Analysis
- max time kernel: 148s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-09-2024 23:09
Behavioral task behavioral1
- Sample: 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe
- Resource: win7-20240903-en
Behavioral task behavioral2
- Sample: 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe
- Resource: win10v2004-20240802-en
General
- Target: 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe
- Size: 669KB
- MD5: ed858a19f5881d5b4c1d291fc3c50bde
- SHA1: 2becf1d3b743ecf638568065aeb631653f69d003
- SHA256: f6e687b576ad52361379864e8065da6fb698df4ec6e0a1f664670229717eb230
- SHA512: 7c6c83e63ff207b4957b58f076304724007b0b886388f07142264f516dfcda1d12f73ec8e71bba0cce6ed6d2a31d055c61f5df4bb95442bef88e9c16f1c57906
- SSDEEP: 12288:dQA0FfTcwpBuV2UxqDmuiLZeUaoFi2XZWfGe615HhAZV8DOKD/KeX:Tuf4wTuV2Ux3uIZeUBi2Te6HWnKrKe
Malware Config
- Extracted: \Device\HarddiskVolume1\HOW_TO_BACK_FILES.html
Signatures
-
MedusaLocker
Ransomware with several variants first seen in September 2019.
-
MedusaLocker payload 1 IoCs
- resource: behavioral2/files/0x0009000000023492-656.dat (yara_rule: family_medusalocker)
-
UAC bypass
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" by 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" by 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe
-
Renames multiple (211) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Executes dropped EXE 1 IoCs
- PID 5044: svhost.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks whether UAC is enabled
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" by 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe
-
Drops desktop.ini file(s) 1 IoCs
- File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-1194130065-3471212556-1656947724-1000\desktop.ini by 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by wmic.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by svhost.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by wmic.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by wmic.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 63 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
-
System policy modification 1 TTPs 3 IoCs
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" by 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" by 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" by 20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\20240920ed858a19f5881d5b4c1d291fc3c50bdecobaltstrikemedusalocker.exe"
  PID: 820
  - UAC bypass
  - Checks whether UAC is enabled
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  - C:\Windows\SysWOW64\Wbem\wmic.exe
    Command line: wmic.exe SHADOWCOPY /nointeractive
    PID: 468
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\Wbem\wmic.exe
    Command line: wmic.exe SHADOWCOPY /nointeractive
    PID: 4884
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\Wbem\wmic.exe
    Command line: wmic.exe SHADOWCOPY /nointeractive
    PID: 4860
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Roaming\svhost.exe
  Command line: C:\Users\Admin\AppData\Roaming\svhost.exe
  PID: 5044
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Modify Registry (2)