Resubmissions
30-11-2023 10:51 231130-mx5qxsah79 10
29-06-2023 20:59 230629-zs72psfa95 10
29-06-2023 16:29 230629-tzp7ksec27 10
Analysis
max time kernel: 281s
max time network: 246s
platform: windows10-2004_x64
resource: win10v2004-20231127-en
resource tags: arch:x64 arch:x86 image:win10v2004-20231127-en locale:en-us os:windows10-2004-x64 system
submitted: 30-11-2023 10:51
Behavioral task
behavioral1
Sample
medusa.exe
Resource
win7-20231020-en
Behavioral task
behavioral2
Sample
medusa.exe
Resource
win10-20231023-en
Behavioral task
behavioral3
Sample
medusa.exe
Resource
win10v2004-20231127-en
Behavioral task
behavioral4
Sample
medusa.exe
Resource
win11-20231128-en
General
Target: medusa.exe
Size: 235KB
MD5: f6f120d1262b88f79debb5d848ac7db9
SHA1: 1339282f9b2d2a41326daf3cf284ec2ae8f0f93c
SHA256: 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281
SHA512: 1067c1a73cf891d651fa007f4ccc4452f32801fe3859933ef1bcc00985e35ce016fa6c601c0e3c10df2080fc9b8a776b2f18d40bd64dfb98177ab638c4b545bd
SSDEEP: 6144:c5vMUmRTTgwnfeP+Jx1cLNAIyBcc9WrEWUC4wQh/6BeX:/U8Tgufnx1cLNncgQWUUQh/+e
Malware Config
Extracted
\Device\HarddiskVolume1\Boot\HOW_TO_RECOVER_DATA.html
Signatures
MedusaLocker
Ransomware with several variants first seen in September 2019.

MedusaLocker payload 22 IoCs
resource yara_rule
behavioral3/memory/4860-174-0x0000000000580000-0x0000000000632000-memory.dmp family_medusalocker
behavioral3/memory/4860-601-0x0000000000580000-0x0000000000632000-memory.dmp family_medusalocker
behavioral3/memory/4860-602-0x0000000000580000-0x0000000000632000-memory.dmp family_medusalocker
behavioral3/memory/4860-603-0x0000000000580000-0x0000000000632000-memory.dmp family_medusalocker
behavioral3/memory/4860-604-0x0000000000580000-0x0000000000632000-memory.dmp family_medusalocker
behavioral3/memory/4732-609-0x0000000000450000-0x0000000000502000-memory.dmp family_medusalocker
behavioral3/memory/4860-610-0x0000000000580000-0x0000000000632000-memory.dmp family_medusalocker
behavioral3/memory/4860-611-0x0000000000580000-0x0000000000632000-memory.dmp family_medusalocker
behavioral3/memory/4860-612-0x0000000000580000-0x0000000000632000-memory.dmp family_medusalocker
behavioral3/memory/4860-613-0x0000000000580000-0x0000000000632000-memory.dmp family_medusalocker
behavioral3/memory/4860-614-0x0000000000580000-0x0000000000632000-memory.dmp family_medusalocker
behavioral3/memory/4860-615-0x0000000000580000-0x0000000000632000-memory.dmp family_medusalocker
behavioral3/memory/4860-616-0x0000000000580000-0x0000000000632000-memory.dmp family_medusalocker
behavioral3/memory/4860-629-0x0000000000580000-0x0000000000632000-memory.dmp family_medusalocker
behavioral3/memory/4860-630-0x0000000000580000-0x0000000000632000-memory.dmp family_medusalocker
behavioral3/memory/4860-631-0x0000000000580000-0x0000000000632000-memory.dmp family_medusalocker
behavioral3/memory/4860-633-0x0000000000580000-0x0000000000632000-memory.dmp family_medusalocker
behavioral3/memory/4860-634-0x0000000000580000-0x0000000000632000-memory.dmp family_medusalocker
behavioral3/memory/4860-635-0x0000000000580000-0x0000000000632000-memory.dmp family_medusalocker
behavioral3/memory/4860-637-0x0000000000580000-0x0000000000632000-memory.dmp family_medusalocker
behavioral3/memory/4860-639-0x0000000000580000-0x0000000000632000-memory.dmp family_medusalocker
behavioral3/memory/4860-641-0x0000000000580000-0x0000000000632000-memory.dmp family_medusalocker
UAC bypass
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" medusa.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" medusa.exe
Renames multiple (192) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

Executes dropped EXE 1 IoCs
pid Process
4732 svhost.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

resource yara_rule
behavioral3/memory/4860-0-0x0000000000580000-0x0000000000632000-memory.dmp upx
behavioral3/memory/4860-174-0x0000000000580000-0x0000000000632000-memory.dmp upx
behavioral3/memory/4860-601-0x0000000000580000-0x0000000000632000-memory.dmp upx
behavioral3/memory/4860-602-0x0000000000580000-0x0000000000632000-memory.dmp upx
behavioral3/memory/4860-603-0x0000000000580000-0x0000000000632000-memory.dmp upx
behavioral3/memory/4860-604-0x0000000000580000-0x0000000000632000-memory.dmp upx
behavioral3/files/0x0007000000023243-605.dat upx
behavioral3/files/0x0007000000023243-607.dat upx
behavioral3/memory/4732-608-0x0000000000450000-0x0000000000502000-memory.dmp upx
behavioral3/memory/4732-609-0x0000000000450000-0x0000000000502000-memory.dmp upx
behavioral3/memory/4860-610-0x0000000000580000-0x0000000000632000-memory.dmp upx
behavioral3/memory/4860-611-0x0000000000580000-0x0000000000632000-memory.dmp upx
behavioral3/memory/4860-612-0x0000000000580000-0x0000000000632000-memory.dmp upx
behavioral3/memory/4860-613-0x0000000000580000-0x0000000000632000-memory.dmp upx
behavioral3/memory/4860-614-0x0000000000580000-0x0000000000632000-memory.dmp upx
behavioral3/memory/4860-615-0x0000000000580000-0x0000000000632000-memory.dmp upx
behavioral3/memory/4860-616-0x0000000000580000-0x0000000000632000-memory.dmp upx
behavioral3/memory/4860-629-0x0000000000580000-0x0000000000632000-memory.dmp upx
behavioral3/memory/4860-630-0x0000000000580000-0x0000000000632000-memory.dmp upx
behavioral3/memory/4860-631-0x0000000000580000-0x0000000000632000-memory.dmp upx
behavioral3/memory/4860-633-0x0000000000580000-0x0000000000632000-memory.dmp upx
behavioral3/memory/4860-634-0x0000000000580000-0x0000000000632000-memory.dmp upx
behavioral3/memory/4860-635-0x0000000000580000-0x0000000000632000-memory.dmp upx
behavioral3/memory/4860-637-0x0000000000580000-0x0000000000632000-memory.dmp upx
behavioral3/memory/4860-639-0x0000000000580000-0x0000000000632000-memory.dmp upx
behavioral3/memory/4860-641-0x0000000000580000-0x0000000000632000-memory.dmp upx
Checks whether UAC is enabled
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" medusa.exe
Drops desktop.ini file(s) 1 IoCs
description ioc Process
File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-3455265224-196869244-2056873367-1000\desktop.ini medusa.exe
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process
File opened (read-only) \??\N: medusa.exe
File opened (read-only) \??\O: medusa.exe
File opened (read-only) \??\Q: medusa.exe
File opened (read-only) \??\T: medusa.exe
File opened (read-only) \??\V: medusa.exe
File opened (read-only) \??\I: medusa.exe
File opened (read-only) \??\K: medusa.exe
File opened (read-only) \??\L: medusa.exe
File opened (read-only) \??\W: medusa.exe
File opened (read-only) \??\Z: medusa.exe
File opened (read-only) \??\F: medusa.exe
File opened (read-only) \??\G: medusa.exe
File opened (read-only) \??\P: medusa.exe
File opened (read-only) \??\S: medusa.exe
File opened (read-only) \??\B: medusa.exe
File opened (read-only) \??\E: medusa.exe
File opened (read-only) \??\M: medusa.exe
File opened (read-only) \??\R: medusa.exe
File opened (read-only) \??\U: medusa.exe
File opened (read-only) \??\X: medusa.exe
File opened (read-only) \??\Y: medusa.exe
File opened (read-only) \??\A: medusa.exe
File opened (read-only) \??\H: medusa.exe
File opened (read-only) \??\J: medusa.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies registry class 45 IoCs
description ioc Process
Key created \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000_Classes\Local Settings OpenWith.exe
Key created \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell NOTEPAD.EXE
Set value (data) \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots NOTEPAD.EXE
Set value (data) \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff NOTEPAD.EXE
Set value (data) \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 NOTEPAD.EXE
Key created \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000_Classes\Local Settings OpenWith.exe
Set value (data) \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff NOTEPAD.EXE
Key created \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} NOTEPAD.EXE
Set value (int) \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" NOTEPAD.EXE
Key created \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 NOTEPAD.EXE
Set value (int) \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\NodeSlot = "1" NOTEPAD.EXE
Key created \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg NOTEPAD.EXE
Set value (int) \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" NOTEPAD.EXE
Set value (data) \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff NOTEPAD.EXE
Key created \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU NOTEPAD.EXE
Key created \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 NOTEPAD.EXE
Key created \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ NOTEPAD.EXE
Set value (int) \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" NOTEPAD.EXE
Key created \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000_Classes\Local Settings OpenWith.exe
Key created \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000_Classes\Local Settings NOTEPAD.EXE
Set value (data) \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 78003100000000007b57a08b1100557365727300640009000400efbe874f77487e5780562e000000c70500000000010000000000000000003a0000000000ca39000055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000 NOTEPAD.EXE
Key created \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 NOTEPAD.EXE
Key created \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 NOTEPAD.EXE
Set value (int) \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" NOTEPAD.EXE
Key created \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 NOTEPAD.EXE
Set value (data) \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000 NOTEPAD.EXE
Set value (int) \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" NOTEPAD.EXE
Set value (int) \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" NOTEPAD.EXE
Set value (data) \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 NOTEPAD.EXE
Set value (data) \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff NOTEPAD.EXE
Set value (data) \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 7e003100000000007e57885613004465736b746f7000680009000400efbe874fdb497e5788562e000000f90500000000010000000000000000003e0000000000c31613014400650073006b0074006f007000000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370039003900000016000000 NOTEPAD.EXE
Set value (data) \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = ffffffff NOTEPAD.EXE
Key created \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags NOTEPAD.EXE
Key created \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 NOTEPAD.EXE
Set value (str) \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" NOTEPAD.EXE
Set value (int) \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" NOTEPAD.EXE
Set value (data) \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff NOTEPAD.EXE
Set value (data) \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 NOTEPAD.EXE
Set value (data) \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 NOTEPAD.EXE
Set value (str) \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" NOTEPAD.EXE
Set value (int) \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" NOTEPAD.EXE
Set value (data) \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 7c003100000000007b57a28b11005075626c69630000660009000400efbe874fdb497e5780562e000000f80500000000010000000000000000003c00000000007fc328005000750062006c0069006300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003600000016000000 NOTEPAD.EXE
Key created \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell NOTEPAD.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ NOTEPAD.EXE
Set value (data) \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff NOTEPAD.EXE
Opens file in notepad (likely ransom note) 1 IoCs
pid Process
1012 NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
4860 medusa.exe (64 identical entries)
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process
3880 OpenWith.exe
3856 OpenWith.exe
Suspicious use of AdjustPrivilegeToken 63 IoCs
description pid Process
The same 21 tokens are recorded for each of the three wmic.exe processes, PIDs 2492, 1652 and 4372:
Token: SeIncreaseQuotaPrivilege
Token: SeSecurityPrivilege
Token: SeTakeOwnershipPrivilege
Token: SeLoadDriverPrivilege
Token: SeSystemProfilePrivilege
Token: SeSystemtimePrivilege
Token: SeProfSingleProcessPrivilege
Token: SeIncBasePriorityPrivilege
Token: SeCreatePagefilePrivilege
Token: SeBackupPrivilege
Token: SeRestorePrivilege
Token: SeShutdownPrivilege
Token: SeDebugPrivilege
Token: SeSystemEnvironmentPrivilege
Token: SeRemoteShutdownPrivilege
Token: SeUndockPrivilege
Token: SeManageVolumePrivilege
Token: 33
Token: 34
Token: 35
Token: 36
Suspicious use of SetWindowsHookEx 27 IoCs
pid Process
5028 OpenWith.exe
3880 OpenWith.exe (19 entries)
4424 NOTEPAD.EXE (2 entries)
3856 OpenWith.exe (5 entries)
Suspicious use of WriteProcessMemory 13 IoCs
description pid Process procid_target
PID 4860 wrote to memory of 2492 4860 medusa.exe 87
PID 4860 wrote to memory of 2492 4860 medusa.exe 87
PID 4860 wrote to memory of 2492 4860 medusa.exe 87
PID 4860 wrote to memory of 1652 4860 medusa.exe 90
PID 4860 wrote to memory of 1652 4860 medusa.exe 90
PID 4860 wrote to memory of 1652 4860 medusa.exe 90
PID 4860 wrote to memory of 4372 4860 medusa.exe 92
PID 4860 wrote to memory of 4372 4860 medusa.exe 92
PID 4860 wrote to memory of 4372 4860 medusa.exe 92
PID 3880 wrote to memory of 4424 3880 OpenWith.exe 107
PID 3880 wrote to memory of 4424 3880 OpenWith.exe 107
PID 3856 wrote to memory of 1012 3856 OpenWith.exe 110
PID 3856 wrote to memory of 1012 3856 OpenWith.exe 110
System policy modification 1 TTPs 3 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" medusa.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" medusa.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" medusa.exe
Processes
C:\Users\Admin\AppData\Local\Temp\medusa.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\medusa.exe"
  - UAC bypass
  - Checks whether UAC is enabled
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4860
    C:\Windows\SysWOW64\Wbem\wmic.exe
      Command line: wmic.exe SHADOWCOPY /nointeractive
      - Suspicious use of AdjustPrivilegeToken
      PID:2492
    C:\Windows\SysWOW64\Wbem\wmic.exe
      Command line: wmic.exe SHADOWCOPY /nointeractive
      - Suspicious use of AdjustPrivilegeToken
      PID:1652
    C:\Windows\SysWOW64\Wbem\wmic.exe
      Command line: wmic.exe SHADOWCOPY /nointeractive
      - Suspicious use of AdjustPrivilegeToken
      PID:4372

C:\Users\Admin\AppData\Roaming\svhost.exe
  Command line: C:\Users\Admin\AppData\Roaming\svhost.exe
  - Executes dropped EXE
  PID:4732

C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:5028

C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3880
    C:\Windows\system32\NOTEPAD.EXE
      Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\Acrobat Reader DC.lnk.marlock07
      - Modifies registry class
      - Suspicious use of SetWindowsHookEx
      PID:4424

C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3856
    C:\Windows\system32\NOTEPAD.EXE
      Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\Firefox.lnk.marlock07
      - Opens file in notepad (likely ransom note)
      PID:1012
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Modify Registry (2)
Downloads
Filesize 235KB
MD5 f6f120d1262b88f79debb5d848ac7db9
SHA1 1339282f9b2d2a41326daf3cf284ec2ae8f0f93c
SHA256 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281
SHA512 1067c1a73cf891d651fa007f4ccc4452f32801fe3859933ef1bcc00985e35ce016fa6c601c0e3c10df2080fc9b8a776b2f18d40bd64dfb98177ab638c4b545bd

Filesize 235KB
MD5 f6f120d1262b88f79debb5d848ac7db9
SHA1 1339282f9b2d2a41326daf3cf284ec2ae8f0f93c
SHA256 1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281
SHA512 1067c1a73cf891d651fa007f4ccc4452f32801fe3859933ef1bcc00985e35ce016fa6c601c0e3c10df2080fc9b8a776b2f18d40bd64dfb98177ab638c4b545bd

Filesize 536B
MD5 a666c53abf827032202dd665670778ac
SHA1 1230224f62cbd26aeba3a8ad9d73ac8cd0872390
SHA256 f14257579176812a53a38f08718edab717fc83ee08b55397af61047205554826
SHA512 11aa047a234db9a9cf15cff9def90cd4b0f1ce28e48e5e1731892f8a4d4f149e1487735d3695f5c2226ccc8f8dd33ac1e47a43825895ae00bc86051512c1bbfd

Filesize 8KB
MD5 3b6babe2a37ca43cc9efd477392ca853
SHA1 dd597c541192afb3709df2e732a25b5acffb67e9
SHA256 03884381b2b4753cb5ee70ec13fd1c203b96816d716560c44c88e0f0ef976d37
SHA512 98dff415981cc0047947cf54c5998bfb932904cff7b9bd8d52b2deac7a9c90df6f199b580dd2f94f9c83c2efa8b253877403f08a6dd56ef100900103f7945485

Filesize 8KB
MD5 9e822b9d5a12fc6b095f8e098a4479d0
SHA1 c5823bac0ddeecddc6ec53529da2137fd71ee7b2
SHA256 8e759cbf969d6d6ecb550c917c378bcfe00613eae16b324930b1a397872eeda5
SHA512 74dc7f0e94758b9a43cd122306de7b291768cf01e218101584a5940ddb8e4a2e3ddcaa28bd5860d191a7605b7929af89467657801c82592b58b15c51166dec06

Filesize 4KB
MD5 f13cb978ef246b68849b84a0f0040f79
SHA1 39fa5109e02706b1414bb061189efa9598f25e30
SHA256 64f96198b3b23b69a5a718d484ffb0fefeaea1c0e98123f0313c1920c4627dbe
SHA512 a281e768aa080e3d319b16cd1e530280b87e75a51909d1383b953d19f5fcacc847a3612eb3b6baa0cc9780a6636cb9bfdb4c03de3b26a22b38c7b0c35fbf7856