Overview

overview

10

Static

static

10

B.exe

windows7-x64

10

B.exe

windows10-2004-x64

10

Build.exe

windows7-x64

10

Build.exe

windows10-2004-x64

10

READ.exe

windows7-x64

10

READ.exe

windows10-2004-x64

10

rb.exe

windows7-x64

10

rb.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    127s
  • max time network
    136s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/12/2024, 13:15 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Build.exe

  • Size

    669KB

  • MD5

    b446b1c86f3d27bb39783f9d3a112a40

  • SHA1

    d9f66f8db27686f4f3b2c7d17557c84077ac801f

  • SHA256

    1f5eefc1feb47e11e53f82055ca0921fc1b1299dffa7972c6faeff1904fdad1d

  • SHA512

    c2b7682c265060c1c62be0b4dceba7fed6882b9fdc9cbbd1d379608a482bf215d81a2a3c03cc2df709bc936ee7d06ff1250dde92808bd0e0d1f1ee3410c35d9a

  • SSDEEP

    12288:dQA0FfTcwpBuV2UxqDmuiLZeUaoFi2XZWfGe615HhAZV8DiKD/KeX:Tuf4wTuV2Ux3uIZeUBi2Te6HWPKrKe

Score
10/10
medusalockerdiscoveryevasionransomwarespywarestealertrojan

Malware Config

Extracted

Path

\Device\HarddiskVolume1\HOW_TO_RECOVER_DATA.html

Ransom Note
<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">EB5B63A631414E4DF82EF2CC6DA38200C4FAED6AF20ECA31D46356722F6802C1999FC31D6688D612BACDAF76EAA0508CCC9A825587044BD24D32E0D316AC61E2<br>473F12DF05C18750A607AE741567ED446AF036A3B28C72F9816C61EBB96E09BA06491E16BD5A110585BF568E6722825536521893E977F58A2BCFF224C057<br>5AECF1A370776087771AC65B1FA684021C92BB40B657276D8E864AEF3A2D956A0992B80FF07DB1EF3D63619F770538E8B4EF476AC399DD09840D06220E4F<br>E11B9EECCC19B8E3296BD16A039303158D08C95EFE82D80BCD30F0332E27B904F1CA11131212306529CD9751808E836C211836828859CA7E0512096B73A7<br>DC8C56AB2AA10541E4F36800654281FA57F8115DDFDB0584BC49FE66C2EEC357E00D224878082D9ABD4A2429F15EC87EB145F7746901F44906287C05B53C<br>0098738BD62A625DEEFB7656AEF5EEDDF46AF80A1D41793254EF41C165F03B95612408E149C47DF4A68605EE03DC3F5FD8486E0B19FACDE41466E904F080<br>11285A02A62551504FF57B329134E23A670EDD36A5926DBAA63B2F0274431BA7ED36F1376A632C3C3BC8B136E51A831BD91E448E602A8B206EE054C670BA<br>ACC023968C20AE88845B13AA6C2C2E7FF211FBE58DF5DDC6A98F885383F27058C78983152AD78FC1473C9D0CE1A3AE36AFCE049F91C292901F047E896243<br>A02BFD948C569F58D6EEB7865C50</span> <br> <!-- !!! dont changing this !!! --> </div> </div> <!-- --> <div class="tabs"> <!--tab--> <div class="tab"> <div id="tab-content1" class="content"> <div class="text"> <!--text data --> <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br> <!--text data --> <hr> <b>Contact us for price and get decryption software.</b><br><br> <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</a><br> * Note that this server is available via Tor browser only<br><br> Follow the instructions to open the link:<br> 1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br> 2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br> 3. Now you have Tor browser. In the Tor Browser open <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion </a><br> 4. Start a chat and follow the further instructions. <br><br> <hr> <b>If you can not use the above link, use the email:</b><br> <a href="ithelp05@decorous.cyou ">ithelp05@decorous.cyou </a> <br><a href="ithelp05@wholeness.business">ithelp05@wholeness.business</a> <br> <b>* To contact us, create a new free email account on the site:</b> <a href="https://protonmail.com">protonmail.com<br> <hr> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> </div> </div> </div> <!--tab--> <!--text data --> </div> </div> <!--tab--> </div> </div> </body> </html>
Emails

href="ithelp05@decorous.cyou

">ithelp05@decorous.cyou

href="ithelp05@wholeness.business">ithelp05@wholeness.business</a>

Signatures

  • MedusaLocker

    Ransomware with several variants first seen in September 2019.

    ransomwaremedusalocker
  • MedusaLocker payload 1 IoCs
  • Medusalocker family
    medusalocker
  • UAC bypass 3 TTPs 2 IoCs
    evasiontrojan
  • Renames multiple (221) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 63 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • System policy modification 1 TTPs 3 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\Build.exe
    "C:\Users\Admin\AppData\Local\Temp\Build.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1100
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:5076
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2732
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2424
  • C:\Users\Admin\AppData\Roaming\svhost.exe
    C:\Users\Admin\AppData\Roaming\svhost.exe
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    PID:2376

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dnsgoogle
  • flag-us
    DNS
    149.220.183.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    149.220.183.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    140.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    140.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    228.249.119.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    228.249.119.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    13.86.106.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.86.106.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    197.87.175.4.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    197.87.175.4.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    18.31.95.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    18.31.95.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.214.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.214.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    29.243.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    29.243.111.52.in-addr.arpa
    IN PTR
    Response
No results found
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
     90 B
     1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    149.220.183.52.in-addr.arpa
    dns
    73 B
     147 B
     1
    1

    DNS Request

    149.220.183.52.in-addr.arpa

  • 8.8.8.8:53
    140.32.126.40.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    140.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
     144 B
     1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    228.249.119.40.in-addr.arpa
    dns
    73 B
     159 B
     1
    1

    DNS Request

    228.249.119.40.in-addr.arpa

  • 8.8.8.8:53
    13.86.106.20.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    13.86.106.20.in-addr.arpa

  • 8.8.8.8:53
    197.87.175.4.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    197.87.175.4.in-addr.arpa

  • 8.8.8.8:53
    18.31.95.13.in-addr.arpa
    dns
    70 B
     144 B
     1
    1

    DNS Request

    18.31.95.13.in-addr.arpa

  • 8.8.8.8:53
    172.214.232.199.in-addr.arpa
    dns
    74 B
     128 B
     1
    1

    DNS Request

    172.214.232.199.in-addr.arpa

  • 8.8.8.8:53
    29.243.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    29.243.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\svhost.exe
    Filesize

    669KB

    MD5

    b446b1c86f3d27bb39783f9d3a112a40

    SHA1

    d9f66f8db27686f4f3b2c7d17557c84077ac801f

    SHA256

    1f5eefc1feb47e11e53f82055ca0921fc1b1299dffa7972c6faeff1904fdad1d

    SHA512

    c2b7682c265060c1c62be0b4dceba7fed6882b9fdc9cbbd1d379608a482bf215d81a2a3c03cc2df709bc936ee7d06ff1250dde92808bd0e0d1f1ee3410c35d9a

    Download Submit

  • C:\Users\Default\ntuser.dat.LOG2
    Filesize

    536B

    MD5

    b8204074879e4705e9e82831a54e6409

    SHA1

    a2bc0a11b009be818d127c45165adcc81058c221

    SHA256

    9979bcd26933dd4f781c262b36f6d3df7f68f917258998913d38a660201699cf

    SHA512

    15ee09261ef9cfbb6f60312f0293650c68758a609bad3368ecf3e30ed72ec534e1987863b055afa42098a736f081b5c3a208eacf5f5ccfc3a8835eab39ece8f4

    Download Submit

  • \Device\HarddiskVolume1\HOW_TO_RECOVER_DATA.html
    Filesize

    5KB

    MD5

    24d54a24267f08afdb6e68c85a7b8b2d

    SHA1

    7054b8203e821a1256271a6ce2c1705cf83ca28c

    SHA256

    4b98b8978026346524a5c96ea0d7e85da2aa861243a0664860bf0afbe8e671f4

    SHA512

    f31415827d9ca4f066f3cf51aff6ea1b3a1d43b0fc0d5fc26260f5d50f9d22d78cd47efb109887bbfb8e33db586295b58b8e8fff4590c1687db43398d5235fc1

    Download Submit

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.