medusalocker | 77a164b6f3112876b7b2b2c8a7b9ee57997ddde6f4e6cd5235f41c1cd5478621

Sharing

Copy URL

Twitter E-mail

General

Target

samples2.zip
Size

4.6MB
Sample

240101-sv888afgd8
MD5

2e6f74d2c52a3c209bee0f46ed5cf877
SHA1

aecb04ae16e4d8882f58f4c5460660d8cd5858a7
SHA256

77a164b6f3112876b7b2b2c8a7b9ee57997ddde6f4e6cd5235f41c1cd5478621
SHA512

3e9298f2758604d868250285f363b023496435fa6df05e41853207d47d5ebcbab01f73d1e8d0b7f850eb81a21fbb2b3ce3a7fd0f946b245293afdb627d5e2e5e
SSDEEP

98304:wAw/1bUx9oAEEsk+GF7RoimhvGQtFHFxwEi0mD:wACFAfskbRJmh9HTwEbA

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HOW_TO_RECOVER_FILES.txt

Ransom Note

> WHAT HAPPEND? Important files on your network have been ENCRYPTED and now have the extension .CIBCJEAEBI. To recover your files, you need to follow the instructions below. > SENSITIVE DATA Sensitive data from your network has been DOWNLOADED. If you DON'T WANT to your sensitive data PUBLISHED on our leak blog, you must act quickly. LEAK BLOG: noescapemsqxvizdxyl7f7rmg5cdjwp33pg2wpmiaaibilb4btwzttad.onion Data includes: - Personal data of employees, resume, DL, SSN. - Complete network map, including credentials for local and remote services. - Private financial information including: customer data, accounts, budgets, annual reports, bank statements. - Production documentation, including: datagrams, diagrams, drawings. - And much more... Sample DOWNLOADED FILES are available in your user panel. > CAUTION DO NOT MODIFY ENCRYPTED FILES BY YOURSELF. DO NOT USE THIRD PARTY SOFTWARE TO RESTORE YOUR DATA. YOU MAY DAMAGE YOUR FILES, THIS WILL RESULT IN PERMANENT DATA LOSS. > WHAT SHOULD I DO NEXT? You need to contact us: 1. Download and install TOR browser: https://www.torproject.org/ 2. Go to your user panel: noescaperjh3gg6oy7rck57fiefyuzmj7kmvojxgvlmwd5pdzizrb7ad.onion/9a327ded-8235-4391-8aa9-bd7cbeca8977

URLs

http://noescapemsqxvizdxyl7f7rmg5cdjwp33pg2wpmiaaibilb4btwzttad.onion

http://noescaperjh3gg6oy7rck57fiefyuzmj7kmvojxgvlmwd5pdzizrb7ad.onion/9a327ded-8235-4391-8aa9-bd7cbeca8977

Extracted

Path

C:\Users\Admin\Desktop\HOW_TO_RECOVER_FILES.txt

Ransom Note

> WHAT HAPPEND? Important files on your network have been ENCRYPTED and now have the extension .DEDBJGIBGH. To recover your files, you need to follow the instructions below. > SENSITIVE DATA Sensitive data from your network has been DOWNLOADED. If you DON'T WANT to your sensitive data PUBLISHED on our leak blog, you must act quickly. LEAK BLOG: noescapemsqxvizdxyl7f7rmg5cdjwp33pg2wpmiaaibilb4btwzttad.onion Data includes: - Personal data of employees, resume, DL, SSN. - Complete network map, including credentials for local and remote services. - Private financial information including: customer data, accounts, budgets, annual reports, bank statements. - Production documentation, including: datagrams, diagrams, drawings. - And much more... Sample DOWNLOADED FILES are available in your user panel. > CAUTION DO NOT MODIFY ENCRYPTED FILES BY YOURSELF. DO NOT USE THIRD PARTY SOFTWARE TO RESTORE YOUR DATA. YOU MAY DAMAGE YOUR FILES, THIS WILL RESULT IN PERMANENT DATA LOSS. > WHAT SHOULD I DO NEXT? You need to contact us: 1. Download and install TOR browser: https://www.torproject.org/ 2. Go to your user panel: noescaperjh3gg6oy7rck57fiefyuzmj7kmvojxgvlmwd5pdzizrb7ad.onion/9a327ded-8235-4391-8aa9-bd7cbeca8977

URLs

http://noescapemsqxvizdxyl7f7rmg5cdjwp33pg2wpmiaaibilb4btwzttad.onion

http://noescaperjh3gg6oy7rck57fiefyuzmj7kmvojxgvlmwd5pdzizrb7ad.onion/9a327ded-8235-4391-8aa9-bd7cbeca8977

Targets

- Target
  
  samples2.zip
- Size
  
  4.6MB
- MD5
  
  2e6f74d2c52a3c209bee0f46ed5cf877
- SHA1
  
  aecb04ae16e4d8882f58f4c5460660d8cd5858a7
- SHA256
  
  77a164b6f3112876b7b2b2c8a7b9ee57997ddde6f4e6cd5235f41c1cd5478621
- SHA512
  
  3e9298f2758604d868250285f363b023496435fa6df05e41853207d47d5ebcbab01f73d1e8d0b7f850eb81a21fbb2b3ce3a7fd0f946b245293afdb627d5e2e5e
- SSDEEP
  
  98304:wAw/1bUx9oAEEsk+GF7RoimhvGQtFHFxwEi0mD:wACFAfskbRJmh9HTwEbA
Score

1^/10
behavioral1 behavioral2
- Target
  
  032e2e00ebb50fcd0c1b56a4cfb9479683e15de23e336556ea3783038e18b536
- Size
  
  458KB
- MD5
  
  e519c2dc8a09e0496670fe0338c4a8d5
- SHA1
  
  39988029bae6438cd10e0ee8f1b1059114f17bc1
- SHA256
  
  032e2e00ebb50fcd0c1b56a4cfb9479683e15de23e336556ea3783038e18b536
- SHA512
  
  b1ab3dde40086107b82ed442c3969091efe8027d31cf8f361e0bbbee6cf6ffada2ea386c9adda5ee42f8b6efd051bed2191cfec6278004c96d6d14780e1ca1cb
- SSDEEP
  
  6144:RubhTvoxjFEi8ny0/2Q05QQ/5hIu0OtUAG5Aa9P9Uc3qOrnsQyMJseIpSeN:R2vl38ewhZ04t7WP9U8q5dMpOx
Score

3^/10
behavioral3 behavioral4
- Target
  
  07e98c92e1f9859a16b31df6aa5bc83c0d11d4f5f9d8a8ce5d7ddc1a0655a73b
- Size
  
  394KB
- MD5
  
  92117db6e028061b49507c9538a19a79
- SHA1
  
  82e2a0ae177ea236133f9c20843d686a9844fb44
- SHA256
  
  07e98c92e1f9859a16b31df6aa5bc83c0d11d4f5f9d8a8ce5d7ddc1a0655a73b
- SHA512
  
  47a9beffae3da3173d3f7faa61965cb3128a7b8643d5cb32ff8251c8e1d3d88874814f906770008d7df14036d0865bbd09422d1fb8d42a17bc042764595c0f17
- SSDEEP
  
  6144:8dKBBpxQSZrRe1pWmYTCZvCeatD5+BLjVWA2oN+zffGvmH9fr334YaC7I20PY:8dKBHw8mYmtw5+5jX2oNwGvYj334YaC7
Score

8^/10

evasion spyware stealer
- Disables Task Manager via registry modification
  evasion
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops file in System32 directory
behavioral5 behavioral6
- Target
  
  0a045d39cbae62c5e73639b6a5a6bdc7948e13d5e960978d22b687d95e599b35
- Size
  
  225KB
- MD5
  
  19275ec337c79577d1b218afcc5fdf96
- SHA1
  
  c6fb78e7203073f9bfceda682c0fede8d5d645f7
- SHA256
  
  0a045d39cbae62c5e73639b6a5a6bdc7948e13d5e960978d22b687d95e599b35
- SHA512
  
  faaef2dee406f0ef52a80e413410a45b76903b3702ab14b8be8c946566fa80a87fa5b09bf643e00b75629b0355ba2044fba5d8713a526f0e8a935bd906a7eb7f
- SSDEEP
  
  6144:zrA1b71kw8TML7RiVhVPuV17rQ+LGsuUSpbO:zr7P8iVmVdQ+LqJE
Score

7^/10

persistence spyware stealer
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
behavioral7 behavioral8
- Target
  
  2d713e13f7941f69ff7978a16736aac4019955895a79636eed1738c1f6a3e0d3
- Size
  
  299KB
- MD5
  
  cc774d4d12fb4adec6a429dfca946fba
- SHA1
  
  166dd3ce58b8f9f2ccecb62b2d9b4b2551c492ed
- SHA256
  
  2d713e13f7941f69ff7978a16736aac4019955895a79636eed1738c1f6a3e0d3
- SHA512
  
  980db118080fb428d78a5882a6ed0efcc0c3bf1139e7cb74f47e6ac4f8c5b09af359ab45a035fd8667f3d57706f79bb10ecb5077bd4137596935e93617b9c596
- SSDEEP
  
  3072:/DKW1LgppLRHMY0TBfJvjcTp5XfgPLW1vQIivNKxI2vaFbJQXQ6dvaE9FUtV:/DKW1Lgbdl0TBBvjc/4Pu+K+2iH29FU
Score

1^/10
behavioral10 behavioral9
- Target
  
  37a83fd6b1048433907502f8e50aabdcbae822388ea284e81e9ea1b199674732
- Size
  
  272KB
- MD5
  
  ab52181f06406966d678d7cabeb4353e
- SHA1
  
  3860bfb9a87f980b3f84fa817ec76000a4e007c3
- SHA256
  
  37a83fd6b1048433907502f8e50aabdcbae822388ea284e81e9ea1b199674732
- SHA512
  
  bb5671337664548658d09d5dc00b9d275ca0598f2dcba73dc9bf7b433ca728804a55ccf4cbe9fb87ebba6efd2ca2142d18a7071eb27fd71159511bca8781e197
- SSDEEP
  
  6144:8d/KXAuWM8uCempv+6OTxNXr779GqpGBtZrDQ:lwuWMLmYxNXfBcdDQ
Score

1^/10
behavioral11 behavioral12
- Target
  
  390b31934a8c6923fca53127953406a98231e4437a8523f242c072b0c38bb756
- Size
  
  253KB
- MD5
  
  039d8bcbc7ff29dd95075a4a9b58ca74
- SHA1
  
  36e23eeeabc22cbb11d39297af9ace9221b21c51
- SHA256
  
  390b31934a8c6923fca53127953406a98231e4437a8523f242c072b0c38bb756
- SHA512
  
  3fdd2b870c5dc5d23e467397ca754fdd1406bf201a4b0dda5a5abf2aeb24c093d977d49b074828f9eba481ba654f482a09d1730da1ba819078c9e6e0ab329789
- SSDEEP
  
  3072:ihEkXmeP9slEbXi9qPtD/H/MXC5ua1JYI0FCFS1nFZ8WtbX7ehO4tP8X6PtILdfs:TTzlE7iOwIGEHShXuQ4hWQ
Score

9^/10

ransomware
- Renames multiple (195) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
behavioral13 behavioral14
- Target
  
  4dc6bd447edc955f853e3d624be982a77e219a0d8d78c9009ecfd0b6bf18049d
- Size
  
  321KB
- MD5
  
  f54a7eccf761cf2ef0f41e0d4aa68062
- SHA1
  
  c1f9480f0f39a471b94b62c146c14c7aece1f0fa
- SHA256
  
  4dc6bd447edc955f853e3d624be982a77e219a0d8d78c9009ecfd0b6bf18049d
- SHA512
  
  d6dc3e85e3923e952f4265b98d2cc54e5968760936f261f84a09cdaade7655955752343bb763a2d6307173e10416e9fbac573aa64e55963f8e773b7eac0b25a6
- SSDEEP
  
  3072:7O1GVgQvlZmpwtZYhsWkVr42rSgO1GVg:78GVNuwzYin8GV
Score

1^/10
behavioral15 behavioral16
- Target
  
  5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d
- Size
  
  453KB
- MD5
  
  15e64cc4e12006fd7bf95cdfdb2ad674
- SHA1
  
  f4a7023d943749b9aa5c373cc84b5ee6f2845717
- SHA256
  
  5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d
- SHA512
  
  596b44694970ecef43a4238c0d2e547844b40c75697e962893a0b21f248136de5a1bf27da7651a5f4eef073f595e5015d63fa0f99a1e39185cfeb5c3bdaf5bbc
- SSDEEP
  
  6144:selkSPS7kiuw4SEtOvgs25TfCxFu/4grGsBNcRMr5p6LnTAOzarKJ7nkxXTv:selk4Sgiuw40vfnxIXNcw6rTcr4eTv
Score

10^/10

ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Renames multiple (154) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral17 behavioral18
- Target
  
  5e7d11d6bd11b09c4cc0c4ba54ebea19dcc06ae585d0508d3d8dba251075f4c6
- Size
  
  349KB
- MD5
  
  32fd9d7529be4555e48d1599dc0cd25f
- SHA1
  
  cfea66a8b70836a5107e1e5a109048d45d1d4a92
- SHA256
  
  5e7d11d6bd11b09c4cc0c4ba54ebea19dcc06ae585d0508d3d8dba251075f4c6
- SHA512
  
  8e3b18c93cb05b5c5a7b399deac35a19913dc052c4dac80d034e079ba8c73db84326bac9b40cbda3fa9a8fce7ddcf4d1b85b2ded13602d8d199370743454d383
- SSDEEP
  
  6144:65QvNzAcfLSs7w2bhafQEPx96w3KK6cDwSL0JVcBqS:6nmjd1Ev1L0
Score

7^/10

agilenet
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
behavioral19 behavioral20
- Target
  
  64c7d9f709c2e8f059e695db2b1dd84db7b1061ea0a445046603291749fb0920
- Size
  
  342KB
- MD5
  
  f5f5afa1ddfae14a1ee641478d5f7de7
- SHA1
  
  82ff3e26919e21139fd6a09e08e2bd740c9bec57
- SHA256
  
  64c7d9f709c2e8f059e695db2b1dd84db7b1061ea0a445046603291749fb0920
- SHA512
  
  3897764f58295da460a405cf4382e511f605e5bcfef3888933164985296f2108fae22ffd3c420039e3698850e1bf1e9eedb454e7d6ccbcbabc083202fa89b268
- SSDEEP
  
  6144:36fm00rx/Qdd1QkfRLT+vLtls6LEmynvPPGtZ0i976L21di:36Mk1HfRLqzPlLEmynvPBi97
Score

1^/10
behavioral21 behavioral22
- Target
  
  7db03ff8a8f7a96bff02870cd5975b06ac52f2816a7c4ee8f2473a301bea133a
- Size
  
  397KB
- MD5
  
  c9bfc252f334efd39b71a676aac1722b
- SHA1
  
  882c540a3d5e3b4a365408535c036f7386fc7814
- SHA256
  
  7db03ff8a8f7a96bff02870cd5975b06ac52f2816a7c4ee8f2473a301bea133a
- SHA512
  
  c61842051fcdaeb63b9771b2fdc9778d1f617fdca642171b5138ac34240705223887ba77c58a57dc608709c93d0759374c6eddeac2ee1260afdeb6be7df4bb8c
- SSDEEP
  
  1536:qyK9MV0CLSuOCWqeyGaOi2K+Sm6uCWqe+aOi2K+Sm6uuCuCWqeyGaOi2K+Sm6uCN:qX9M1uuNnAYy4AZ67vcgJFW
Score

1^/10
behavioral23 behavioral24
- Target
  
  81cb6442c2562274be3b9bc33c6fc5a4c5c43b0569494f857157eef1e9613178
- Size
  
  385KB
- MD5
  
  796fcd78944caebc3dae8a379b3daf51
- SHA1
  
  fa24e6c4618578095433a269490475c5fea50232
- SHA256
  
  81cb6442c2562274be3b9bc33c6fc5a4c5c43b0569494f857157eef1e9613178
- SHA512
  
  37d6931b7137ded51b5794e3378f576c28f1a154b27bb1c10bd9c25d08d6bdbd05795ef8f11f6ece56e0cd2c0a42d2ad2f79fa44ce58f3647079db193912dbd3
- SSDEEP
  
  1536:MRxxz9OQh+vvUUDOgM5pqKFd9sxJWXd0nEOfWGNeisAOtZKF+aOpN49OypTR9Ztt:MRxxpthDUDkSoh/d41p5g0
Score

1^/10
behavioral25 behavioral26
- Target
  
  8629ec2aedcf3d482ced397406a20fc49e64adf5eb52b717fa331730404de411
- Size
  
  393KB
- MD5
  
  da4712751ecfbe44d2715f0fcdba09d1
- SHA1
  
  6d86b21eeefa16e1ac3c19cb8a24e4589ded0283
- SHA256
  
  8629ec2aedcf3d482ced397406a20fc49e64adf5eb52b717fa331730404de411
- SHA512
  
  2a018b57f340d2b16798d04f8f69cec8bdb7bf12c412cd9f506ca10d82cc1ca631bfbca5be6ac7f72d4654eff3b975282730b834b153f5b742e6f481377daa44
- SSDEEP
  
  6144:sQ7TCaUsC8xj2RbR3ecyW/XMHtMo4zsYNPu:sTaUsCKQucB2Mo7u
Score

1^/10
behavioral27 behavioral28
- Target
  
  8b13ff52ff84eff160a5c0b8c80c7bd336e5bcfef7730ce7a5c499f112632bab
- Size
  
  239KB
- MD5
  
  8b1d78544683f817e6d557e5d52ffefd
- SHA1
  
  1087645986cac7f9153ba9a46cb9fa450c78497c
- SHA256
  
  8b13ff52ff84eff160a5c0b8c80c7bd336e5bcfef7730ce7a5c499f112632bab
- SHA512
  
  cdb670d399ca078e83acbb6a1d0663dd733b4516ac949f20ec963ff4f743505bb879c58a3f09ca94a9da3a45599733cfc6794793acab39fa58eb47ee4c7ee1b5
- SSDEEP
  
  3072:p8Fn3x+lIvPpe0vq9aqBJLxF2BhJA9ZDsjHmsW+lIvPpC5vq9aqBJLxFJ679Y:p8b153/CJLfihwsjGsW15a/CJLfm9
Score

8^/10

evasion persistence
- Disables Task Manager via registry modification
  evasion
- Adds Run key to start application
  persistence
behavioral29 behavioral30
- Target
  
  90b4871229a8654c4258d4d470475e891b7db88407f53653a110de8d70fa4811
- Size
  
  314KB
- MD5
  
  259d9f8bc15f10ef1ab2c317761c9090
- SHA1
  
  3c2aab8e61c9921dea686a1122baa6c1b49956f8
- SHA256
  
  90b4871229a8654c4258d4d470475e891b7db88407f53653a110de8d70fa4811
- SHA512
  
  81a7e3aff9f66aff436d2dabd93ce88499c15536ad3124977a284d8e7bf99be10a7b644ea4b4af32a6db4e1d5dbd823485a4179d928a58e748031416db92847e
- SSDEEP
  
  6144:9k0Ps14JKZ6JIpESQAko1/ndluhQyLTXBaW8GpjBlyQJNO0ww/LXz67:9BPZJev5Q/wd02yLTXBaLGpjBlyQDzwZ
Score

7^/10

spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral31 behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Disables Task Manager via registry modification

Drops file in Drivers directory

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Drops file in System32 directory

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Adds Run key to start application

Renames multiple (195) files with added filename extension

Deletes shadow copies

Renames multiple (154) files with added filename extension

Enumerates connected drives

Loads dropped DLL

Obfuscated with Agile.Net obfuscator

Disables Task Manager via registry modification

Adds Run key to start application

Reads user/profile data of web browsers

Enumerates connected drives

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30

behavioral31

behavioral32