Analysis
-
max time kernel
81s -
max time network
85s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
13-11-2024 12:20
Behavioral task
behavioral1
Sample
medusa.exe
Resource
win7-20241010-en
windows7-x64
22 signatures
300 seconds
Behavioral task
behavioral2
Sample
medusa.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
16 signatures
300 seconds
General
-
Target
medusa.exe
-
Size
669KB
-
MD5
646698572afbbf24f50ec5681feb2db7
-
SHA1
70530bc23bad38e6aee66cbb2c2f58a96a18fb79
-
SHA256
26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0
-
SHA512
89bad552a3c0d8b28550957872561d03bf239d2708d616f21cbf22e58ae749542b07eee00fedac6fdb83c5969f50ea0f56fc103264a164671a94e156f73f160a
-
SSDEEP
12288:dQA0FfTcwpBuV2UxqDmuiLZeUaoFi2XZWfGe615HhAZV8D4KD/KeX:Tuf4wTuV2Ux3uIZeUBi2Te6HWdKrKe
Malware Config
Extracted
Path
\Device\HarddiskVolume1\Boot\how_to_back_files.html
Ransom Note
<html>
<style type="text/css">
body {
background-color: #f5f5f5;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
display: block;
margin: auto;
}
.tabs1 .head{
text-align: center;
float: top;
padding: 0px;
text-transform: uppercase;
font-weight: normal;
display: block;
background: #81bef7;
color: #DF0101;
font-size: 30px;
}
.tabs1 .identi {
font-size: 10px;
text-align: center;
float: top;
padding: 15px;
display: block;
background: #81bef7;
color: #DFDFDF;
word-break: break-all;
}
.tabs .content {
background: #f5f5f5;
/*text-align: center;*/
color: #000000;
padding: 25px 15px;
font-size: 15px;
font-weight: 400;
line-height: 20px; }
.tabs .content a {
color: #df0130;
font-size: 23px;
font-style: italic;
text-decoration: none;
line-height: 35px; }
.tabs .content .text{
padding: 25px;
line-height: 1.2;
}
</style>
<body>
<div class="tabs1">
<div class="head" ><b>Your personal ID:</b></div>
<div class="identi">
<span style="width:1000px; color: #ffffff; font-size: 10px;">57F36391B6614A0E9C40D0DBF490D769DE70C78E65C6BFFE81D19826108AF057E996844A58D929E184D150C2A4138E9F90A9A8E0178E4BA7B678408B80BCF43D<br>B842E14B47B93D736D2CC9281B34A0FA82C1BEEA352B424EE1A3A2CEAC64D899FD19EC3C69726EA0AD20F085D34D4C3F8C7E43FFBB3281CBB35773102A30<br>66AE78A66D5B4C1B58765F93B926194B002FF7F7C18B10AC9D09C6AF3CCA8F157532E49E28B70CFBAA267C64101ED58091BD37236E5BF109793BC6B7B4E0<br>DC872B509BCD9FEAAF904FD2159A3529CE6F3725DD64434618C68C0277E79B806D8DAAC8D9ACFFC2AC566ACFB9D0E37D31974EF0B4799C2FC30E991A0E98<br>362BD660BE62ACC52F29A574DB4EBDE3D32F9789D7D2217620C2961B54B5634FCD7A79B6FBF446031B526EB8FC6C6604DD3F1E02EF7234E941DF59A2E510<br>90758F9ACBCCD2993735CD099386F8CF7F34C9FD2A1CDCE1B0D8343950E4665D28DC7FAD459A7EDF0A05D19B74EFFD32825BFF04F334B834DF17966BC63F<br>54226BC68D9E454D686488785512299D1E1558615760917187AD25245BDD6DFE9E0B949E2DD52FE534AA43D2146ADAB20DE2E7CDA4A06D6D93CE68BF59F4<br>158C93EF11DD5AC3FC0AB98A4222A23E3DFEEB3C93D79C9904FC7AB00E4E4A580463034BA1C1723A24B060BD5480F97F29E396C7C48A2917F51E89B39E5E<br>D32C2B18F221F35FDAB9ED354A22</span> <br>
<!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<div id="tab-content1" class="content">
<div class="text">
<!--text data -->
<b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br>
<b>All your important files have been encrypted!</b><br><br>
<hr>
Your files are safe! Only modified. (RSA+AES)<br><br>
ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br>
WILL PERMANENTLY CORRUPT IT.<br>
DO NOT MODIFY ENCRYPTED FILES.<br>
DO NOT RENAME ENCRYPTED FILES.<br><br>
No software available on internet can help you. We are the only ones able to<br>
solve your problem.<br><br>
We gathered highly confidential/personal data. These data are currently stored on<br>
a private server. This server will be immediately destroyed after your payment.<br>
If you decide to not pay, we will release your data to public or re-seller.<br>
So you can expect your data to be publicly available in the near future..<br><br>
We only seek money and our goal is not to damage your reputation or prevent<br>
your business from running.<br><br>
You will can send us 2-3 non-important files and we will decrypt it for free<br>
to prove we are able to give your files back.<br><br>
<!--text data -->
<hr>
<b>Contact us for price and get decryption software.</b><br><br>
<a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</a><br>
* Note that this server is available via Tor browser only<br><br>
Follow the instructions to open the link:<br>
1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br>
2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br>
3. Now you have Tor browser. In the Tor Browser open <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion<br>
</a>
4. Start a chat and follow the further instructions. <br>
<hr>
<b>If you can not use the above link, use the email:</b><br>
<a href="[email protected] ">[email protected] </a> <br>
<a href="[email protected] ">[email protected] </a> <br>
<p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br>
<b>
IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br>
</div>
</div>
</div>
<!--tab-->
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>
Emails
Signatures
-
MedusaLocker
Ransomware with several variants first seen in September 2019.
-
MedusaLocker payload 1 IoCs
resource yara_rule behavioral1/files/0x000a00000001225c-1042.dat family_medusalocker -
Medusalocker family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" medusa.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" medusa.exe -
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (340) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Executes dropped EXE 1 IoCs
pid Process 952 svhost.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" medusa.exe -
Drops desktop.ini file(s) 1 IoCs
description ioc Process File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-3692679935-4019334568-335155002-1000\desktop.ini medusa.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\J: medusa.exe File opened (read-only) \??\N: medusa.exe File opened (read-only) \??\P: medusa.exe File opened (read-only) \??\S: medusa.exe File opened (read-only) \??\U: medusa.exe File opened (read-only) \??\Z: medusa.exe File opened (read-only) \??\V: medusa.exe File opened (read-only) \??\E: medusa.exe File opened (read-only) \??\G: medusa.exe File opened (read-only) \??\H: medusa.exe File opened (read-only) \??\I: medusa.exe File opened (read-only) \??\Q: medusa.exe File opened (read-only) \??\R: medusa.exe File opened (read-only) \??\T: medusa.exe File opened (read-only) \??\X: medusa.exe File opened (read-only) \??\Y: medusa.exe File opened (read-only) \??\F: medusa.exe File opened (read-only) \??\K: medusa.exe File opened (read-only) \??\L: medusa.exe File opened (read-only) \??\M: medusa.exe File opened (read-only) \??\W: medusa.exe File opened (read-only) \??\A: medusa.exe File opened (read-only) \??\B: medusa.exe File opened (read-only) \??\O: medusa.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wmic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language medusa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssadmin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wmic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssadmin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wmic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssadmin.exe -
Interacts with shadow copies 3 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 3020 vssadmin.exe 2940 vssadmin.exe 2832 vssadmin.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{DF7B9271-A1B9-11EF-A276-7E6174361434} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2200 medusa.exe 2200 medusa.exe 2200 medusa.exe 2200 medusa.exe 2200 medusa.exe 2200 medusa.exe 2200 medusa.exe 2200 medusa.exe 2200 medusa.exe 2200 medusa.exe 2200 medusa.exe 2200 medusa.exe 2200 medusa.exe 2200 medusa.exe 2200 medusa.exe 2200 medusa.exe 2200 medusa.exe 2200 medusa.exe 2200 medusa.exe 2200 medusa.exe 2200 medusa.exe 2200 medusa.exe 2200 medusa.exe 2200 medusa.exe 2200 medusa.exe 2200 medusa.exe 2200 medusa.exe 2200 medusa.exe 2200 medusa.exe 2200 medusa.exe 2200 medusa.exe 2200 medusa.exe 2200 medusa.exe 2200 medusa.exe 2200 medusa.exe 2200 medusa.exe 2200 medusa.exe 2200 medusa.exe 2200 medusa.exe 2200 medusa.exe 2200 medusa.exe 2200 medusa.exe 2200 medusa.exe 2200 medusa.exe 2200 medusa.exe 2200 medusa.exe 2200 medusa.exe 2200 medusa.exe 2200 medusa.exe 2200 medusa.exe 2200 medusa.exe 2200 medusa.exe 2200 medusa.exe 2200 medusa.exe 2200 medusa.exe 2200 medusa.exe 2200 medusa.exe 2200 medusa.exe 2200 medusa.exe 2200 medusa.exe 2200 medusa.exe 2200 medusa.exe 2200 medusa.exe 2200 medusa.exe -
Suspicious use of AdjustPrivilegeToken 63 IoCs
description pid Process Token: SeBackupPrivilege 2920 vssvc.exe Token: SeRestorePrivilege 2920 vssvc.exe Token: SeAuditPrivilege 2920 vssvc.exe Token: SeIncreaseQuotaPrivilege 2488 wmic.exe Token: SeSecurityPrivilege 2488 wmic.exe Token: SeTakeOwnershipPrivilege 2488 wmic.exe Token: SeLoadDriverPrivilege 2488 wmic.exe Token: SeSystemProfilePrivilege 2488 wmic.exe Token: SeSystemtimePrivilege 2488 wmic.exe Token: SeProfSingleProcessPrivilege 2488 wmic.exe Token: SeIncBasePriorityPrivilege 2488 wmic.exe Token: SeCreatePagefilePrivilege 2488 wmic.exe Token: SeBackupPrivilege 2488 wmic.exe Token: SeRestorePrivilege 2488 wmic.exe Token: SeShutdownPrivilege 2488 wmic.exe Token: SeDebugPrivilege 2488 wmic.exe Token: SeSystemEnvironmentPrivilege 2488 wmic.exe Token: SeRemoteShutdownPrivilege 2488 wmic.exe Token: SeUndockPrivilege 2488 wmic.exe Token: SeManageVolumePrivilege 2488 wmic.exe Token: 33 2488 wmic.exe Token: 34 2488 wmic.exe Token: 35 2488 wmic.exe Token: SeIncreaseQuotaPrivilege 2812 wmic.exe Token: SeSecurityPrivilege 2812 wmic.exe Token: SeTakeOwnershipPrivilege 2812 wmic.exe Token: SeLoadDriverPrivilege 2812 wmic.exe Token: SeSystemProfilePrivilege 2812 wmic.exe Token: SeSystemtimePrivilege 2812 wmic.exe Token: SeProfSingleProcessPrivilege 2812 wmic.exe Token: SeIncBasePriorityPrivilege 2812 wmic.exe Token: SeCreatePagefilePrivilege 2812 wmic.exe Token: SeBackupPrivilege 2812 wmic.exe Token: SeRestorePrivilege 2812 wmic.exe Token: SeShutdownPrivilege 2812 wmic.exe Token: SeDebugPrivilege 2812 wmic.exe Token: SeSystemEnvironmentPrivilege 2812 wmic.exe Token: SeRemoteShutdownPrivilege 2812 wmic.exe Token: SeUndockPrivilege 2812 wmic.exe Token: SeManageVolumePrivilege 2812 wmic.exe Token: 33 2812 wmic.exe Token: 34 2812 wmic.exe Token: 35 2812 wmic.exe Token: SeIncreaseQuotaPrivilege 2356 wmic.exe Token: SeSecurityPrivilege 2356 wmic.exe Token: SeTakeOwnershipPrivilege 2356 wmic.exe Token: SeLoadDriverPrivilege 2356 wmic.exe Token: SeSystemProfilePrivilege 2356 wmic.exe Token: SeSystemtimePrivilege 2356 wmic.exe Token: SeProfSingleProcessPrivilege 2356 wmic.exe Token: SeIncBasePriorityPrivilege 2356 wmic.exe Token: SeCreatePagefilePrivilege 2356 wmic.exe Token: SeBackupPrivilege 2356 wmic.exe Token: SeRestorePrivilege 2356 wmic.exe Token: SeShutdownPrivilege 2356 wmic.exe Token: SeDebugPrivilege 2356 wmic.exe Token: SeSystemEnvironmentPrivilege 2356 wmic.exe Token: SeRemoteShutdownPrivilege 2356 wmic.exe Token: SeUndockPrivilege 2356 wmic.exe Token: SeManageVolumePrivilege 2356 wmic.exe Token: 33 2356 wmic.exe Token: 34 2356 wmic.exe Token: 35 2356 wmic.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 1320 iexplore.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 1320 iexplore.exe 1320 iexplore.exe 2188 IEXPLORE.EXE 2188 IEXPLORE.EXE 2188 IEXPLORE.EXE 2188 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 32 IoCs
description pid Process procid_target PID 2200 wrote to memory of 3020 2200 medusa.exe 30 PID 2200 wrote to memory of 3020 2200 medusa.exe 30 PID 2200 wrote to memory of 3020 2200 medusa.exe 30 PID 2200 wrote to memory of 3020 2200 medusa.exe 30 PID 2200 wrote to memory of 2488 2200 medusa.exe 33 PID 2200 wrote to memory of 2488 2200 medusa.exe 33 PID 2200 wrote to memory of 2488 2200 medusa.exe 33 PID 2200 wrote to memory of 2488 2200 medusa.exe 33 PID 2200 wrote to memory of 2940 2200 medusa.exe 35 PID 2200 wrote to memory of 2940 2200 medusa.exe 35 PID 2200 wrote to memory of 2940 2200 medusa.exe 35 PID 2200 wrote to memory of 2940 2200 medusa.exe 35 PID 2200 wrote to memory of 2812 2200 medusa.exe 37 PID 2200 wrote to memory of 2812 2200 medusa.exe 37 PID 2200 wrote to memory of 2812 2200 medusa.exe 37 PID 2200 wrote to memory of 2812 2200 medusa.exe 37 PID 2200 wrote to memory of 2832 2200 medusa.exe 39 PID 2200 wrote to memory of 2832 2200 medusa.exe 39 PID 2200 wrote to memory of 2832 2200 medusa.exe 39 PID 2200 wrote to memory of 2832 2200 medusa.exe 39 PID 2200 wrote to memory of 2356 2200 medusa.exe 41 PID 2200 wrote to memory of 2356 2200 medusa.exe 41 PID 2200 wrote to memory of 2356 2200 medusa.exe 41 PID 2200 wrote to memory of 2356 2200 medusa.exe 41 PID 920 wrote to memory of 952 920 taskeng.exe 46 PID 920 wrote to memory of 952 920 taskeng.exe 46 PID 920 wrote to memory of 952 920 taskeng.exe 46 PID 920 wrote to memory of 952 920 taskeng.exe 46 PID 1320 wrote to memory of 2188 1320 iexplore.exe 48 PID 1320 wrote to memory of 2188 1320 iexplore.exe 48 PID 1320 wrote to memory of 2188 1320 iexplore.exe 48 PID 1320 wrote to memory of 2188 1320 iexplore.exe 48 -
System policy modification 1 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" medusa.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" medusa.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" medusa.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\medusa.exe"C:\Users\Admin\AppData\Local\Temp\medusa.exe"1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2200 -
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet2⤵
- System Location Discovery: System Language Discovery
- Interacts with shadow copies
PID:3020
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2488
-
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet2⤵
- System Location Discovery: System Language Discovery
- Interacts with shadow copies
PID:2940
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2812
-
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet2⤵
- System Location Discovery: System Language Discovery
- Interacts with shadow copies
PID:2832
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2356
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2920
-
C:\Windows\system32\taskeng.exetaskeng.exe {D0F2E31D-B470-4B07-851B-D16E942BED75} S-1-5-21-3692679935-4019334568-335155002-1000:BCXRJFKE\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
PID:920 -
C:\Users\Admin\AppData\Roaming\svhost.exeC:\Users\Admin\AppData\Roaming\svhost.exe2⤵
- Executes dropped EXE
PID:952
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\how_to_back_files.html1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1320 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1320 CREDAT:275457 /prefetch:22⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2188
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Direct Volume Access
1Impair Defenses
1Disable or Modify Tools
1Indicator Removal
2File Deletion
2Modify Registry
3Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
3B
MD58a80554c91d9fca8acb82f023de02f11
SHA15f36b2ea290645ee34d943220a14b54ee5ea5be5
SHA256ca3d163bab055381827226140568f3bef7eaac187cebd76878e0b63e9e442356
SHA512ca4b6defb8adcc010050bc8b1bb8f8092c4928b8a0fba32146abcfb256e4d91672f88ca2cdf6210e754e5b8ac5e23fb023806ccd749ac8b701f79a691f03c87a
-
Filesize
669KB
MD5646698572afbbf24f50ec5681feb2db7
SHA170530bc23bad38e6aee66cbb2c2f58a96a18fb79
SHA25626af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0
SHA51289bad552a3c0d8b28550957872561d03bf239d2708d616f21cbf22e58ae749542b07eee00fedac6fdb83c5969f50ea0f56fc103264a164671a94e156f73f160a
-
Filesize
16KB
MD5bfd55fd3566c5fc04b9ad9f9fdfa0d93
SHA1b383d29f86ea99b7b7b2ec0e8be880f2b90d300d
SHA256ae5bed6247bb276e295c3071b6b7478b38ff6004720891656dfaf9d28221a024
SHA512ae635643f45def10177d4efb6c505e05b8e5b3275148cd20db35729c9c4289115e92669bc8bbfcad0627cc5601d539a9dccbd68bd87b6551948ff38b2d02e1ea
-
Filesize
536B
MD52609078091234ca94aef1f56bde63764
SHA1bdcbad81fc1b9c9234402348968be2ba46de204e
SHA256a78c19c5a96d01742ac1aea6d4d384fce30f199d1d6a159725e10687750d465f
SHA512f2666d38a8da0ee7e7f973d8f72e9384cb5db1d91c2c8432917f696292e5f876a8917cba84725e2ea0e7c0f11e66b7150f5fab7f1dcaf53870e9a810b82ad293
-
Filesize
4KB
MD5e84d326da5837b222265886f2e48bd62
SHA14f510f6c41ffc17bbef0904801d7bc1f502cbb41
SHA2563d2a2a79c03cbbef42d93e5cdcae1843e1fe83fa11594e991d75c9c693b4cb45
SHA512e7d925270d5412e5da162d6ae83cf43128c5aec259134ff25e7dde3d0a26f3e85cacf7d60a016168439b4877c75b2c3cc437d191007e8a58ddcff776dde0adee