Overview

overview

10

Static

static

10

951facf3f3...aa.exe

windows7-x64

10

951facf3f3...aa.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.sample

  • Size

    335KB

  • Sample

    240227-wdpd9sfd76

  • MD5

    971e7aa8b0f947b99c9efaeff6ec6829

  • SHA1

    8736231b49625d21d51e9def26234fd30ec94643

  • SHA256

    951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa

  • SHA512

    4c639ab003b32363bfb8a3d4d25db5bcab535f228267f9d50d80d4c18e8b304ce6266e486bb29f475b994356694dc84bbafc52e06bceeba768411026dd42f4cc

  • SSDEEP

    6144:Ss39QEhvsfBm9LA8CwumYTyBR/APygP9cnPRpjbeVPDGsIFvrMqu:z9dSSA8CwumYTyBJAPyglgq1f2rMqu

Score
10/10
medusalockerevasionpersistenceransomware

Malware Config

Extracted

Path

\Device\HarddiskVolume1\Boot\da-DK\HOW_TO_BACK_FILES.html

Ransom Note
<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">{{IDENTIFIER}}</span> <br> <!-- !!! dont changing this !!! --> </div> </div> <!-- --> <div class="tabs"> <!--tab--> <div class="tab"> <div id="tab-content1" class="content"> <div class="text"> <!--text data --> <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br> <!--text data --> <hr> <b>Contact us for price and get decryption software.</b><br><br> <a></a><br> <br><br> <br> <br> <br> <a><br> </a> <br> <hr> <b>If you can not use the above link, use the email:</b><br> <a href="crypt_group@outlook.com ">crypt_group@outlook.com </a> <br> <a href="uncrypthelp@yahoo.com ">uncrypthelp@yahoo.com </a> <br> <p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> </div> </div> </div> <!--tab--> <!--text data --> </div> </div> <!--tab--> </div> </div> </body> </html> {{URL}}
Emails

href="crypt_group@outlook.com

">crypt_group@outlook.com

href="uncrypthelp@yahoo.com

">uncrypthelp@yahoo.com

Targets

    • Target

      951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.sample

    • Size

      335KB

    • MD5

      971e7aa8b0f947b99c9efaeff6ec6829

    • SHA1

      8736231b49625d21d51e9def26234fd30ec94643

    • SHA256

      951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa

    • SHA512

      4c639ab003b32363bfb8a3d4d25db5bcab535f228267f9d50d80d4c18e8b304ce6266e486bb29f475b994356694dc84bbafc52e06bceeba768411026dd42f4cc

    • SSDEEP

      6144:Ss39QEhvsfBm9LA8CwumYTyBR/APygP9cnPRpjbeVPDGsIFvrMqu:z9dSSA8CwumYTyBJAPyglgq1f2rMqu

    Score
    10/10
    evasionpersistenceransomware

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Renames multiple (7546) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Deletes System State backups

      Uses wbadmin.exe to inhibit system recovery.

      ransomware

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Indicator Removal

3
T1070

File Deletion

3
T1070.004

Modify Registry

2
T1112

Credential Access

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

4
T1490

Resource Development

Reconnaissance

Tasks