Analysis
-
max time kernel
150s -
max time network
10s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
-
submitted
11-03-2023 04:46
General
-
Target
Medusa.bin.exe
-
Size
661KB
-
MD5
19ddac9782acd73f66c5fe040e86ddee
-
SHA1
24ceba1e2951cde8e41939da21c6ba3030fc531d
-
SHA256
dde3c98b6a370fb8d1785f3134a76cb465cd663db20dffe011da57a4de37aa95
-
SHA512
e7be7472241fdd26db48dbd0311afe821905f6d59dfb56e3dc035944b7346b0767a8af76d110c5f60c0ba0183ca3791e56d9b3c8b9ba887afa111aafc949c1d4
-
SSDEEP
12288:vN3K5e8nbwFigzk6VVMqX8aQNRMcauV9B/rtiPnA40Q8:hCXbwFigzkQVdXvlcayDh49
Malware Config
Signatures
-
MedusaLocker
Ransomware with several variants first seen in September 2019.
-
MedusaLocker payload 2 IoCs
-
UAC bypass 3 TTPs 2 IoCs
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 9 IoCs
Ransomware generally changes the extension on encrypted files.
-
Executes dropped EXE 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 23 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
-
System policy modification 1 TTPs 3 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Medusa.bin.exe"C:\Users\Admin\AppData\Local\Temp\Medusa.bin.exe"1⤵
- UAC bypass
- Modifies extensions of user files
- Checks whether UAC is enabled
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskeng.exetaskeng.exe {FE574BBD-17C7-4E3D-9B67-5D12A889AC12} S-1-5-21-3430344531-3702557399-3004411149-1000:WFSTZEPN\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\svchostt.exeC:\Users\Admin\AppData\Roaming\svchostt.exe2⤵
- Executes dropped EXE
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
27KB
MD54e94527259f9c5c27645c4c98fd2d327
SHA17b1578fb046ea90128c71ecce9b47b309ca686bd
SHA256ec63a359df66e85f826fb064bfd0a76caa153950e93f8b58edce9c8bf825e781
SHA5126bf5da2e3b95225165ce756b78f52d1236a92a6c1eba64b184e6152f03a81ae801cf1fe980beeee65c602c60683dd025526f674c084fd82116dce299ac5d56e3
-
Filesize
661KB
MD519ddac9782acd73f66c5fe040e86ddee
SHA124ceba1e2951cde8e41939da21c6ba3030fc531d
SHA256dde3c98b6a370fb8d1785f3134a76cb465cd663db20dffe011da57a4de37aa95
SHA512e7be7472241fdd26db48dbd0311afe821905f6d59dfb56e3dc035944b7346b0767a8af76d110c5f60c0ba0183ca3791e56d9b3c8b9ba887afa111aafc949c1d4
-
Filesize
661KB
MD519ddac9782acd73f66c5fe040e86ddee
SHA124ceba1e2951cde8e41939da21c6ba3030fc531d
SHA256dde3c98b6a370fb8d1785f3134a76cb465cd663db20dffe011da57a4de37aa95
SHA512e7be7472241fdd26db48dbd0311afe821905f6d59dfb56e3dc035944b7346b0767a8af76d110c5f60c0ba0183ca3791e56d9b3c8b9ba887afa111aafc949c1d4