Behavioral task
behavioral1
Sample
528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
Resource
win10v2004-20240704-en
General
-
Target
d5f2ff838910ac0122366f261be209021747b53e9f4e7e75aec59710696e34b2
-
Size
389KB
-
MD5
578d9403c546be4adcbd7288e393aad5
-
SHA1
16a46e5452c6c2c063607707799a6bf3d3df38b0
-
SHA256
d5f2ff838910ac0122366f261be209021747b53e9f4e7e75aec59710696e34b2
-
SHA512
268994ea20df0527125d8804b2f070ffab42ad7c08722d5c37b463d79a94b79ac925ed2085b0d51a0f38416bd531722e15ab46cb4fb095612ba92e2014cec78f
-
SSDEEP
12288:zn//2W2oVMhClYsdFW0uvUOcWrQIDzKaVdIYFpdn:5voClYxrvD3MI6aXtFLn
Malware Config
Signatures
-
MedusaLocker payload 1 IoCs
Processes:
resource yara_rule static1/unpack001/528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263 family_medusalocker -
Medusalocker family
-
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.
Processes:
resource unpack001/528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263
Files
-
d5f2ff838910ac0122366f261be209021747b53e9f4e7e75aec59710696e34b2.zip
Password: infected
-
528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe windows:6 windows x64 arch:x64
e21e79f22d20e648f922d95d15e45b27
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
Imports
crypt32
CryptStringToBinaryA
mpr
WNetGetConnectionW
kernel32
lstrcatW
Process32FirstW
lstrcpyW
GetCurrentProcess
WaitForSingleObject
CreateProcessW
CreateEventW
SetEvent
WaitForSingleObjectEx
GetLogicalDrives
FindNextFileW
WaitForMultipleObjects
GetQueuedCompletionStatus
ResumeThread
PostQueuedCompletionStatus
GetExitCodeThread
TerminateThread
CreateThread
ExitProcess
CreateIoCompletionPort
HeapCreate
HeapFree
HeapLock
HeapAlloc
HeapDestroy
Process32NextW
HeapSize
CreateToolhelp32Snapshot
OpenProcess
TerminateProcess
GetShortPathNameW
GetEnvironmentVariableW
FlushFileBuffers
WideCharToMultiByte
DeleteCriticalSection
DeleteFileW
FindClose
InitializeCriticalSection
LeaveCriticalSection
EnterCriticalSection
FindFirstFileW
GetComputerNameW
OpenMutexW
FindNextVolumeW
GetVolumePathNamesForVolumeNameW
FindVolumeClose
SetVolumeMountPointW
GetLastError
GetVolumeNameForVolumeMountPointW
CreateMutexW
GetModuleFileNameW
FindFirstVolumeW
MoveFileW
CloseHandle
SetFileAttributesW
CreateFileW
GetProcessHeap
SetEnvironmentVariableW
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineW
GetCommandLineA
GetOEMCP
GetACP
IsValidCodePage
FindFirstFileExW
RtlUnwind
HeapReAlloc
GetTimeZoneInformation
SetStdHandle
GetFullPathNameW
GetCurrentDirectoryW
ReadConsoleW
EnumSystemLocalesW
GetUserDefaultLCID
IsValidLocale
GetTimeFormatW
GetDateFormatW
GetConsoleMode
GetConsoleCP
SetFilePointer
WriteFile
GetFileSizeEx
ReadFile
WriteConsoleW
SetEndOfFile
HeapUnlock
SetFilePointerEx
EncodePointer
DecodePointer
LocalFree
MultiByteToWideChar
GetStringTypeW
SetLastError
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetSystemTimeAsFileTime
GetModuleHandleW
GetProcAddress
CompareStringW
LCMapStringW
GetLocaleInfoW
GetCPInfo
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
IsDebuggerPresent
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetStartupInfoW
IsProcessorFeaturePresent
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
InitializeSListHead
RtlUnwindEx
RtlPcToFileHeader
RaiseException
FreeLibrary
LoadLibraryExW
GetDriveTypeW
GetFileInformationByHandle
GetFileType
PeekNamedPipe
SystemTimeToTzSpecificLocalTime
FileTimeToSystemTime
GetModuleHandleExW
GetStdHandle
advapi32
CryptGenKey
RegOpenKeyExW
RegSetValueExW
RegCreateKeyExW
RegCloseKey
GetUserNameW
CryptCreateHash
CryptHashData
CryptDestroyHash
CryptGetHashParam
CryptDestroyKey
CryptAcquireContextW
CryptEncrypt
CryptDecrypt
CryptExportKey
CryptImportKey
CryptReleaseContext
CloseServiceHandle
OpenSCManagerW
DeleteService
ControlService
OpenProcessToken
StartServiceW
OpenServiceW
GetTokenInformation
shell32
ShellExecuteExW
SHEmptyRecycleBinW
ShellExecuteW
SHGetFolderPathW
oleaut32
VariantClear
rstrtmgr
RmRegisterResources
RmStartSession
RmShutdown
RmEndSession
RmGetList
netapi32
NetShareEnum
NetApiBufferFree
iphlpapi
IcmpSendEcho
IcmpSendEcho2
IcmpParseReplies
GetAdaptersInfo
IcmpCreateFile
IcmpCloseHandle
ws2_32
inet_addr
Sections
.text Size: 749KB - Virtual size: 749KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 179KB - Virtual size: 178KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 230KB - Virtual size: 236KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.pdata Size: 20KB - Virtual size: 20KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
_RDATA Size: 512B - Virtual size: 148B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.rsrc Size: 512B - Virtual size: 480B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 5KB - Virtual size: 4KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ