e6b57ce63de7ec74e623a343175b41ccc09e68de26d30189f8fd50327ab648c5

Analysis

max time kernel
131s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-08-2024 06:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
Size

1.2MB
MD5

6ed1340ddb072eb54f9f9a060e99d78b
SHA1

da6f3948b114abe18e71362a108df8aac8f6b7fb
SHA256

e6b57ce63de7ec74e623a343175b41ccc09e68de26d30189f8fd50327ab648c5
SHA512

da6673221531f2aa88f2515e8602726e9d4d31af42cb88123e6faf549a3814c58dcef4eaaa128ba786f8bced03af8ebe724b12d9393a7fde65c5cd983566e8b5
SSDEEP

12288:zmHAIqyfF/5ebyz1dpPlRnMRTD410ALP68kG3Jz4S9FUmnyJtgoiOHmabd8ornXu:qHRFfauvpPXnMKqJtfiOHmUd8QTH+

Score

10^/10

credential_access defense_evasion discovery evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\!!!HOW_TO_DECRYPT!!!.mht

Ransom Note

From: =?utf-8?B?0RFQctTF0YDQcNC60IXQvdC+IEludGVybmV0IED4cGxvseVyIDEz?= Subject: Date: San, 00 Jan 2000 00:00:00 +0000 MIME-Version: 1.0 Content-Type: text/html; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-MimeOLE: Produced By Microsoft MimeOLE =EF=BB=BF<!DOCTYPE HTML> <!DOCTYPE html PUBLIC "" "">=20 <HTML lang=3D"ru">=20 <HEAD>=20 <META = content=3D"IE = 3D11.0000" http-equiv=3D"X - UA - Compatible">=20 <META charset=3D"utf-8">=20 <TITLE>!!!HOW_TO_DECRYPT!!!</TITLE>=20 <LINK href=3D"style.css" rel=3D"stylesheet">=20 <META name=3D"GENERATOR" content=3D"MSHTML 11.00.10570.1001">=20 </HEAD>=20 <BODY>=20 =20 =20 All your valiable data has been encrypted! =20 =20 =20 Hello! Sorry, but we have inform you that your order has been blocked due to the issue of securities. Make sure your data is not blocked.=20 All your valuable files were encrypted with strong encryption algorithms AES-256 + RSA-2048 + CHACHA and renamed. You can read about these algorithms in Google.=20 Your unique encryption key is stored securely on our server and your data can be decrypted quickly and securely. =20 We can prove that we can decrypt all of your data. Please just send us 3 small encrypted files which are randomly stored on your server.=20 We will decrypt these files and send them to you as a proof. Please note that files for free test decryption should not contain valuable information. =20 As you know information is the most valuable resource in the world. That's why all of your confidential data was uploaded to our servers.=20 If you need proof, just write us and we will show you that we have your files. If you will not start a dialogue with us in 72 hours=20 we will be forced to publish your files in the Darknet. Your customers and partners will be informed about the data leak by email or phone. =20 This way, your reputation will be ruined. If you will not react, we will be forced to sell the most important information such as databases=20 to interested parties to generate some profit. Please understand that we are just doing our job. We don't want to harm your company.=20 Think of this incident as an opportunity to improve your security. We are opened for dialogue and ready to help you. We are professionals,=20 please don't try to fool us. =20 =20 If you want to resolve this situation, please write to ALL of these 2 email addresses: =20 [email protected] [email protected] In subject line please write your ID: 16406006299838607087 =20 =20 =20 Important! =20 * We asking to send your message to ALL of our 2 email adresses because for various reasons, your email may not be delivered. =20 * Our message may be recognized as spam, so be sure to check the spam folder. =20 * If we do not respond to you within 24 hours, write to us from another email address. Use Gmail, Yahoo, Hotmail, or any other well-known email service. =20 Important =20 * Please don't waste the time, it will result only additinal damage to your company! =20 * Please do not try to decrypt the files yourself. We will not be able to help you if files will be modified. =20 =20 =20 </BODY> =20 </HTML>

Emails

[email protected] [email protected] In

URLs

http-equiv=3D"X

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

1468 bcdedit.exe
2936 bcdedit.exe
Renames multiple (660) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes System State backups 3 TTPs 2 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command and Scripting Interpreter
T1059

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

wbadmin.exewbadmin.exe

pid process

4820 wbadmin.exe
2972 wbadmin.exe

pid	process
1468	bcdedit.exe
2936	bcdedit.exe

pid	process
4820	wbadmin.exe
2972	wbadmin.exe

Drops file in Drivers directory 13 IoCs

Processes:

2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\protocol.inprocess	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\System32\drivers\etc\services	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\System32\drivers\etc\services.inprocess	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\System32\drivers\etc\services.1btc	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File created	C:\Windows\System32\drivers\etc\!!!HOW_TO_DECRYPT!!!.mht	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\System32\drivers\etc\networks	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts.inprocess	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\System32\drivers\etc\networks.1btc	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\System32\drivers\etc\protocol	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\System32\drivers\etc\protocol.1btc	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts.1btc	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\System32\drivers\etc\networks.inprocess	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSFEEditor = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe\" e"	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe

description	ioc	process
File opened for modification	\??\E:\$RECYCLE.BIN\S-1-5-21-4182098368-2521458979-3782681353-1000\desktop.ini	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe

Enumerates connected drives 3 TTPs 39 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

description	ioc	process
File opened (read-only)	\??\F:	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\L:	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened (read-only)	\??\T:	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\S:	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened (read-only)	\??\U:	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened (read-only)	\??\V:	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\P:	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened (read-only)	\??\Y:	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\H:	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened (read-only)	\??\I:	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened (read-only)	\??\K:	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened (read-only)	\??\X:	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\A:	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened (read-only)	\??\J:	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened (read-only)	\??\M:	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened (read-only)	\??\R:	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened (read-only)	\??\W:	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened (read-only)	\??\D:	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\B:	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened (read-only)	\??\G:	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened (read-only)	\??\Z:	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened (read-only)	\??\E:	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\N:	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened (read-only)	\??\O:	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened (read-only)	\??\Q:	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 64 IoCs

Processes:

2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe

description	ioc	process
File opened for modification	C:\Windows\System32\config\ELAM.1btc	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File created	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\!!!HOW_TO_DECRYPT!!!.mht	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework\MsCtfMonitor.inprocess	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D.inprocess	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157.1btc	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\Preferred.inprocess	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework\MsCtfMonitor	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A.inprocess	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\System32\config\SYSTEM	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File created	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\!!!HOW_TO_DECRYPT!!!.mht	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506.inprocess	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\6f0dd9cb-b396-4044-b549-64257a1f7069.1btc	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\Preferred.1btc	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\AppContainerUserCertRead	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\6f0dd9cb-b396-4044-b549-64257a1f7069.inprocess	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157.inprocess	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FB0D848F74F70BB2EAA93746D24D9749.1btc	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\System32\config\COMPONENTS	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\System32\config\SECURITY	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File created	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\!!!HOW_TO_DECRYPT!!!.mht	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\0190d4f3-e2d5-4705-b175-f12fbe3cf0b5.inprocess	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan.inprocess	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work.inprocess	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work.inprocess	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\UpdateModelTask	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187.1btc	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\System32\config\DEFAULT	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File created	C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\!!!HOW_TO_DECRYPT!!!.mht	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\System32\config\COMPONENTS.inprocess	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan Static Task.inprocess	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker.inprocess	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157.inprocess	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File created	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\!!!HOW_TO_DECRYPT!!!.mht	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776.inprocess	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\System32\ResPriImageListLowCost	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\System32\config\BCD-Template	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\6f0dd9cb-b396-4044-b549-64257a1f7069	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\UpdateModelTask.inprocess	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FB0D848F74F70BB2EAA93746D24D9749	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\System32\ResPriHMImageList	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\0084dab3-a227-4676-ba9d-e609b300f572.1btc	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\6a051a47-3b0c-4546-a23a-bd7e4318b960.inprocess	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\System32\config\DRIVERS	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A.inprocess	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A.1btc	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9.1btc	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\System32\ResPriImageList	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\System32\config\DRIVERS.inprocess	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File created	C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\!!!HOW_TO_DECRYPT!!!.mht	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Report policies	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File created	C:\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework\!!!HOW_TO_DECRYPT!!!.mht	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe

description	ioc	process
File created	C:\Program Files\Google\Chrome\Application\!!!HOW_TO_DECRYPT!!!.mht	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f7\FA000000007.1btc	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Program Files\Mozilla Firefox\removed-files.inprocess	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f2\FA000000002	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011\FA000000011	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_w1\!!!HOW_TO_DECRYPT!!!.mht	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Program Files\Mozilla Firefox\precomplete	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Program Files\Mozilla Firefox\precomplete.inprocess	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f33\FA000000033.inprocess	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\FA000000008.inprocess	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011\FA000000011.inprocess	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050\!!!HOW_TO_DECRYPT!!!.mht	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_w1\WA104381125.inprocess	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-V	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Program Files\Mozilla Firefox\postSigningData.1btc	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f14\FA000000014.inprocess	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\FA000000006	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-H	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Program Files\Mozilla Firefox\postSigningData	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050\FA000000050.inprocess	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f4\FA000000005.1btc	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009\FA000000009.1btc	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_w1\WA104381125.1btc	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\ZeroByteFile.inprocess	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f33\!!!HOW_TO_DECRYPT!!!.mht	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f4\FA000000005	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f7\!!!HOW_TO_DECRYPT!!!.mht	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\FA000000008	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009\FA000000009	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Program Files\Crashpad\metadata.inprocess	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011\FA000000011.1btc	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011\!!!HOW_TO_DECRYPT!!!.mht	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f14\!!!HOW_TO_DECRYPT!!!.mht	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f2\FA000000002.inprocess	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f3\FA000000003.inprocess	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\FA000000008.1btc	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050\FA000000050.1btc	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f14\FA000000014	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f2\FA000000002.1btc	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050\FA000000050	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_w1\WA104381125	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Program Files\Mozilla Firefox\precomplete.1btc	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f2\!!!HOW_TO_DECRYPT!!!.mht	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File created	C:\Program Files\Mozilla Firefox\!!!HOW_TO_DECRYPT!!!.mht	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Program Files\Mozilla Firefox\removed-files.1btc	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\!!!HOW_TO_DECRYPT!!!.mht	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File created	C:\Program Files\Crashpad\!!!HOW_TO_DECRYPT!!!.mht	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f3\FA000000003	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f4\FA000000005.inprocess	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f7\FA000000007	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f7\FA000000007.inprocess	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\FA000000006.inprocess	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\initial_preferences	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f14\FA000000014.1btc	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\!!!HOW_TO_DECRYPT!!!.mht	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\!!!HOW_TO_DECRYPT!!!.mht	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Program Files\Crashpad\metadata	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Program Files\Mozilla Firefox\removed-files	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\initial_preferences.inprocess	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f33\FA000000033	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f3\FA000000003.1btc	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009\!!!HOW_TO_DECRYPT!!!.mht	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\ZeroByteFile	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\!!!HOW_TO_DECRYPT!!!.mht	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe

Drops file in Windows directory 64 IoCs

Processes:

wbadmin.exe2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exewbadmin.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Installer\SourceHash{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}.1btc	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\Installer\SourceHash{90160000-008C-0409-1000-0000000FF1CE}.inprocess	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\Installer\SourceHash{BF08E976-B92E-4336-B56F-2171179476C4}	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\Installer\SourceHash{E634F316-BEB6-4FB3-A612-F7102F576165}	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\Installer\SourceHash{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.1btc	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\Installer\SourceHash{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}.inprocess	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\Installer\SourceHash{90160000-008C-0000-1000-0000000FF1CE}	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\Installer\SourceHash{CB0836EC-B072-368D-82B2-D3470BF95707}.inprocess	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\Installer\SourceHash{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}.1btc	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\SharedFileCache\ffb218cb78a2ca5b027e463f2a6bbb9c7036730212098e4fb7c330c70dcdfda4.inprocess	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Installer\SourceHash{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\Installer\SourceHash{662A0088-6FCD-45DD-9EA7-68674058AED5}	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\Installer\SourceHash{7447A794-FA2E-42BE-BA9A-5FCBD54C5DF3}	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\Installer\SourceHash{90160000-008C-0409-1000-0000000FF1CE}.1btc	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\Installer\SourceHash{E634F316-BEB6-4FB3-A612-F7102F576165}.inprocess	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_ea0aa4d6-aa48-4733-9e64-85ab59ce35b0	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.1.etl	wbadmin.exe
File opened for modification	C:\Windows\Installer\SourceHash{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\Installer\SourceHash{77924AE4-039E-4CA4-87B4-2F64180381F0}.inprocess	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\Installer\SourceHash{79043ED0-7ED1-4227-A5E5-04C5594D21F7}.inprocess	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\Installer\SourceHash{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}.inprocess	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\Installer\SourceHash{CB0836EC-B072-368D-82B2-D3470BF95707}.1btc	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\SharedFileCache\ffb218cb78a2ca5b027e463f2a6bbb9c7036730212098e4fb7c330c70dcdfda4.1btc	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_ea0aa4d6-aa48-4733-9e64-85ab59ce35b0.1btc	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File created	C:\Windows\Installer\!!!HOW_TO_DECRYPT!!!.mht	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\Installer\SourceHash{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.1btc	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\Installer\SourceHash{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}.inprocess	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\Installer\SourceHash{90160000-007E-0000-1000-0000000FF1CE}.1btc	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\Installer\SourceHash{AC76BA86-7AD7-1033-7B44-AC0F074E4100}	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\SharedFileCache\e1ea7b2e20a22fbee6e9dd5d883e9f3cc75fdee790ea383a755da4381088ec52.inprocess	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\Panther\setupinfo.inprocess	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\Installer\SourceHash{64A3A4F4-B792-11D6-A78A-00B0D0180381}.1btc	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\Installer\SourceHash{9BE518E6-ECC6-35A9-88E4-87755C07200F}.inprocess	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\Installer\SourceHash{B175520C-86A2-35A7-8619-86DC379688B9}	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\Installer\SourceHash{CE4D7AE0-FCBA-486F-A58F-DBA3626FBE4B}.inprocess	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\Installer\SourceHash{2BB73336-4F69-4141-9797-E9BD6FE3980A}	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\Installer\SourceHash{E634F316-BEB6-4FB3-A612-F7102F576165}.1btc	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\Installer\SourceHash{C7B73281-AB0A-4DAD-A09F-5C30D40679AC}	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File created	C:\Windows\Boot\PCAT\!!!HOW_TO_DECRYPT!!!.mht	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_ea0aa4d6-aa48-4733-9e64-85ab59ce35b0.inprocess	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\Installer\SourceHash{D46F1FD9-2FE8-4D05-B2AC-011C23B69B24}.inprocess	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\Installer\SourceHash{7DAD0258-515C-3DD4-8964-BD714199E0F7}	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\Installer\SourceHash{90160000-008C-0000-1000-0000000FF1CE}.inprocess	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\!!!HOW_TO_DECRYPT!!!.mht	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\Installer\SourceHash{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\Installer\SourceHash{7447A794-FA2E-42BE-BA9A-5FCBD54C5DF3}.inprocess	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\Installer\SourceHash{79043ED0-7ED1-4227-A5E5-04C5594D21F7}	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\Installer\SourceHash{7DAD0258-515C-3DD4-8964-BD714199E0F7}.1btc	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\Installer\SourceHash{C7B73281-AB0A-4DAD-A09F-5C30D40679AC}.inprocess	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\Installer\SourceHash{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}.1btc	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\Installer\SourceHash{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\Installer\SourceHash{3A96B93E-763F-41E7-85C7-1F3CCC37EF27}	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\Installer\SourceHash{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\Installer\SourceHash{90160000-008C-0409-1000-0000000FF1CE}	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\Installer\SourceHash{AC76BA86-7AD7-1033-7B44-AC0F074E4100}.inprocess	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\Installer\SourceHash{AC76BA86-7AD7-1033-7B44-AC0F074E4100}.1btc	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\Installer\SourceHash{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\Installer\SourceHash{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\Installer\SourceHash{BF08E976-B92E-4336-B56F-2171179476C4}.inprocess	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\SharedFileCache\ffb218cb78a2ca5b027e463f2a6bbb9c7036730212098e4fb7c330c70dcdfda4	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\Installer\SourceHash{90160000-008C-0000-1000-0000000FF1CE}.1btc	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
File opened for modification	C:\Windows\Installer\SourceHash{9BE518E6-ECC6-35A9-88E4-87755C07200F}	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 3 TTPs 13 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid	process
1456	vssadmin.exe
2888	vssadmin.exe
5052	vssadmin.exe
1228	vssadmin.exe
4344	vssadmin.exe
4796	vssadmin.exe
2868	vssadmin.exe
5032	vssadmin.exe
2064	vssadmin.exe
1764	vssadmin.exe
4476	vssadmin.exe
1812	vssadmin.exe
3788	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe

pid	process
5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

vssvc.exewmic.exe

description	pid	process
Token: SeBackupPrivilege	3576	vssvc.exe
Token: SeRestorePrivilege	3576	vssvc.exe
Token: SeAuditPrivilege	3576	vssvc.exe
Token: SeIncreaseQuotaPrivilege	3660	wmic.exe
Token: SeSecurityPrivilege	3660	wmic.exe
Token: SeTakeOwnershipPrivilege	3660	wmic.exe
Token: SeLoadDriverPrivilege	3660	wmic.exe
Token: SeSystemProfilePrivilege	3660	wmic.exe
Token: SeSystemtimePrivilege	3660	wmic.exe
Token: SeProfSingleProcessPrivilege	3660	wmic.exe
Token: SeIncBasePriorityPrivilege	3660	wmic.exe
Token: SeCreatePagefilePrivilege	3660	wmic.exe
Token: SeBackupPrivilege	3660	wmic.exe
Token: SeRestorePrivilege	3660	wmic.exe
Token: SeShutdownPrivilege	3660	wmic.exe
Token: SeDebugPrivilege	3660	wmic.exe
Token: SeSystemEnvironmentPrivilege	3660	wmic.exe
Token: SeRemoteShutdownPrivilege	3660	wmic.exe
Token: SeUndockPrivilege	3660	wmic.exe
Token: SeManageVolumePrivilege	3660	wmic.exe
Token: 33	3660	wmic.exe
Token: 34	3660	wmic.exe
Token: 35	3660	wmic.exe
Token: 36	3660	wmic.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe

description	pid	process	target process
PID 5068 wrote to memory of 1764	5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe	vssadmin.exe
PID 5068 wrote to memory of 1764	5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe	vssadmin.exe
PID 5068 wrote to memory of 3788	5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe	vssadmin.exe
PID 5068 wrote to memory of 3788	5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe	vssadmin.exe
PID 5068 wrote to memory of 4344	5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe	vssadmin.exe
PID 5068 wrote to memory of 4344	5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe	vssadmin.exe
PID 5068 wrote to memory of 4796	5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe	vssadmin.exe
PID 5068 wrote to memory of 4796	5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe	vssadmin.exe
PID 5068 wrote to memory of 5052	5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe	vssadmin.exe
PID 5068 wrote to memory of 5052	5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe	vssadmin.exe
PID 5068 wrote to memory of 2868	5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe	vssadmin.exe
PID 5068 wrote to memory of 2868	5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe	vssadmin.exe
PID 5068 wrote to memory of 5032	5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe	vssadmin.exe
PID 5068 wrote to memory of 5032	5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe	vssadmin.exe
PID 5068 wrote to memory of 2888	5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe	vssadmin.exe
PID 5068 wrote to memory of 2888	5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe	vssadmin.exe
PID 5068 wrote to memory of 4476	5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe	vssadmin.exe
PID 5068 wrote to memory of 4476	5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe	vssadmin.exe
PID 5068 wrote to memory of 2064	5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe	vssadmin.exe
PID 5068 wrote to memory of 2064	5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe	vssadmin.exe
PID 5068 wrote to memory of 1456	5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe	vssadmin.exe
PID 5068 wrote to memory of 1456	5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe	vssadmin.exe
PID 5068 wrote to memory of 1812	5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe	vssadmin.exe
PID 5068 wrote to memory of 1812	5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe	vssadmin.exe
PID 5068 wrote to memory of 1228	5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe	vssadmin.exe
PID 5068 wrote to memory of 1228	5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe	vssadmin.exe
PID 5068 wrote to memory of 1468	5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe	bcdedit.exe
PID 5068 wrote to memory of 1468	5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe	bcdedit.exe
PID 5068 wrote to memory of 2936	5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe	bcdedit.exe
PID 5068 wrote to memory of 2936	5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe	bcdedit.exe
PID 5068 wrote to memory of 4820	5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe	wbadmin.exe
PID 5068 wrote to memory of 4820	5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe	wbadmin.exe
PID 5068 wrote to memory of 2972	5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe	wbadmin.exe
PID 5068 wrote to memory of 2972	5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe	wbadmin.exe
PID 5068 wrote to memory of 3660	5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe	wmic.exe
PID 5068 wrote to memory of 3660	5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe	wmic.exe
PID 5068 wrote to memory of 1108	5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe	cmd.exe
PID 5068 wrote to memory of 1108	5068	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe	cmd.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-19_6ed1340ddb072eb54f9f9a060e99d78b_medusalocker.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5068
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:1764
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:3788
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:4344
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:4796
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:5052
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:2868
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:5032
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:2888
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:4476
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:2064
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:1456
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:1812
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:1228
- C:\Windows\SYSTEM32\bcdedit.exe
  bcdedit.exe /set {default} recoveryenabled No
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1468
- C:\Windows\SYSTEM32\bcdedit.exe
  bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2936
- C:\Windows\SYSTEM32\wbadmin.exe
  wbadmin DELETE SYSTEMSTATEBACKUP
  2⤵
  - Deletes System State backups
  - Drops file in Windows directory
  PID:4820
- C:\Windows\SYSTEM32\wbadmin.exe
  wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
  2⤵
  - Deletes System State backups
  - Drops file in Windows directory
  PID:2972
- C:\Windows\System32\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3660
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE >> NUL
  2⤵
  PID:1108

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3576

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:1628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\!!!HOW_TO_DECRYPT!!!.mht

Filesize
4KB

MD5
6c9802af3f6e0a61622450190b83ba01

SHA1
012085091cbee1f23b2d71be98a39229027ec891

SHA256
3147bf9c07b164a1b9ae1c3987a9d678110be3990a81083c3180b755745e87a6

SHA512
775fd470d751cb0c5177dd9bfff6f7b638a79bcdb7bf73170029c59337ea4388b3ed79241487b961b5235b74c68902733f6a75875840946ec687fc18bcf8966c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2367C848C1C8A11F6F3502EDA2855348.1btc

Filesize
824B

MD5
9fc08074c5b7026f113764e3b790e2a7

SHA1
f1103c90702788099ea6f38aefa8b878691fa3cb

SHA256
672862ec9e5cc86b1635190520e6bb5f89443eecd45530845f761f616ab6c63f

SHA512
6ebfc40ff74d598c1a45bf01684650f7764ae972c5f6f20e6d424667ea428efd6b9deffe4bbde62f23f037c65dc1902f90812f10a3d539777e69a6691c721de7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157.1btc

Filesize
814B

MD5
301bd32cde891bfa2c8fb07137bd83f1

SHA1
6cbaaf4834afe56eeec31ec93f75b364c55b1a08

SHA256
3bcb5ab46e6eb3fa5d88c0e2a95ef8cee26c7f5970fa1a1479719b6eb606cfff

SHA512
735a12568adb49510e2e5f76fdbe8fd44a77c693e796170179c198b73c9ad268b85ecc4f3e3ffbe302ed12f7adae60c970a305bffa7712267b5ce74e83454f7c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506.1btc

Filesize
840B

MD5
d48a22e08b7b570cb26e5f179dbe1cfd

SHA1
163161c10f561e875144863186b15f02f021796d

SHA256
52e5e539b8cc7edf80cf79043297925baec23b9bdf920aae79cc4f16325ceaa1

SHA512
fceeec26005b857f88029ee84629c7c1a64d5dfb4fc469c2760936c42d7eccb044a22f00b521f401fcd19927176712fc96f13ef0ab325ceb08e39ee6188324ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8DFDF057024880D7A081AFBF6D26B92F.1btc

Filesize
700B

MD5
113aa90716636f6ed0950fa20cc73dce

SHA1
3e020d71ba10f7e416e9ef63cddd1fb19bb6a8c0

SHA256
fae75050d4108e7699ee2cdd73cbdb4a25ffe734bdd8b655cb97daa9ff7ad964

SHA512
6eb0f0a3ee37e7803c0e78567984d79c09b49d722dde157f98a5b1053f6811b1323eeef98d3b14c5844ede7118a8560c5c07b7c2aaa3216a2bbf7590fb7bcfad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C86BD7751D53F10F65AAAD66BBDF33C7.1btc

Filesize
770B

MD5
a349366c177683fe5e12a23db3e92df8

SHA1
7604381f646f3ec159de911ba25728683fdd071b

SHA256
fa74a801dd9a4cc40394bac22afb90d5dffc507fceb48827deec43989456b27e

SHA512
f389e2a60713f57ed5ae3bed68d2f97c520a0c6a20cf8535577d2d37c5807a3e420905813b8c699c6df92a096e50cc99793f1f55ff67a014a6cc2feb96127078

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749

Filesize
290B

MD5
2f7949d01e79336aab0cc38e94f780e3

SHA1
7524ddf36c8581f97159004c7dc226f1d11dbc58

SHA256
482e1ea37b3bf550fa3a0eba5cab30c4ca8d799c84901686bea3e9f595e1cb05

SHA512
2440fd103ac07fc57e5369a627ca37f0d97ad0e116bab14fb23a4423aa3d9215717c112ebd6b6f81dfcd8a6507a01cfc4ab2a5d5a2a253ba3b5d0e24f549d412

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749.1btc

Filesize
842B

MD5
13b33d314e6f9f6efab584e68b7f91c9

SHA1
e6bfb19ef7a3f10ea5e1ad2d76d0ed30c5f8c0d3

SHA256
6bda003c4e40a76865fb4bdc12918063434895b75f0019e029c017e8efb9074c

SHA512
f8d4ddaa15b6111b632c80884130fbe3befcf70435258c3882b5bd87bf0d9f40819ac575ea27d8e71aee08bfe13e6ccd40213dd215bfa4a6126c6c65ab6360ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB5E2F83CE9B8330B0590B7CD2E5FF2E.1btc

Filesize
782B

MD5
30e5a1245077d78529f2164e195eb650

SHA1
df3f059ed241c49f7dd248257034cc7b06ff2bf3

SHA256
4d7c719163aa06807c3a02bc44d5315b2458efb340feb7610b967569e1951df9

SHA512
cdcbeb7a97effa2797ebf39d153ca099fb42c5119b5bfb44651ab63ef10954d3d9326cca515f3615988baafb61895b747d8d0a61666bbe9560cd15d970b72e9a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157.1btc

Filesize
850B

MD5
4c67aa86f0b2110665111b122a3db2fd

SHA1
d01ba39768bb0c6c9ed60cdc6570393da6106da1

SHA256
3de9cbe10cc9ba83c569ca9a162c6182289034527e319c4da9643d6dd814323f

SHA512
30e6582e9c173b0fa2eed5e08996e75aae287b6833f6ab31c036f13c4de9369e0ff5cdf5eedcf7fa3fc77e1e0ea6e29a129f0f7519052046ea02c3e782a65466

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506.1btc

Filesize
802B

MD5
3f44c99c3a1499395f472abd6732ce9d

SHA1
697bd564c2d35e630e099e852302e25a18fb2828

SHA256
a5002d9dc910ab1c0e7a3a5beaeb400d04e0fd12f32f6b998b2ecf72eebc5768

SHA512
309eb61390932f8c29347e1a8987780bdcb49cdcbfd694b7edca6abb82f4caa0f5a5e6a7291cf08c1f8b43cb3be86a797f1f338b8305feffaf9d97960efc4ab5

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749.1btc

Filesize
842B

MD5
4fd9833628a1d6fe435513e43343c6bd

SHA1
c6c39d1902bc4b2ad77732e20349a50a91f9feaf

SHA256
0b3220049d83d7b23c4186400fa10630f26cf923be5ca8163e1b251c860ed24c

SHA512
1893aa22d4bcca97666ffdb29545efc06110432ed9503caab8623cc4c20d567e249fe37abf3a2865c6ba8358a370699f3bb917dca2705e85a69fa873e370a125

Download Submit
memory/1628-819-0x0000019356240000-0x0000019356250000-memory.dmp

Filesize
64KB

Download
memory/1628-825-0x00000193562A0000-0x00000193562B0000-memory.dmp

Filesize
64KB

Download