Overview

overview

10

Static

static

10

medusa.exe

windows7-x64

10

medusa.exe

windows10-2004-x64

10

Resubmissions

30-11-2023 10:51

231130-mx5qxsah79 10

29-06-2023 20:59

230629-zs72psfa95 10

29-06-2023 16:29

230629-tzp7ksec27 10

Analysis

  • max time kernel
    150s
  • max time network
    30s
  • platform
    windows7_x64
  • resource
    win7-20230621-en
  • resource tags

    arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
  • submitted
    29-06-2023 16:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    medusa.exe

  • Size

    235KB

  • MD5

    f6f120d1262b88f79debb5d848ac7db9

  • SHA1

    1339282f9b2d2a41326daf3cf284ec2ae8f0f93c

  • SHA256

    1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281

  • SHA512

    1067c1a73cf891d651fa007f4ccc4452f32801fe3859933ef1bcc00985e35ce016fa6c601c0e3c10df2080fc9b8a776b2f18d40bd64dfb98177ab638c4b545bd

  • SSDEEP

    6144:c5vMUmRTTgwnfeP+Jx1cLNAIyBcc9WrEWUC4wQh/6BeX:/U8Tgufnx1cLNncgQWUUQh/+e

Score
10/10
medusalockerevasionransomwarespywarestealertrojanupx

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\HOW_TO_RECOVER_DATA.html

Ransom Note
<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">B796AD9A428FE26214C71E98A6C989E781B447EE3E0026FF740FE4C8527BAD8CC3AA5846FA36DB171C21317032E610726A15DDE50CD2A25CCF308CA00661A236<br>FFEFB2FE7947F5241760F3A8C4D5B94299AE82FD1A16D3D1BE056D777ED4A6961405050AB2327ADB677244686BF7705E4F606AF590CE68D85BF029ADC513<br>FC452933BCA42804936062C07E2B4CAD88B9E4F106CDB405B89EB4D39868B2B3D53A8222F0BCBDA17EC875466FA4C4654548AF0C7D00AA32F84B1DE818DB<br>2211A3C241EEAF0BEC22AFE9511A03ED03E77B8C04BDF4016AD4C7DD350651F199519CB783ABA9D3C01DA7DA9EECDBB65693556666F8A660F74570FBA3F8<br>FE9BC8BAE902DED640FEDDF0A19EA1EDA45AC077294632DAD3D575867E757B86E98A4EFB12C3824E665BAFFCDCE7C73642187C790E64F300325CB50816F8<br>1EF54F9E1C143F6D1F4E57E94A464627D3E872C1C2A27AF6AE51FA7C8E9978E013C896F5981190FDB5B21B1D4BA29E5256EC8201D84D55DB5FF98C6760E9<br>DB01D5663776D3D3C15154E853064E73F530158652DFA00088F4BB7CA1CACD35BE641470A6745017F6B123CD12A9A0D441F5E3C0E2FAFAE541843C98B4B5<br>248AA765D831EC36C5FCA1A6074E2731F6E0FB647DA6F2E131FA67205143877102380695B9F5F9AB8108194A9FACE5F04F1C44D6F54A1BA34DFD9C4F6ACE<br>B620BEB7F0424751FF1307FF664D</span> <br> <!-- !!! dont changing this !!! --> </div> </div> <!-- --> <div class="tabs"> <!--tab--> <div class="tab"> <div id="tab-content1" class="content"> <div class="text"> <!--text data --> <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br> <!--text data --> <hr> <b>Contact us for price and get decryption software.</b><br><br> <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</a><br> * Note that this server is available via Tor browser only<br><br> Follow the instructions to open the link:<br> 1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br> 2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br> 3. Now you have Tor browser. In the Tor Browser open <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion<br> </a> 4. Start a chat and follow the further instructions. <br> <hr> <b>If you can not use the above link, use the email:</b><br> <a href="[email protected] ">[email protected] </a> <br> <a href="[email protected] ">[email protected] </a> <br> <p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> </div> </div> </div> <!--tab--> <!--text data --> </div> </div> <!--tab--> </div> </div> </body> </html>

Signatures

  • MedusaLocker

    Ransomware with several variants first seen in September 2019.

    ransomwaremedusalocker
  • MedusaLocker payload 9 IoCs
  • UAC bypass 3 TTPs 2 IoCs
    evasiontrojan
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Renames multiple (281) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Modifies extensions of user files 6 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 3 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 63 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • System policy modification 1 TTPs 3 IoCs
    evasion
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\medusa.exe
    "C:\Users\Admin\AppData\Local\Temp\medusa.exe"
    1⤵
    • UAC bypass
    • Modifies extensions of user files
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:828
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:1924
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1704
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:980
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1796
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:752
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1384
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1208
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {0CD7E597-E49E-4D13-84BA-37A24EA211DD} S-1-5-21-3518257231-2980324860-1431329550-1000:VWMLZJGN\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1056
    • C:\Users\Admin\AppData\Roaming\svhost.exe
      C:\Users\Admin\AppData\Roaming\svhost.exe
      2⤵
      • Executes dropped EXE
      PID:1008

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\HOW_TO_RECOVER_DATA.html
    Filesize

    4KB

    MD5

    2d8ba2ec1a0af5609c2165e1ac95c13e

    SHA1

    a7ff54895e7747b5188a379f2430971d2538e8a6

    SHA256

    6b3a5a37a18c2f378cf24aeebcbc3a4edfedc3a0b2db421df92996e532765594

    SHA512

    81ba7d05af14322ad1c9bda60f1687fbaa23a2f24500fe8da6cdb684c0327c7e922c6a284a937e1b93d3bae1829d62e7738488367312d54c0de19a77aa1428ee

    Download Submit

  • C:\Users\Admin\AppData\Roaming\svhost.exe
    Filesize

    235KB

    MD5

    f6f120d1262b88f79debb5d848ac7db9

    SHA1

    1339282f9b2d2a41326daf3cf284ec2ae8f0f93c

    SHA256

    1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281

    SHA512

    1067c1a73cf891d651fa007f4ccc4452f32801fe3859933ef1bcc00985e35ce016fa6c601c0e3c10df2080fc9b8a776b2f18d40bd64dfb98177ab638c4b545bd

    Download Submit

  • C:\Users\Admin\AppData\Roaming\svhost.exe
    Filesize

    235KB

    MD5

    f6f120d1262b88f79debb5d848ac7db9

    SHA1

    1339282f9b2d2a41326daf3cf284ec2ae8f0f93c

    SHA256

    1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281

    SHA512

    1067c1a73cf891d651fa007f4ccc4452f32801fe3859933ef1bcc00985e35ce016fa6c601c0e3c10df2080fc9b8a776b2f18d40bd64dfb98177ab638c4b545bd

    Download Submit

  • C:\Users\Default\NTUSER.DAT.LOG2
    Filesize

    536B

    MD5

    226637558ac3e9492fa296028f37d4da

    SHA1

    b7cb5cae6dd9873dff3b57e7508999e6f276e4f7

    SHA256

    038f1fa4e83340950555b73c9c648e99e4a5a53ab6fde439275286151a090032

    SHA512

    0514bbff6c1c6463e7330b99d78a09390ce17738d32bc82ed57eae94d283729061834cb5fa7d127f86ea85dc95d310ae0d9d22614cad4eaf5de95df4e4fb57cb

    Download Submit

  • memory/828-318-0x0000000000100000-0x00000000001B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/828-415-0x0000000000100000-0x00000000001B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/828-869-0x0000000000100000-0x00000000001B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/828-925-0x0000000000100000-0x00000000001B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/828-55-0x0000000000100000-0x00000000001B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/828-248-0x0000000000100000-0x00000000001B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/828-932-0x0000000000100000-0x00000000001B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/828-933-0x0000000000100000-0x00000000001B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/1008-929-0x0000000000050000-0x0000000000102000-memory.dmp

    Filesize

    712KB

    Download