Behavioral task
behavioral1
Sample
f6108f33ce141564f1989471bd4e9747a1bc37e6c7d242caa3163a4495c85b8a.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
f6108f33ce141564f1989471bd4e9747a1bc37e6c7d242caa3163a4495c85b8a.exe
Resource
win10v2004-20230220-en
General
-
Target
10106272231.zip
-
Size
2.8MB
-
MD5
bcbccf230350d9f446b5564f7be94661
-
SHA1
5684ad2f6f7d0388694b9d6a4430da55d6e78140
-
SHA256
5592c91362b538d7592216ec062b518a587f25e192c935c92d1346a8325845e7
-
SHA512
c75202442c6337bf38ffa22c7ea653aedffb3e0f3baaad2a37674fa41f877dcc00c7469da62fa01f00906d141abad2558e7579bd9e5094365d9915efbd23523c
-
SSDEEP
49152:d83AOWdsAJy2Qmi5QXiRzTRHWcaoEWMOwVupk6y9GUbqpFEUwj3y2UACSjoxZ:6w5dZJnWKi9TR2NUwBvtqw3Slpz
Malware Config
Extracted
agenda
-
company_id
MmXReVIxLV
-
note
-- Qilin Your network/system was encrypted. Encrypted files have new extension. -- Compromising and sensitive data We have downloaded compromising and sensitive data from you system/network If you refuse to communicate with us and we do not come to an agreementyour data will be published. Data includes: - Employees personal dataCVsDLSSN. - Complete network map including credentials for local and remote services. - Financial information including clients databillsbudgetsannual reportsbank statements. - Complete datagrams/schemas/drawings for manufacturing in solidworks format - And more... -- Warning 1) If you modify files - our decrypt software won't able to recover data 2) If you use third party software - you can damage/modify files (see item 1) 3) You need cipher key / our decrypt software to restore you files. 4) The police or authorities will not be able to help you get the cipher key. We encourage you to consider your decisions. -- Recovery 1) Download tor browser: https://www.torproject.org/download/ 2) Go to domain 3) Enter credentials -- Credentials Extension: MmXReVIxLV Domain: ueegj65kwr3v3sjhli73gjtmfnh2uqlte3vyg2kkyqq7cja2yx2ptaad.onion login: 6f031ccd-526a-4806-82a8-2e7d926243d4 password:
Signatures
-
Agenda family
-
MedusaLocker payload 1 IoCs
Processes:
resource yara_rule static1/unpack001/f6108f33ce141564f1989471bd4e9747a1bc37e6c7d242caa3163a4495c85b8a family_medusalocker -
Medusalocker family
Files
-
10106272231.zip.zip
Password: infected
-
f6108f33ce141564f1989471bd4e9747a1bc37e6c7d242caa3163a4495c85b8a.exe windows x86
f34d5f2d4577ed6d9ceec516c1f5a744
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Imports
mscoree
_CorExeMain
Sections
.text Size: 102KB - Virtual size: 102KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rsrc Size: 2KB - Virtual size: 1KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 512B - Virtual size: 12B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ