Analysis
-
max time kernel
145s -
max time network
130s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
06-04-2023 15:58
Behavioral task
behavioral1
Sample
Medusa1.bin.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
Medusa1.bin.exe
Resource
win10v2004-20230220-en
General
-
Target
Medusa1.bin.exe
-
Size
235KB
-
MD5
f6f120d1262b88f79debb5d848ac7db9
-
SHA1
1339282f9b2d2a41326daf3cf284ec2ae8f0f93c
-
SHA256
1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281
-
SHA512
1067c1a73cf891d651fa007f4ccc4452f32801fe3859933ef1bcc00985e35ce016fa6c601c0e3c10df2080fc9b8a776b2f18d40bd64dfb98177ab638c4b545bd
-
SSDEEP
6144:c5vMUmRTTgwnfeP+Jx1cLNAIyBcc9WrEWUC4wQh/6BeX:/U8Tgufnx1cLNncgQWUUQh/+e
Malware Config
Extracted
\Device\HarddiskVolume1\Boot\HOW_TO_RECOVER_DATA.html
Signatures
-
MedusaLocker
Ransomware with several variants first seen in September 2019.
-
MedusaLocker payload 15 IoCs
resource yara_rule behavioral2/memory/384-163-0x0000000000FA0000-0x0000000001052000-memory.dmp family_medusalocker behavioral2/memory/384-164-0x0000000000FA0000-0x0000000001052000-memory.dmp family_medusalocker behavioral2/memory/384-537-0x0000000000FA0000-0x0000000001052000-memory.dmp family_medusalocker behavioral2/memory/384-808-0x0000000000FA0000-0x0000000001052000-memory.dmp family_medusalocker behavioral2/memory/384-809-0x0000000000FA0000-0x0000000001052000-memory.dmp family_medusalocker behavioral2/memory/384-810-0x0000000000FA0000-0x0000000001052000-memory.dmp family_medusalocker behavioral2/memory/384-811-0x0000000000FA0000-0x0000000001052000-memory.dmp family_medusalocker behavioral2/memory/2988-814-0x0000000000120000-0x00000000001D2000-memory.dmp family_medusalocker behavioral2/memory/384-816-0x0000000000FA0000-0x0000000001052000-memory.dmp family_medusalocker behavioral2/memory/384-817-0x0000000000FA0000-0x0000000001052000-memory.dmp family_medusalocker behavioral2/memory/384-818-0x0000000000FA0000-0x0000000001052000-memory.dmp family_medusalocker behavioral2/memory/384-819-0x0000000000FA0000-0x0000000001052000-memory.dmp family_medusalocker behavioral2/memory/384-820-0x0000000000FA0000-0x0000000001052000-memory.dmp family_medusalocker behavioral2/memory/384-821-0x0000000000FA0000-0x0000000001052000-memory.dmp family_medusalocker behavioral2/memory/384-822-0x0000000000FA0000-0x0000000001052000-memory.dmp family_medusalocker -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" Medusa1.bin.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Medusa1.bin.exe -
Modifies extensions of user files 5 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File renamed C:\Users\Admin\Pictures\UnprotectStart.tiff => C:\Users\Admin\Pictures\UnprotectStart.tiff.marlock07 Medusa1.bin.exe File renamed C:\Users\Admin\Pictures\ExportRead.png => C:\Users\Admin\Pictures\ExportRead.png.marlock07 Medusa1.bin.exe File renamed C:\Users\Admin\Pictures\InitializeUpdate.crw => C:\Users\Admin\Pictures\InitializeUpdate.crw.marlock07 Medusa1.bin.exe File renamed C:\Users\Admin\Pictures\RestartPop.crw => C:\Users\Admin\Pictures\RestartPop.crw.marlock07 Medusa1.bin.exe File opened for modification C:\Users\Admin\Pictures\UnprotectStart.tiff Medusa1.bin.exe -
Executes dropped EXE 1 IoCs
pid Process 2988 svhost.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral2/memory/384-133-0x0000000000FA0000-0x0000000001052000-memory.dmp upx behavioral2/memory/384-163-0x0000000000FA0000-0x0000000001052000-memory.dmp upx behavioral2/memory/384-164-0x0000000000FA0000-0x0000000001052000-memory.dmp upx behavioral2/memory/384-537-0x0000000000FA0000-0x0000000001052000-memory.dmp upx behavioral2/memory/384-808-0x0000000000FA0000-0x0000000001052000-memory.dmp upx behavioral2/memory/384-809-0x0000000000FA0000-0x0000000001052000-memory.dmp upx behavioral2/memory/384-810-0x0000000000FA0000-0x0000000001052000-memory.dmp upx behavioral2/memory/384-811-0x0000000000FA0000-0x0000000001052000-memory.dmp upx behavioral2/files/0x0006000000023158-812.dat upx behavioral2/files/0x0006000000023158-813.dat upx behavioral2/memory/2988-814-0x0000000000120000-0x00000000001D2000-memory.dmp upx behavioral2/memory/384-816-0x0000000000FA0000-0x0000000001052000-memory.dmp upx behavioral2/memory/384-817-0x0000000000FA0000-0x0000000001052000-memory.dmp upx behavioral2/memory/384-818-0x0000000000FA0000-0x0000000001052000-memory.dmp upx behavioral2/memory/384-819-0x0000000000FA0000-0x0000000001052000-memory.dmp upx behavioral2/memory/384-820-0x0000000000FA0000-0x0000000001052000-memory.dmp upx behavioral2/memory/384-821-0x0000000000FA0000-0x0000000001052000-memory.dmp upx behavioral2/memory/384-822-0x0000000000FA0000-0x0000000001052000-memory.dmp upx -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Medusa1.bin.exe -
Drops desktop.ini file(s) 1 IoCs
description ioc Process File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-1013461898-3711306144-4198452673-1000\desktop.ini Medusa1.bin.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\L: Medusa1.bin.exe File opened (read-only) \??\O: Medusa1.bin.exe File opened (read-only) \??\U: Medusa1.bin.exe File opened (read-only) \??\V: Medusa1.bin.exe File opened (read-only) \??\X: Medusa1.bin.exe File opened (read-only) \??\Y: Medusa1.bin.exe File opened (read-only) \??\F: Medusa1.bin.exe File opened (read-only) \??\H: Medusa1.bin.exe File opened (read-only) \??\N: Medusa1.bin.exe File opened (read-only) \??\P: Medusa1.bin.exe File opened (read-only) \??\Q: Medusa1.bin.exe File opened (read-only) \??\R: Medusa1.bin.exe File opened (read-only) \??\W: Medusa1.bin.exe File opened (read-only) \??\I: Medusa1.bin.exe File opened (read-only) \??\T: Medusa1.bin.exe File opened (read-only) \??\S: Medusa1.bin.exe File opened (read-only) \??\A: Medusa1.bin.exe File opened (read-only) \??\B: Medusa1.bin.exe File opened (read-only) \??\E: Medusa1.bin.exe File opened (read-only) \??\G: Medusa1.bin.exe File opened (read-only) \??\J: Medusa1.bin.exe File opened (read-only) \??\K: Medusa1.bin.exe File opened (read-only) \??\M: Medusa1.bin.exe File opened (read-only) \??\Z: Medusa1.bin.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 384 Medusa1.bin.exe 384 Medusa1.bin.exe 384 Medusa1.bin.exe 384 Medusa1.bin.exe 384 Medusa1.bin.exe 384 Medusa1.bin.exe 384 Medusa1.bin.exe 384 Medusa1.bin.exe 384 Medusa1.bin.exe 384 Medusa1.bin.exe 384 Medusa1.bin.exe 384 Medusa1.bin.exe 384 Medusa1.bin.exe 384 Medusa1.bin.exe 384 Medusa1.bin.exe 384 Medusa1.bin.exe 384 Medusa1.bin.exe 384 Medusa1.bin.exe 384 Medusa1.bin.exe 384 Medusa1.bin.exe 384 Medusa1.bin.exe 384 Medusa1.bin.exe 384 Medusa1.bin.exe 384 Medusa1.bin.exe 384 Medusa1.bin.exe 384 Medusa1.bin.exe 384 Medusa1.bin.exe 384 Medusa1.bin.exe 384 Medusa1.bin.exe 384 Medusa1.bin.exe 384 Medusa1.bin.exe 384 Medusa1.bin.exe 384 Medusa1.bin.exe 384 Medusa1.bin.exe 384 Medusa1.bin.exe 384 Medusa1.bin.exe 384 Medusa1.bin.exe 384 Medusa1.bin.exe 384 Medusa1.bin.exe 384 Medusa1.bin.exe 384 Medusa1.bin.exe 384 Medusa1.bin.exe 384 Medusa1.bin.exe 384 Medusa1.bin.exe 384 Medusa1.bin.exe 384 Medusa1.bin.exe 384 Medusa1.bin.exe 384 Medusa1.bin.exe 384 Medusa1.bin.exe 384 Medusa1.bin.exe 384 Medusa1.bin.exe 384 Medusa1.bin.exe 384 Medusa1.bin.exe 384 Medusa1.bin.exe 384 Medusa1.bin.exe 384 Medusa1.bin.exe 384 Medusa1.bin.exe 384 Medusa1.bin.exe 384 Medusa1.bin.exe 384 Medusa1.bin.exe 384 Medusa1.bin.exe 384 Medusa1.bin.exe 384 Medusa1.bin.exe 384 Medusa1.bin.exe -
Suspicious use of AdjustPrivilegeToken 63 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 588 wmic.exe Token: SeSecurityPrivilege 588 wmic.exe Token: SeTakeOwnershipPrivilege 588 wmic.exe Token: SeLoadDriverPrivilege 588 wmic.exe Token: SeSystemProfilePrivilege 588 wmic.exe Token: SeSystemtimePrivilege 588 wmic.exe Token: SeProfSingleProcessPrivilege 588 wmic.exe Token: SeIncBasePriorityPrivilege 588 wmic.exe Token: SeCreatePagefilePrivilege 588 wmic.exe Token: SeBackupPrivilege 588 wmic.exe Token: SeRestorePrivilege 588 wmic.exe Token: SeShutdownPrivilege 588 wmic.exe Token: SeDebugPrivilege 588 wmic.exe Token: SeSystemEnvironmentPrivilege 588 wmic.exe Token: SeRemoteShutdownPrivilege 588 wmic.exe Token: SeUndockPrivilege 588 wmic.exe Token: SeManageVolumePrivilege 588 wmic.exe Token: 33 588 wmic.exe Token: 34 588 wmic.exe Token: 35 588 wmic.exe Token: 36 588 wmic.exe Token: SeIncreaseQuotaPrivilege 3840 wmic.exe Token: SeSecurityPrivilege 3840 wmic.exe Token: SeTakeOwnershipPrivilege 3840 wmic.exe Token: SeLoadDriverPrivilege 3840 wmic.exe Token: SeSystemProfilePrivilege 3840 wmic.exe Token: SeSystemtimePrivilege 3840 wmic.exe Token: SeProfSingleProcessPrivilege 3840 wmic.exe Token: SeIncBasePriorityPrivilege 3840 wmic.exe Token: SeCreatePagefilePrivilege 3840 wmic.exe Token: SeBackupPrivilege 3840 wmic.exe Token: SeRestorePrivilege 3840 wmic.exe Token: SeShutdownPrivilege 3840 wmic.exe Token: SeDebugPrivilege 3840 wmic.exe Token: SeSystemEnvironmentPrivilege 3840 wmic.exe Token: SeRemoteShutdownPrivilege 3840 wmic.exe Token: SeUndockPrivilege 3840 wmic.exe Token: SeManageVolumePrivilege 3840 wmic.exe Token: 33 3840 wmic.exe Token: 34 3840 wmic.exe Token: 35 3840 wmic.exe Token: 36 3840 wmic.exe Token: SeIncreaseQuotaPrivilege 4788 wmic.exe Token: SeSecurityPrivilege 4788 wmic.exe Token: SeTakeOwnershipPrivilege 4788 wmic.exe Token: SeLoadDriverPrivilege 4788 wmic.exe Token: SeSystemProfilePrivilege 4788 wmic.exe Token: SeSystemtimePrivilege 4788 wmic.exe Token: SeProfSingleProcessPrivilege 4788 wmic.exe Token: SeIncBasePriorityPrivilege 4788 wmic.exe Token: SeCreatePagefilePrivilege 4788 wmic.exe Token: SeBackupPrivilege 4788 wmic.exe Token: SeRestorePrivilege 4788 wmic.exe Token: SeShutdownPrivilege 4788 wmic.exe Token: SeDebugPrivilege 4788 wmic.exe Token: SeSystemEnvironmentPrivilege 4788 wmic.exe Token: SeRemoteShutdownPrivilege 4788 wmic.exe Token: SeUndockPrivilege 4788 wmic.exe Token: SeManageVolumePrivilege 4788 wmic.exe Token: 33 4788 wmic.exe Token: 34 4788 wmic.exe Token: 35 4788 wmic.exe Token: 36 4788 wmic.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 384 wrote to memory of 588 384 Medusa1.bin.exe 85 PID 384 wrote to memory of 588 384 Medusa1.bin.exe 85 PID 384 wrote to memory of 588 384 Medusa1.bin.exe 85 PID 384 wrote to memory of 3840 384 Medusa1.bin.exe 87 PID 384 wrote to memory of 3840 384 Medusa1.bin.exe 87 PID 384 wrote to memory of 3840 384 Medusa1.bin.exe 87 PID 384 wrote to memory of 4788 384 Medusa1.bin.exe 89 PID 384 wrote to memory of 4788 384 Medusa1.bin.exe 89 PID 384 wrote to memory of 4788 384 Medusa1.bin.exe 89 -
System policy modification 1 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" Medusa1.bin.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Medusa1.bin.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" Medusa1.bin.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Medusa1.bin.exe"C:\Users\Admin\AppData\Local\Temp\Medusa1.bin.exe"1⤵
- UAC bypass
- Modifies extensions of user files
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:384 -
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:588
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3840
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4788
-
-
C:\Users\Admin\AppData\Roaming\svhost.exeC:\Users\Admin\AppData\Roaming\svhost.exe1⤵
- Executes dropped EXE
PID:2988
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
235KB
MD5f6f120d1262b88f79debb5d848ac7db9
SHA11339282f9b2d2a41326daf3cf284ec2ae8f0f93c
SHA2561bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281
SHA5121067c1a73cf891d651fa007f4ccc4452f32801fe3859933ef1bcc00985e35ce016fa6c601c0e3c10df2080fc9b8a776b2f18d40bd64dfb98177ab638c4b545bd
-
Filesize
235KB
MD5f6f120d1262b88f79debb5d848ac7db9
SHA11339282f9b2d2a41326daf3cf284ec2ae8f0f93c
SHA2561bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281
SHA5121067c1a73cf891d651fa007f4ccc4452f32801fe3859933ef1bcc00985e35ce016fa6c601c0e3c10df2080fc9b8a776b2f18d40bd64dfb98177ab638c4b545bd
-
Filesize
536B
MD5ae0c4e587d0042a8e1f07c43e71b5c8d
SHA14ae8397054fafd6df9fa289a444384f5703c51a0
SHA2561a84fa041c4eafdffd402f5072b9f479677427a1be900d04d5558ab42178c103
SHA512460209040cf32020907c4f023d09421962a509bfbc84017f6ecff529f5dd799953343f8bc074ad78406c79a97da86989394566e9ea628a1805d617b676ce1909
-
Filesize
4KB
MD5704a5e75caee4e3769c43e43930601b9
SHA1967865725a62d69664629e348c8b5b50dff146f5
SHA2566c6724aebf60bfeea0395bc84b37658448549350cc19b03cdf5d13e7f85ba484
SHA512548fc008ac4441ba2a47fc4ad227b5c6eb0c5b88fca7b48bb0b6bd8903f210138978ca3cc824d5adfc0a492d263c0625354ce034f2304c50edf115480a229890