Resubmissions
30-11-2023 10:51  231130-mx5qxsah79  score 10
29-06-2023 20:59  230629-zs72psfa95  score 10
29-06-2023 16:29  230629-tzp7ksec27  score 10

Analysis
Max time kernel: 60s
Max time network: 30s
Platform: windows7_x64
Resource: win7-20230621-en
Resource tags: arch:x64, arch:x86, image:win7-20230621-en, locale:en-us, os:windows7-x64, system
Submitted: 29-06-2023 20:59
Behavioral task behavioral1: sample medusa.exe, resource win7-20230621-en
Behavioral task behavioral2: sample medusa.exe, resource win10v2004-20230621-en
General
Target: medusa.exe
Size: 235KB
MD5: f6f120d1262b88f79debb5d848ac7db9
SHA1: 1339282f9b2d2a41326daf3cf284ec2ae8f0f93c
SHA256: 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281
SHA512: 1067c1a73cf891d651fa007f4ccc4452f32801fe3859933ef1bcc00985e35ce016fa6c601c0e3c10df2080fc9b8a776b2f18d40bd64dfb98177ab638c4b545bd
SSDEEP: 6144:c5vMUmRTTgwnfeP+Jx1cLNAIyBcc9WrEWUC4wQh/6BeX:/U8Tgufnx1cLNncgQWUUQh/+e
Malware Config
Extracted from: C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\HOW_TO_RECOVER_DATA.html
Signatures

MedusaLocker
Ransomware with several variants first seen in September 2019.

MedusaLocker payload (5 IoCs)
resource                                                                      yara_rule
behavioral1/memory/2040-55-0x0000000000930000-0x00000000009E2000-memory.dmp   family_medusalocker
behavioral1/memory/2040-311-0x0000000000930000-0x00000000009E2000-memory.dmp  family_medusalocker
behavioral1/memory/2040-951-0x0000000000930000-0x00000000009E2000-memory.dmp  family_medusalocker
behavioral1/memory/2040-1003-0x0000000000930000-0x00000000009E2000-memory.dmp family_medusalocker
behavioral1/memory/2040-1005-0x0000000000930000-0x00000000009E2000-memory.dmp family_medusalocker

description      ioc                                                                                                   Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                  medusa.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" medusa.exe
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Renames multiple (308) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

Modifies extensions of user files (2 IoCs)
Ransomware generally changes the extension on encrypted files.
description                   ioc                                                                                              Process
File renamed                  C:\Users\Admin\Pictures\MergeSelect.tiff => C:\Users\Admin\Pictures\MergeSelect.tiff.marlock07   medusa.exe
File opened for modification  C:\Users\Admin\Pictures\MergeSelect.tiff                                                         medusa.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

resource                                                                      yara_rule
behavioral1/memory/2040-55-0x0000000000930000-0x00000000009E2000-memory.dmp   upx
behavioral1/memory/2040-311-0x0000000000930000-0x00000000009E2000-memory.dmp  upx
behavioral1/memory/2040-951-0x0000000000930000-0x00000000009E2000-memory.dmp  upx
behavioral1/memory/2040-1003-0x0000000000930000-0x00000000009E2000-memory.dmp upx
behavioral1/memory/2040-1005-0x0000000000930000-0x00000000009E2000-memory.dmp upx

description      ioc                                                                                    Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"   medusa.exe

Drops desktop.ini file(s) (1 IoC)
description                   ioc                                                                                  Process
File opened for modification  \??\Z:\$RECYCLE.BIN\S-1-5-21-1437583205-2177757337-340526699-1000\desktop.ini       medusa.exe
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description: File opened (read-only); Process: medusa.exe
ioc (in the order reported): \??\S:, \??\V:, \??\W:, \??\B:, \??\E:, \??\O:, \??\X:, \??\Z:, \??\G:, \??\I:, \??\T:, \??\L:, \??\N:, \??\P:, \??\Q:, \??\R:, \??\F:, \??\H:, \??\J:, \??\U:, \??\Y:, \??\A:, \??\K:, \??\M:

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Interacts with shadow copies (2 TTPs, 3 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid   Process
1644  vssadmin.exe
1824  vssadmin.exe
304   vssadmin.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid   Process
2040  medusa.exe (the same row is reported 64 times)
Suspicious use of AdjustPrivilegeToken (63 IoCs)
description: Token; grouped below by process, in the order reported
pid 1504 vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
pid 1172 wmic.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
pid 1460 wmic.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
pid 1464 wmic.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
Suspicious use of WriteProcessMemory (24 IoCs)
description                  pid   Process     procid_target
PID 2040 wrote to memory of  1644  medusa.exe  28  (reported 4 times)
PID 2040 wrote to memory of  1172  medusa.exe  31  (reported 4 times)
PID 2040 wrote to memory of  1824  medusa.exe  33  (reported 4 times)
PID 2040 wrote to memory of  1460  medusa.exe  35  (reported 4 times)
PID 2040 wrote to memory of  304   medusa.exe  37  (reported 4 times)
PID 2040 wrote to memory of  1464  medusa.exe  39  (reported 4 times)
System policy modification (1 TTP, 3 IoCs)
description      ioc                                                                                                   Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                  medusa.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" medusa.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"    medusa.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Users\Admin\AppData\Local\Temp\medusa.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\medusa.exe"
  PID: 2040
  Signatures: UAC bypass; Modifies extensions of user files; Checks whether UAC is enabled; Drops desktop.ini file(s); Enumerates connected drives; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory; System policy modification
    C:\Windows\SysWOW64\vssadmin.exe
      Command line: vssadmin.exe Delete Shadows /All /Quiet
      PID: 1644
      Signatures: Interacts with shadow copies
    C:\Windows\SysWOW64\Wbem\wmic.exe
      Command line: wmic.exe SHADOWCOPY /nointeractive
      PID: 1172
      Signatures: Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\vssadmin.exe
      Command line: vssadmin.exe Delete Shadows /All /Quiet
      PID: 1824
      Signatures: Interacts with shadow copies
    C:\Windows\SysWOW64\Wbem\wmic.exe
      Command line: wmic.exe SHADOWCOPY /nointeractive
      PID: 1460
      Signatures: Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\vssadmin.exe
      Command line: vssadmin.exe Delete Shadows /All /Quiet
      PID: 304
      Signatures: Interacts with shadow copies
    C:\Windows\SysWOW64\Wbem\wmic.exe
      Command line: wmic.exe SHADOWCOPY /nointeractive
      PID: 1464
      Signatures: Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 1504
  Signatures: Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {53ECCF28-E365-4B67-BFF5-0BBE6E016405} S-1-5-21-1437583205-2177757337-340526699-1000:XVLNHWCX\Admin:Interactive:[1]
  PID: 1460
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 4KB
MD5: cc660315e8fb1cdab34618592a34258b
SHA1: 2e6a70afa70c84ad86d514cc60c6ede8b6f71796
SHA256: c6c56714e6880c6783d94b40630fa39920a18df061eaa579881c5cbe7a6d8579
SHA512: 564ffa0b47bc9813d13c1d23f187a35c14a2d1c9da79a4b952d3e33bc21f552e0a0649f0a3b6407ee4568cea7240dc837fdd838b2aa000db6453b0c5f2e3df8e

Filesize: 536B
MD5: b05f1abd2019d89d0f7ed70bd61da678
SHA1: 06b21256b9c91eee0c6d1f54a2322ba951db6b66
SHA256: ab5a1d9ab526373609221dc42249af566ce992c5c28046f28bf6192194582207
SHA512: d0eb88a70ba373ce71843f90049bc96a77dd137cee10db43938e352383aae731a7a872fe6d6849641a5672e0de452f24007bd119c7b2c056b4e1c47d70a84a86