General

  • Target

    57504bca0f333befa73476e449f6a8a0N.exe

  • Size

    333KB

  • Sample

    240813-e2j11sthmf

  • MD5

    57504bca0f333befa73476e449f6a8a0

  • SHA1

    c207f136cda100bb9b319d3276914f697ccb3499

  • SHA256

    96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a

  • SHA512

    cfe9f07fadbf874b9694990c631c8562ad511bbedd7ea91451d80a5c934f4c1036596b0043e441d3078a37cfef6bba818264ef64044606d77657e7a4a0c29bfc

  • SSDEEP

    6144:AemY9cZrt2pF+M9htFl/1M0lpj9G/OaZE8A8otk1:n9cm+M9vFl/1HrN2otk1

Malware Config

Extracted

Path

C:\MSOCache\All Users\How_to_back_files.html

Ransom Note
Your personal ID: [personal ID blob removed]

/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\
All your important files have been encrypted!

Your files are safe! Only modified. (RSA+AES)

ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE
WILL PERMANENTLY CORRUPT IT.
DO NOT MODIFY ENCRYPTED FILES.
DO NOT RENAME ENCRYPTED FILES.

No software available on internet can help you. We are the only ones able to
solve your problem.

We gathered highly confidential/personal data. These data are currently stored on
a private server. This server will be immediately destroyed after your payment.
If you decide to not pay, we will release your data to public or re-seller.
So you can expect your data to be publicly available in the near future..

We only seek money and our goal is not to damage your reputation or prevent
your business from running.

You will can send us 2-3 non-important files and we will decrypt it for free
to prove we are able to give your files back.

Contact us for price and get decryption software.

email:
[email protected]
[email protected]

* To contact us, create a new free email account on the site: protonmail.com

IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.

* Tor-chat to always be in touch:
qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion

Extracted

Path

C:\Program Files\How_to_back_files.html

Ransom Note
Identical to the note extracted from C:\MSOCache\All Users\How_to_back_files.html above; only the per-victim personal ID blob differs.

Targets

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Renames multiple (7557) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Deletes System State backups

      Uses wbadmin.exe to inhibit system recovery.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v15

Tasks