Analysis

  • max time kernel
    141s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    18-07-2024 10:00

General

  • Target

    1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe

  • Size

    235KB

  • MD5

    f6f120d1262b88f79debb5d848ac7db9

  • SHA1

    1339282f9b2d2a41326daf3cf284ec2ae8f0f93c

  • SHA256

    1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281

  • SHA512

    1067c1a73cf891d651fa007f4ccc4452f32801fe3859933ef1bcc00985e35ce016fa6c601c0e3c10df2080fc9b8a776b2f18d40bd64dfb98177ab638c4b545bd

  • SSDEEP

    6144:c5vMUmRTTgwnfeP+Jx1cLNAIyBcc9WrEWUC4wQh/6BeX:/U8Tgufnx1cLNncgQWUUQh/+e

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\HOW_TO_RECOVER_DATA.html

Ransom Note
<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">97FE3153AA70DFCCCFAC3485B9A0F23C6C368A00BAB9395EAEF8F5E4DFDBA0C7BD7AE2B0FB6177BF3DB08306BA75B15852681CBB193A8EF0E4CCAB6627B42584<br>0586DBC188A756FCF1360CB41EEE32D82B0861DF32BFC7CF914716329EC16065EDA6FB4209663F1573D14F569E31923CE8DDD9D2671C8DCB708C9C0F318E<br>4B33167AD27D423D7185737B99FECE0A11B5A97F58B0A5F3E8884E92A018EE187F03E535EB80DD0D71AC4ABA73F5EC3B3E7194B254F55BC7FED673BF76B2<br>A356408EB641A5BBFBEC49DC43C741109B2CA47B07D2029AFC91D267A8F83838407DC20220F71F419756923100BA92DC61448B2500E352E488F4AD5E28CB<br>77C8D7AD4E9BC60D97DD3E876E599E0D595AF9215A8C01A49F1AD701DAB503FB33433A52B2357D19ADC0BBDE35FCBCD9A9354887A6E90E3CFA2E68AC9A4D<br>35F8751CD8E868A116C177B618535F65D30A8F65138B22C166060F3FD1F0202FE695407743DBF900E7168370A13B8BAD7335321DCAC83A8B4AB8D0F34842<br>DA0B32CA02BE5DBA390A7B9EF9C7EB08039A0E9A9DD2B869A1CA2DDFBAA245F425C81124B78066741F0A78461574362729E85021E3DA9E5717D4ED864579<br>02D15C4BC96D90E0D1B165A31EC72957987F94601EBCD2289DA1A4000625807E9367A00DB451F4344DBF4F9F9676BDFA39AB18412C086F4FFAA6494CD70F<br>A64878EC3504F6AF07958D612545</span> <br> <!-- !!! dont changing this !!! --> </div> </div> <!-- --> <div class="tabs"> <!--tab--> <div class="tab"> <div id="tab-content1" class="content"> <div class="text"> <!--text data --> <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br> <!--text data --> <hr> <b>Contact us for price and get decryption software.</b><br><br> <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</a><br> * Note that this server is available via Tor browser only<br><br> Follow the instructions to open the link:<br> 1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br> 2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br> 3. Now you have Tor browser. In the Tor Browser open <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion<br> </a> 4. Start a chat and follow the further instructions. <br> <hr> <b>If you can not use the above link, use the email:</b><br> <a href="[email protected] ">[email protected] </a> <br> <a href="[email protected] ">[email protected] </a> <br> <p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> </div> </div> </div> <!--tab--> <!--text data --> </div> </div> <!--tab--> </div> </div> </body> </html>

Signatures

  • MedusaLocker

    Ransomware with several variants first seen in September 2019.

  • MedusaLocker payload 5 IoCs
  • UAC bypass 3 TTPs 2 IoCs
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (283) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 3 TTPs 3 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 63 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • System policy modification 1 TTPs 3 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
    "C:\Users\Admin\AppData\Local\Temp\1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2980
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:2104
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2328
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:2800
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2740
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:2172
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2768
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2908
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {357D4D85-432F-4996-9888-F5282D2EA105} S-1-5-21-1506706701-1246725540-2219210854-1000:MUYDDIIS\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2388
    • C:\Users\Admin\AppData\Roaming\svhost.exe
      C:\Users\Admin\AppData\Roaming\svhost.exe
      2⤵
      • Executes dropped EXE
      PID:896

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\HOW_TO_RECOVER_DATA.html

    Filesize

    4KB

    MD5

    bfad23d9503e20d051531c3ce83ef00f

    SHA1

    08f9d2cb96872ea1e36bcf7f3b5fc89ee23fd6e4

    SHA256

    eee5b95ef9a3919d043822d16630349d0feee275072f62629296ee96451ea1d7

    SHA512

    a1d8270644a60deead846cb9c1e7d260dff94d1b2a62bc90c4b265992022d05857139224cb909d06ca161600058608fb37a232f97a6b9f4ffe69fdd378d1ff24

  • C:\Users\Admin\AppData\Roaming\svhost.exe

    Filesize

    235KB

    MD5

    f6f120d1262b88f79debb5d848ac7db9

    SHA1

    1339282f9b2d2a41326daf3cf284ec2ae8f0f93c

    SHA256

    1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281

    SHA512

    1067c1a73cf891d651fa007f4ccc4452f32801fe3859933ef1bcc00985e35ce016fa6c601c0e3c10df2080fc9b8a776b2f18d40bd64dfb98177ab638c4b545bd

  • C:\Users\Admin\Documents\PingDisconnect.xlsx

    Filesize

    16KB

    MD5

    5a03e19cb0d7cd12a74b99566ab6af46

    SHA1

    1042fad4368fefb6e3867103343c819ddde1f374

    SHA256

    9d04a364fbf098fc1e309de889b111c732058688924429ed4d826edb50856cb0

    SHA512

    d5f1e21fe9a7d4f9e9c3e7a75f1557348d63e9350866c282ad8d0ccf9f98a6c11ba687234afaac269b8a5a3b770895b29cc9bdd8dd21a5e04ed4048c8862970b

  • C:\Users\Default\NTUSER.DAT.LOG2

    Filesize

    536B

    MD5

    3f97004a8bd239e4c45c9c7b3ba1eaa8

    SHA1

    fe40742d4b4283d995142658877209054e9c5a34

    SHA256

    9763dfdb12e7f2bc64cd3d8bf9cea38fdd5063469b8ede34b2030c1dae0c6426

    SHA512

    8eb1906947b7253caf2d7d092d7002a61fa9a503e27a4367c3c0d3f885e77e56271f34b9191e72026ec9a4499fce4ca683999143908699449abc51384d81be07

  • memory/896-879-0x00000000001D0000-0x0000000000282000-memory.dmp

    Filesize

    712KB

  • memory/896-881-0x00000000001D0000-0x0000000000282000-memory.dmp

    Filesize

    712KB

  • memory/2980-0-0x00000000002D0000-0x0000000000382000-memory.dmp

    Filesize

    712KB

  • memory/2980-869-0x00000000002D0000-0x0000000000382000-memory.dmp

    Filesize

    712KB

  • memory/2980-873-0x00000000002D0000-0x0000000000382000-memory.dmp

    Filesize

    712KB

  • memory/2980-874-0x00000000002D0000-0x0000000000382000-memory.dmp

    Filesize

    712KB

  • memory/2980-883-0x00000000002D0000-0x0000000000382000-memory.dmp

    Filesize

    712KB