Overview

overview

10

Static

static

10

0715240d1a...ce.exe

windows7-x64

9

07fec2205c...42.exe

windows7-x64

10

10dc6e128c...c0.exe

windows7-x64

3

133bf8be0c...de.exe

windows7-x64

10

139a8bb2c5...c1.exe

windows7-x64

10

19f7d53c4a...a0.exe

windows7-x64

10

2896b38ec3...9c.exe

windows7-x64

10

2d301697ff...f4.exe

windows7-x64

3337576503...d8.exe

windows7-x64

3

3e04fe9f42...f1.exe

windows7-x64

10

3e6fbc358e...45.exe

windows7-x64

10

3f7458e658...df.exe

windows7-x64

434ea9832e...27.exe

windows7-x64

10

47792144c9...6f.exe

windows7-x64

10

5114aae6e8...8c.exe

windows7-x64

10

537a2fd4d2...ba.exe

windows7-x64

3

55754358dd...1c.exe

windows7-x64

1

5b1caa9bec...c1.exe

windows7-x64

1

60c24a4c6b...21.exe

windows7-x64

9

63396a28b7...cc.exe

windows7-x64

9

78d4fce0c2...2e.exe

windows7-x64

3

7c27b9fef6...33.exe

windows7-x64

3

81689f1be9...ed.exe

windows7-x64

10

995a91e668...55.exe

windows7-x64

10

9d90421b2e...56.exe

windows7-x64

10

a597d34bc2...40.exe

windows7-x64

10

a5e6df754a...d1.exe

windows7-x64

10

add2850732...6b.exe

windows7-x64

10

b098486c49...0d.exe

windows7-x64

10

b923f1d2ec...ed.exe

windows7-x64

10

bbdac308d2...4b.exe

windows7-x64

9

c3fb821138...c1.exe

windows7-x64

9

Analysis

  • max time kernel
    1800s
  • max time network
    1445s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    16-07-2024 08:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe

  • Size

    678KB

  • MD5

    168447d837fc71deeee9f6c15e22d4f4

  • SHA1

    80ad29680cb8cecf58d870ee675b155fc616097f

  • SHA256

    add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b

  • SHA512

    f8e123b601b5df3e89109fcc2e215e014b0d99b382d7cfb1a8cfd55790525c4e5504ee668ac30108c1bebf32e312e0c33edb5737c7ae166b59f791269bd66112

  • SSDEEP

    12288:cPJ4U1TYQivI2qZ7aSgLwkFVpzUvest4ZEbjJLuDJVoM7:J6TYVQ2qZ7aSgLwuVfstRJLIYM

Score
10/10
medusalockerdefense_evasionevasionexecutionimpactransomwarespywarestealertrojan

Malware Config

Extracted

Path

\Device\HarddiskVolume1\Boot\How_to_back_files.html

Ransom Note
<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">EC5E044C3D968BBADBA2A18CF7F0EEF0B29127A403C6A19F5A9482F9EEEB5FDA487CB83A333B4E776E8E829E445E99734B5DCB54CC74E6E0A309C28B60CAE4B1<br>F1A78E012A362E4F25E13F898634F21833E205059AA687F12D512D4F591A07382DF1D59016DC9BDA3841654AAC85B41093E4EFA18FE309780FB29387E516<br>B89164DCF34312984FEFAB01DF6AA7909C92E436A8801D2E0E45A6200FE0E45D3033C046B6CEEE06581340798E49E9900CFEAA7B9BD522D43D1C8F91A469<br>2B4834D7D8BF0632B3C4F15ABB3649444BCAA4EB689FC8ACCFFF4EA2CBE783CD2BF9C99F974612273BC50C4AB1608146AF7CAD98A31AE46567599424840E<br>4FB3A11F210F0F877688BBD9DE4960F923CD5AC822C2470D43801FECB5EC5CB4390053E67B08FEA4DFEF6488630AC07DACFBE3ED0C545C8A2E6597BB25EF<br>BC6EBBF67F96274C33DAE92E4AF923E95586C76738712B22F2E3AC397D11B42AB411AB63FC1086E77AC8032CCA63A7BB1416EA3885F82E7197D28DACB736<br>CCEF14256B778BA5D5F70FCA3E53D98DBABA760CAACD06857816C1A1FAAAA05BCBA50B8319AA0FCADEBBDCF9EE8755F20F5F8E7779ED9BAE27737DAC1505<br>D3D77229A1F9213DE36672650FE9C5E7A8E73C746D19FAA29F82641D0550019D1D88E7D7972EFD5AF55F5D4CB0554DC0F63176D1D70BFDFE3463D42CF95E<br>8D7124109F61C7ACD58216B32C01</span> <br> <!-- !!! dont changing this !!! --> </div> </div> <!-- --> <div class="tabs"> <!--tab--> <div class="tab"> <div id="tab-content1" class="content"> <div class="text"> <!--text data --> <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br> <!--text data --> <hr> <b>Contact us for price and get decryption software.</b><br><br> <a></a><br> <br><br> <br> </a> <br> <hr> <b>If you can not use the above link, use the email:</b><br> <a href="[email protected] ">[email protected] </a> <br> <a href="[email protected] ">[email protected] </a> <br> <p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> </div> </div> </div> <!--tab--> <!--text data --> </div> </div> <!--tab--> </div> </div> </body> </html> http://gvlay6u4g53rxdi5.onion/4-Ou6Lexab8jffZWVlLWqoNJwExq9kefkK-ldtD8iaDjRAkN31SIhqP55i3r1y05K9q
URLs

http://gvlay6u4g53rxdi5.onion/4-Ou6Lexab8jffZWVlLWqoNJwExq9kefkK-ldtD8iaDjRAkN31SIhqP55i3r1y05K9q

Signatures

  • MedusaLocker

    Ransomware with several variants first seen in September 2019.

    ransomwaremedusalocker
  • MedusaLocker payload 1 IoCs
  • UAC bypass 3 TTPs 2 IoCs
    evasiontrojan
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Renames multiple (215) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 3 TTPs 3 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 63 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs
  • System policy modification 1 TTPs 3 IoCs
    evasion
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
    "C:\Users\Admin\AppData\Local\Temp\add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1200
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:1668
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2904
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:2788
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:764
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:2844
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2852
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1912
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {A836D282-0D6C-4915-B61C-6F1DBDB40748} S-1-5-21-1506706701-1246725540-2219210854-1000:MUYDDIIS\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2064
    • C:\Users\Admin\AppData\Roaming\svhost.exe
      C:\Users\Admin\AppData\Roaming\svhost.exe
      2⤵
      • Executes dropped EXE
      PID:1316
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {D92841F7-351B-4267-B749-DCE1034DE37C} S-1-5-21-1506706701-1246725540-2219210854-1000:MUYDDIIS\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2992
    • C:\Users\Admin\AppData\Roaming\svhost.exe
      C:\Users\Admin\AppData\Roaming\svhost.exe
      2⤵
      • Executes dropped EXE
      PID:820

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\svhost.exe
    Filesize

    678KB

    MD5

    168447d837fc71deeee9f6c15e22d4f4

    SHA1

    80ad29680cb8cecf58d870ee675b155fc616097f

    SHA256

    add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b

    SHA512

    f8e123b601b5df3e89109fcc2e215e014b0d99b382d7cfb1a8cfd55790525c4e5504ee668ac30108c1bebf32e312e0c33edb5737c7ae166b59f791269bd66112

    Download Submit

  • C:\Users\Admin\Documents\MeasureMerge.xlsx
    Filesize

    16KB

    MD5

    9149704ce19b62a9dac2daf0ec7e0cd0

    SHA1

    55057155239ace6f6b38cbfb25f51dabdba2ee2f

    SHA256

    0faf31813df0da66fcdfbf3daec527c875087eb6f24984dd93f85d5b964542ca

    SHA512

    587999e6c577a9eb0d4d720114ef979d533d3c79e017b720f100ea9b5e41527189fb08c5826fd272ab3fc5c2bfd784462a5faf11cd53734634e9dcdea21f4cf2

    Download Submit

  • C:\Users\Default\NTUSER.DAT.LOG2
    Filesize

    536B

    MD5

    db1ff786a0d84c92d2e2dc65bd17164b

    SHA1

    744831e26a27474df085a2ce5af3813009ac5720

    SHA256

    cab2d80c34530b2a84af08e02fa3f404460c9533ba9589439f32a5194975c985

    SHA512

    f2fd15887a6c5f2fc92a13aa68bbf7c30d379903649a89f4335196d4e73df338fff5ef66172f4258cfebe9965fd57e5fc843dff1196385761ee8ab93540e348e

    Download Submit

  • \Device\HarddiskVolume1\Boot\How_to_back_files.html
    Filesize

    4KB

    MD5

    7baec8629c76d5121f134aa237bed9e1

    SHA1

    27dc88997451fdf753edcf3a17a9db07058ebb2a

    SHA256

    ebdf1646eef81f674d09b84c173afb78bb76435a6062fc3938519ef89c709852

    SHA512

    f83bb2eb478cb8fddf5b9eb099fa64eaae5d009dfa13b247a36d67b66a5700b40d915db6e2f3f1ab26ac8cefaa7a1e4122f2c3afdf973ab7439934dcfcfe792a

    Download Submit