medusalocker | f73508dfaf27c9eaeccf20fde21c0292202ad65bf16c4c0c2285fc4f24f933d6

Analysis

max time kernel
0s
max time network
132s
platform
ubuntu-24.04_amd64
resource
ubuntu2404-amd64-20240523-en
resource tags

arch:amd64arch:i386image:ubuntu2404-amd64-20240523-enkernel:6.8.0-31-genericlocale:en-usos:ubuntu-24.04-amd64system
submitted
28-10-2024 13:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

33.out
Size

1.8MB
MD5

3d0c932d0eab4d6c5ce08b9ce2b7d335
SHA1

b1058433c97fdee8bbad3e393515b4c5dfb4756a
SHA256

f73508dfaf27c9eaeccf20fde21c0292202ad65bf16c4c0c2285fc4f24f933d6
SHA512

48f115dd25805ef59c508c7f193dc56c9a0fb7b2798e6628b1a89573e34a1ad1f094f52b508e6e196f6dbc326587a211dfb04ef64226976f66a5e179ae5c847c
SSDEEP

24576:SBHZBBnZ7xWVcvcD6U7yZJet53ob5XKh2ZQ21:yBndxWVZD6U7yZAtJob5XC2ZQ21

Score

10^/10

medusalocker discovery ransomware

Malware Config

Extracted

Path

/mnt/How_to_back_files.html

Family

medusalocker

Ransom Note

Your personal ID: JKMeXXoVjh5Wpz3UttrTM/TcjEC+Ot0DlVBKpRiCMotVQxbI64AG5DkaY4yJy1aQ/XeV/EfDCEQQGattlR8gSe4w9gQUGaJUyxGhAuQAHfPh/ayHA08sqBXuH8xPM3ElaS873FbPpofPc34IWaHnyN0WW+qWRP25FIgdxlUW1Sdq8IdGcDQJ/r7xWE1vD8XZmyQGNqtcXewQBbCaNEA2KmX2kVi8VK6J+ykQdmbZWEuCvB9wLwQDYpVmwt0wqnsppiYdENple8CHWRJHvCpYR7SCJkKqzdT1KahB6SAiNneiR9dEUH3JwWrz3d3OwlRexI8JzfBsHJSYJ05pXWF3c3Qy5wg5jqXvqkvaVbsVXkEZDgvbcpYBPwyu6FkDuGVi03XkX/sC909D9qy0P/rBh7o3RzvADRpOykgHunGxXNj9nCExJ3+P/3fJ6TtygDsKyunEo1jtgtNENjm6X2+xa4VrDuLwWqxo1UycGUltTOQZml27R+O9HCKGR/6lEq78AhcbwXfmyxvstg2XyK+kHajIWpGIjAvNurKpSTFZb2HmPHOHtG0PvP4TZCOkzhqmO/SD+1kc9SqItLYw6gavU/2BpvzIVPgsgWWuCRrm6AfVnL7kJNITfmR3u8lg9QmyNzpPNe/wdm+yeJedswD1oimWBauQYm7J8gaEzPmqMFlWW+1zqPPk0M2c4gJCzzNIvyK3sDDb3kmU/Tvi4i6qeKXBuHposETlX8L0KjzKwlVjfyoSSRHqVma4toglazTG6US7JN9+Hp8fgVxl+HJ9CLhHSVbKwbePfva0NxoO2e4Bn103HPsgUF4T73ZOK5dn/kbIF4HqjPizZBqNvzcHNaL4Kgz+V7eQ/cQYGFsd37xnAMti+aJDtvOwl0+7mmBlsbGrDZ5zjIcYLA0SOuZG6SwC3JKFvrJhTlNDuhK6fH9OQwOVQHktKWIvTB3dGO7APfVSBp659GAdv+rrxRFiY3r+tg0hdjRBPE/Pjo4fEBE0OxCZe+kE4MTGzMU9M/M9YuN8zUqcJPfhmPeh8mTlZLvFBCY0U1jtgjYJa1U9y5M7qd//5y662Uy5XHE4Lz+IDVFdzMQswF3wFUoTRDY4EYeGFWBmfMH4hukmimmGFjd/uF5GyhiGZs69DMy/Tl80lidOzCSaZEXvRCHNJSSSEF8meBqvyxDrHkAbuLA06tSfNDqW1jW8AvyCe++2tL8fwXc3JNbqdAbMw/hdmjkodytd9YCL2sNNEAzgMZ+i+a4T/2pY8ub4ctW02iH0Z1xMLR/wyBQi1dr/VaHpxQur9AA6aqFmK67qQJ/Vi035XCVNnjxlXPOi/GnrglHCuYixr/O3i8Iw+b57g2M13/lFd0NPIGJxzAcdd1AkbfvG9v+iZk8jBFCTZtkOTlsNAOdPct6KzMPFrpW//vQ7vBb5ifBPz5eEN95cqpIWt/y2FMrbSwe2ggIO23rsjkvRvA20H7Tmi72mqSp77GdhAIhLkdq7+9BVMb4qCZVavUnDSxLcWmL30QVpiOpzla3s3HOxvxAgqtzc+Gi2nX1iHxvJVw6ZT1huAeSM/5qfvErRjbWng8WVodJMuqSGZliTjxqZ9fAiTmyNPqxTjuKjcXYLDxspb+TpdF8UA7v6fDucTd7tQJXEN45uKI0UcQWtOlMDTtsrTczdEeQoIHzHEu0a8KeAYJ458vTOXhD2LxbgElY= /!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\ All your important files have been encrypted! Your files are safe! Only modified. (RSA+AES) ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE WILL PERMANENTLY CORRUPT IT. DO NOT MODIFY ENCRYPTED FILES. DO NOT RENAME ENCRYPTED FILES. No software available on internet can help you. We are the only ones able to solve your problem. We gathered highly confidential/personal data. These data are currently stored on a private server. This server will be immediately destroyed after your payment. If you decide to not pay, we will release your data to public or re-seller. So you can expect your data to be publicly available in the near future.. We only seek money and our goal is not to damage your reputation or prevent your business from running. You will can send us 2-3 non-important files and we will decrypt it for free to prove we are able to give your files back. Contact us for price and get decryption software. email: [email protected] [email protected] * To contact us, create a new free email account on the site: protonmail.com IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER. * Tor-chat to always be in touch: qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion

Emails

[email protected]

Signatures

MedusaLocker
Ransomware with several variants first seen in September 2019.
ransomware medusalocker
Medusalocker family
medusalocker

Reads CPU attributes 1 TTPs 1 IoCs

discovery

System Information Discovery

T1082

Processes:

33.out

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	33.out

System Network Configuration Discovery 1 TTPs 1 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

Processes:

pid	Process
2833	sh

/tmp/33.out
/tmp/33.out
1⤵
- Reads CPU attributes
PID:2821
- /bin/sh
  sh -c -- "rem Kill \"SQL\""
  2⤵
  PID:2827
- /bin/sh
  sh -c -- "taskkill -f -im sqlbrowser.exe"
  2⤵
  PID:2828
- /bin/sh
  sh -c -- "taskkill -f -im sql writer.exe"
  2⤵
  PID:2829
- /bin/sh
  sh -c -- "taskkill -f -im sqlserv.exe"
  2⤵
  PID:2830
- /bin/sh
  sh -c -- "taskkill -f -im msmdsrv.exe"
  2⤵
  PID:2831
- /bin/sh
  sh -c -- "taskkill -f -im MsDtsSrvr.exe"
  2⤵
  PID:2832
- /bin/sh
  sh -c -- "taskkill -f -im sqlceip.exe"
  2⤵
  - System Network Configuration Discovery
  PID:2833
- /bin/sh
  sh -c -- "taskkill -f -im fdlauncher.exe"
  2⤵
  PID:2834
- /bin/sh
  sh -c -- "taskkill -f -im Ssms.exe"
  2⤵
  PID:2835
- /bin/sh
  sh -c -- "taskkill -f -im SQLAGENT.EXE"
  2⤵
  PID:2836
- /bin/sh
  sh -c -- "taskkill -f -im fdhost.exe"
  2⤵
  PID:2837
- /bin/sh
  sh -c -- "taskkill -f -im ReportingServicesService.exe"
  2⤵
  PID:2838
- /bin/sh
  sh -c -- "taskkill -f -im msftesql.exe"
  2⤵
  PID:2839
- /bin/sh
  sh -c -- "taskkill -f -im pg_ctl.exe"
  2⤵
  PID:2840
- /bin/sh
  sh -c -- "taskkill -f -impostgres.exe"
  2⤵
  PID:2841
- /bin/sh
  sh -c -- "net stop MSSQLServerADHelper100"
  2⤵
  PID:2842
- /bin/sh
  sh -c -- "net stop MSSQL\$ISARS"
  2⤵
  PID:2843
- /bin/sh
  sh -c -- "net stop MSSQL\$MSFW"
  2⤵
  PID:2844
- /bin/sh
  sh -c -- "net stop SQLAgent\$ISARS"
  2⤵
  PID:2845
- /bin/sh
  sh -c -- "net stop SQLAgent\$MSFW"
  2⤵
  PID:2846
- /bin/sh
  sh -c -- "net stop SQLBrowser"
  2⤵
  PID:2847
- /bin/sh
  sh -c -- "net stop REportServer\$ISARS"
  2⤵
  PID:2848
- /bin/sh
  sh -c -- "net stop SQLWriter"
  2⤵
  PID:2849
- /bin/sh
  sh -c -- "vssadmin.exe Delete Shadows /All /Quiet"
  2⤵
  PID:2850
- /bin/sh
  sh -c -- "wbadmin delete backup -keepVersion:0 -quiet"
  2⤵
  PID:2851
- /bin/sh
  sh -c -- "wbadmin DELETE SYSTEMSTATEBACKUP"
  2⤵
  PID:2852
- /bin/sh
  sh -c -- "wbadmin DELETE SYSTEMSTABACKUP -deleteOldest"
  2⤵
  PID:2853
- /bin/sh
  sh -c -- "wmic.exe SHADOWCOPY /nointeractive"
  2⤵
  PID:2854
- /bin/sh
  sh -c -- "bcdedit.exe /set {default} recoverynabled No"
  2⤵
  PID:2855
- /bin/sh
  sh -c -- "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"
  2⤵
  PID:2856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/mnt/How_to_back_files.html

Filesize
5KB

MD5
65a5745417dacb585c2d9a690c13ac35

SHA1
6a8b7f133d738c1b1b9285af64d6ee72fb272636

SHA256
d90b8ade801aaa4b194827281e34143a82c494557d379ec3bd1c43317e770cdc

SHA512
0818e4f9e651b07a6179cd04c18ec4e844ca57858f13ac6a540e3b7aff691c677c878d85c2f3f4cf1eeac9dbda89419f87289c6362d8cda42acf1813ebd85fef

Download Submit