Resubmissions
30-11-2023 10:51
231130-mx5qxsah79 1029-06-2023 20:59
230629-zs72psfa95 1029-06-2023 16:29
230629-tzp7ksec27 10Analysis
-
max time kernel
150s -
max time network
30s -
platform
windows7_x64 -
resource
win7-20230621-en -
resource tags
arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system -
submitted
29-06-2023 16:29
Behavioral task
behavioral1
Sample
medusa.exe
Resource
win7-20230621-en
Behavioral task
behavioral2
Sample
medusa.exe
Resource
win10v2004-20230621-en
General
-
Target
medusa.exe
-
Size
235KB
-
MD5
f6f120d1262b88f79debb5d848ac7db9
-
SHA1
1339282f9b2d2a41326daf3cf284ec2ae8f0f93c
-
SHA256
1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281
-
SHA512
1067c1a73cf891d651fa007f4ccc4452f32801fe3859933ef1bcc00985e35ce016fa6c601c0e3c10df2080fc9b8a776b2f18d40bd64dfb98177ab638c4b545bd
-
SSDEEP
6144:c5vMUmRTTgwnfeP+Jx1cLNAIyBcc9WrEWUC4wQh/6BeX:/U8Tgufnx1cLNncgQWUUQh/+e
Malware Config
Extracted
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\HOW_TO_RECOVER_DATA.html
Signatures
-
MedusaLocker
Ransomware with several variants first seen in September 2019.
-
MedusaLocker payload 9 IoCs
resource yara_rule behavioral1/memory/828-55-0x0000000000100000-0x00000000001B2000-memory.dmp family_medusalocker behavioral1/memory/828-248-0x0000000000100000-0x00000000001B2000-memory.dmp family_medusalocker behavioral1/memory/828-318-0x0000000000100000-0x00000000001B2000-memory.dmp family_medusalocker behavioral1/memory/828-415-0x0000000000100000-0x00000000001B2000-memory.dmp family_medusalocker behavioral1/memory/828-869-0x0000000000100000-0x00000000001B2000-memory.dmp family_medusalocker behavioral1/memory/828-925-0x0000000000100000-0x00000000001B2000-memory.dmp family_medusalocker behavioral1/memory/1008-929-0x0000000000050000-0x0000000000102000-memory.dmp family_medusalocker behavioral1/memory/828-932-0x0000000000100000-0x00000000001B2000-memory.dmp family_medusalocker behavioral1/memory/828-933-0x0000000000100000-0x00000000001B2000-memory.dmp family_medusalocker -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" medusa.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" medusa.exe -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (281) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Modifies extensions of user files 6 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File renamed C:\Users\Admin\Pictures\CopyInvoke.crw => C:\Users\Admin\Pictures\CopyInvoke.crw.marlock07 medusa.exe File renamed C:\Users\Admin\Pictures\DebugCompress.png => C:\Users\Admin\Pictures\DebugCompress.png.marlock07 medusa.exe File renamed C:\Users\Admin\Pictures\NewMount.raw => C:\Users\Admin\Pictures\NewMount.raw.marlock07 medusa.exe File opened for modification C:\Users\Admin\Pictures\PingEnter.tiff medusa.exe File renamed C:\Users\Admin\Pictures\PingEnter.tiff => C:\Users\Admin\Pictures\PingEnter.tiff.marlock07 medusa.exe File renamed C:\Users\Admin\Pictures\ShowReceive.tif => C:\Users\Admin\Pictures\ShowReceive.tif.marlock07 medusa.exe -
Executes dropped EXE 1 IoCs
pid Process 1008 svhost.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral1/memory/828-55-0x0000000000100000-0x00000000001B2000-memory.dmp upx behavioral1/memory/828-248-0x0000000000100000-0x00000000001B2000-memory.dmp upx behavioral1/memory/828-318-0x0000000000100000-0x00000000001B2000-memory.dmp upx behavioral1/memory/828-415-0x0000000000100000-0x00000000001B2000-memory.dmp upx behavioral1/memory/828-869-0x0000000000100000-0x00000000001B2000-memory.dmp upx behavioral1/memory/828-925-0x0000000000100000-0x00000000001B2000-memory.dmp upx behavioral1/files/0x000b00000001231a-927.dat upx behavioral1/files/0x000b00000001231a-928.dat upx behavioral1/memory/1008-929-0x0000000000050000-0x0000000000102000-memory.dmp upx behavioral1/memory/828-932-0x0000000000100000-0x00000000001B2000-memory.dmp upx behavioral1/memory/828-933-0x0000000000100000-0x00000000001B2000-memory.dmp upx -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" medusa.exe -
Drops desktop.ini file(s) 1 IoCs
description ioc Process File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-3518257231-2980324860-1431329550-1000\desktop.ini medusa.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\Y: medusa.exe File opened (read-only) \??\I: medusa.exe File opened (read-only) \??\R: medusa.exe File opened (read-only) \??\X: medusa.exe File opened (read-only) \??\L: medusa.exe File opened (read-only) \??\M: medusa.exe File opened (read-only) \??\N: medusa.exe File opened (read-only) \??\P: medusa.exe File opened (read-only) \??\S: medusa.exe File opened (read-only) \??\A: medusa.exe File opened (read-only) \??\F: medusa.exe File opened (read-only) \??\H: medusa.exe File opened (read-only) \??\E: medusa.exe File opened (read-only) \??\K: medusa.exe File opened (read-only) \??\W: medusa.exe File opened (read-only) \??\O: medusa.exe File opened (read-only) \??\Q: medusa.exe File opened (read-only) \??\T: medusa.exe File opened (read-only) \??\U: medusa.exe File opened (read-only) \??\V: medusa.exe File opened (read-only) \??\B: medusa.exe File opened (read-only) \??\G: medusa.exe File opened (read-only) \??\J: medusa.exe File opened (read-only) \??\Z: medusa.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 1924 vssadmin.exe 980 vssadmin.exe 752 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 828 medusa.exe 828 medusa.exe 828 medusa.exe 828 medusa.exe 828 medusa.exe 828 medusa.exe 828 medusa.exe 828 medusa.exe 828 medusa.exe 828 medusa.exe 828 medusa.exe 828 medusa.exe 828 medusa.exe 828 medusa.exe 828 medusa.exe 828 medusa.exe 828 medusa.exe 828 medusa.exe 828 medusa.exe 828 medusa.exe 828 medusa.exe 828 medusa.exe 828 medusa.exe 828 medusa.exe 828 medusa.exe 828 medusa.exe 828 medusa.exe 828 medusa.exe 828 medusa.exe 828 medusa.exe 828 medusa.exe 828 medusa.exe 828 medusa.exe 828 medusa.exe 828 medusa.exe 828 medusa.exe 828 medusa.exe 828 medusa.exe 828 medusa.exe 828 medusa.exe 828 medusa.exe 828 medusa.exe 828 medusa.exe 828 medusa.exe 828 medusa.exe 828 medusa.exe 828 medusa.exe 828 medusa.exe 828 medusa.exe 828 medusa.exe 828 medusa.exe 828 medusa.exe 828 medusa.exe 828 medusa.exe 828 medusa.exe 828 medusa.exe 828 medusa.exe 828 medusa.exe 828 medusa.exe 828 medusa.exe 828 medusa.exe 828 medusa.exe 828 medusa.exe 828 medusa.exe -
Suspicious use of AdjustPrivilegeToken 63 IoCs
description pid Process Token: SeBackupPrivilege 1208 vssvc.exe Token: SeRestorePrivilege 1208 vssvc.exe Token: SeAuditPrivilege 1208 vssvc.exe Token: SeIncreaseQuotaPrivilege 1704 wmic.exe Token: SeSecurityPrivilege 1704 wmic.exe Token: SeTakeOwnershipPrivilege 1704 wmic.exe Token: SeLoadDriverPrivilege 1704 wmic.exe Token: SeSystemProfilePrivilege 1704 wmic.exe Token: SeSystemtimePrivilege 1704 wmic.exe Token: SeProfSingleProcessPrivilege 1704 wmic.exe Token: SeIncBasePriorityPrivilege 1704 wmic.exe Token: SeCreatePagefilePrivilege 1704 wmic.exe Token: SeBackupPrivilege 1704 wmic.exe Token: SeRestorePrivilege 1704 wmic.exe Token: SeShutdownPrivilege 1704 wmic.exe Token: SeDebugPrivilege 1704 wmic.exe Token: SeSystemEnvironmentPrivilege 1704 wmic.exe Token: SeRemoteShutdownPrivilege 1704 wmic.exe Token: SeUndockPrivilege 1704 wmic.exe Token: SeManageVolumePrivilege 1704 wmic.exe Token: 33 1704 wmic.exe Token: 34 1704 wmic.exe Token: 35 1704 wmic.exe Token: SeIncreaseQuotaPrivilege 1796 wmic.exe Token: SeSecurityPrivilege 1796 wmic.exe Token: SeTakeOwnershipPrivilege 1796 wmic.exe Token: SeLoadDriverPrivilege 1796 wmic.exe Token: SeSystemProfilePrivilege 1796 wmic.exe Token: SeSystemtimePrivilege 1796 wmic.exe Token: SeProfSingleProcessPrivilege 1796 wmic.exe Token: SeIncBasePriorityPrivilege 1796 wmic.exe Token: SeCreatePagefilePrivilege 1796 wmic.exe Token: SeBackupPrivilege 1796 wmic.exe Token: SeRestorePrivilege 1796 wmic.exe Token: SeShutdownPrivilege 1796 wmic.exe Token: SeDebugPrivilege 1796 wmic.exe Token: SeSystemEnvironmentPrivilege 1796 wmic.exe Token: SeRemoteShutdownPrivilege 1796 wmic.exe Token: SeUndockPrivilege 1796 wmic.exe Token: SeManageVolumePrivilege 1796 wmic.exe Token: 33 1796 wmic.exe Token: 34 1796 wmic.exe Token: 35 1796 wmic.exe Token: SeIncreaseQuotaPrivilege 1384 wmic.exe Token: SeSecurityPrivilege 1384 wmic.exe Token: SeTakeOwnershipPrivilege 1384 wmic.exe Token: SeLoadDriverPrivilege 1384 wmic.exe Token: SeSystemProfilePrivilege 1384 wmic.exe Token: SeSystemtimePrivilege 1384 wmic.exe Token: SeProfSingleProcessPrivilege 1384 wmic.exe Token: SeIncBasePriorityPrivilege 1384 wmic.exe Token: SeCreatePagefilePrivilege 1384 wmic.exe Token: SeBackupPrivilege 1384 wmic.exe Token: SeRestorePrivilege 1384 wmic.exe Token: SeShutdownPrivilege 1384 wmic.exe Token: SeDebugPrivilege 1384 wmic.exe Token: SeSystemEnvironmentPrivilege 1384 wmic.exe Token: SeRemoteShutdownPrivilege 1384 wmic.exe Token: SeUndockPrivilege 1384 wmic.exe Token: SeManageVolumePrivilege 1384 wmic.exe Token: 33 1384 wmic.exe Token: 34 1384 wmic.exe Token: 35 1384 wmic.exe -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 828 wrote to memory of 1924 828 medusa.exe 27 PID 828 wrote to memory of 1924 828 medusa.exe 27 PID 828 wrote to memory of 1924 828 medusa.exe 27 PID 828 wrote to memory of 1924 828 medusa.exe 27 PID 828 wrote to memory of 1704 828 medusa.exe 30 PID 828 wrote to memory of 1704 828 medusa.exe 30 PID 828 wrote to memory of 1704 828 medusa.exe 30 PID 828 wrote to memory of 1704 828 medusa.exe 30 PID 828 wrote to memory of 980 828 medusa.exe 32 PID 828 wrote to memory of 980 828 medusa.exe 32 PID 828 wrote to memory of 980 828 medusa.exe 32 PID 828 wrote to memory of 980 828 medusa.exe 32 PID 828 wrote to memory of 1796 828 medusa.exe 34 PID 828 wrote to memory of 1796 828 medusa.exe 34 PID 828 wrote to memory of 1796 828 medusa.exe 34 PID 828 wrote to memory of 1796 828 medusa.exe 34 PID 828 wrote to memory of 752 828 medusa.exe 36 PID 828 wrote to memory of 752 828 medusa.exe 36 PID 828 wrote to memory of 752 828 medusa.exe 36 PID 828 wrote to memory of 752 828 medusa.exe 36 PID 828 wrote to memory of 1384 828 medusa.exe 38 PID 828 wrote to memory of 1384 828 medusa.exe 38 PID 828 wrote to memory of 1384 828 medusa.exe 38 PID 828 wrote to memory of 1384 828 medusa.exe 38 PID 1056 wrote to memory of 1008 1056 taskeng.exe 43 PID 1056 wrote to memory of 1008 1056 taskeng.exe 43 PID 1056 wrote to memory of 1008 1056 taskeng.exe 43 PID 1056 wrote to memory of 1008 1056 taskeng.exe 43 -
System policy modification 1 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" medusa.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" medusa.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" medusa.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\medusa.exe"C:\Users\Admin\AppData\Local\Temp\medusa.exe"1⤵
- UAC bypass
- Modifies extensions of user files
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:828 -
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
PID:1924
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1704
-
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
PID:980
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1796
-
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
PID:752
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1384
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1208
-
C:\Windows\system32\taskeng.exetaskeng.exe {0CD7E597-E49E-4D13-84BA-37A24EA211DD} S-1-5-21-3518257231-2980324860-1431329550-1000:VWMLZJGN\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
PID:1056 -
C:\Users\Admin\AppData\Roaming\svhost.exeC:\Users\Admin\AppData\Roaming\svhost.exe2⤵
- Executes dropped EXE
PID:1008
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD52d8ba2ec1a0af5609c2165e1ac95c13e
SHA1a7ff54895e7747b5188a379f2430971d2538e8a6
SHA2566b3a5a37a18c2f378cf24aeebcbc3a4edfedc3a0b2db421df92996e532765594
SHA51281ba7d05af14322ad1c9bda60f1687fbaa23a2f24500fe8da6cdb684c0327c7e922c6a284a937e1b93d3bae1829d62e7738488367312d54c0de19a77aa1428ee
-
Filesize
235KB
MD5f6f120d1262b88f79debb5d848ac7db9
SHA11339282f9b2d2a41326daf3cf284ec2ae8f0f93c
SHA2561bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281
SHA5121067c1a73cf891d651fa007f4ccc4452f32801fe3859933ef1bcc00985e35ce016fa6c601c0e3c10df2080fc9b8a776b2f18d40bd64dfb98177ab638c4b545bd
-
Filesize
235KB
MD5f6f120d1262b88f79debb5d848ac7db9
SHA11339282f9b2d2a41326daf3cf284ec2ae8f0f93c
SHA2561bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281
SHA5121067c1a73cf891d651fa007f4ccc4452f32801fe3859933ef1bcc00985e35ce016fa6c601c0e3c10df2080fc9b8a776b2f18d40bd64dfb98177ab638c4b545bd
-
Filesize
536B
MD5226637558ac3e9492fa296028f37d4da
SHA1b7cb5cae6dd9873dff3b57e7508999e6f276e4f7
SHA256038f1fa4e83340950555b73c9c648e99e4a5a53ab6fde439275286151a090032
SHA5120514bbff6c1c6463e7330b99d78a09390ce17738d32bc82ed57eae94d283729061834cb5fa7d127f86ea85dc95d310ae0d9d22614cad4eaf5de95df4e4fb57cb