General

  • Target

    sample.zip

  • Size

    21.2MB

  • Sample

    250217-nee8zszj15

  • MD5

    dd2ae63fda290349d4872d076c3999fa

  • SHA1

    d071bf47cb2eb4a8ade4c356c2da448fb5bf2ff8

  • SHA256

    b6ae167bc7a98a16120698f2f11452449118662dd3f1cc88e6ef7286465b45ca

  • SHA512

    7b01261129b1944d90ac79be21f104095c408995cf80b190287d37805d198ff8729db8011c73b0a4387614f68d4872ab5715f170b5a06ccd73603419674056e3

  • SSDEEP

    393216:6MUztzHK7whMRoPVnksbllihtvB4Jdgho+TtdGSa0n+jfnYAdylxQ0C1/Okd+:6Mm9K7waRckqlIhtv+JKhaG+jTdEe1v+

Malware Config

Extracted

Family

medusalocker

Ransom Note
Your personal ID: 2YfZTHQAYUl7kqDJYxaXaCaffwquavSjUP24kjLnTnrpeJuLdxD4T6h4Q9iZj+8XvI1Yjjz+/Wif2pnjz8LXyL3ZICXdy1EJbcn12KlzsLeLtxzOrVUtywGvseN6Td/GxgeXoJUdhB3ZPKuyIgUlPzrHX29VvwBr61OfVZq2IMv+aqhx55n1UQLyzQ2tg9eXSYytu8l+k7k6O5lm8xkSqCUGdhwVrh81v3w1oHQ9A0ajsdq1lAkTLaBXh8HzU6GFK3G05cflF2tlsb0movkB412dw0ZznhfcBNHSlF2NAQuRPa4Ga+XYkaYfzIKm3zyxFX724KkmjPsSyma+L9WWGw==� /!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\ All your important files have been encrypted! Your files are safe! Only modified. (RSA+AES) ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE WILL PERMANENTLY CORRUPT IT. DO NOT MODIFY ENCRYPTED FILES. DO NOT RENAME ENCRYPTED FILES. No software available on internet can help you. We are the only ones able to solve your problem. We gathered highly confidential/personal data. These data are currently stored on a private server. This server will be immediately destroyed after your payment. If you decide to not pay, we will release your data to public or re-seller. So you can expect your data to be publicly available in the near future.. We only seek money and our goal is not to damage your reputation or prevent your business from running. You will can send us 2-3 non-important files and we will decrypt it for free to prove we are able to give your files back. Contact us for price and get decryption software. email: [email protected] [email protected] * To contact us, create a new free email account on the site: protonmail.com IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER. * Tor-chat to always be in touch: qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion

Extracted

Path

\Device\HarddiskVolume1\READ_NOTE.html

Ransom Note
<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; word-break: break-all; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">mgQbvPbsvhip0v+ymQN4Q+iHOpiN+PQ6qV8h6uMviECr/KzPighnoURdLJlhtQ0vO13xtNCcDz4zyO+3baDLmcA9JA4cyWtBKA/YsugtYsu4kvLmcgJJAuPQNYuVAr0UHxjY/QXiHV6fYDYXcGjUJMoRJeRkZcRBhBSynQX35kMS7TwuBsU8j2jJsT2/TAs68AOrufFol7iZ2yNrRMjc363XN4nDdvRfI7sn3HfHkdVfQyduVVC4QxhUlPub3eJHr3v6oRSYEifo/jpkGmL98dSgViBVtaXDWC1EPKRQyXtGNJgBV8l44/zL3mCMzQUHUlj5ZwbzWQz7kGSurtMRfQ==�</span> <br> <!-- !!! dont changing this !!! --> </div> </div> <!-- --> <div class="tabs"> <!--tab--> <div class="tab"> <div id="tab-content1" class="content"> <div class="text"> <!--text data --> <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. 
We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br> <!--text data --> <hr> <b>Contact us for price and get decryption software.</b><br><br> <hr> <b>email:</b><br> <a href="[email protected] ">[email protected] </a> <br> <a href="[email protected] ">[email protected] </a> <br> <p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> <p>* Tor-chat to always be in touch: <a href<a href<b> </div> </div> </div> <!--tab--> <b> <b> <b> <span style="font-size: 22px">qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</span> </b><br><br> </b><br> <!--text data --> </div> </div> <!--tab--> </div> </div> </body> </html>

Targets

    • Target

      Videos/64/64.exe

    • Size

      1.4MB

    • MD5

      957f2d9e3370212548a57020233e6ba7

    • SHA1

      ea5cd55a44b8be532af602002f498717fc192818

    • SHA256

      6688fb3039ad6df606d76a897ef1072cdc78b928335c6bfa691d99498caf5c4b

    • SHA512

      98baed5d1632311db5b65e5dcd70966e85f25478649e57b7fb6310be0eb3fe54f0bf2e70aa1b8d242479aac0f5d411388635d4b9cf8c3049917fdff7b00c9b63

    • SSDEEP

      24576:quogxWGhzk6Cufid1FeXUW07ZG6mpxUr7set:PWd1FekW0olpG

    Score
    3/10
    • Target

      Videos/64/86.exe

    • Size

      1.0MB

    • MD5

      6c9ad4e67032301a61a9897377d9cff8

    • SHA1

      655979d56e874fbe7561bb1b6e512316c25cbb19

    • SHA256

      e81a8f8ad804c4d83869d7806a303ff04f31cce376c5df8aada2e9db2c1eeb98

    • SHA512

      1cd75a4c324365735a97001b55e89b936daed5d003ba7059f885eeca4a26eaaa82041450d77483a36d4be30186730c4e4ca4b8af24122fe403c4dde738d3ff96

    • SSDEEP

      24576:EuS0VSrYkTp5VFyI0UZK6zU9T8zPnbJFDhOky0c:EuS0O59cX2YcPb7DhCN

    Score
    3/10
    • Target

      Videos/64/READ_NOTE.html

    • Size

      3KB

    • MD5

      d2294fc6905efe047a0663b7ffcf79d4

    • SHA1

      9bf17f976f73ec0ce4f05dbfdb5d4ebc9fc1f2d0

    • SHA256

      c459e80d8500c3db9810f63f835e5cc1e4f08cb2deda4832846edf1eac31e1dd

    • SHA512

      983e14d90fe1f5c4993724e1d8ae57132ccda5efc62f0d14146e36c8982d0315753c6aa573f97c6f7d29136051e65eb85bbe9a02846b431a06b5e71ec1ac8a28

    Score
    3/10
    • Target

      Videos/64/dump.bat

    • Size

      418B

    • MD5

      daf87494678a5244eccfbf2b27d92096

    • SHA1

      3e75976b49a7a7fc80cf44902b5a04ca066d559d

    • SHA256

      539e58304db8207a278582902be41a9cbd7d79027fa3c053d8ab5bcc2bdbe081

    • SHA512

      c09144ee0db6714a2a71b2030e9b3f722eca0ffe0f1c967056011eb2f33f617f32affe454f416504396f15c7e0ec552db3bfedb5fbff82447f94be023df9aa82

    • OS Credential Dumping: LSASS Memory

      Malicious access to Credentials History.

    • Target

      Videos/64/mimidrv.sys

    • Size

      36KB

    • MD5

      c94de9019767a79573b25c870936d9a8

    • SHA1

      c66a1c6fbeacaf2db288bff8c064dfe775fd1508

    • SHA256

      bee3d0ac0967389571ea8e3a8c0502306b3dbf009e8155f00a2829417ac079fc

    • SHA512

      e8b712a0b0b65520ec17e5576fe1c7c61a2a2a13502f9626625ef4b988b84178f68c0ca2337e2d766e42c19a681a7df41de3faef950ab0698139b89463ec2031

    • SSDEEP

      768:APVvAF3Sz0Kp4TC/ndBW8ipSfnA+vl1qlCGB8zlu0xVHZC5isB:0VvPz0K3AmDlQlHB8zl9xJwisB

    Score
    10/10
    • Mimikatz

      mimikatz is an open source tool to dump credentials on Windows.

    • Mimikatz family

      mimikatz is an open source tool to dump credentials on Windows.

    • Target

      Videos/64/mimikatz.dll

    • Size

      891KB

    • MD5

      21ea77788aa2649614c9ec739f1dd1b8

    • SHA1

      2da8d08d67ad3945ebf7a589acdd76dcc4a3510b

    • SHA256

      8846c8be509a4b274d6d1465e9cc14d44cfb0a51f917d3a00ce00fa0b35a4284

    • SHA512

      0d34428c9814495c823c896dde9981ce5b354209a5da37b5d951546247264dd21861c957ebc035e7801146ceffda234f8cf3a12abfc289a19b78bbc1eaeccac5

    • SSDEEP

      12288:1lPuj0/jY2LuBUIAUigqrdT+r9HBARe5iBC4uMmK8DfD8gU:1lPi0/jFLt5gqrwHce5i0lZDfDbU

    Score
    3/10
    • Target

      Videos/64/mimilib.dll

    • Size

      36KB

    • MD5

      67651e9d2da634adedbe216948d5f752

    • SHA1

      0731bd320633a6d1ca7835e2bba2c5ee5429b293

    • SHA256

      aef6ce3014add838cf676b57957d630cd2bb15b0c9193cf349bcffecddbc3623

    • SHA512

      88c7de54fd036a3052a49e52a8bb868e1cd67856b8ef1d0f2ad1151f663addf1d9435fb98f83a24cc16ffd832500061b64399c9fe82edcb83404f59daf7bfd47

    • SSDEEP

      768:CsdDjdgqUQv+EAZJimW8ahsNekFkTn5btsnsFfZ9kYeUveejil0g:vU+LuaaQkFkTn5b+sFhW7ejil

    Score
    3/10
    • Target

      Videos/64/mimispool.dll

    • Size

      10KB

    • MD5

      c6cc0def7d584f431d69126c1cc33a20

    • SHA1

      ea2646a646662909cd2bf5443e6b0030fb3cc6eb

    • SHA256

      66928c3316a12091995198710e0c537430dacefac1dbe78f12a331e1520142bd

    • SHA512

      17199e1be5d40744ae92d5d1b143645fcd0e413b92696fdaeb673785549bf20f4952a19887fe5c14cddbdfa435320a79044510d0de4e2c52fa26a1d2bfd83826

    • SSDEEP

      192:DGMoIQaZcsBTSWoH6DlI0zPQ4Ib/me0C0uolZC7:VJxgWFlVC50C0uols

    Score
    3/10
    • Target

      Videos/Advanced_Port_Scanner_2.5.3869.exe

    • Size

      19.4MB

    • MD5

      6a58b52b184715583cda792b56a0a1ed

    • SHA1

      3477a173e2c1005a81d042802ab0f22cc12a4d55

    • SHA256

      d0c1662ce239e4d288048c0e3324ec52962f6ddda77da0cb7af9c1d9c2f1e2eb

    • SHA512

      49ee746a98bce076cd20a36d57d08ed0dc39d48a0a2866173d4c0dbb1633e2ec8e069f4dbba578e707c8dd1de1fcc908cf412e4a9fff9ecc78ac92357e75c313

    • SSDEEP

      393216:mfKraJBPMvil9ib1pLIfwwbwFanUfziHLKAwj5GIXgsao7sF5Vw11mH:AKravPiisRpkfww8FUUfz9wIqooPm1S

    Score
    4/10
    • Target

      Videos/Captures/READ_NOTE.html

    • Size

      3KB

    • MD5

      d2294fc6905efe047a0663b7ffcf79d4

    • SHA1

      9bf17f976f73ec0ce4f05dbfdb5d4ebc9fc1f2d0

    • SHA256

      c459e80d8500c3db9810f63f835e5cc1e4f08cb2deda4832846edf1eac31e1dd

    • SHA512

      983e14d90fe1f5c4993724e1d8ae57132ccda5efc62f0d14146e36c8982d0315753c6aa573f97c6f7d29136051e65eb85bbe9a02846b431a06b5e71ec1ac8a28

    Score
    3/10
    • Target

      Videos/PsExec.exe

    • Size

      331KB

    • MD5

      27304b246c7d5b4e149124d5f93c5b01

    • SHA1

      e50d9e3bd91908e13a26b3e23edeaf577fb3a095

    • SHA256

      3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

    • SHA512

      bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b

    • SSDEEP

      3072:Yao79VuJ6titIi/H7ZUFgllxiBD+P5xWr3geNtdS+DlGttzhA9HY4ZUFxPkwlmlP:YaSq4TBWISSTgu7DlGtEC1xn/O5r4S

    Score
    3/10
    • Target

      Videos/PsExec64.exe

    • Size

      366KB

    • MD5

      9321c107d1f7e336cda550a2bf049108

    • SHA1

      fb0a150601470195c47b4e8d87fcb3f50292beb2

    • SHA256

      ad6b98c01ee849874e4b4502c3d7853196f6044240d3271e4ab3fc6e3c08e9a4

    • SHA512

      5ac1dac5061dd14c1d79d2910c4df6ed059059c7d3f987ebe9790626c327d5fa9c7cdbb4150c004d14750223f33b4fc27fa16b3681371d406c2b715ba757be0e

    • SSDEEP

      6144:o9123sLoT4aK8/A+kVG1FHEpgJEvf6sSMWTk7bjgxdO5mVx:on2ZHk/C6vfdHKO5s

    Score
    3/10
    • Target

      Videos/READ_NOTE.html

    • Size

      3KB

    • MD5

      d2294fc6905efe047a0663b7ffcf79d4

    • SHA1

      9bf17f976f73ec0ce4f05dbfdb5d4ebc9fc1f2d0

    • SHA256

      c459e80d8500c3db9810f63f835e5cc1e4f08cb2deda4832846edf1eac31e1dd

    • SHA512

      983e14d90fe1f5c4993724e1d8ae57132ccda5efc62f0d14146e36c8982d0315753c6aa573f97c6f7d29136051e65eb85bbe9a02846b431a06b5e71ec1ac8a28

    Score
    3/10
    • Target

      Videos/crypt154.exe

    • Size

      728KB

    • MD5

      ee91aeacff16d4ef5fe74b7252291665

    • SHA1

      88adb2573e183e44babf88005298cab9a9901d2d

    • SHA256

      ea585b7e84b67e8170b76f87115c0fc8423fe6d7184db32ba32b5bfc155e2b34

    • SHA512

      d12cf47211a38fe595d855fe336f30946a0a76a4a559e0430e212f68601cd28cab63ffd4acd04c76f4f83950ad2261efb49dff6a2b03fd2aaa4617bc49b1b8a4

    • SSDEEP

      12288:R/7tmBxTq87Rro7jx0/O2EbiJtzhCg3sph0lhSMXliuqJTJRg9J:RztmTqwRrSjx0/OpiDhdSh0lhSMXltqe

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Renames multiple (939) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Deletes system backups

      Uses wbadmin.exe to inhibit system recovery.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v15
