medusalocker | ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106

General

Target

ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.sample
Size

333KB
Sample

240227-wjk9ssfh7w
MD5

e2132d123382278c9646ae2ebbe3b3a7
SHA1

f2b257bb84b29ba0c73faf854e39470ace9801a7
SHA256

ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106
SHA512

c703eb197ae7abcd3f1cd53d82f832de24e4263dfdc018bb573f895d1d507585d0944225d9ad510e8abbb757ffd8beba1d74084a3ffd2afd40dc2d550080991a
SSDEEP

6144:3kvY9W2QcboLKCwSuo0/WdjEXCNVDLNU3mxcK3PnXvBHkyEXq:3kw9XbCwSuo0/EEXCNJprX1kyEXq

Score

10^/10

Malware Config

Extracted

Path

C:\MSOCache\All Users\How_to_back_files.html

Ransom Note

<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; word-break: break-all; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">51uEjINpvTs22gSSlpljltHBo1qbd0mDW1/uO+hCOFeAOkjQD/EB5rhTZCY8CWz2La0UgYqFsz0D+4jPWvzmjIuzTruXAr93dUSq3mJts2J857yF3cANZtRy33Av7chK/btT1DtlCXoSgEjmMuR6uWcCr1DqaZh2Hz8uY/NobwIcAWDQGQQeQtAaAy4cYvO7DzFkUukjV75eXHYZ1mY5RCAMckNAajNiaNYeK7c3dI9z+U4G1lKlzvDpz5uPfPr3ZnMqnREzC14xkTOZlYWJbMiu6t1LtZ15jJ8FRWpmwbXwhzDFwuSrg+dkA/UMtLDRHNPkDAuc6c+or3lB3hPpXZjFtGdUDSjBWoXPv6F5ucrYSQqhHj8N7khtFAu1aZadXN4CaaDYFRjCVdAothGtvHU+ghvqsAnJq/PZ+QzPFzuTEEMImYxi+e21vsY0v0hXwsG/PAvgQkITn2CgMuRfT+eBrCk1X9jjwlLWtUGeVQt7zu0Ed7ceJLUIlSujCRct0day7Zes3nc1EAAX7HAeAdzb75SY0iIWuh+aWym4MiFN/CMTrmh8LQtGGTUPei8UNjyImWdLKXy0TnRnuq6UoYUce814M4SOL7ZR9JTx0eS0EqnHGuSg3Rl42iqGbBuUYs+cyPBHPLwNtPLlS7HxHfxFWogFgby+i4/YdXek7UILY1nnJae/6uzYdl43eeFLkfUc5x1EaUbFCXeErq+iom0r7Qm1uVPwpCiE0YYZ1xBjXdR64PE/z8f/qDH5UP18JQeycM8VRKfCGs+Hgwdy1Fd9AQyFns1eekfAlG9cOVUdMx5ZZc8MdxaemWRMvvOms6q20yoywY1OMYxnlcNth8cF6OAOR+4P3Pa/I+0gD4LxWM4retJctBvZYIQQWqFCgTeRPZwTlOPtItwth49SkBe6ODFROkGmJ/isTR/F+57JvEHWQWi/4qPCaP5iX0blvHT//0cl2pau/D3xvsgGtv5fkalIGSI0Z7WRO9sndvG3u+/qIjkBYjQm5asVXdeD+3vpiMnMWOwF0aoySvEQHNGoOW1O+8hU2+pZZw0S9gSCtpJq5hY95UQSQ5+a5JR4gBRbT95FD2m8pri+Lr/0WRkk+HG475Q+miFLnz89PZQgXked3FLYga/umcaFny3wgEi171XJZqZY2TlJYq609q7Mb+1w9GLYArlPNzJuI0fWsaBSkiYBk1JgbMK5TrwU6a8MNARC/hnAem8o6FrszyB/z18w/yV6+Hf/+yBr89bBRzr/JMFbomY5jXTvzJAGuP22gH21C8O+FX/ancLd/Yd5a4CgqBpf/vIgg7P/YvohnwZaEZRL5Szibe7koymml3MVYxLDTEY72UcFM/PVZvKGgx9sovJIFX5L60tOelyJ3bks2cRdhAK+z67ZZpy9rGPNCsWiOVdWoxyDGjXydRUQNCz40SFm6LUDoYCoBjD/3hy0GNDZTW/LUDCeVadbldQtrqK2LOpBivaNm8oNuF57FyvP3s1c/TmSf9pDDVKsBOKOlDKWq1zVAVayxO/fdY4+dv9pfpyky65RwFj5z/zfBYGpgniwKtYGzEzeC2+OKjEy0L8evgZWGnkze/+VEtUSySbVnmi9xWdP6RLOzzCxjAGoi6/IzmrLBIDLA3Jko5j0UkwE0oLiIW1OzmyVTzSxYsFGoIKB2g2VL5gvUrjUzPKsukxDh9S/fnPAtuQ=</span> <br>  </div> </div>  <div class="tabs">  <div class="tab"> <div id="tab-content1" class="content"> <div class="text">  <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br>  <hr> <b>Contact us for price and get decryption software.</b><br><br> <hr> <b>email:</b><br> <a href="ithelp01@securitymy.name ">ithelp01@securitymy.name </a> <br> <a href="ithelp01@yousheltered.com ">ithelp01@yousheltered.com </a> <br> <p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> <p>* Tor-chat to always be in touch: <a href<a href<b> </div> </div> </div>  <b> <b> <b> <span style="font-size: 22px">qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</span> </b><br><br> </b><br>  </div> </div>  </div> </div> </body> </html>

Emails

href="ithelp01@securitymy.name

">ithelp01@securitymy.name

href="ithelp01@yousheltered.com

">ithelp01@yousheltered.com

Extracted

Path

C:\Program Files\How_to_back_files.html

Ransom Note

<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; word-break: break-all; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">40wwbdHs2nVIDn/4/hli72FgH4qDEayn5QOdYAfSYmve+0Tg2Kp5czQMOXDD7DW/0VT3F6RmRzv/PFiOvXKGbO6hY7DVr5ZYKFFO1XIsnYVrv41YRV3BVrejCGDkQdJ5KnjRBKsr2P10n/OxWUnuqb6TDTHTGdnQEZAbGeao29AMaRn6mXdqSiQ2KNCtyjVsUXy8XUt85UvJbEal8D3IPRDlcGVx/XIR/Wr7wRLssaU+zYRBamCwgkiDKA8miKv6e4o8XG6NBuHsM6YWzfnPcv0OIEWAIZ6WGjzmR9kbCWCtG28in79FzCQcK5YRaRvv6wuNkcWwdBRecWAWOsD8i3nm6wvKhSYlHQfH4TGuClboxEX7p60Q5MWPiYAHQEuz++dHcrG4YMapH3J44W1UZ6Qk2Rz/OoGSnQcdbI3gjLvGD/w/ZzEasZKPawVSgFrRxmQCPUfEdBanlDUpcW9PmmOsqCksIwZowgUKnVUrPX1+Tf4NCSYunfvjdBbU9Qa+ed2lEHUvKyTpdHt03M66POBxUj9o5AO7CJRDqv3pDSQIWs2QKPujbi2XGBq5HA0LpG7YIFL1WqzqqAPOx5plmY8t4FdSb92P24bgoak2nQ1N38suRKoIqR1KYicWLjCKdODS3VBpcrl+pvFHTgjcQxi8rP+U4joGW4sOxQYxEDuSsIwa8uXUdwtxkstQ7XeatDWanPZZAy/ZctTqEODohBTiN/AKVLi8l4QbUaLQ0zrZPbD7zEnMcEir0RgyHZpqWMit8ejVSzmGmc0ouNSgB0k1md8mkK2j/FBijVeGk0N4dIoN60oBK54TJ1ANIzIMLMRzqWxS3hSXPRMO3v8x34n3kJ1nIct2KLEoLg9FRJFVAlpIiuEms2brLoSrSQwND2e9eez03z+s8ZhtejugFKV1B2+uHcu7MAT+gBfgCtwUfmV08r9i8MsPNz3YVVLkiUs0uFWFhauvpob4yl+AsDcYn5hZOnVN4/LIEHj7HzzdjESpuT+mDsOMTJCosu/nNJfoYdCKloU7Xh8jmt2wc5yXGbuuDsg1DKD0+C/gw02TRrxeGdMLK1pt7wGZacJocyx+SphVdLrvP+HRHyanFcfv75HXtVlJGxvPyOw3zgt6zepD7sbxK3etiBFlParP3az1eHY+xvigWnGBumpvrc49rh+TtOFjypI/WUWzOk8vRhlQ1oLvm3cFkXUS+qPVivNSUCMD+3L9YCKYTzJZUGvhL6GrRfwxgNQEo1Vt1tZOvJnmsV/0aewyuTBO1MpsF+kLE/AKDNiOnZQ9pxIQXX7nrwcNu2RBaFqIsr3boY+kereKanKQaZ5nZyFBWjgGzMraz3Dd3jOBDCBsI1u7ru2nTJ4meqsa56qaraCO2eVhptItjLcgRavibM+jWlvpeBym5gEyWtsG2lHIhGQdtF+IKtQpYG4mopAY4hp9YW8FlNp/Gp3QWOlq7lAGSJzWBIvJzwLcmzdkoVWkWRDf7oqAKp+UnZr+kLS2R/MNVbgoHBYn8gj+2xaMCNTi9/2TKDOwcmvsLDrQ+xCS04ms3CdJS84CKPmtOfLrpEFybNs6r6YIFIgveSqVnJc+Pviz/eeZHrfS2uK1rx7/qm9PmxMdOWWhTdH5wwentOZjdvIvOQ/b+gv6JzvUpFMQAS7MtfziswHIy2DIZ8PzA/GS3b6HX+R5aX067jpOwpYiWVk=</span> <br>  </div> </div>  <div class="tabs">  <div class="tab"> <div id="tab-content1" class="content"> <div class="text">  <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br>  <hr> <b>Contact us for price and get decryption software.</b><br><br> <hr> <b>email:</b><br> <a href="ithelp01@securitymy.name ">ithelp01@securitymy.name </a> <br> <a href="ithelp01@yousheltered.com ">ithelp01@yousheltered.com </a> <br> <p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> <p>* Tor-chat to always be in touch: <a href<a href<b> </div> </div> </div>  <b> <b> <b> <span style="font-size: 22px">qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</span> </b><br><br> </b><br>  </div> </div>  </div> </div> </body> </html>

Emails

href="ithelp01@securitymy.name

">ithelp01@securitymy.name

href="ithelp01@yousheltered.com

">ithelp01@yousheltered.com

Targets

- Target
  
  ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.sample
- Size
  
  333KB
- MD5
  
  e2132d123382278c9646ae2ebbe3b3a7
- SHA1
  
  f2b257bb84b29ba0c73faf854e39470ace9801a7
- SHA256
  
  ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106
- SHA512
  
  c703eb197ae7abcd3f1cd53d82f832de24e4263dfdc018bb573f895d1d507585d0944225d9ad510e8abbb757ffd8beba1d74084a3ffd2afd40dc2d550080991a
- SSDEEP
  
  6144:3kvY9W2QcboLKCwSuo0/WdjEXCNVDLNU3mxcK3PnXvBHkyEXq:3kw9XbCwSuo0/EEXCNJprX1kyEXq
Score

10^/10

evasion persistence ransomware
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Renames multiple (3887) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Deletes System State backups
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Modifies Installed Components in the registry
  persistence
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral1 behavioral2