Overview

overview

10

Static

static

10

d39cbfca5b...da.exe

windows7-x64

10

d39cbfca5b...da.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    126s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    18-03-2024 13:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d39cbfca5b4af90e9557d6349d2a68da.exe

  • Size

    669KB

  • MD5

    d39cbfca5b4af90e9557d6349d2a68da

  • SHA1

    9322449f3647b82c920e30bbf95f8ce25f875c7a

  • SHA256

    212e7f5ed4a581b4d778dfef226738c6db56b4b4006526259392d03062587887

  • SHA512

    0aea822b94e81d1849d1e9713e019784a474885bfbfa6e88c066098cf2cf145706c33a5fcd00a616530a3414492747bdf68ea953433dfa7780bf0edf6b3f9ee7

  • SSDEEP

    12288:dQA0FfTcwpBuV2UxqDmuiLZeUaoFi2XZWfGe615HhAZV8DrKD/KeX:Tuf4wTuV2Ux3uIZeUBi2Te6HWGKrKe

Score
10/10
medusalockerevasionransomwarespywarestealertrojan

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\HOW_TO_RECOVER_DATA.html

Ransom Note
<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">E50BE3FC73F605C711BEB1F1DCC15607FFC3F1506B9565DF006090D2407359BFEA5E34BF4F872CF872CFCD411FB55B0D7ED6FEA4C278DDDB64B148BCAA46A7C9<br>32128DA5B35BB99349DB6160EAA7CC80D2A441CACFED71C3D93955D0714E0D34606813770FC499EA3D6C9A6CC566CA74BF4D6E3C504AB635D2E6B1B1DA4C<br>CA1D69A766CCA01CEA73C0A4FBA6CBC10042E750577CB67C7F90D09D18D56794DEA550C2D9D905086EBDA807E289241AEEA3BED81D4044919D03277EE340<br>EBAB3D3B5A9EB552960B23D152C202A482D5F154BAE60DA1A1CAE5714B4D5EBF83022BA0BE2C1C76EDA0445F2CFEA2BBB59DF1C7143BC6A9C260B7D06446<br>4825F6E63459814587911F2FB4A144992F459DE4FA9327C4C5BF157DDBC488FC744AC74AF514BC5F864BF24ED7A3C4A9ACDCBFA3B31ABA93FC40F11827AC<br>9BB538867E8C722EEC27CB31C251CA0CE6B5B44CED609C0E9A0241755A1B2ABDCAB83003BF1ACC5B770927CDA9C232E13BAE3EA834B6B34E7CAF11C7F8D3<br>DEAE6C2EF7999CD4D3F62D10EF11B71DEEDC04EEF770339B96405978E12B92324C5A9239C2DA241D3054B6FC2593646031739DD4DF305AA1FFDCBF1A9A1C<br>4D9B9A48B14A7320A1004B1E1B7CA5D436E585B1002C551BD8D82BB846C102E4BA4A3FAAD0806AC4EF7A45B7D009220807060205D7B322137151C61943C2<br>AD3DB8B45F4C83E89C147CD9966A</span> <br> <!-- !!! dont changing this !!! --> </div> </div> <!-- --> <div class="tabs"> <!--tab--> <div class="tab"> <div id="tab-content1" class="content"> <div class="text"> <!--text data --> <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br> <!--text data --> <hr> <b>Contact us for price and get decryption software.</b><br><br> <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</a><br> * Note that this server is available via Tor browser only<br><br> Follow the instructions to open the link:<br> 1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br> 2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br> 3. Now you have Tor browser. In the Tor Browser open <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</a><br> 4. Start a chat and follow the further instructions. <br><br> <hr> <b>If you can not use the above link, use the email:</b><br> <a href="mailto:ithelp@decorous.cyou ">ithelp@decorous.cyou m </a> <br><a href="mailto:ithelp@wholeness.business">ithelp@wholeness.business</a> <br> <b>* To contact us, create a new free email account on the site:</b> <a href="https://protonmail.com">protonmail.com<br> <hr> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> </div> </div> </div> <!--tab--> <!--text data --> </div> </div> <!--tab--> </div> </div> </body> </html>
Emails

href="mailto:ithelp@decorous.cyou

">ithelp@decorous.cyou

href="mailto:ithelp@wholeness.business">ithelp@wholeness.business</a>

Signatures

  • MedusaLocker

    Ransomware with several variants first seen in September 2019.

    ransomwaremedusalocker
  • MedusaLocker payload 1 IoCs
  • UAC bypass 3 TTPs 2 IoCs
    evasiontrojan
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Renames multiple (213) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 3 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 63 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • System policy modification 1 TTPs 3 IoCs
    evasion
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\d39cbfca5b4af90e9557d6349d2a68da.exe
    "C:\Users\Admin\AppData\Local\Temp\d39cbfca5b4af90e9557d6349d2a68da.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3044
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:3000
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2552
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:2668
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2868
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:2496
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2484
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1940
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {179CCC37-5B2D-4B68-B118-0D0891BC1F50} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2524
    • C:\Users\Admin\AppData\Roaming\svhost.exe
      C:\Users\Admin\AppData\Roaming\svhost.exe
      2⤵
      • Executes dropped EXE
      PID:1836

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

1
T1562

Disable or Modify Tools

1
T1562.001

Modify Registry

2
T1112

Indicator Removal

2
T1070

File Deletion

2
T1070.004

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

System Information Discovery

3
T1082

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2
T1490

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\HOW_TO_RECOVER_DATA.html
    Filesize

    4KB

    MD5

    d1341cd1b8f8ec9196bb2d2c9d4ba113

    SHA1

    aaef4ec7e7b649a9d40799114362839dc887bd3c

    SHA256

    413af1a6042f99c8a9b7a65d6c95b290a5de8b177a675eadd73b9986866aaa99

    SHA512

    7840c0e5d354bf990dbc3077569d4d12e112fddf31a5c52e5372303a6c106c8e1fa39287e4fe08fa8d7873070329ce63d7423afeac0b552a4ced7721ae6d155e

    Download Submit
  • C:\Users\Admin\AppData\Roaming\svhost.exe
    Filesize

    669KB

    MD5

    d39cbfca5b4af90e9557d6349d2a68da

    SHA1

    9322449f3647b82c920e30bbf95f8ce25f875c7a

    SHA256

    212e7f5ed4a581b4d778dfef226738c6db56b4b4006526259392d03062587887

    SHA512

    0aea822b94e81d1849d1e9713e019784a474885bfbfa6e88c066098cf2cf145706c33a5fcd00a616530a3414492747bdf68ea953433dfa7780bf0edf6b3f9ee7

    Download Submit
  • C:\Users\Default\NTUSER.DAT.LOG2
    Filesize

    536B

    MD5

    b4cc0af3f40fc56e1fb1cbeb9390df35

    SHA1

    27f5505831ed9008d465a8682dbfdb2a9ca216c2

    SHA256

    f9491e7dbdabb9bf2a1c5c9e18ba78df07b9f7cd36263c02e0018924d1a4e03f

    SHA512

    b1e53c8b7b6e6c5f872384396bf84b27f6b5c931daac505657f3a0f8950d1d6d34292bf4cef1ccb4948bb76e229f9394b7bdc11fa73629bce6daa1556364fa11

    Download Submit