Analysis

  • max time kernel
    94s
  • max time network
    121s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
  • submitted
    04-07-2024 09:24

General

  • Target

    20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe

  • Size

    1.3MB

  • MD5

    728cb2fb25ddc3b86db2e1f72cf48dd3

  • SHA1

    2bd7722674d804c3087d63a51fe0287ff04229d9

  • SHA256

    6112da76e670a9c450c3f55c1bcafe22ddd199983470ab8d7e24c03688524387

  • SHA512

    450b947b902e8119a6166bdef63dfca0dc0aa51b008d31247f68402929dc0feec9467c3497c72ec3bfd56269989baff2b5bf6e9b3aa92b6ba0f44d77c0e802b9

  • SSDEEP

    12288:QmHAIqyfF/5ebyz1dpPlRnMRTD410ALP68kG3Jz4S9FUmnyJtgoiOHmabd8ornXn:HHRFfauvpPXnMKqJtfiOHmUd8QTH3

Malware Config

Extracted

Path

\Device\HarddiskVolume1\Boot\da-DK\!!!HOW_TO_DECRYPT!!!.mht

Ransom Note
From: =?utf-8?B?0RFQctTF0YDQcNC60IXQvdC+IEludGVybmV0IED4cGxvseVyIDEz?= Subject: Date: San, 00 Jan 2000 00:00:00 +0000 MIME-Version: 1.0 Content-Type: text/html; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-MimeOLE: Produced By Microsoft MimeOLE =EF=BB=BF<!DOCTYPE HTML> <!DOCTYPE html PUBLIC "" "">=20 <HTML lang=3D"ru">=20 <HEAD>=20 <META = content=3D"IE = 3D11.0000" http-equiv=3D"X - UA - Compatible">=20 <META charset=3D"utf-8">=20 <TITLE>!!!HOW_TO_DECRYPT!!!</TITLE>=20 <LINK href=3D"style.css" rel=3D"stylesheet">=20 <META name=3D"GENERATOR" content=3D"MSHTML 11.00.10570.1001">=20 </HEAD>=20 <BODY>=20 <p class=3DMsoNormal align=3Dcenter style=3D'text-align:center'><span class=3DSpellE><b>=20 <span lang=3DEN-US style=3D'font-size:20.0pt;font-family:"Times New Roman","serif";mso-bidi-font-family:Arial;color:#C9211E'>=20 All your valiable data has been encrypted!</span></b></span></p><BR><BR>=20 <p class=3DMsoNormal style=3D'text-align:justify;text-justify:inter-ideograph'>=20 <span class=3DSpellE><span lang=3DEN-US style=3D'font-size:13.0pt;font-family:"Times New Roman","serif";mso-bidi-font-family:Arial'>=20 Hello!<BR>Sorry, but we have inform you that your order has been blocked due to the issue of securities. Make sure your data is not blocked.=20 All your valuable files were encrypted with strong encryption algorithms AES-256 + RSA-2048 + CHACHA and renamed. You can read about these algorithms in Google.=20 Your unique encryption key is stored securely on our server and your data can be decrypted quickly and securely.<BR><BR>=20 We can prove that we can decrypt all of your data. Please just send us 3 small encrypted files which are randomly stored on your server.=20 We will decrypt these files and send them to you as a proof. Please note that files for free test decryption should not contain valuable information.<BR><BR>=20 As you know information is the most valuable resource in the world. 
That's why all of your confidential data was uploaded to our servers.=20 If you need proof, just write us and we will show you that we have your files. If you will not start a dialogue with us in 72 hours=20 we will be forced to publish your files in the Darknet. Your customers and partners will be informed about the data leak by email or phone.<BR><BR>=20 This way, your reputation will be ruined. If you will not react, we will be forced to sell the most important information such as databases=20 to interested parties to generate some profit.<BR><BR>Please understand that we are just doing our job. We don't want to harm your company.=20 Think of this incident as an opportunity to improve your security. We are opened for dialogue and ready to help you. We are professionals,=20 please don't try to fool us.<BR></span></span></p><BR><BR><p class=3DMsoNormal align=3Dcenter style=3D'text-align:center'><b>=20 <span lang=3DEN-US style=3D'font-size:14.0pt;font-family:"Times New Roman","serif";mso-bidi-font-family:Arial'>=20 If you want to resolve this situation,<BR>please write to ALL of these 2 email addresses:<BR>=20 [email protected]<BR>[email protected]<BR>In subject line please write your ID: 15173074851192133587</span></b></p><BR><BR>=20 <p class=3DMsoNormal style=3D'text-align:justify;text-justify:inter-ideograph'><b>=20 <span lang=3DEN-US style=3D'font-family:"Times New Roman","serif";mso-bidi-font-family: Arial;color:#C9211E'>=20 Important!<BR>=20 * We asking to send your message to ALL of our 2 email adresses because for various reasons, your email may not be delivered.<BR>=20 * Our message may be recognized as spam, so be sure to check the spam folder.<BR>=20 * If we do not respond to you within 24 hours, write to us from another email address. 
Use Gmail, Yahoo, Hotmail, or any other well-known email service.<BR>=20 Important<BR>=20 * Please don't waste the time, it will result only additinal damage to your company!<BR>=20 * Please do not try to decrypt the files yourself. We will not be able to help you if files will be modified.<BR>=20 </span></b></p>=20 <BR>=20 </BODY><BR>=20 </HTML>
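The note above is an MHT file: a single-part MIME message whose HTML body is quoted-printable encoded, which is why it is littered with =3D, =20 and the leading =EF=BB=BF (a UTF-8 BOM). The contact addresses are redacted on this page, but the victim ID and the fixed template strings (the impossible "San, 00 Jan 2000" Date header, the MSHTML GENERATOR tag) survive intact and are the parts worth recording. The following added example is not part of this report: it decodes such a note with the Python standard library and pulls out the title, victim ID, contact addresses and template strings. The embedded note is a constructed, shortened stand-in that keeps the MIME framing and the victim ID from the note above; the two example.invalid addresses are placeholders, not the real contacts.

```python
import email
import re
from html.parser import HTMLParser

# Constructed stand-in for !!!HOW_TO_DECRYPT!!!.mht: same MIME headers and
# quoted-printable body style as the note above, shortened, with placeholder
# contact addresses (the page redacts the real ones). Only the victim ID is
# copied from the report.
SAMPLE_MHT = (
    "Subject: \n"
    "Date: San, 00 Jan 2000 00:00:00 +0000\n"
    "MIME-Version: 1.0\n"
    'Content-Type: text/html; charset="utf-8"\n'
    "Content-Transfer-Encoding: quoted-printable\n"
    "X-MimeOLE: Produced By Microsoft MimeOLE\n"
    "\n"
    "=EF=BB=BF<!DOCTYPE HTML>=20\n"
    '<HTML lang=3D"ru">=20\n'
    "<HEAD><TITLE>!!!HOW_TO_DECRYPT!!!</TITLE>=20\n"
    '<META name=3D"GENERATOR" content=3D"MSHTML 11.00.10570.1001"></HEAD>=20\n'
    "<BODY><p><b>All your valiable data has been encrypted!</b></p>=20\n"
    "<p>please write to ALL of these 2 email addresses:<BR>=20\n"
    "support1@example.invalid<BR>support2@example.invalid<BR>=20\n"
    "In subject line please write your ID: 15173074851192133587</p>=20\n"
    "</BODY></HTML>\n"
)


class _NoteText(HTMLParser):
    """Collect visible text, the <TITLE>, and the GENERATOR meta tag."""

    def __init__(self):
        super().__init__()
        self.parts, self.title, self.generator = [], "", ""
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "meta" and (a.get("name") or "").lower() == "generator":
            self.generator = a.get("content") or ""
        elif tag in ("br", "p"):
            self.parts.append("\n")  # keep line structure for the regexes below

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data
        else:
            self.parts.append(data)


def parse_ransom_note(mht):
    """Undo the MIME/quoted-printable wrapper, strip the HTML, and return the
    fields an IR team records: victim ID, contact addresses, template strings."""
    msg = email.message_from_string(mht)
    raw = msg.get_payload(decode=True)                 # decodes =XX sequences
    body = raw.decode("utf-8-sig", errors="replace")   # utf-8-sig drops the BOM
    parser = _NoteText()
    parser.feed(body)
    parser.close()
    text = "".join(parser.parts)
    ids = re.findall(r"\bID:\s*(\d{6,})", text)
    emails = sorted(set(re.findall(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+", text)))
    return {
        "title": parser.title.strip(),
        "victim_id": ids[0] if ids else None,
        "emails": emails,
        "date_header": msg["Date"],      # fixed bogus date: a template fingerprint
        "generator": parser.generator,   # MSHTML build string: another one
    }


if __name__ == "__main__":
    for key, value in parse_ransom_note(SAMPLE_MHT).items():
        print(f"{key}: {value}")
```

Feed it the raw bytes of a recovered note decoded as text and the same function applies; the Date header and GENERATOR string are stable across copies of the note, so they make better YARA/grep candidates than the per-victim ID.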
URLs

http-equiv=3D"X

Signatures

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Renames multiple (717) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes System State backups 3 TTPs 2 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Drops file in Drivers directory 13 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 39 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 3 TTPs 13 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs
  • System policy modification 1 TTPs 1 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe
    "C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe"
    1⤵
    • Drops file in Drivers directory
    • Checks computer location settings
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3436
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=401MB
      2⤵
      • Interacts with shadow copies
      PID:228
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=unbounded
      2⤵
      • Interacts with shadow copies
      PID:4348
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=401MB
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:4296
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=unbounded
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:4752
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=401MB
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:4376
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=unbounded
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:2860
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=401MB
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:4520
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=unbounded
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:2304
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=401MB
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:4836
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=unbounded
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:2316
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=401MB
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:1940
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=unbounded
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:4976
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:2216
    • C:\Windows\SYSTEM32\bcdedit.exe
      bcdedit.exe /set {default} recoveryenabled No
      2⤵
      • Modifies boot configuration data using bcdedit
      PID:1540
    • C:\Windows\SYSTEM32\bcdedit.exe
      bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      • Modifies boot configuration data using bcdedit
      PID:4556
    • C:\Windows\SYSTEM32\wbadmin.exe
      wbadmin DELETE SYSTEMSTATEBACKUP
      2⤵
      • Deletes System State backups
      • Drops file in Windows directory
      PID:4400
    • C:\Windows\SYSTEM32\wbadmin.exe
      wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
      2⤵
      • Deletes System State backups
      • Drops file in Windows directory
      PID:3736
    • C:\Windows\System32\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4336
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\202407~1.EXE >> NUL
      2⤵
      PID:4612
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1412
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4440,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=4604 /prefetch:8
    1⤵
    PID:116
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
    1⤵
    • Drops file in System32 directory
    PID:2372

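The children of PID 3436 above are the textbook inhibit-system-recovery sequence (MITRE ATT&CK T1490): shadow copies deleted, the BCD rewritten so Windows neither offers recovery nor stops on boot failure, and System State backups removed. The paired Resize ShadowStorage calls are the subtle part: shrinking the quota to 401MB makes VSS discard older snapshots to fit, before Delete Shadows even runs, and the /maxsize=unbounded call afterwards restores the setting so nothing looks out of place. The following added example is not part of this report: it turns those command lines into a detection over process-creation events, matching each command against one regex per technique, grouping hits by parent PID, and flagging only a parent that chains two or more distinct techniques, so a lone administrative "vssadmin list shadows" does not fire. The image paths, PIDs and command lines are taken from the tree above; the event layout, the parent's own parent PID and the two benign events are constructed.

```python
import re
from collections import defaultdict

# Constructed process-creation events (Sysmon EID 1 / 4688 style). Images,
# PIDs and command lines mirror the process tree above; the record layout,
# ppid 1000 for the sample and the ppid-900 benign events are assumptions.
PARENT = r"C:\Users\Admin\AppData\Local\Temp\20240703728cb2fb25ddc3b86db2e1f72cf48dd3medusalocker.exe"
EVENTS = [
    {"pid": 3436, "ppid": 1000, "image": PARENT, "cmd": f'"{PARENT}"'},
    {"pid": 228,  "ppid": 3436, "image": r"C:\Windows\SYSTEM32\vssadmin.exe",
     "cmd": "vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=401MB"},
    {"pid": 4348, "ppid": 3436, "image": r"C:\Windows\SYSTEM32\vssadmin.exe",
     "cmd": "vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=unbounded"},
    {"pid": 2216, "ppid": 3436, "image": r"C:\Windows\SYSTEM32\vssadmin.exe",
     "cmd": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"pid": 1540, "ppid": 3436, "image": r"C:\Windows\SYSTEM32\bcdedit.exe",
     "cmd": "bcdedit.exe /set {default} recoveryenabled No"},
    {"pid": 4556, "ppid": 3436, "image": r"C:\Windows\SYSTEM32\bcdedit.exe",
     "cmd": "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"},
    {"pid": 4400, "ppid": 3436, "image": r"C:\Windows\SYSTEM32\wbadmin.exe",
     "cmd": "wbadmin DELETE SYSTEMSTATEBACKUP"},
    {"pid": 4336, "ppid": 3436, "image": r"C:\Windows\System32\Wbem\wmic.exe",
     "cmd": "wmic.exe SHADOWCOPY /nointeractive"},
    # Benign admin activity (constructed): must not be flagged.
    {"pid": 5000, "ppid": 900, "image": r"C:\Windows\SYSTEM32\vssadmin.exe",
     "cmd": "vssadmin.exe List Shadows"},
    {"pid": 5001, "ppid": 900, "image": r"C:\Windows\SYSTEM32\bcdedit.exe",
     "cmd": "bcdedit.exe /enum"},
]

# One pattern per technique seen in the tree, matched case-insensitively so
# "vssadmin" vs "vssadmin.exe" and mixed casing do not matter.
RULES = {
    "vssadmin_resize_shadowstorage": r"\bvssadmin(?:\.exe)?\s+resize\s+shadowstorage\b",
    "vssadmin_delete_shadows":       r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b",
    "bcdedit_disable_recovery":      r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b",
    "bcdedit_ignore_boot_failures":  r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b",
    "wbadmin_delete_systemstate":    r"\bwbadmin(?:\.exe)?\s+delete\s+systemstatebackup\b",
    "wmic_shadowcopy":               r"\bwmic(?:\.exe)?\s+shadowcopy\b",
}
_COMPILED = {name: re.compile(pat, re.IGNORECASE) for name, pat in RULES.items()}


def match_rules(cmd):
    """Names of the T1490 rules a single command line triggers (possibly none)."""
    return [name for name, rx in _COMPILED.items() if rx.search(cmd)]


def find_inhibit_recovery(events, min_distinct=2):
    """Group rule hits by parent PID and report parents that chain at least
    min_distinct different techniques. One 'vssadmin list shadows' from an
    admin tool is noise; a parent that both shrinks shadow storage and
    rewrites the BCD is not. Returns {ppid: sorted rule names}."""
    hits = defaultdict(set)
    for ev in events:
        for name in match_rules(ev["cmd"]):
            hits[ev["ppid"]].add(name)
    return {ppid: sorted(names) for ppid, names in hits.items() if len(names) >= min_distinct}


if __name__ == "__main__":
    for ppid, techniques in find_inhibit_recovery(EVENTS).items():
        print(f"parent PID {ppid} chains {len(techniques)} recovery-inhibition techniques: "
              + ", ".join(techniques))
```

In production the grouping key would be the parent's ProcessGuid rather than a reusable PID, and the parent image path (a user-writable Temp directory here) is worth weighting on its own.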
Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2367C848C1C8A11F6F3502EDA2855348.1btc

        Filesize

        824B

        MD5

        f825e0285e56dc0bdf4d638a4f9507da

        SHA1

        576d2b292e349b5e9091945e591677d49ce605b0

        SHA256

        3698ac77f77d3a0a2a0406f287cc006087d89a07d855ace1b08edaafaec47d01

        SHA512

        e54b19e9ac2e9a5617f486b21ea4071196b8d13cecf1f27a1a6229d56731256b9f43f5f889e77feaac4df5e8d8d7f71aa45c7fe0517ce96ca891e516db9bd672

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157.1btc

        Filesize

        814B

        MD5

        f2aaaa6a79258309613789ac50f845db

        SHA1

        5d2fee86d02acd8f81aa3aaa18ee26c47b0caf9b

        SHA256

        6aa9c9c7cf19ba4e59ea00a2b3df6aa843310b9f61a5fdf4e2dfe8b3a842790c

        SHA512

        aafa09c7d073c695299fa860371cdce360587a8e1b02776145248357aac09de7d6ce85d32470249d38e709653ee7c1ff27ed9c73a2b96ffadbc74c21b84b3c53

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506.1btc

        Filesize

        842B

        MD5

        72b5b45e086f05351cbb59c135f8b006

        SHA1

        693281f77336c17141be210be4a840bcd3f7f613

        SHA256

        196686971424dcea3463199d3e6904ba950d2e1bc37092501221ac693e1816d0

        SHA512

        5436d532ada04e5d270e80a6402460b3a5a2695043b1355f98081214babe9b9e03bc1715e44a5324d70c9871f50ff25ed58ea6ee2a674113f723578d9ae8d169

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8DFDF057024880D7A081AFBF6D26B92F.1btc

        Filesize

        700B

        MD5

        897ee1f15ffeaf1a72903f24d7877247

        SHA1

        941b9fd34ef75688b7b8b87dc184033efefcb3e7

        SHA256

        919d98650f30ee7a7f32ec30a515b07ec6c4dc408b4c7476c710fa4ddf87d14c

        SHA512

        c0ccc2e6881fe895840c2eb2d1ff45d8b723ab81be03cb244960784b776314decc12ea936d4a85307c5a5c242426af9414ba0d94526b6e765ae123416da8791b

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C86BD7751D53F10F65AAAD66BBDF33C7.1btc

        Filesize

        770B

        MD5

        e9f01332401e643deccabfcb294ac3bd

        SHA1

        62fcee05d3055a416f9867208936e8f56d97ae66

        SHA256

        1f4afdf97f00eb76e94eb798daab3581fae062eed840ba12621ff46d3570e6a0

        SHA512

        0dbb01aace59f93a447c7fbe00bcbb292f70da827f13e12f065404fa70c875723f40c6598020ae10fce93c43fce5a5131a21fa93cb5353f9d4c604c6c0b9a588

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749

        Filesize

        290B

        MD5

        ff51eb94d634d2871caa30ec33d09dc1

        SHA1

        dd8d38b2f22e151da928bbf9f6ee673ffd1a61f3

        SHA256

        6cd5841cbd7bd291db200bfd4c6f5b79a75d0fc4747d2e183c8846b01125c812

        SHA512

        47c32c5f8629b1c842c4cf22fda0ed23687cfc679a233240fdb3197576ca915d08a0f6778288d50d870f956f9fcbf7d13408f1afb8f38bed3e4fb7545d9011dc

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749.1btc

        Filesize

        842B

        MD5

        655f4258dab1c4cd39af55015236d7ee

        SHA1

        9f865b4d89105f29e309c46b92bf03d0c554a9fa

        SHA256

        68f1d3a251806a01b79ebc2cf93d4e3af973b96d427bf2f42f911d15eca340d6

        SHA512

        6b44bc94967cd49ac7992ea1328e2f2515aab1cd9ea88000b743079f83e07fe5fbca1f62cb6c6901875e1feef2dddf20b27574a6598492c8b0ccca243d793d33

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB5E2F83CE9B8330B0590B7CD2E5FF2E.1btc

        Filesize

        782B

        MD5

        18dc905467a2ecfa7b27cf8f0e43a611

        SHA1

        cd2ba2e5ccf04b9f5a59d9964384eb56e75b369f

        SHA256

        cff6bfb51ce88ef42b6fec3a89ad590bec1b500473ae23cb59fe6effe3ede07e

        SHA512

        a1f7e799bfb77a5dcfe1e3edf16c399d2cd87836c82fc48fb81ae9e79d94ee5a38f3e1f26083a2f7684c22a6b5bd4cd973ad31cd72c1841355bf87c1011ff2ea

      • \Device\HarddiskVolume1\Boot\da-DK\!!!HOW_TO_DECRYPT!!!.mht

        Filesize

        4KB

        MD5

        c9adc207ece8f4e5743c9de9c2f8e766

        SHA1

        577a5e4874b0f4fcd6d5c70fbe6137298f571fa3

        SHA256

        7de544b06816575355f2992daa7b580bf2f91e52fd73be0b0b66c043ba5db1e3

        SHA512

        155d255dfcebca5823e688bd468364e8e56233618b236dc8b311bbcf316b05a08cfc05c7bf697e0294d626b95ccbbe2584f77922d50d30441ba8675838040815

      • memory/2372-1105-0x0000027698B80000-0x0000027698B81000-memory.dmp

        Filesize

        4KB

      • memory/2372-1112-0x0000027698DC0000-0x0000027698DC1000-memory.dmp

        Filesize

        4KB

      • memory/2372-1109-0x0000027698CE0000-0x0000027698CE1000-memory.dmp

        Filesize

        4KB

      • memory/2372-1108-0x0000027698CC0000-0x0000027698CC1000-memory.dmp

        Filesize

        4KB

      • memory/2372-1107-0x0000027698B80000-0x0000027698B81000-memory.dmp

        Filesize

        4KB

      • memory/2372-1103-0x0000027698AE0000-0x0000027698AE1000-memory.dmp

        Filesize

        4KB

      • memory/2372-1075-0x00000276947D0000-0x00000276947E0000-memory.dmp

        Filesize

        64KB

      • memory/2372-1069-0x0000027694770000-0x0000027694780000-memory.dmp

        Filesize

        64KB
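Two details in the dropped-file list above matter when scoping an incident. The ransom note turns up far from user data (here under \Boot\da-DK), and the CryptnetUrlCache MetaData files, which normally carry no extension, appear with a .1btc suffix, with one of them present both as a 290B original and an 842B .1btc copy; the reasonable inference, which the report does not state outright, is that .1btc is the extension this sample appends to files it encrypts. The following added example is not part of this report: it uses those two indicators to scope an infection by walking a directory tree without following links and counting notes and renamed files per directory. The tree it scans is constructed in a temporary folder so the block runs stand-alone; the .1btc extension is an assumption to confirm against real encrypted files before relying on it.

```python
import os
import shutil
import tempfile
from collections import Counter

# Indicators taken from this report. The note name is exact; the encrypted-file
# extension is inferred from the ".1btc" suffix on the dropped CryptnetUrlCache
# files listed above (assumption: confirm against real encrypted files).
NOTE_NAME = "!!!HOW_TO_DECRYPT!!!.mht"
ENCRYPTED_EXT = ".1btc"


def scope_infection(root):
    """Walk root (never following symlinks/junctions, so a planted link cannot
    drag the walk elsewhere) and return (per_dir, totals): per_dir maps each
    directory holding a note or a renamed file to {"notes": n, "encrypted": m};
    totals sums both counts across the tree."""
    per_dir = {}
    totals = Counter(notes=0, encrypted=0)
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        notes = sum(1 for f in filenames if f == NOTE_NAME)
        encrypted = sum(1 for f in filenames if f.lower().endswith(ENCRYPTED_EXT))
        if notes or encrypted:
            per_dir[dirpath] = {"notes": notes, "encrypted": encrypted}
            totals["notes"] += notes
            totals["encrypted"] += encrypted
    return per_dir, dict(totals)


def build_sample_tree():
    """Constructed layout for a stand-alone run: two hit directories, one clean.
    Returns the temp root; the caller removes it."""
    root = tempfile.mkdtemp(prefix="locker_scope_")
    layout = {
        ("Boot", "da-DK"): [NOTE_NAME, "bootmgr.exe.mui" + ENCRYPTED_EXT],
        ("Users", "Admin", "Documents"): [NOTE_NAME, "q1.xlsx" + ENCRYPTED_EXT,
                                          "q2.xlsx" + ENCRYPTED_EXT, "readme.txt"],
        ("Windows", "System32"): ["kernel32.dll"],
    }
    for parts, files in layout.items():
        d = os.path.join(root, *parts)
        os.makedirs(d)
        for name in files:
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(b"x")  # content is irrelevant; only names are scanned
    return root


def demo():
    """Build the sample tree, scope it, clean up, and return results keyed by
    root-relative POSIX-style paths so they read the same on any platform."""
    root = build_sample_tree()
    try:
        per_dir, totals = scope_infection(root)
        rel = {os.path.relpath(d, root).replace(os.sep, "/"): v for d, v in per_dir.items()}
        return rel, totals
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    per_dir, totals = demo()
    for d, counts in sorted(per_dir.items()):
        print(f"{d}: {counts['notes']} note(s), {counts['encrypted']} encrypted file(s)")
    print("totals:", totals)
```

Point scope_infection at a mounted image of an affected host (read-only) to get the per-directory spread; the note count versus the encrypted count per directory also shows whether the locker wrote a note into directories it did not otherwise touch.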