Overview

overview

10

Static

static

10

c1d4014e65...60.exe

windows7-x64

10

c1d4014e65...60.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.sample

  • Size

    335KB

  • Sample

    240227-wg8mbafe79

  • MD5

    7b38d3f8dd025a9f713f44db5968ab17

  • SHA1

    594dfc74d743412d598ae1b87922c96aacce582b

  • SHA256

    c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60

  • SHA512

    067abd3eb8fc4c85f53003e0e898b85d9b4eebadeb26caef299e4110d3bce19247b73a4f955e142a09961ff4c87c41b1596a3755d1e226d91ff651cdb5ea0c6c

  • SSDEEP

    6144:/H39QEhvsfBm9LA8CwumYTyBR/APygP9cnPRpjbeVPDGsIFbrMqu:v9dSSA8CwumYTyBJAPyglgq1farMqu

Score
10/10
medusalockerevasionpersistenceransomware

Malware Config

Extracted

Path

C:\MSOCache\All Users\How_to_back_files.html

Ransom Note
<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; word-break: break-all; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">Oc/T5sDyMDfy6PxVglFHPc7G8RRZZ/1X+q3PffSfB748nZChTHkn12LqiYlInnwnKvUq4Nizi14vHoewDA1LF6lLWjgQqPQIu15K6zM29uadg/i+U4QFfA2wfcEphoh92OvN33sztzvShapa9QBWDIIKB1kJ5rG9x51Lt4ZGUt8VkAFhOi+fghmwgeoqu/PamPO44dPbN8HxUHOA96inDyQQwZ16ZAbEx4xZ7DVQNjSRetd3xHfHcqObszdFPFkmXF8HuetiCJVbLkW4t4h6ynrR1wTtnmHby/ipXjdJDRnA7FuwTcol05tFEdg47nLpU3+bHGr9daUUDzpulXkNkFg/NBqbaKJuzD1FxUBy9w9ENYHmhas8gr3RGiD2k+DcT/FAJ4QGKZC/WQ9uwwTYjB0LHEBmNiB/MFAV+QHnmnNeNt3khuQL0Lye1ktC4KFzH1OUytz6V7+sCjfltabtW7fhMEltmeqpHhu/ls2nqQuD8dchin6hquKECaYFFWBA/0tdG+5wbrkqwBP7FqlGhS01Uxo+AQ2nHlhb0KY1THRRf4izQjENe9grFmS4kI9iMkQdRv2/oWrxfxy86WH3BV90kw0PhCbXvwwZAUUzcgavlQDm3nWni8VSHxj7dYo1XmU/imQd3rwESciPSaKMfLm+iLHYcNEi1YOKXbChhu4RhPXYCQO883TXetBaTi9wR+oI8435BWRNZiDSGcXw6ZNTJchUhYLYxZUE9RpcMXBJd0Nb1V3uFaNyw+fEdvkVZkCn4lJWU1GUCTNTICDSQAaNLsiKytNko7rpxP4i5AXPaaWBc4CYvb0qM8Okj9Cyq9T7CMfegh7RMIFgaZlanHOWYKtdoMxcW5b0k5Hmsp802DIooMkwbTOIOLHTSRIKuLJy4xGKKTbJ3BxbFboonRkV7VoqMyYrV1s4R89+hFlaR3t7CADV+ASjSi76a/G8MPc4B1CZSRxPquXf5++m224g0DhP6NDvrdrcstKTndPrR9KoNrrOF7dNAm/JKhLH5Wbjn+pGDZS76rAaxSyB+GcfR+E9jpFIrLn7zXkYFIjtW7FBDumZCvkCj+Klf3AoGeDuaAUJgRBu8zbrD7P4CW2ohgL6Sr3dxXmmffQol3/Hp/l32dUTAMd4P7wAch6HrehW3+0yZzjiXcY3A1E10ML7eguQTJqNPa4WTQAuQwLuXnkMmdZZ9v6J9obU9tcIoZ9H6Bk1n9qvTTvEDCyy7eGQDypHS2SM3kTbbPsBJJ2FItkASeN4Dz4JCY32ExZzuVQ1vzwJQp1geO3z/TnmCjweSBgVB5lrPM9PQ0uTit0BWUb2xZVbrUhJLkjmTVq2Cdsj3s0AoPjYV9evFc5z7WYXej4g8Q4QAIeWHDJtb5tbnRAwB+xrT3GSZbOmGBGXw5zq28LBxK3BQDe7cOKomwZlmGLYsRM4rxG/O3NCLpkpXnzK0izt6T3J4/lBvBU7c+0P3eMu14DYGQe0DIZvDMvoPOXTnO9sCb4O5JQltE7rOWPOw5LRFettreTHMZvV3xfQWpxSZfCRkbocji900zY2vlu/nD2oLdldX9aRHE8BRWBT9yB38AqT0hUmuJbuJpQbdsS9qPVo16mlc8Jswz1VM1Ll0kqk5UhKbBZdKQKtEPNrBm4LUnGo+IZCida+wZqcOk6fFrA0zXpEGnz9J9fvFJwuZwJNdcqSYUUpNGI=</span> <br> <!-- !!! dont changing this !!! --> </div> </div> <!-- --> <div class="tabs"> <!--tab--> <div class="tab"> <div id="tab-content1" class="content"> <div class="text"> <!--text data --> <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br> <!--text data --> <hr> <b>Contact us for price and get decryption software.</b><br><br> <hr> <b>email:</b><br> <a href="[email protected] ">[email protected] </a> <br> <a href="[email protected] ">[email protected] </a> <br> <p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> <p>* Tor-chat to always be in touch: <a href<a href<b> </div> </div> </div> <!--tab--> <b> <b> <b> <span style="font-size: 22px">qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</span> </b><br><br> </b><br> <!--text data --> </div> </div> <!--tab--> </div> </div> </body> </html>

Extracted

Path

C:\Program Files\How_to_back_files.html

Ransom Note
<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; word-break: break-all; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">j3aSD+lFptXs0KIzAduRdMx72GE8V4K4BqtxiVs3Ydbq/dIMJOM0AZwJUFnR2uPRGK6DA+Q56FGJ81t2LKKdbJcdgYiL6Bv2WoQ3Z/RKMMexIIn9pgCCz1worh+7i8gnz0Exsn3YT0zOFjy0MYSGJHtAdBVDpRHHxp6M3/SUDkrpuvNWHDUWUyp5iRSkT55NvHXNviwZzdeIOeV7jv+xa/W9/bNHGSRmG/ZmB6sKt7iEPM5iSuG75J3AP5jcDb8ItjU3mNhRVtRsTyH+rzcZiP1uE+3JAgU9vjaHrkQMUjrOfVU7odeSQcd9sRZ8YzTUznERpt8goASpvuPj3WSEj5zotprucBXzKq10jXttaEo0GrKdBA1HjBt6kS6QvYLwyz+8n7AhVGXtA5g+XZ1M3/8AyBXDrwRqExtlaDRW/W9D6HkQc10pbFUi3+G+RrQwOilAmhi09wcL0TOLZKCA5HtuXI8RpyS6RtyjP7u4di7/ZZX4YcIMzISwghHOVZJBzHTlbSgKLhb2BeXq6syuPPkZPOklvazyLFLJPbU90+S72I/W4qj17gd2URhZAihiM+52vTGOzIyN9NbO7sTymULoDI0jTF5s2I58evbc7itky5eroP8tgdohEIc8BdLsU1Q2/46smbioLW0f5cjRiJ8wfTt+YdamnjudM02sbi5+8G8GFvvN/BKP2hZukMvtvV+JWeS39XK53uE18w6tGTsbd1buM/CXQXcuZcBgMVGW5ngZkUh3UGnep9uO1lLnFOLhDlgl0J9NtGk9nH8JbCuVzthDdQjANEvCziBZ5SU4b9UprzCfpfw+e1RnF5n0OQMxH/K92H2raVH2ncS3dNp5ClFjgFktSUfKNBYMTzS9+dHkTk1hXGvgwztL623LovfTmkAqhHFmqOxnpjZYkbVksz3xDFXLfBgRXuRQwO0VPRtI4Xbyz+Sc+EATuJSoko1StrO9JkZwXxcUWnsvtiQG7fyQDXPigoRc05cMtBM8yvQLtDFIntI6sgyiUt2TwqOo3p2FXgEQaDB4lxl3j4YZeThaZJEb2X84COBo/bqTc7JFWIJuliz3QbLBjxjPGmdUBwxhyqNTjLnl8AaYVrpygCsq6m/GGR7c05hFZoRUo8t29JGjb96rmxm1KRM928Bt3h5PjyBHUp+lpQLOzqKJTgbutt5vnpjDE/Q2PczrkUIvqyKz6iw8U+3rL36SDAvYTSbFCZ/27oGonnwL4xNa49goEAOGCQruurBFQjJ9fNSimpQeBanxiPcN4kEC+iggJH+Znx8cKehM2MwRMWLb5cq/NzizIhXWlhbpwWY5+p1opvq9JnYR7t/MrdatqFXyjGl3w2YsX5vP7R9gfWhZf1RFJCDJFqNDfJKfhoMka+xzTIshFgSQ72cLS5oR5HjXjBXuVuU7JIg1/qLe3SW2R6Qd8THWfR/hksr6lebISsJ3G8I8NBXbPjBWJp6FgZb6kwEOMmqNs3RE3SY2aImqXU0hYUM5vMe4JsopXCbEey0PHoTWkcpTIMed5/L/drrI4+A0AV3oCD/mIVMJAToPagZ0coYgAXoauqmA4xam2tQdNR9WyLtoyYKHC9ZVZyDJLnI3V2IjNqkRTHkoAL3kUQBXmyyleGzPgBaT/8UzkN8FELRYXCx0TTdCqobiL9d2z7DUT49olgSDN3C3cnCQjQGAXkweh+BI/8gQdDs=</span> <br> <!-- !!! dont changing this !!! --> </div> </div> <!-- --> <div class="tabs"> <!--tab--> <div class="tab"> <div id="tab-content1" class="content"> <div class="text"> <!--text data --> <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br> <!--text data --> <hr> <b>Contact us for price and get decryption software.</b><br><br> <hr> <b>email:</b><br> <a href="[email protected] ">[email protected] </a> <br> <a href="[email protected] ">[email protected] </a> <br> <p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> <p>* Tor-chat to always be in touch: <a href<a href<b> </div> </div> </div> <!--tab--> <b> <b> <b> <span style="font-size: 22px">qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</span> </b><br><br> </b><br> <!--text data --> </div> </div> <!--tab--> </div> </div> </body> </html>

Targets

    • Target

      c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.sample

    • Size

      335KB

    • MD5

      7b38d3f8dd025a9f713f44db5968ab17

    • SHA1

      594dfc74d743412d598ae1b87922c96aacce582b

    • SHA256

      c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60

    • SHA512

      067abd3eb8fc4c85f53003e0e898b85d9b4eebadeb26caef299e4110d3bce19247b73a4f955e142a09961ff4c87c41b1596a3755d1e226d91ff651cdb5ea0c6c

    • SSDEEP

      6144:/H39QEhvsfBm9LA8CwumYTyBR/APygP9cnPRpjbeVPDGsIFbrMqu:v9dSSA8CwumYTyBJAPyglgq1farMqu

    Score
    10/10
    evasionpersistenceransomware

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Renames multiple (7586) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Deletes System State backups

      Uses wbadmin.exe to inhibit system recovery.

      ransomware

    • Modifies Installed Components in the registry

      persistence

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks