General

  • Target

    cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.sample

  • Size

    335KB

  • Sample

    240227-wjsnwaff26

  • MD5

    794f3eb31688ca56a4f7ca6f4691d3e3

  • SHA1

    6f6e458805f8da94f820f2aff6a201b70482273d

  • SHA256

    cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30

  • SHA512

    cd7e6feda73af8d569466b9ea5ed46c4784c404afcaec6b1582d1fa8a1c00b18aea8b7851f298e1eb740e328dbd5d5ad932c13036699b05e5807ad85641e0dff

  • SSDEEP

    6144:5Y9zfajnC6iGm15k66Clhdq8yZXlkV68pr2g1PJbmVhMqu:m9WHm15k66ClHq8yZVypIMqu

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\How_to_back_files.html

Ransom Note
<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; word-break: break-all; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">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</span> <br> <!-- !!! dont changing this !!! --> </div> </div> <!-- --> <div class="tabs"> <!--tab--> <div class="tab"> <div id="tab-content1" class="content"> <div class="text"> <!--text data --> <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. 
This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br> <!--text data --> <hr> <b>Contact us for price and get decryption software.</b><br><br> <hr> <b>email:</b><br> <a href="ithelp11@securitymy.name ">ithelp11@securitymy.name </a> <br> <a href="ithelp11@yousheltered.com ">ithelp11@yousheltered.com </a> <br> <p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> </div> </div> </div> <!--tab--> <!--text data --> </div> </div> <!--tab--> </div> </div> </body> </html>
Emails

  • ithelp11@securitymy.name

  • ithelp11@yousheltered.com

Extracted

Path

\Device\HarddiskVolume1\Boot\bg-BG\How_to_back_files.html


Targets

    • Target

      cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.sample

    • Size

      335KB

    • MD5

      794f3eb31688ca56a4f7ca6f4691d3e3

    • SHA1

      6f6e458805f8da94f820f2aff6a201b70482273d

    • SHA256

      cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30

    • SHA512

      cd7e6feda73af8d569466b9ea5ed46c4784c404afcaec6b1582d1fa8a1c00b18aea8b7851f298e1eb740e328dbd5d5ad932c13036699b05e5807ad85641e0dff

    • SSDEEP

      6144:5Y9zfajnC6iGm15k66Clhdq8yZXlkV68pr2g1PJbmVhMqu:m9WHm15k66ClHq8yZVypIMqu

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Renames multiple (7575) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Deletes System State backups

      Uses wbadmin.exe to inhibit system recovery.

    • Modifies Installed Components in the registry

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Matrix (ATT&CK v13)

Tactic               | Technique                          | ID        | Count
---------------------|------------------------------------|-----------|------
Execution            | Command and Scripting Interpreter  | T1059     | 1
Persistence          | Boot or Logon Autostart Execution  | T1547     | 2
Persistence          | Registry Run Keys / Startup Folder | T1547.001 | 2
Privilege Escalation | Boot or Logon Autostart Execution  | T1547     | 2
Privilege Escalation | Registry Run Keys / Startup Folder | T1547.001 | 2
Defense Evasion      | Indicator Removal                  | T1070     | 3
Defense Evasion      | File Deletion                      | T1070.004 | 3
Defense Evasion      | Modify Registry                    | T1112     | 3
Discovery            | Query Registry                     | T1012     | 1
Discovery            | Peripheral Device Discovery        | T1120     | 1
Discovery            | System Information Discovery       | T1082     | 2
Impact               | Inhibit System Recovery            | T1490     | 4
