Overview

overview

10

Static

static

10

706cf72e86...a6.exe

windows7-x64

10

706cf72e86...a6.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    128s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    23-06-2024 22:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe

  • Size

    5.6MB

  • MD5

    095db264f03dba2cb16f1e3acaf60d27

  • SHA1

    2b1bb5b5aedcc0dd95eb694ae53aa4ce108c85bb

  • SHA256

    706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6

  • SHA512

    7706cdcb52fc5318ee6a14c9ba580980d7af4e851485de8662ac997359dbac140ad1cb8f31d9e71ee9574cb0307e4167c8a5e807cffabca6b093682f4d1232ea

  • SSDEEP

    98304:uv9Vu+MMjYAMHlaWnAskRRZfhck06/o/Di+R1MI064hHgjhxCJpGdKeeO53LSNpw:uv988KlaOARRZfCxDbxRj6HgbCbvSLSh

Score
10/10
medusalockerdefense_evasionevasionexecutionimpactransomwarespywarestealertrojanvmprotect

Malware Config

Extracted

Path

\Device\HarddiskVolume1\Boot\Recovery_Instructions.html

Ransom Note
<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">A51DC086E8C082A88A6CA30761BC0E9753834425EF92C7196280CFDF192B6157EB52F085D53AA6D17D8648CE33AC886CD845A21752F510B2634FD96564DDF626<br>CD94B459B47C63EFAF5C325E012CCC13CECF716B5C257DAB92AC68FD5534E05E65DF36612B0CBC9FE770BA7149EA284FE4EE99CDFA3572326CFCCB1C93D3<br>4B7EBC7FDE3DE1EABDF213DE7431D486A4B77245647DEA172E8206EFEAE7EB0E56CA0FA14E0353CEFCBDF1C0A137B2E65B76CB88AA0BC35696EA572D64DD<br>C72AAEFDDCF67A56709EB6F2D20488E1380A25CDD09D137F2FB4C7EE0E74F790209C566DE20771F90198513D37D3382D1BEDA425A856BDD7365906E85402<br>4310630698273B0A29315425AB11BC631C1A269FFCB8F819836080563EF7A32D47E85DFEF1B3C35FF6BAEC4F4008FC42645F72930FFCFB385AF70EDEF4AD<br>A88ACF1E917AF1E06611CF5A2FE765AA84C94FF847413CBCDE25298AC8AD62B42C8073BD176F1A9DB39E6B98A05E9571ACAB6EE9F5272B29DA8F924DF04D<br>D3F1CC88D7ABF4C477340EDC69F8B21861BD8DE7E03199A0A46881126A9D16C9175A2FD1820464564815C78969E4DE7135F6877D3095E6266DC8049BB4D4<br>A5672FCBABD5DC945B9A95D8147BF8DFEA0F3E0809C8ED3661379ACF2AF90A1894A40D1BDDAB15D4F984E3DAC053FCAA237F11A568D88655333EBE51D417<br>9CD5DF0C5204A53448E9E5BFBB8F</span> <br> <!-- !!! dont changing this !!! --> </div> </div> <!-- --> <div class="tabs"> <!--tab--> <div class="tab"> <div id="tab-content1" class="content"> <div class="text"> <!--text data --> <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>ALL YOUR IMPORTANT FILES HAVE BEEN ENCRYPTED!</b><br><br> YOUR FILES ARE SAFE! JUST MODIFIED ONLY. (RSA+AES) <br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMENANTLY DESTROY YOUR FILE.<br> DO NOT MODIFY ENCRYPTED FILES. DO NOT RENAME ENCRYPTED FILES.<br><br> NO SOFTWARE AVAILABLE ON INTERNET CAN HELP YOU. WE ONLY HAVE<br> SOLUTION TO YOUR PROBLEM.<br><br> WE GATHERED HIGHLY CONFIDENTIAL/PERSORNAL DATA. THESE DATA<br> ARE CURRENTLY STORED ON A PRIVATE SERVER. THIS SERVER WILL BE<br> IMMEDIATELY DESTROYED AFTER YOUR PAYMENT. WE ONLY SEEK MONEY<br> AND DO NOT WANT TO DAMAGE YOUR REPUTATION. IF YOU DECIDE TO<br> NOT PAY, WE WILL RELEASE THIS DATA TO PUBLIC OR RE-SELLER.<br><br> YOU WILL CAN SEND US 2-3 NON-IMPORTANT FILES AND WE WILL<br> DECRYPT IT FOR FREE TO PROVE WE ARE ABLE TO GIVE YOUR FILES<br> BACK.<br><br> <!--text data --> <hr> <b>Contact us for price and get decryption software.</b><br><br> <a href="">http://gvlay6u4g53rxdi5.onion/8-BEr5s2CLhrmCqH4xxg229SZxlkjCyDmc-C3Yb9AWivII0mKImA8vDCXa9FEVGPdvk</a><br> * Note that this server is available via Tor browser only<br><br> Follow the instructions to open the link:<br> 1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br> 2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br> 3. Now you have Tor browser. In the Tor Browser open "{{URL}}". <br> 4. Start a chat and follow the further instructions. <br><br> <b>If you can't use the above link, use the email:</b><br> <a href=" [email protected] ? "> [email protected] </a> <hr> <a href=" [email protected] ? ">[email protected] </a> <hr> MAKE CONTACT AS SOON AS POSSIBLE. YOUR DECRYPTION KEY IS ONLY STORED <br> TEMPORARLY. IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER. </div> </div> </div> <!--tab--> <!--text data --> </div> </div> <!--tab--> </div> </div> </body> </html>

Signatures

  • MedusaLocker

    Ransomware with several variants first seen in September 2019.

    ransomwaremedusalocker
  • MedusaLocker payload 5 IoCs
  • UAC bypass 3 TTPs 2 IoCs
    evasiontrojan
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) 5 IoCs
  • Detects command variations typically used by ransomware 5 IoCs
  • Detects executables packed with VMProtect. 6 IoCs
  • Renames multiple (199) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • VMProtect packed file 6 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 3 TTPs 3 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 63 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • System policy modification 1 TTPs 3 IoCs
    evasion
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe
    "C:\Users\Admin\AppData\Local\Temp\706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:348
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:2600
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2776
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:2792
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2656
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:2504
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2916
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2696
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {34C2551B-EF1C-4D09-8380-AEEDEA5FD343} S-1-5-21-2737914667-933161113-3798636211-1000:PUMARTNR\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3024
    • C:\Users\Admin\AppData\Roaming\svhost.exe
      C:\Users\Admin\AppData\Roaming\svhost.exe
      2⤵
      • Executes dropped EXE
      PID:2380

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\svhost.exe
    Filesize

    5.6MB

    MD5

    095db264f03dba2cb16f1e3acaf60d27

    SHA1

    2b1bb5b5aedcc0dd95eb694ae53aa4ce108c85bb

    SHA256

    706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6

    SHA512

    7706cdcb52fc5318ee6a14c9ba580980d7af4e851485de8662ac997359dbac140ad1cb8f31d9e71ee9574cb0307e4167c8a5e807cffabca6b093682f4d1232ea

    Download Submit

  • C:\Users\Default\NTUSER.DAT.LOG2
    Filesize

    536B

    MD5

    b0bda30fd38dad6371ec013dfa8581cc

    SHA1

    8d61942d74fdd735158dcd86705df3b02f63b095

    SHA256

    ddf8cd0d51c0e91ebb69c13019480862ecf48ad87b05be45bbc6cd7244b9f72c

    SHA512

    a6744dca56518dd8f0e5e1f18ee91a60c65b58abda1952bd6b3a26ecca28a750ce3dd18e221bfe960da3740f9a917442fb5b227c4afa7031dd36d3afbdbbf268

    Download Submit

  • \Device\HarddiskVolume1\Boot\Recovery_Instructions.html
    Filesize

    4KB

    MD5

    bd0954af014b0f99ecaf238863e2e192

    SHA1

    d9224531e440f833d429e96ff4de645824f2c6bb

    SHA256

    2519e5acce537f89c74d017f5b5e1b1abc491c629375a5db927b9f16f34f5ad3

    SHA512

    1a17d705126ce60db880b7bd5be6b856e86b11a5b991f376ac6b636d8b7148a88c6804f66f10be5a1a8fad059f6e2596046a99ea1e589d7792d9b7c244e785a5

    Download Submit

  • memory/348-11-0x00000000012F0000-0x0000000001C7C000-memory.dmp

    Filesize

    9.5MB

    Download

  • memory/348-7-0x0000000001397000-0x00000000016D9000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/348-9-0x00000000012F0000-0x0000000001C7C000-memory.dmp

    Filesize

    9.5MB

    Download

  • memory/348-0-0x0000000000080000-0x0000000000081000-memory.dmp

    Filesize

    4KB

    Download

  • memory/348-5-0x00000000012F0000-0x0000000001C7C000-memory.dmp

    Filesize

    9.5MB

    Download

  • memory/348-4-0x0000000000080000-0x0000000000081000-memory.dmp

    Filesize

    4KB

    Download

  • memory/348-630-0x00000000012F0000-0x0000000001C7C000-memory.dmp

    Filesize

    9.5MB

    Download

  • memory/348-2-0x0000000000080000-0x0000000000081000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2380-635-0x0000000000200000-0x0000000000201000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2380-637-0x0000000000200000-0x0000000000201000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2380-638-0x0000000000F50000-0x00000000018DC000-memory.dmp

    Filesize

    9.5MB

    Download