Analysis
-
max time kernel
144s -
max time network
104s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
11-03-2023 04:46
Behavioral task
behavioral1
Sample
Medusa.bin.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
Medusa.bin.exe
Resource
win10v2004-20230220-en
General
-
Target
Medusa.bin.exe
-
Size
661KB
-
MD5
19ddac9782acd73f66c5fe040e86ddee
-
SHA1
24ceba1e2951cde8e41939da21c6ba3030fc531d
-
SHA256
dde3c98b6a370fb8d1785f3134a76cb465cd663db20dffe011da57a4de37aa95
-
SHA512
e7be7472241fdd26db48dbd0311afe821905f6d59dfb56e3dc035944b7346b0767a8af76d110c5f60c0ba0183ca3791e56d9b3c8b9ba887afa111aafc949c1d4
-
SSDEEP
12288:vN3K5e8nbwFigzk6VVMqX8aQNRMcauV9B/rtiPnA40Q8:hCXbwFigzkQVdXvlcayDh49
Malware Config
Signatures
-
MedusaLocker
Ransomware with several variants first seen in September 2019.
-
MedusaLocker payload 2 IoCs
resource yara_rule behavioral2/files/0x000a00000002313d-629.dat family_medusalocker behavioral2/files/0x000a00000002313d-630.dat family_medusalocker -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" Medusa.bin.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Medusa.bin.exe -
Modifies extensions of user files 5 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File renamed C:\Users\Admin\Pictures\SwitchAdd.tiff => C:\Users\Admin\Pictures\SwitchAdd.tiff.encrypted Medusa.bin.exe File renamed C:\Users\Admin\Pictures\UnblockReceive.tif => C:\Users\Admin\Pictures\UnblockReceive.tif.encrypted Medusa.bin.exe File renamed C:\Users\Admin\Pictures\UseExport.raw => C:\Users\Admin\Pictures\UseExport.raw.encrypted Medusa.bin.exe File renamed C:\Users\Admin\Pictures\ResolveMeasure.raw => C:\Users\Admin\Pictures\ResolveMeasure.raw.encrypted Medusa.bin.exe File opened for modification C:\Users\Admin\Pictures\SwitchAdd.tiff Medusa.bin.exe -
Executes dropped EXE 1 IoCs
pid Process 4456 svchostt.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Medusa.bin.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\A: Medusa.bin.exe File opened (read-only) \??\R: Medusa.bin.exe File opened (read-only) \??\G: Medusa.bin.exe File opened (read-only) \??\H: Medusa.bin.exe File opened (read-only) \??\L: Medusa.bin.exe File opened (read-only) \??\P: Medusa.bin.exe File opened (read-only) \??\Y: Medusa.bin.exe File opened (read-only) \??\E: Medusa.bin.exe File opened (read-only) \??\F: Medusa.bin.exe File opened (read-only) \??\O: Medusa.bin.exe File opened (read-only) \??\S: Medusa.bin.exe File opened (read-only) \??\T: Medusa.bin.exe File opened (read-only) \??\V: Medusa.bin.exe File opened (read-only) \??\W: Medusa.bin.exe File opened (read-only) \??\K: Medusa.bin.exe File opened (read-only) \??\M: Medusa.bin.exe File opened (read-only) \??\J: Medusa.bin.exe File opened (read-only) \??\N: Medusa.bin.exe File opened (read-only) \??\Q: Medusa.bin.exe File opened (read-only) \??\U: Medusa.bin.exe File opened (read-only) \??\X: Medusa.bin.exe File opened (read-only) \??\Z: Medusa.bin.exe File opened (read-only) \??\B: Medusa.bin.exe File opened (read-only) \??\I: Medusa.bin.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4028 Medusa.bin.exe 4028 Medusa.bin.exe 4028 Medusa.bin.exe 4028 Medusa.bin.exe 4028 Medusa.bin.exe 4028 Medusa.bin.exe 4028 Medusa.bin.exe 4028 Medusa.bin.exe 4028 Medusa.bin.exe 4028 Medusa.bin.exe 4028 Medusa.bin.exe 4028 Medusa.bin.exe 4028 Medusa.bin.exe 4028 Medusa.bin.exe 4028 Medusa.bin.exe 4028 Medusa.bin.exe 4028 Medusa.bin.exe 4028 Medusa.bin.exe 4028 Medusa.bin.exe 4028 Medusa.bin.exe 4028 Medusa.bin.exe 4028 Medusa.bin.exe 4028 Medusa.bin.exe 4028 Medusa.bin.exe 4028 Medusa.bin.exe 4028 Medusa.bin.exe 4028 Medusa.bin.exe 4028 Medusa.bin.exe 4028 Medusa.bin.exe 4028 Medusa.bin.exe 4028 Medusa.bin.exe 4028 Medusa.bin.exe 4028 Medusa.bin.exe 4028 Medusa.bin.exe 4028 Medusa.bin.exe 4028 Medusa.bin.exe 4028 Medusa.bin.exe 4028 Medusa.bin.exe 4028 Medusa.bin.exe 4028 Medusa.bin.exe 4028 Medusa.bin.exe 4028 Medusa.bin.exe 4028 Medusa.bin.exe 4028 Medusa.bin.exe 4028 Medusa.bin.exe 4028 Medusa.bin.exe 4028 Medusa.bin.exe 4028 Medusa.bin.exe 4028 Medusa.bin.exe 4028 Medusa.bin.exe 4028 Medusa.bin.exe 4028 Medusa.bin.exe 4028 Medusa.bin.exe 4028 Medusa.bin.exe 4028 Medusa.bin.exe 4028 Medusa.bin.exe 4028 Medusa.bin.exe 4028 Medusa.bin.exe 4028 Medusa.bin.exe 4028 Medusa.bin.exe 4028 Medusa.bin.exe 4028 Medusa.bin.exe 4028 Medusa.bin.exe 4028 Medusa.bin.exe -
Suspicious use of AdjustPrivilegeToken 24 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 848 wmic.exe Token: SeSecurityPrivilege 848 wmic.exe Token: SeTakeOwnershipPrivilege 848 wmic.exe Token: SeLoadDriverPrivilege 848 wmic.exe Token: SeSystemProfilePrivilege 848 wmic.exe Token: SeSystemtimePrivilege 848 wmic.exe Token: SeProfSingleProcessPrivilege 848 wmic.exe Token: SeIncBasePriorityPrivilege 848 wmic.exe Token: SeCreatePagefilePrivilege 848 wmic.exe Token: SeBackupPrivilege 848 wmic.exe Token: SeRestorePrivilege 848 wmic.exe Token: SeShutdownPrivilege 848 wmic.exe Token: SeDebugPrivilege 848 wmic.exe Token: SeSystemEnvironmentPrivilege 848 wmic.exe Token: SeRemoteShutdownPrivilege 848 wmic.exe Token: SeUndockPrivilege 848 wmic.exe Token: SeManageVolumePrivilege 848 wmic.exe Token: 33 848 wmic.exe Token: 34 848 wmic.exe Token: 35 848 wmic.exe Token: 36 848 wmic.exe Token: SeAuditPrivilege 1876 svchost.exe Token: SeAuditPrivilege 1876 svchost.exe Token: SeAuditPrivilege 1876 svchost.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 4028 wrote to memory of 848 4028 Medusa.bin.exe 86 PID 4028 wrote to memory of 848 4028 Medusa.bin.exe 86 PID 4028 wrote to memory of 848 4028 Medusa.bin.exe 86 -
System policy modification 1 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Medusa.bin.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" Medusa.bin.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" Medusa.bin.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Medusa.bin.exe"C:\Users\Admin\AppData\Local\Temp\Medusa.bin.exe"1⤵
- UAC bypass
- Modifies extensions of user files
- Checks whether UAC is enabled
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4028 -
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:848
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1876
-
C:\Users\Admin\AppData\Roaming\svchostt.exeC:\Users\Admin\AppData\Roaming\svchostt.exe1⤵
- Executes dropped EXE
PID:4456
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
27KB
MD5b519154a47a672b60f019520552300af
SHA18607773e63c2228c612fc21b7476c55e862de8b9
SHA256ed8899801255d462a4d76c28ecf027d0e5c4e480a72a44b10a9328649c0a2de7
SHA512c8e346dc3626152f0220d8d9fa750b5639d5a7ff8025d33b71bfed52bf31c2719606b3ebceb472106183316ee4cfa7bbf9b595a4631064669777fd1ad96abfee
-
Filesize
661KB
MD519ddac9782acd73f66c5fe040e86ddee
SHA124ceba1e2951cde8e41939da21c6ba3030fc531d
SHA256dde3c98b6a370fb8d1785f3134a76cb465cd663db20dffe011da57a4de37aa95
SHA512e7be7472241fdd26db48dbd0311afe821905f6d59dfb56e3dc035944b7346b0767a8af76d110c5f60c0ba0183ca3791e56d9b3c8b9ba887afa111aafc949c1d4
-
Filesize
661KB
MD519ddac9782acd73f66c5fe040e86ddee
SHA124ceba1e2951cde8e41939da21c6ba3030fc531d
SHA256dde3c98b6a370fb8d1785f3134a76cb465cd663db20dffe011da57a4de37aa95
SHA512e7be7472241fdd26db48dbd0311afe821905f6d59dfb56e3dc035944b7346b0767a8af76d110c5f60c0ba0183ca3791e56d9b3c8b9ba887afa111aafc949c1d4