Overview

overview

10

Static

static

10

706cf72e86...a6.exe

windows7-x64

10

706cf72e86...a6.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    128s
  • max time network
    56s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-06-2024 22:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe

  • Size

    5.6MB

  • MD5

    095db264f03dba2cb16f1e3acaf60d27

  • SHA1

    2b1bb5b5aedcc0dd95eb694ae53aa4ce108c85bb

  • SHA256

    706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6

  • SHA512

    7706cdcb52fc5318ee6a14c9ba580980d7af4e851485de8662ac997359dbac140ad1cb8f31d9e71ee9574cb0307e4167c8a5e807cffabca6b093682f4d1232ea

  • SSDEEP

    98304:uv9Vu+MMjYAMHlaWnAskRRZfhck06/o/Di+R1MI064hHgjhxCJpGdKeeO53LSNpw:uv988KlaOARRZfCxDbxRj6HgbCbvSLSh

Score
10/10
medusalockerevasionransomwarespywarestealertrojanvmprotect

Malware Config

Extracted

Path

\Device\HarddiskVolume1\Recovery_Instructions.html

Ransom Note
<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">D8A68EE14C959F180CCB3453B80A2B395C20EEF3A89834D4D350C437A644E02A3D5BC3050C2FA4F72307A35AF1CEA2D9226FA4099C84DDEA3B28E8B3FF94B95C<br>4E3611A61F3CD917C6F4973D68A9492DFBE380C25F427A2A41C7497AAC16E3A171BD956E7268CB60A8212E8AEC352EF92F04C873F46FCCB6BA15B6B32D92<br>BC91B61897A0431887E9785FA1EDCBE9C539A6545DF0259A003AF405216B9F7220E79C3F1A33FCEB58676754ABCF022B9C0BF4239BE68D7040E770A577AD<br>BE8894761C5C16C9A4255AE0E747CA99A59F5E8B8695505E49F971D3492A82AA62E6750F37EC5FAA575EE712DC4A60DCFCAABE2995B5EB40F9868D517836<br>E14B44AEB0BFFD384C655BDB0FB03783F5131199E9501C07A4C66241CA214F06B125BF3C08AC75F92FDC49C39F0FACE78A7A2B44C74FBE5FE95802642581<br>96819D034944798A2C7DB661988AEC440EDF0890309CAFA39E47E01D2BEE7F3E863AA3CEE8D433D0E75C8071A6832CB65B08E40ADF027A6C72DDCD2B56F6<br>37D345FFD1DFC79034C38F239653004F144662D4B3AC40384C317E8407DCD1C234DA3A2B42AAF8BF527E5C5FC474219C087C859030721A0EC49DC24C10F0<br>8C9EC5CB3041D9D6D7523C0AF7E7D13BA404F5C2D75BDDA94B99CB6974DE6C1366ABDE34B7744E55071CBD271785BCDE5FE159C3DB30ED278DC3021CF371<br>1BFD01C74877C21D735F4D11F400</span> <br> <!-- !!! dont changing this !!! --> </div> </div> <!-- --> <div class="tabs"> <!--tab--> <div class="tab"> <div id="tab-content1" class="content"> <div class="text"> <!--text data --> <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>ALL YOUR IMPORTANT FILES HAVE BEEN ENCRYPTED!</b><br><br> YOUR FILES ARE SAFE! JUST MODIFIED ONLY. (RSA+AES) <br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMENANTLY DESTROY YOUR FILE.<br> DO NOT MODIFY ENCRYPTED FILES. DO NOT RENAME ENCRYPTED FILES.<br><br> NO SOFTWARE AVAILABLE ON INTERNET CAN HELP YOU. WE ONLY HAVE<br> SOLUTION TO YOUR PROBLEM.<br><br> WE GATHERED HIGHLY CONFIDENTIAL/PERSORNAL DATA. THESE DATA<br> ARE CURRENTLY STORED ON A PRIVATE SERVER. THIS SERVER WILL BE<br> IMMEDIATELY DESTROYED AFTER YOUR PAYMENT. WE ONLY SEEK MONEY<br> AND DO NOT WANT TO DAMAGE YOUR REPUTATION. IF YOU DECIDE TO<br> NOT PAY, WE WILL RELEASE THIS DATA TO PUBLIC OR RE-SELLER.<br><br> YOU WILL CAN SEND US 2-3 NON-IMPORTANT FILES AND WE WILL<br> DECRYPT IT FOR FREE TO PROVE WE ARE ABLE TO GIVE YOUR FILES<br> BACK.<br><br> <!--text data --> <hr> <b>Contact us for price and get decryption software.</b><br><br> <a href="">http://gvlay6u4g53rxdi5.onion/8-BEr5s2CLhrmCqH4xxg229SZxlkjCyDmc-Y704QaVnyxK3PM2gYxproV4uHj2NbCIZ</a><br> * Note that this server is available via Tor browser only<br><br> Follow the instructions to open the link:<br> 1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br> 2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br> 3. Now you have Tor browser. In the Tor Browser open "{{URL}}". <br> 4. Start a chat and follow the further instructions. <br><br> <b>If you can't use the above link, use the email:</b><br> <a href=" [email protected] ? "> [email protected] </a> <hr> <a href=" [email protected] ? ">[email protected] </a> <hr> MAKE CONTACT AS SOON AS POSSIBLE. YOUR DECRYPTION KEY IS ONLY STORED <br> TEMPORARLY. IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER. </div> </div> </div> <!--tab--> <!--text data --> </div> </div> <!--tab--> </div> </div> </body> </html>

Signatures

  • MedusaLocker

    Ransomware with several variants first seen in September 2019.

    ransomwaremedusalocker
  • MedusaLocker payload 4 IoCs
  • UAC bypass 3 TTPs 2 IoCs
    evasiontrojan
  • Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) 4 IoCs
  • Detects command variations typically used by ransomware 4 IoCs
  • Detects executables packed with VMProtect. 5 IoCs
  • Renames multiple (175) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • VMProtect packed file 5 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 63 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • System policy modification 1 TTPs 3 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe
    "C:\Users\Admin\AppData\Local\Temp\706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:968
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3568
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4236
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3888
  • C:\Users\Admin\AppData\Roaming\svhost.exe
    C:\Users\Admin\AppData\Roaming\svhost.exe
    1⤵
    • Executes dropped EXE
    PID:1864

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\svhost.exe
    Filesize

    5.6MB

    MD5

    095db264f03dba2cb16f1e3acaf60d27

    SHA1

    2b1bb5b5aedcc0dd95eb694ae53aa4ce108c85bb

    SHA256

    706cf72e86b19918cda7b573f549fa286ba005615ddf9cb4acd01cf09a0d20a6

    SHA512

    7706cdcb52fc5318ee6a14c9ba580980d7af4e851485de8662ac997359dbac140ad1cb8f31d9e71ee9574cb0307e4167c8a5e807cffabca6b093682f4d1232ea

    Download Submit

  • C:\Users\Default\ntuser.dat.LOG2
    Filesize

    536B

    MD5

    14242da9356ef42c4afead49406a1ad9

    SHA1

    4817f82fb5be1d978d5ccd6353081fbd57e4de9e

    SHA256

    c6b265ed7b61d7739bbdfbda28604854498a47689f5755adeab9b4dc4e1875fd

    SHA512

    27a4c37ddb5e5c8e68f30eacd4eae39e341cf38fd4c1eb5910a85480f6030796461028be53ad4dff2434c174b6e405b3807fbe1be30417040ed6601471bfdfd1

    Download Submit

  • \Device\HarddiskVolume1\Recovery_Instructions.html
    Filesize

    4KB

    MD5

    f6239fb8d7f65d8d88d9245e9adfc8fb

    SHA1

    cabde9c2531346d2d084edc7aaea1af76628cb63

    SHA256

    127aa4c8fb0d66a9159ca9fbf1a1b96b6dbc0d49ae8686a084c04ac324583fe9

    SHA512

    865d1237d15cea981ee6a35200e8ca85e992488c9f8746e663785a466630b1c5e3f15458aca796cbfcd5545dc4958ff6627273e9378a6075c78bd5f563bdd71e

    Download Submit

  • memory/968-1-0x0000000000E70000-0x00000000017FC000-memory.dmp

    Filesize

    9.5MB

    Download

  • memory/968-0-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/968-3-0x0000000000F17000-0x0000000001259000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/968-6-0x0000000000E70000-0x00000000017FC000-memory.dmp

    Filesize

    9.5MB

    Download

  • memory/968-554-0x0000000000E70000-0x00000000017FC000-memory.dmp

    Filesize

    9.5MB

    Download

  • memory/1864-557-0x00000000015A0000-0x00000000015A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1864-558-0x00000000006B0000-0x000000000103C000-memory.dmp

    Filesize

    9.5MB

    Download