXE 1 IoCs
pid Process 1620 svchostt.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Medusa.bin.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\U: Medusa.bin.exe File opened (read-only) \??\W: Medusa.bin.exe File opened (read-only) \??\X: Medusa.bin.exe File opened (read-only) \??\Y: Medusa.bin.exe File opened (read-only) \??\Z: Medusa.bin.exe File opened (read-only) \??\L: Medusa.bin.exe File opened (read-only) \??\Q: Medusa.bin.exe File opened (read-only) \??\J: Medusa.bin.exe File opened (read-only) \??\T: Medusa.bin.exe File opened (read-only) \??\F: Medusa.bin.exe File opened (read-only) \??\I: Medusa.bin.exe File opened (read-only) \??\H: Medusa.bin.exe File opened (read-only) \??\O: Medusa.bin.exe File opened (read-only) \??\B: Medusa.bin.exe File opened (read-only) \??\G: Medusa.bin.exe File opened (read-only) \??\K: Medusa.bin.exe File opened (read-only) \??\M: Medusa.bin.exe File opened (read-only) \??\N: Medusa.bin.exe File opened (read-only) \??\P: Medusa.bin.exe File opened (read-only) \??\R: Medusa.bin.exe File opened (read-only) \??\S: Medusa.bin.exe File opened (read-only) \??\A: Medusa.bin.exe File opened (read-only) \??\E: Medusa.bin.exe File opened (read-only) \??\V: Medusa.bin.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 1532 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1556 Medusa.bin.exe 1556 Medusa.bin.exe 1556 Medusa.bin.exe 1556 Medusa.bin.exe 1556 Medusa.bin.exe 1556 Medusa.bin.exe 1556 Medusa.bin.exe 1556 Medusa.bin.exe 1556 Medusa.bin.exe 1556 Medusa.bin.exe 1556 Medusa.bin.exe 1556 Medusa.bin.exe 1556 Medusa.bin.exe 1556 Medusa.bin.exe 1556 Medusa.bin.exe 1556 Medusa.bin.exe 1556 Medusa.bin.exe 1556 Medusa.bin.exe 1556 Medusa.bin.exe 1556 Medusa.bin.exe 1556 Medusa.bin.exe 1556 Medusa.bin.exe 1556 Medusa.bin.exe 1556 Medusa.bin.exe 1556 Medusa.bin.exe 1556 Medusa.bin.exe 1556 Medusa.bin.exe 1556 Medusa.bin.exe 1556 Medusa.bin.exe 1556 Medusa.bin.exe 1556 Medusa.bin.exe 1556 Medusa.bin.exe 1556 Medusa.bin.exe 1556 Medusa.bin.exe 1556 Medusa.bin.exe 1556 Medusa.bin.exe 1556 Medusa.bin.exe 1556 Medusa.bin.exe 1556 Medusa.bin.exe 1556 Medusa.bin.exe 1556 Medusa.bin.exe 1556 Medusa.bin.exe 1556 Medusa.bin.exe 1556 Medusa.bin.exe 1556 Medusa.bin.exe 1556 Medusa.bin.exe 1556 Medusa.bin.exe 1556 Medusa.bin.exe 1556 Medusa.bin.exe 1556 Medusa.bin.exe 1556 Medusa.bin.exe 1556 Medusa.bin.exe 1556 Medusa.bin.exe 1556 Medusa.bin.exe 1556 Medusa.bin.exe 1556 Medusa.bin.exe 1556 Medusa.bin.exe 1556 Medusa.bin.exe 1556 Medusa.bin.exe 1556 Medusa.bin.exe 1556 Medusa.bin.exe 1556 Medusa.bin.exe 1556 Medusa.bin.exe 1556 Medusa.bin.exe -
Suspicious use of AdjustPrivilegeToken 23 IoCs
description pid Process Token: SeBackupPrivilege 1304 vssvc.exe Token: SeRestorePrivilege 1304 vssvc.exe Token: SeAuditPrivilege 1304 vssvc.exe Token: SeIncreaseQuotaPrivilege 1720 wmic.exe Token: SeSecurityPrivilege 1720 wmic.exe Token: SeTakeOwnershipPrivilege 1720 wmic.exe Token: SeLoadDriverPrivilege 1720 wmic.exe Token: SeSystemProfilePrivilege 1720 wmic.exe Token: SeSystemtimePrivilege 1720 wmic.exe Token: SeProfSingleProcessPrivilege 1720 wmic.exe Token: SeIncBasePriorityPrivilege 1720 wmic.exe Token: SeCreatePagefilePrivilege 1720 wmic.exe Token: SeBackupPrivilege 1720 wmic.exe Token: SeRestorePrivilege 1720 wmic.exe Token: SeShutdownPrivilege 1720 wmic.exe Token: SeDebugPrivilege 1720 wmic.exe Token: SeSystemEnvironmentPrivilege 1720 wmic.exe Token: SeRemoteShutdownPrivilege 1720 wmic.exe Token: SeUndockPrivilege 1720 wmic.exe Token: SeManageVolumePrivilege 1720 wmic.exe Token: 33 1720 wmic.exe Token: 34 1720 wmic.exe Token: 35 1720 wmic.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 1556 wrote to memory of 1532 1556 Medusa.bin.exe 28 PID 1556 wrote to memory of 1532 1556 Medusa.bin.exe 28 PID 1556 wrote to memory of 1532 1556 Medusa.bin.exe 28 PID 1556 wrote to memory of 1532 1556 Medusa.bin.exe 28 PID 1556 wrote to memory of 1720 1556 Medusa.bin.exe 31 PID 1556 wrote to memory of 1720 1556 Medusa.bin.exe 31 PID 1556 wrote to memory of 1720 1556 Medusa.bin.exe 31 PID 1556 wrote to memory of 1720 1556 Medusa.bin.exe 31 PID 1980 wrote to memory of 1620 1980 taskeng.exe 35 PID 1980 wrote to memory of 1620 1980 taskeng.exe 35 PID 1980 wrote to memory of 1620 1980 taskeng.exe 35 PID 1980 wrote to memory of 1620 1980 taskeng.exe 35 -
System policy modification 1 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Medusa.bin.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" Medusa.bin.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" Medusa.bin.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Medusa.bin.exe"C:\Users\Admin\AppData\Local\Temp\Medusa.bin.exe"1⤵
- UAC bypass
- Modifies extensions of user files
- Checks whether UAC is enabled
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1556 -
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
PID:1532
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1720
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1304
-
C:\Windows\system32\taskeng.exetaskeng.exe {FE574BBD-17C7-4E3D-9B67-5D12A889AC12} S-1-5-21-3430344531-3702557399-3004411149-1000:WFSTZEPN\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Users\Admin\AppData\Roaming\svchostt.exeC:\Users\Admin\AppData\Roaming\svchostt.exe2⤵
- Executes dropped EXE
PID:1620
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
27KB
MD54e94527259f9c5c27645c4c98fd2d327
SHA17b1578fb046ea90128c71ecce9b47b309ca686bd
SHA256ec63a359df66e85f826fb064bfd0a76caa153950e93f8b58edce9c8bf825e781
SHA5126bf5da2e3b95225165ce756b78f52d1236a92a6c1eba64b184e6152f03a81ae801cf1fe980beeee65c602c60683dd025526f674c084fd82116dce299ac5d56e3
-
Filesize
661KB
MD519ddac9782acd73f66c5fe040e86ddee
SHA124ceba1e2951cde8e41939da21c6ba3030fc531d
SHA256dde3c98b6a370fb8d1785f3134a76cb465cd663db20dffe011da57a4de37aa95
SHA512e7be7472241fdd26db48dbd0311afe821905f6d59dfb56e3dc035944b7346b0767a8af76d110c5f60c0ba0183ca3791e56d9b3c8b9ba887afa111aafc949c1d4
-
Filesize
661KB
MD519ddac9782acd73f66c5fe040e86ddee
SHA124ceba1e2951cde8e41939da21c6ba3030fc531d
SHA256dde3c98b6a370fb8d1785f3134a76cb465cd663db20dffe011da57a4de37aa95
SHA512e7be7472241fdd26db48dbd0311afe821905f6d59dfb56e3dc035944b7346b0767a8af76d110c5f60c0ba0183ca3791e56d9b3c8b9ba887afa111aafc949c1d4