medusalocker | 220201-tb2kpshagn

Sharing

Copy URL

Twitter E-mail

General

Target

220201-tb2kpshagn
Size

2.6MB
MD5

aa3684dd93b13628b626723bfe313dbc
SHA1

d2a08733f52ba0187dd43a45b7ea6953f69522bd
SHA256

02f250a3df59dec575f26679ebd25de7c1d5b4d9d08016685f87a3628a393f92
SHA512

22ffb71722f5afd6925d37628585dc182e3f2cfd6f472a522e8a418dcf7adf76c16aed6313c9a477e2cfa3b646bf450f2cffee8d37a51a63c926c5ef18450ac0
SSDEEP

24576:3z6+t2x6zy+jerMRSFJZLIMMXXKIdwjP3rWFhtCMzGkx8W9GTjneJN9U:3pMx6jKF7eXKYwj/e0kxTGT6JN2

Score

10^/10

medusalocker

Malware Config

Signatures

Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) 1 IoCs

Processes:

resource	yara_rule
sample	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM

Detects command variations typically used by ransomware 1 IoCs

Processes:

resource	yara_rule
sample	INDICATOR_SUSPICIOUS_GENRansomware

MedusaLocker payload 1 IoCs

Processes:

resource yara_rule

sample family_medusalocker
Medusalocker family
medusalocker
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.

Processes:

resource

220201-tb2kpshagn

resource	yara_rule
sample	family_medusalocker

resource
220201-tb2kpshagn

Files

220201-tb2kpshagn
.exe windows:6 windows x86 arch:x86

26e486a4fc4681c86953736558353af3

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

C:\Users\Gh0St\Desktop\MedusaLockerInfo\MedusaLockerProject\MedusaLocker\Debug\MedusaLocker.pdb

Imports

kernel32

CreateToolhelp32Snapshot
Process32FirstW
Process32NextW
CopyFileW
GetCurrentProcess
ReadConsoleW
GetTickCount
OpenProcess
CreateProcessW
TerminateProcess
WaitForSingleObject
FindFirstFileW
FindClose
SetVolumeMountPointW
GetVolumePathNamesForVolumeNameW
QueryDosDeviceW
FindVolumeClose
FindNextVolumeW
FindFirstVolumeW
GetDiskFreeSpaceW
GetEnvironmentVariableW
GetLogicalDrives
MoveFileExW
GetProcessHeap
HeapFree
HeapAlloc
GetLastError
CloseHandle
WriteFile
SetFilePointerEx
SetStdHandle
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetOEMCP
GetACP
IsValidCodePage
GetTimeZoneInformation
GetConsoleMode
GetConsoleCP
FlushFileBuffers
EnumSystemLocalesW
GetUserDefaultLCID
IsValidLocale
GetTimeFormatW
GetDateFormatW
SetConsoleCtrlHandler
WriteConsoleW
GetFileType
ReadFile
GetFileSizeEx
HeapQueryInformation
HeapSize
HeapReAlloc
GetCommandLineW
GetCommandLineA
CreateFileW
GetModuleFileNameW
Sleep
OpenMutexW
CreateMutexW
GetStdHandle
ResumeThread
ExitThread
DeleteFileW
RemoveDirectoryW
GetCurrentDirectoryW
SetCurrentDirectoryW
SetEnvironmentVariableW
EncodePointer
DecodePointer
RaiseException
FormatMessageW
WideCharToMultiByte
MultiByteToWideChar
GetStringTypeW
QueryPerformanceCounter
QueryPerformanceFrequency
EnterCriticalSection
LeaveCriticalSection
TryEnterCriticalSection
DeleteCriticalSection
GetCurrentThreadId
QueueUserWorkItem
GetModuleHandleExW
RtlCaptureStackBackTrace
IsProcessorFeaturePresent
CreateDirectoryW
FindFirstFileExW
FindNextFileW
GetDiskFreeSpaceExW
GetFileAttributesExW
GetFileInformationByHandle
SetEndOfFile
SetFileAttributesW
SetFileTime
GetTempPathW
AreFileApisANSI
CreateHardLinkW
SetLastError
InitializeCriticalSectionAndSpinCount
CreateEventW
SwitchToThread
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetSystemTimeAsFileTime
GetModuleHandleW
GetProcAddress
WaitForSingleObjectEx
GetExitCodeThread
GetNativeSystemInfo
CompareStringW
LCMapStringW
GetLocaleInfoW
GetCPInfo
SetEvent
ResetEvent
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
GetStartupInfoW
GetCurrentProcessId
InitializeSListHead
VirtualQuery
FreeLibrary
LocalFree
CreateTimerQueue
SignalObjectAndWait
CreateThread
SetThreadPriority
GetThreadPriority
GetLogicalProcessorInformation
CreateTimerQueueTimer
ChangeTimerQueueTimer
DeleteTimerQueueTimer
GetNumaHighestNodeNumber
GetProcessAffinityMask
SetThreadAffinityMask
RegisterWaitForSingleObject
UnregisterWait
OutputDebugStringW
GetCurrentThread
GetThreadTimes
FreeLibraryAndExitThread
GetModuleHandleA
LoadLibraryExW
GetVersionExW
VirtualAlloc
VirtualProtect
VirtualFree
SetProcessAffinityMask
DuplicateHandle
ReleaseSemaphore
InterlockedPopEntrySList
InterlockedPushEntrySList
InterlockedFlushSList
QueryDepthSList
UnregisterWaitEx
WaitForMultipleObjectsEx
LoadLibraryW
RtlUnwind
HeapValidate
GetSystemInfo
ExitProcess
GetDriveTypeW
GetFullPathNameW

advapi32

CryptDestroyKey
RegCreateKeyW
RegDeleteValueW
RegOpenKeyExW
RegSetValueExW
CryptAcquireContextW
CryptReleaseContext
CryptGenKey
GetTokenInformation
OpenProcessToken
StartServiceW
QueryServiceStatusEx
OpenServiceW
OpenSCManagerW
EnumDependentServicesW
DeleteService
ControlService
CloseServiceHandle
CryptDuplicateKey
CryptEncrypt
CryptImportKey
CryptExportKey
RegCloseKey

shell32

SHEmptyRecycleBinW

ole32

CoInitialize
IIDFromString
CoCreateInstance
CoGetObject
CLSIDFromString
CoUninitialize
CoInitializeEx
CoInitializeSecurity

oleaut32

SysStringByteLen
SetErrorInfo
SysAllocString
VariantChangeType
GetErrorInfo
CreateErrorInfo
SysFreeString
SysAllocStringByteLen
VariantClear
VariantInit

crypt32

CryptStringToBinaryA

mpr

WNetGetConnectionW

netapi32

NetApiBufferFree
NetShareEnum

iphlpapi

GetAdaptersInfo
IcmpCreateFile
IcmpCloseHandle
IcmpSendEcho

ws2_32

inet_addr

rstrtmgr

RmGetList
RmStartSession
RmRegisterResources
RmEndSession
RmShutdown

Sections

.textbss
Size: - Virtual size: 949KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.text
Size: 2.0MB - Virtual size: 2.0MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 505KB - Virtual size: 504KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 20KB - Virtual size: 28KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.msvcjmc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 1024B - Virtual size: 777B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.00cfg
Size: 512B - Virtual size: 260B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 79KB - Virtual size: 79KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

26e486a4fc4681c86953736558353af3

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

kernel32

advapi32

shell32

ole32

oleaut32

crypt32

mpr

netapi32

iphlpapi

ws2_32

rstrtmgr

Sections

.textbss Size: - Virtual size: 949KB

.text Size: 2.0MB - Virtual size: 2.0MB

.rdata Size: 505KB - Virtual size: 504KB

.data Size: 20KB - Virtual size: 28KB

.idata Size: 8KB - Virtual size: 8KB

.msvcjmc Size: 1KB - Virtual size: 1KB

.tls Size: 1024B - Virtual size: 777B

.00cfg Size: 512B - Virtual size: 260B

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 79KB - Virtual size: 79KB

.textbss
Size: - Virtual size: 949KB

.text
Size: 2.0MB - Virtual size: 2.0MB

.rdata
Size: 505KB - Virtual size: 504KB

.data
Size: 20KB - Virtual size: 28KB

.idata
Size: 8KB - Virtual size: 8KB

.msvcjmc
Size: 1KB - Virtual size: 1KB

.tls
Size: 1024B - Virtual size: 777B

.00cfg
Size: 512B - Virtual size: 260B

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 79KB - Virtual size: 79KB