General
-
Target
2024-07-03_728cb2fb25ddc3b86db2e1f72cf48dd3_medusalocker
-
Size
1.3MB
-
Sample
240703-jq1lvatdlf
-
MD5
728cb2fb25ddc3b86db2e1f72cf48dd3
-
SHA1
2bd7722674d804c3087d63a51fe0287ff04229d9
-
SHA256
6112da76e670a9c450c3f55c1bcafe22ddd199983470ab8d7e24c03688524387
-
SHA512
450b947b902e8119a6166bdef63dfca0dc0aa51b008d31247f68402929dc0feec9467c3497c72ec3bfd56269989baff2b5bf6e9b3aa92b6ba0f44d77c0e802b9
-
SSDEEP
12288:QmHAIqyfF/5ebyz1dpPlRnMRTD410ALP68kG3Jz4S9FUmnyJtgoiOHmabd8ornXn:HHRFfauvpPXnMKqJtfiOHmUd8QTH3
Behavioral task
behavioral1
Sample
2024-07-03_728cb2fb25ddc3b86db2e1f72cf48dd3_medusalocker.exe
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
2024-07-03_728cb2fb25ddc3b86db2e1f72cf48dd3_medusalocker.exe
Resource
win10v2004-20240611-en
Malware Config
Extracted
C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\!!!HOW_TO_DECRYPT!!!.mht
[email protected]<BR>[email protected]<BR>In
http-equiv=3D"X
Extracted
\Device\HarddiskVolume1\Boot\da-DK\!!!HOW_TO_DECRYPT!!!.mht
[email protected]<BR>[email protected]<BR>In
http-equiv=3D"X
Targets
-
-
Target
2024-07-03_728cb2fb25ddc3b86db2e1f72cf48dd3_medusalocker
-
Size
1.3MB
-
MD5
728cb2fb25ddc3b86db2e1f72cf48dd3
-
SHA1
2bd7722674d804c3087d63a51fe0287ff04229d9
-
SHA256
6112da76e670a9c450c3f55c1bcafe22ddd199983470ab8d7e24c03688524387
-
SHA512
450b947b902e8119a6166bdef63dfca0dc0aa51b008d31247f68402929dc0feec9467c3497c72ec3bfd56269989baff2b5bf6e9b3aa92b6ba0f44d77c0e802b9
-
SSDEEP
12288:QmHAIqyfF/5ebyz1dpPlRnMRTD410ALP68kG3Jz4S9FUmnyJtgoiOHmabd8ornXn:HHRFfauvpPXnMKqJtfiOHmUd8QTH3
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit
-
Renames multiple (880) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Drops file in Drivers directory
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Direct Volume Access
1Indicator Removal
3File Deletion
3Modify Registry
2