Overview

overview

10

Static

static

10

Medusa.bin.exe

windows7-x64

10

Medusa.bin.exe

windows10-2004-x64

10

Resubmissions

13-03-2023 21:04

230313-zwvwjsca84 10

11-03-2023 04:46

230311-fdzbgaac8v 10

Analysis

  • max time kernel
    144s
  • max time network
    104s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-03-2023 04:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Medusa.bin.exe

  • Size

    661KB

  • MD5

    19ddac9782acd73f66c5fe040e86ddee

  • SHA1

    24ceba1e2951cde8e41939da21c6ba3030fc531d

  • SHA256

    dde3c98b6a370fb8d1785f3134a76cb465cd663db20dffe011da57a4de37aa95

  • SHA512

    e7be7472241fdd26db48dbd0311afe821905f6d59dfb56e3dc035944b7346b0767a8af76d110c5f60c0ba0183ca3791e56d9b3c8b9ba887afa111aafc949c1d4

  • SSDEEP

    12288:vN3K5e8nbwFigzk6VVMqX8aQNRMcauV9B/rtiPnA40Q8:hCXbwFigzkQVdXvlcayDh49

Score
10/10
medusalockerevasionransomwarespywarestealertrojan

Malware Config

Signatures

  • MedusaLocker

    Ransomware with several variants first seen in September 2019.

    ransomwaremedusalocker
  • MedusaLocker payload 2 IoCs
  • UAC bypass 3 TTPs 2 IoCs
    evasiontrojan
  • Modifies extensions of user files 5 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • System policy modification 1 TTPs 3 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Medusa.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\Medusa.bin.exe"
    1⤵
    • UAC bypass
    • Modifies extensions of user files
    • Checks whether UAC is enabled
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4028
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:848
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1876
  • C:\Users\Admin\AppData\Roaming\svchostt.exe
    C:\Users\Admin\AppData\Roaming\svchostt.exe
    1⤵
    • Executes dropped EXE
    PID:4456

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Recovery\WindowsRE\HOW_TO_RECOVER_DATA.html
    Filesize

    27KB

    MD5

    b519154a47a672b60f019520552300af

    SHA1

    8607773e63c2228c612fc21b7476c55e862de8b9

    SHA256

    ed8899801255d462a4d76c28ecf027d0e5c4e480a72a44b10a9328649c0a2de7

    SHA512

    c8e346dc3626152f0220d8d9fa750b5639d5a7ff8025d33b71bfed52bf31c2719606b3ebceb472106183316ee4cfa7bbf9b595a4631064669777fd1ad96abfee

    Download Submit

  • C:\Users\Admin\AppData\Roaming\svchostt.exe
    Filesize

    661KB

    MD5

    19ddac9782acd73f66c5fe040e86ddee

    SHA1

    24ceba1e2951cde8e41939da21c6ba3030fc531d

    SHA256

    dde3c98b6a370fb8d1785f3134a76cb465cd663db20dffe011da57a4de37aa95

    SHA512

    e7be7472241fdd26db48dbd0311afe821905f6d59dfb56e3dc035944b7346b0767a8af76d110c5f60c0ba0183ca3791e56d9b3c8b9ba887afa111aafc949c1d4

    Download Submit

  • C:\Users\Admin\AppData\Roaming\svchostt.exe
    Filesize

    661KB

    MD5

    19ddac9782acd73f66c5fe040e86ddee

    SHA1

    24ceba1e2951cde8e41939da21c6ba3030fc531d

    SHA256

    dde3c98b6a370fb8d1785f3134a76cb465cd663db20dffe011da57a4de37aa95

    SHA512

    e7be7472241fdd26db48dbd0311afe821905f6d59dfb56e3dc035944b7346b0767a8af76d110c5f60c0ba0183ca3791e56d9b3c8b9ba887afa111aafc949c1d4

    Download Submit