Analysis
-
max time kernel
142s -
max time network
128s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
09-01-2024 19:05
Behavioral task
behavioral1
Sample
4ef811b784b985769645e03bc0b9cd24.exe
Resource
win7-20231129-en
windows7-x64
17 signatures
150 seconds
Behavioral task
behavioral2
Sample
4ef811b784b985769645e03bc0b9cd24.exe
Resource
win10v2004-20231215-en
windows10-2004-x64
14 signatures
150 seconds
General
-
Target
4ef811b784b985769645e03bc0b9cd24.exe
-
Size
669KB
-
MD5
4ef811b784b985769645e03bc0b9cd24
-
SHA1
2e04a37b215dd2a95694b1c18dbe1dd35be5aa9f
-
SHA256
4f9a833e79092006c06203a66b41fc9250bcebcee148fea404db75d52035131c
-
SHA512
34e9a5a015b04ae904b50a0b2e466788db16d7eb43769fec156cab830932032174b3a43a206016332f99eb16571225dc1a0a0042ce2bca67de1821bbc08c039c
-
SSDEEP
12288:dQA0FfTcwpBuV2UxqDmuiLZeUaoFi2XZWfGe615HhAZV8DBKD/KeX:Tuf4wTuV2Ux3uIZeUBi2Te6HWUKrKe
Malware Config
Extracted
Path
\Device\HarddiskVolume1\Boot\HOW_TO_RECOVER_DATA.html
Ransom Note
<html>
<style type="text/css">
body {
background-color: #f5f5f5;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
display: block;
margin: auto;
}
.tabs1 .head{
text-align: center;
float: top;
padding: 0px;
text-transform: uppercase;
font-weight: normal;
display: block;
background: #81bef7;
color: #DF0101;
font-size: 30px;
}
.tabs1 .identi {
font-size: 10px;
text-align: center;
float: top;
padding: 15px;
display: block;
background: #81bef7;
color: #DFDFDF;
}
.tabs .content {
background: #f5f5f5;
/*text-align: center;*/
color: #000000;
padding: 25px 15px;
font-size: 15px;
font-weight: 400;
line-height: 20px; }
.tabs .content a {
color: #df0130;
font-size: 23px;
font-style: italic;
text-decoration: none;
line-height: 35px; }
.tabs .content .text{
padding: 25px;
line-height: 1.2;
}
</style>
<body>
<div class="tabs1">
<div class="head" ><b>Your personal ID:</b></div>
<div class="identi">
<span style="width:1000px; color: #ffffff; font-size: 10px;">4CB884E686C4A903E35C87018D2AD8E56D647C4CEDAE3224B8933CF79437DDCCCDFC6CFE8ED6F5721F6C949394A6877C9F5DE74088C4199804C6B233C9AF7ED3<br>5A330BAD8D5E2D6041B3781968F3AA92CFAC63DDA2A0F8DB1F5A1CE8F31E281181EE9396AC86E3CE9C596DD643344A355E22BD6ACCB03514D6DBA924266A<br>55C83017BFF40EBEBDB6253322C90085EF7A77CD31FE4EC46E9B952E8227AE34ED729C79A87D7D5673DD7070EA237FC9379F9E8EE46FE9FECA7BC665CE65<br>D147F803537D3D715649E127E67FE233A9FAC1175B7CDACE862C0A01B348002144B2E8F065D367682CD67424ED74E6C7555552F387ED392C432FC7066250<br>80BC9448A949D680EC77404481842B2FEAB75C7469004B816CAFB6976F46F0767CE599997E60216F1897B93E5E7B29D3425232FD6223D2B32272528AA799<br>8BDC052CB4079485FD0135AE911C8AF534A75C9C004468DC04BBA9C5DC4DC387BE7EB238A8523F21D3B9C59DD9F81675B5CE6595AE83A2D3AEDC62F7936B<br>C29F98E319771F5F4C9C085241524B326D1C3FD16E7521DD2904C5A8BBD2468693FBABEB2B1DD903426DCC3AA4C118E34967B24F36969A007615BAF39AE7<br>E8BCD0C675989CBFE73342637829DF5CA6C0BCC75C2D911AAAEA21EADBC6CB1A506AFE7779143950374941803C728710890E6294A9FA0CD6A62DE25C870B<br>8A7216F13F8FFBE86CCE6B5C224C</span> <br>
<!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<div id="tab-content1" class="content">
<div class="text">
<!--text data -->
<b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br>
<b>All your important files have been encrypted!</b><br><br>
<hr>
Your files are safe! Only modified. (RSA+AES)<br><br>
ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br>
WILL PERMANENTLY CORRUPT IT.<br>
DO NOT MODIFY ENCRYPTED FILES.<br>
DO NOT RENAME ENCRYPTED FILES.<br><br>
No software available on internet can help you. We are the only ones able to<br>
solve your problem.<br><br>
We gathered highly confidential/personal data. These data are currently stored on<br>
a private server. This server will be immediately destroyed after your payment.<br>
If you decide to not pay, we will release your data to public or re-seller.<br>
So you can expect your data to be publicly available in the near future..<br><br>
We only seek money and our goal is not to damage your reputation or prevent<br>
your business from running.<br><br>
You will can send us 2-3 non-important files and we will decrypt it for free<br>
to prove we are able to give your files back.<br><br>
<!--text data -->
<hr>
<b>Contact us for price and get decryption software.</b><br><br>
<a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</a><br>
* Note that this server is available via Tor browser only<br><br>
Follow the instructions to open the link:<br>
1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br>
2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br>
3. Now you have Tor browser. In the Tor Browser open <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</a><br>
4. Start a chat and follow the further instructions. <br><br>
<hr>
<b>If you can not use the above link, use the email:</b><br>
<a href="[email protected] ">[email protected] </a>
<br><a href="[email protected]">[email protected]</a>
<br>
<b>* To contact us, create a new free email account on the site:</b> <a href="https://protonmail.com">protonmail.com<br> <hr>
<b>
IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br>
</div>
</div>
</div>
<!--tab-->
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>
Emails
Signatures
-
MedusaLocker
Ransomware with several variants first seen in September 2019.
-
MedusaLocker payload 1 IoCs
Processes:
resource yara_rule behavioral2/files/0x000200000001fafe-689.dat family_medusalocker -
Processes:
4ef811b784b985769645e03bc0b9cd24.exedescription ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 4ef811b784b985769645e03bc0b9cd24.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 4ef811b784b985769645e03bc0b9cd24.exe -
Renames multiple (222) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Executes dropped EXE 1 IoCs
Processes:
svhost.exepid Process 412 svhost.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
4ef811b784b985769645e03bc0b9cd24.exedescription ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 4ef811b784b985769645e03bc0b9cd24.exe -
Drops desktop.ini file(s) 1 IoCs
Processes:
4ef811b784b985769645e03bc0b9cd24.exedescription ioc Process File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-3791175113-1062217823-1177695025-1000\desktop.ini 4ef811b784b985769645e03bc0b9cd24.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
4ef811b784b985769645e03bc0b9cd24.exedescription ioc Process File opened (read-only) \??\B: 4ef811b784b985769645e03bc0b9cd24.exe File opened (read-only) \??\R: 4ef811b784b985769645e03bc0b9cd24.exe File opened (read-only) \??\U: 4ef811b784b985769645e03bc0b9cd24.exe File opened (read-only) \??\V: 4ef811b784b985769645e03bc0b9cd24.exe File opened (read-only) \??\H: 4ef811b784b985769645e03bc0b9cd24.exe File opened (read-only) \??\P: 4ef811b784b985769645e03bc0b9cd24.exe File opened (read-only) \??\Q: 4ef811b784b985769645e03bc0b9cd24.exe File opened (read-only) \??\X: 4ef811b784b985769645e03bc0b9cd24.exe File opened (read-only) \??\Z: 4ef811b784b985769645e03bc0b9cd24.exe File opened (read-only) \??\G: 4ef811b784b985769645e03bc0b9cd24.exe File opened (read-only) \??\I: 4ef811b784b985769645e03bc0b9cd24.exe File opened (read-only) \??\K: 4ef811b784b985769645e03bc0b9cd24.exe File opened (read-only) \??\S: 4ef811b784b985769645e03bc0b9cd24.exe File opened (read-only) \??\T: 4ef811b784b985769645e03bc0b9cd24.exe File opened (read-only) \??\Y: 4ef811b784b985769645e03bc0b9cd24.exe File opened (read-only) \??\O: 4ef811b784b985769645e03bc0b9cd24.exe File opened (read-only) \??\W: 4ef811b784b985769645e03bc0b9cd24.exe File opened (read-only) \??\A: 4ef811b784b985769645e03bc0b9cd24.exe File opened (read-only) \??\E: 4ef811b784b985769645e03bc0b9cd24.exe File opened (read-only) \??\J: 4ef811b784b985769645e03bc0b9cd24.exe File opened (read-only) \??\L: 4ef811b784b985769645e03bc0b9cd24.exe File opened (read-only) \??\M: 4ef811b784b985769645e03bc0b9cd24.exe File opened (read-only) \??\N: 4ef811b784b985769645e03bc0b9cd24.exe File opened (read-only) \??\F: 4ef811b784b985769645e03bc0b9cd24.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
4ef811b784b985769645e03bc0b9cd24.exepid Process 4744 4ef811b784b985769645e03bc0b9cd24.exe 4744 4ef811b784b985769645e03bc0b9cd24.exe 4744 4ef811b784b985769645e03bc0b9cd24.exe 4744 4ef811b784b985769645e03bc0b9cd24.exe 4744 4ef811b784b985769645e03bc0b9cd24.exe 4744 4ef811b784b985769645e03bc0b9cd24.exe 4744 4ef811b784b985769645e03bc0b9cd24.exe 4744 4ef811b784b985769645e03bc0b9cd24.exe 4744 4ef811b784b985769645e03bc0b9cd24.exe 4744 4ef811b784b985769645e03bc0b9cd24.exe 4744 4ef811b784b985769645e03bc0b9cd24.exe 4744 4ef811b784b985769645e03bc0b9cd24.exe 4744 4ef811b784b985769645e03bc0b9cd24.exe 4744 4ef811b784b985769645e03bc0b9cd24.exe 4744 4ef811b784b985769645e03bc0b9cd24.exe 4744 4ef811b784b985769645e03bc0b9cd24.exe 4744 4ef811b784b985769645e03bc0b9cd24.exe 4744 4ef811b784b985769645e03bc0b9cd24.exe 4744 4ef811b784b985769645e03bc0b9cd24.exe 4744 4ef811b784b985769645e03bc0b9cd24.exe 4744 4ef811b784b985769645e03bc0b9cd24.exe 4744 4ef811b784b985769645e03bc0b9cd24.exe 4744 4ef811b784b985769645e03bc0b9cd24.exe 4744 4ef811b784b985769645e03bc0b9cd24.exe 4744 4ef811b784b985769645e03bc0b9cd24.exe 4744 4ef811b784b985769645e03bc0b9cd24.exe 4744 4ef811b784b985769645e03bc0b9cd24.exe 4744 4ef811b784b985769645e03bc0b9cd24.exe 4744 4ef811b784b985769645e03bc0b9cd24.exe 4744 4ef811b784b985769645e03bc0b9cd24.exe 4744 4ef811b784b985769645e03bc0b9cd24.exe 4744 4ef811b784b985769645e03bc0b9cd24.exe 4744 4ef811b784b985769645e03bc0b9cd24.exe 4744 4ef811b784b985769645e03bc0b9cd24.exe 4744 4ef811b784b985769645e03bc0b9cd24.exe 4744 4ef811b784b985769645e03bc0b9cd24.exe 4744 4ef811b784b985769645e03bc0b9cd24.exe 4744 4ef811b784b985769645e03bc0b9cd24.exe 4744 4ef811b784b985769645e03bc0b9cd24.exe 4744 4ef811b784b985769645e03bc0b9cd24.exe 4744 4ef811b784b985769645e03bc0b9cd24.exe 4744 4ef811b784b985769645e03bc0b9cd24.exe 4744 4ef811b784b985769645e03bc0b9cd24.exe 4744 4ef811b784b985769645e03bc0b9cd24.exe 4744 4ef811b784b985769645e03bc0b9cd24.exe 4744 4ef811b784b985769645e03bc0b9cd24.exe 4744 4ef811b784b985769645e03bc0b9cd24.exe 4744 4ef811b784b985769645e03bc0b9cd24.exe 4744 4ef811b784b985769645e03bc0b9cd24.exe 4744 4ef811b784b985769645e03bc0b9cd24.exe 4744 4ef811b784b985769645e03bc0b9cd24.exe 4744 4ef811b784b985769645e03bc0b9cd24.exe 4744 4ef811b784b985769645e03bc0b9cd24.exe 4744 4ef811b784b985769645e03bc0b9cd24.exe 4744 4ef811b784b985769645e03bc0b9cd24.exe 4744 4ef811b784b985769645e03bc0b9cd24.exe 4744 4ef811b784b985769645e03bc0b9cd24.exe 4744 4ef811b784b985769645e03bc0b9cd24.exe 4744 4ef811b784b985769645e03bc0b9cd24.exe 4744 4ef811b784b985769645e03bc0b9cd24.exe 4744 4ef811b784b985769645e03bc0b9cd24.exe 4744 4ef811b784b985769645e03bc0b9cd24.exe 4744 4ef811b784b985769645e03bc0b9cd24.exe 4744 4ef811b784b985769645e03bc0b9cd24.exe -
Suspicious use of AdjustPrivilegeToken 63 IoCs
Processes:
wmic.exewmic.exewmic.exedescription pid Process Token: SeIncreaseQuotaPrivilege 64 wmic.exe Token: SeSecurityPrivilege 64 wmic.exe Token: SeTakeOwnershipPrivilege 64 wmic.exe Token: SeLoadDriverPrivilege 64 wmic.exe Token: SeSystemProfilePrivilege 64 wmic.exe Token: SeSystemtimePrivilege 64 wmic.exe Token: SeProfSingleProcessPrivilege 64 wmic.exe Token: SeIncBasePriorityPrivilege 64 wmic.exe Token: SeCreatePagefilePrivilege 64 wmic.exe Token: SeBackupPrivilege 64 wmic.exe Token: SeRestorePrivilege 64 wmic.exe Token: SeShutdownPrivilege 64 wmic.exe Token: SeDebugPrivilege 64 wmic.exe Token: SeSystemEnvironmentPrivilege 64 wmic.exe Token: SeRemoteShutdownPrivilege 64 wmic.exe Token: SeUndockPrivilege 64 wmic.exe Token: SeManageVolumePrivilege 64 wmic.exe Token: 33 64 wmic.exe Token: 34 64 wmic.exe Token: 35 64 wmic.exe Token: 36 64 wmic.exe Token: SeIncreaseQuotaPrivilege 3308 wmic.exe Token: SeSecurityPrivilege 3308 wmic.exe Token: SeTakeOwnershipPrivilege 3308 wmic.exe Token: SeLoadDriverPrivilege 3308 wmic.exe Token: SeSystemProfilePrivilege 3308 wmic.exe Token: SeSystemtimePrivilege 3308 wmic.exe Token: SeProfSingleProcessPrivilege 3308 wmic.exe Token: SeIncBasePriorityPrivilege 3308 wmic.exe Token: SeCreatePagefilePrivilege 3308 wmic.exe Token: SeBackupPrivilege 3308 wmic.exe Token: SeRestorePrivilege 3308 wmic.exe Token: SeShutdownPrivilege 3308 wmic.exe Token: SeDebugPrivilege 3308 wmic.exe Token: SeSystemEnvironmentPrivilege 3308 wmic.exe Token: SeRemoteShutdownPrivilege 3308 wmic.exe Token: SeUndockPrivilege 3308 wmic.exe Token: SeManageVolumePrivilege 3308 wmic.exe Token: 33 3308 wmic.exe Token: 34 3308 wmic.exe Token: 35 3308 wmic.exe Token: 36 3308 wmic.exe Token: SeIncreaseQuotaPrivilege 3080 wmic.exe Token: SeSecurityPrivilege 3080 wmic.exe Token: SeTakeOwnershipPrivilege 3080 wmic.exe Token: SeLoadDriverPrivilege 3080 wmic.exe Token: SeSystemProfilePrivilege 3080 wmic.exe Token: SeSystemtimePrivilege 3080 wmic.exe Token: SeProfSingleProcessPrivilege 3080 wmic.exe Token: SeIncBasePriorityPrivilege 3080 wmic.exe Token: SeCreatePagefilePrivilege 3080 wmic.exe Token: SeBackupPrivilege 3080 wmic.exe Token: SeRestorePrivilege 3080 wmic.exe Token: SeShutdownPrivilege 3080 wmic.exe Token: SeDebugPrivilege 3080 wmic.exe Token: SeSystemEnvironmentPrivilege 3080 wmic.exe Token: SeRemoteShutdownPrivilege 3080 wmic.exe Token: SeUndockPrivilege 3080 wmic.exe Token: SeManageVolumePrivilege 3080 wmic.exe Token: 33 3080 wmic.exe Token: 34 3080 wmic.exe Token: 35 3080 wmic.exe Token: 36 3080 wmic.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
4ef811b784b985769645e03bc0b9cd24.exedescription pid Process procid_target PID 4744 wrote to memory of 64 4744 4ef811b784b985769645e03bc0b9cd24.exe 90 PID 4744 wrote to memory of 64 4744 4ef811b784b985769645e03bc0b9cd24.exe 90 PID 4744 wrote to memory of 64 4744 4ef811b784b985769645e03bc0b9cd24.exe 90 PID 4744 wrote to memory of 3308 4744 4ef811b784b985769645e03bc0b9cd24.exe 93 PID 4744 wrote to memory of 3308 4744 4ef811b784b985769645e03bc0b9cd24.exe 93 PID 4744 wrote to memory of 3308 4744 4ef811b784b985769645e03bc0b9cd24.exe 93 PID 4744 wrote to memory of 3080 4744 4ef811b784b985769645e03bc0b9cd24.exe 95 PID 4744 wrote to memory of 3080 4744 4ef811b784b985769645e03bc0b9cd24.exe 95 PID 4744 wrote to memory of 3080 4744 4ef811b784b985769645e03bc0b9cd24.exe 95 -
System policy modification 1 TTPs 3 IoCs
Processes:
4ef811b784b985769645e03bc0b9cd24.exedescription ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 4ef811b784b985769645e03bc0b9cd24.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 4ef811b784b985769645e03bc0b9cd24.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" 4ef811b784b985769645e03bc0b9cd24.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe"C:\Users\Admin\AppData\Local\Temp\4ef811b784b985769645e03bc0b9cd24.exe"1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4744 -
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:64
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3308
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3080
-
-
C:\Users\Admin\AppData\Roaming\svhost.exeC:\Users\Admin\AppData\Roaming\svhost.exe1⤵
- Executes dropped EXE
PID:412
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
669KB
MD54ef811b784b985769645e03bc0b9cd24
SHA12e04a37b215dd2a95694b1c18dbe1dd35be5aa9f
SHA2564f9a833e79092006c06203a66b41fc9250bcebcee148fea404db75d52035131c
SHA51234e9a5a015b04ae904b50a0b2e466788db16d7eb43769fec156cab830932032174b3a43a206016332f99eb16571225dc1a0a0042ce2bca67de1821bbc08c039c
-
Filesize
536B
MD5eaf665a7a450556a213fc92d2e3b4f3d
SHA1eb3497538df186d625992ac7ba3137eccec64895
SHA2566692462013a22690557d989c456d8908fc88dfdc3e90b986f39558f5d69599d1
SHA512a4046582df16288fbcf8a487a1f972bf9157fe895e3e3eb4dd89af3b054051a8778557320feef1645e746716d203543e898deae5235f4ab76f583f5ae2277f8b
-
Filesize
5KB
MD51d99835832ba292935e46c6fa8b24c81
SHA1a999cac3fd4e901ad17d638b5e0ba560b074a12c
SHA2567480a8a69e4a5d78d2ddd323508a60eb139e59125dbe2b63057cc261b542a880
SHA5121097b7dc7bb149c3288fbc18c39cc12cc7c19045d93764b08801e3843a993a4630785c2978123370e3cc72428d8f8024698c3abd1d01b8557943631798598b8b