Overview

overview

10

Static

static

10

4ef811b784...24.exe

windows7-x64

10

4ef811b784...24.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    126s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    09-01-2024 19:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4ef811b784b985769645e03bc0b9cd24.exe

  • Size

    669KB

  • MD5

    4ef811b784b985769645e03bc0b9cd24

  • SHA1

    2e04a37b215dd2a95694b1c18dbe1dd35be5aa9f

  • SHA256

    4f9a833e79092006c06203a66b41fc9250bcebcee148fea404db75d52035131c

  • SHA512

    34e9a5a015b04ae904b50a0b2e466788db16d7eb43769fec156cab830932032174b3a43a206016332f99eb16571225dc1a0a0042ce2bca67de1821bbc08c039c

  • SSDEEP

    12288:dQA0FfTcwpBuV2UxqDmuiLZeUaoFi2XZWfGe615HhAZV8DBKD/KeX:Tuf4wTuV2Ux3uIZeUBi2Te6HWUKrKe

Score
10/10
medusalockerevasionransomwarespywarestealertrojan

Malware Config

Signatures

  • MedusaLocker

    Ransomware with several variants first seen in September 2019.

    ransomwaremedusalocker
  • MedusaLocker payload 2 IoCs
  • UAC bypass 3 TTPs 2 IoCs
    evasiontrojan
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Renames multiple (283) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 3 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 63 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • System policy modification 1 TTPs 3 IoCs
    evasion
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe
    "C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2536
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:1968
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1728
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2764
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:2616
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2608
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:2652
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1744
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {54FE2C29-0BAC-40FD-80B8-A97D75CEB432} S-1-5-21-3470981204-343661084-3367201002-1000:GLTGRJAG\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3024
    • C:\Users\Admin\AppData\Roaming\svhost.exe
      C:\Users\Admin\AppData\Roaming\svhost.exe
      2⤵
      • Executes dropped EXE
      PID:912

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\svhost.exe
    Filesize

    281KB

    MD5

    25577996bd81b3c7649d3379d288d67b

    SHA1

    505e80558cada747f6beac71bcbafb27d7ba749e

    SHA256

    bfd4cee8f4068e5489a0dce7248bc39ec1a24ed97c00fe9bc69ac31e6d12591b

    SHA512

    62a3ccaeb5f32f318baa05aae02d9f55e4f51276bc0c829efabbf4672ad6255d35a2488d6c7c54b47895330119aaba74ef329e0918604627d617065ad968d645

    Download Submit

  • C:\Users\Admin\AppData\Roaming\svhost.exe
    Filesize

    92KB

    MD5

    c89c7f4705acb628e00c56966b54f0af

    SHA1

    91584344b182ef6f8be2a11b9c3255207c717036

    SHA256

    cd8925980225ea79877b4549a7ef2cf8304596e9f1d6cdbfaa08ef8e3a3257f0

    SHA512

    906db0dc9225862039091addfb6c6355103840f97b295841fc88e0fe9b7f6111b636e5d36ef5ec43e31e3591fe49cfdc4136bc89b706d2f491333c43bfb7d2f4

    Download Submit

  • C:\Users\Default\NTUSER.DAT.LOG2
    Filesize

    536B

    MD5

    9db174e2091b616001dea9911dba4ec0

    SHA1

    e4ca40b6c20d93e71d114c52ce0d274e7f96e7e1

    SHA256

    d5dcd80c06595e196fb717b0e51b3fdcaa74949d1c16632729b0ab8baa6c1585

    SHA512

    3d49feb746e63deddb68982932be5381838bc00de0241a60064436a612d3d8f81b03be6834092e47ee2f72aad14bc1d4765feca91e01b4f942e8c1c4be21fbdd

    Download Submit