medusalocker

General

Target

1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.zip
Size

231KB
Sample

240718-l12m1atcmq
MD5

c619d1b49a183011ea3dc99347aaa77f
SHA1

271e7714874f2577fcda702c19b42e3471094a1e
SHA256

6f768b5db1b4c7ec2df1a8d012814e8903b0a1f0b1d3b7bdfff447a2cd24a281
SHA512

b717f2b06314826a15783786af2da26eb3d9e8598854535a0567d66b9227b3a0db7234e7eec58add7d078de6f5f3d91169a2612ea0a6e23deebe52904475ba09
SSDEEP

6144:BjVD0s8mf31trSqSgdRF7Kt5CIWR0XYI6r4J7V0zqO5x69:BRDhhteXgs5i4Jh0zbj69

Score

10^/10

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\HOW_TO_RECOVER_DATA.html

Ransom Note

<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">97FE3153AA70DFCCCFAC3485B9A0F23C6C368A00BAB9395EAEF8F5E4DFDBA0C7BD7AE2B0FB6177BF3DB08306BA75B15852681CBB193A8EF0E4CCAB6627B42584<br>0586DBC188A756FCF1360CB41EEE32D82B0861DF32BFC7CF914716329EC16065EDA6FB4209663F1573D14F569E31923CE8DDD9D2671C8DCB708C9C0F318E<br>4B33167AD27D423D7185737B99FECE0A11B5A97F58B0A5F3E8884E92A018EE187F03E535EB80DD0D71AC4ABA73F5EC3B3E7194B254F55BC7FED673BF76B2<br>A356408EB641A5BBFBEC49DC43C741109B2CA47B07D2029AFC91D267A8F83838407DC20220F71F419756923100BA92DC61448B2500E352E488F4AD5E28CB<br>77C8D7AD4E9BC60D97DD3E876E599E0D595AF9215A8C01A49F1AD701DAB503FB33433A52B2357D19ADC0BBDE35FCBCD9A9354887A6E90E3CFA2E68AC9A4D<br>35F8751CD8E868A116C177B618535F65D30A8F65138B22C166060F3FD1F0202FE695407743DBF900E7168370A13B8BAD7335321DCAC83A8B4AB8D0F34842<br>DA0B32CA02BE5DBA390A7B9EF9C7EB08039A0E9A9DD2B869A1CA2DDFBAA245F425C81124B78066741F0A78461574362729E85021E3DA9E5717D4ED864579<br>02D15C4BC96D90E0D1B165A31EC72957987F94601EBCD2289DA1A4000625807E9367A00DB451F4344DBF4F9F9676BDFA39AB18412C086F4FFAA6494CD70F<br>A64878EC3504F6AF07958D612545</span> <br>  </div> </div>  <div class="tabs">  <div class="tab"> <div id="tab-content1" class="content"> <div class="text">  <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br>  <hr> <b>Contact us for price and get decryption software.</b><br><br> <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</a><br> * Note that this server is available via Tor browser only<br><br> Follow the instructions to open the link:<br> 1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br> 2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br> 3. Now you have Tor browser. In the Tor Browser open <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion<br> </a> 4. Start a chat and follow the further instructions. <br> <hr> <b>If you can not use the above link, use the email:</b><br> <a href="[email protected] ">[email protected] </a> <br> <a href="[email protected] ">[email protected] </a> <br> <p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> </div> </div> </div>   </div> </div>  </div> </div> </body> </html>

Emails

href="[email protected]

">[email protected]

href="[email protected]

">[email protected]

Extracted

Path

\Device\HarddiskVolume1\HOW_TO_RECOVER_DATA.html

Ransom Note

<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">A5ABF83DADBD296C52E46DA9699E92BE4F5A0F00EAD7D4CEE64A7CB5AC395C72B263628EBB34CE1F6AB00B4121B700846AFD8DAD69D95FA61C6A9414145F90CC<br>F55A7DF03846D0FBFC1EC7898F68D80DF9408586322AABDD529EA3FF6C096F7A2178A84A4B82E05214C2950F719BD65E9A2A006B58A8F32F197A1DDA1781<br>477C2C31EEA69EB5DB91DC6D943A768A2CB1E0121EE4D39E59D41E470DFBE8AF8B326A6E0D4B681603087C5F57BC775455D5F999F0C49AC47A0A90DE509E<br>33B33C7FA87660B40A93AB081750B47B36E05F9878AA41761DE1F0F2A333272A5B2E9F59F376EBA1D2F361A46DB247915E0A9215500FF8430EC2542C0BFC<br>B806B853A463493816157DFE2040CAED040C00E9D6A1E7696FC157794B9AFF27A7D36E5900D2685BCCFE69745165FE7EF614541FC205D2B75306AAED1A7F<br>FCD7DBA7A3C899DFD1FB6CFF2145CDB8DA69DCE54DC117F954F17AEE255E3464A25B7C8EE7343412D5A2516D68D7C5CFDC516EE086EBCF1158F3C3E4056F<br>4559077769E144331D109524BEE17A0BD490E36DD3BB729FA682D5ABCBDE6D18596E1E3E3B03B6FB6474728BDCA7F34A57F7A2C2049C559B2FD45DD35F19<br>2ED7B0F69083ECCEFB3C2A594D756988BAFBB3F7017462C841FF0EA55399A6F67C8A8E89A271CF21E612F8EAF3AD86787AB6C78BC09CE9F0AAF3E54EEB5E<br>38BE9DD718C3B3720619E9BCBF71</span> <br>  </div> </div>  <div class="tabs">  <div class="tab"> <div id="tab-content1" class="content"> <div class="text">  <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br>  <hr> <b>Contact us for price and get decryption software.</b><br><br> <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</a><br> * Note that this server is available via Tor browser only<br><br> Follow the instructions to open the link:<br> 1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br> 2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br> 3. Now you have Tor browser. In the Tor Browser open <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion<br> </a> 4. Start a chat and follow the further instructions. <br> <hr> <b>If you can not use the above link, use the email:</b><br> <a href="[email protected] ">[email protected] </a> <br> <a href="[email protected] ">[email protected] </a> <br> <p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> </div> </div> </div>   </div> </div>  </div> </div> </body> </html>

Emails

href="[email protected]

">[email protected]

href="[email protected]

">[email protected]

Targets

- Target
  
  1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
- Size
  
  235KB
- MD5
  
  f6f120d1262b88f79debb5d848ac7db9
- SHA1
  
  1339282f9b2d2a41326daf3cf284ec2ae8f0f93c
- SHA256
  
  1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281
- SHA512
  
  1067c1a73cf891d651fa007f4ccc4452f32801fe3859933ef1bcc00985e35ce016fa6c601c0e3c10df2080fc9b8a776b2f18d40bd64dfb98177ab638c4b545bd
- SSDEEP
  
  6144:c5vMUmRTTgwnfeP+Jx1cLNAIyBcc9WrEWUC4wQh/6BeX:/U8Tgufnx1cLNncgQWUUQh/+e
Score

10^/10

medusalocker defense_evasion evasion execution impact ransomware spyware stealer trojan upx
- MedusaLocker
  Ransomware with several variants first seen in September 2019.
  ransomware medusalocker
- MedusaLocker payload
- UAC bypass
  evasion trojan
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Renames multiple (283) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks whether UAC is enabled
  evasion trojan
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral1 behavioral2
- Target
  
  out.upx
- Size
  
  669KB
- MD5
  
  3f002221f0a15187df187cb222d0cb6b
- SHA1
  
  0fa815635807c05c2f0e85f0f09362a8e90d1324
- SHA256
  
  ae00ad8ba6abc6ddac815187f1285cba597d0af8fa4d5ffe429bffb3b6140b5b
- SHA512
  
  08bab72bb09b96685f949845858cbaa4f709f7069971ad1f36849cd3f8fde699c1a2d1c0ae5ee397d57057c81c98f6be41c64caaa5e9435d92e10fa1623660d5
- SSDEEP
  
  12288:gQA0FfTcwpBuV2UxqDmuiLZeUaoFi2XZWfGe615HhAZV8DdI:Muf4wTuV2Ux3uIZeUBi2Te6HW4I
Score

1^/10
behavioral3 behavioral4