General
-
Target
medusa.exe
-
Size
669KB
-
Sample
240411-xl1ypsdc9v
-
MD5
646698572afbbf24f50ec5681feb2db7
-
SHA1
70530bc23bad38e6aee66cbb2c2f58a96a18fb79
-
SHA256
26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0
-
SHA512
89bad552a3c0d8b28550957872561d03bf239d2708d616f21cbf22e58ae749542b07eee00fedac6fdb83c5969f50ea0f56fc103264a164671a94e156f73f160a
-
SSDEEP
12288:dQA0FfTcwpBuV2UxqDmuiLZeUaoFi2XZWfGe615HhAZV8D4KD/KeX:Tuf4wTuV2Ux3uIZeUBi2Te6HWdKrKe
Behavioral task
behavioral1
Sample
medusa.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
medusa.exe
Resource
win10v2004-20240226-en
Malware Config
Extracted
\Device\HarddiskVolume1\Boot\how_to_back_files.html
href="ithelp02@decorous.cyou
">ithelp02@decorous.cyou
href="ithelp02@wholeness.business
">ithelp02@wholeness.business
Extracted
\Device\HarddiskVolume1\Boot\how_to_back_files.html
href="ithelp02@decorous.cyou
">ithelp02@decorous.cyou
href="ithelp02@wholeness.business
">ithelp02@wholeness.business
Targets
-
-
Target
medusa.exe
-
Size
669KB
-
MD5
646698572afbbf24f50ec5681feb2db7
-
SHA1
70530bc23bad38e6aee66cbb2c2f58a96a18fb79
-
SHA256
26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0
-
SHA512
89bad552a3c0d8b28550957872561d03bf239d2708d616f21cbf22e58ae749542b07eee00fedac6fdb83c5969f50ea0f56fc103264a164671a94e156f73f160a
-
SSDEEP
12288:dQA0FfTcwpBuV2UxqDmuiLZeUaoFi2XZWfGe615HhAZV8D4KD/KeX:Tuf4wTuV2Ux3uIZeUBi2Te6HWdKrKe
-
MedusaLocker payload
-
Renames multiple (292) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Executes dropped EXE
-
Drops desktop.ini file(s)
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
2Indicator Removal
2File Deletion
2