medusalocker | b6ae167bc7a98a16120698f2f11452449118662dd3f1cc88e6ef7286465b45ca

Sharing

Copy URL

Twitter E-mail

General

Target

sample.zip
Size

21.2MB
Sample

250217-nls4esylgk
MD5

dd2ae63fda290349d4872d076c3999fa
SHA1

d071bf47cb2eb4a8ade4c356c2da448fb5bf2ff8
SHA256

b6ae167bc7a98a16120698f2f11452449118662dd3f1cc88e6ef7286465b45ca
SHA512

7b01261129b1944d90ac79be21f104095c408995cf80b190287d37805d198ff8729db8011c73b0a4387614f68d4872ab5715f170b5a06ccd73603419674056e3
SSDEEP

393216:6MUztzHK7whMRoPVnksbllihtvB4Jdgho+TtdGSa0n+jfnYAdylxQ0C1/Okd+:6Mm9K7waRckqlIhtv+JKhaG+jTdEe1v+

Score

10^/10

Malware Config

Extracted

Family

medusalocker

Ransom Note

Your personal ID: 2YfZTHQAYUl7kqDJYxaXaCaffwquavSjUP24kjLnTnrpeJuLdxD4T6h4Q9iZj+8XvI1Yjjz+/Wif2pnjz8LXyL3ZICXdy1EJbcn12KlzsLeLtxzOrVUtywGvseN6Td/GxgeXoJUdhB3ZPKuyIgUlPzrHX29VvwBr61OfVZq2IMv+aqhx55n1UQLyzQ2tg9eXSYytu8l+k7k6O5lm8xkSqCUGdhwVrh81v3w1oHQ9A0ajsdq1lAkTLaBXh8HzU6GFK3G05cflF2tlsb0movkB412dw0ZznhfcBNHSlF2NAQuRPa4Ga+XYkaYfzIKm3zyxFX724KkmjPsSyma+L9WWGw==� /!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\ All your important files have been encrypted! Your files are safe! Only modified. (RSA+AES) ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE WILL PERMANENTLY CORRUPT IT. DO NOT MODIFY ENCRYPTED FILES. DO NOT RENAME ENCRYPTED FILES. No software available on internet can help you. We are the only ones able to solve your problem. We gathered highly confidential/personal data. These data are currently stored on a private server. This server will be immediately destroyed after your payment. If you decide to not pay, we will release your data to public or re-seller. So you can expect your data to be publicly available in the near future.. We only seek money and our goal is not to damage your reputation or prevent your business from running. You will can send us 2-3 non-important files and we will decrypt it for free to prove we are able to give your files back. Contact us for price and get decryption software. email: [email protected] [email protected] * To contact us, create a new free email account on the site: protonmail.com IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER. * Tor-chat to always be in touch: qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion

Emails

[email protected]

Extracted

Path

F:\$RECYCLE.BIN\READ_NOTE.html

Ransom Note

<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; word-break: break-all; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">6jm7J6SZ+U7c5JLqMyAg/VJT+bDrILJrOpHNn6ip1E14JFwbbIZ0b+mdJCPdY5dnPonH5zfJs7kXZV00LZc1exwa+Diphkspk3TsZnc8tvOeAbgV3MOeXjOaRGTuwMV0Q6Eu/vGaWsb7BttctXCa5MWV1QhJv8lggNb5pM643iX0ieuo0iYT5D2WRV9lQdcZdb5FNIPuCGVibxJLxeG3JwQJWlu2HLN128EjNKoorqMQdZD4WbU6//Q57R/h0NaRsqqhyKPwUd8+qL1RooIZ8/61ImlH4+UrLj5bTUvo9VvZTjTaKKDOehchG7kvbORBA64rN1xqJPOhs3YzfoQzSA==�</span> <br>  </div> </div>  <div class="tabs">  <div class="tab"> <div id="tab-content1" class="content"> <div class="text">  <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br>  <hr> <b>Contact us for price and get decryption software.</b><br><br> <hr> <b>email:</b><br> <a href="[email protected] ">[email protected] </a> <br> <a href="[email protected] ">[email protected] </a> <br> <p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> <p>* Tor-chat to always be in touch: <a href<a href<b> </div> </div> </div>  <b> <b> <b> <span style="font-size: 22px">qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</span> </b><br><br> </b><br>  </div> </div>  </div> </div> </body> </html>

Emails

href="[email protected]

">[email protected]

href="[email protected]

">[email protected]

Extracted

Path

C:\$Recycle.Bin\READ_NOTE.html

Ransom Note

<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; word-break: break-all; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">VGqXnw92/n+gwzXc6TSfWJkO/eTGlFLp4aMjMDTZpIeurAJ1wbDy6M4SfZgn5XThgG4lUBVJHqXUJCL7Td9qkMVb1RQdY2TaQY3naw1LerWPesq8gRZpzSdq8BS07KN/mzsYFCh3mesmgbpmrysX8Hxj9XJ4tLeJfQQa7j5yX+AG8w0gghTnjf8tP5ZPPEk6am+OCkReywL5BfIO858IIsNTqFZP5waUmp4g+t21GEhSLjf8obrNY1HrqJMneAhbjch5mLu4HTIE7Iuo+9qHEyWZkjDuTWDVbu5oYoCEjFbWrc8U8ZYLEHyoYgG3IhhcscunEW/W6LRC0xnGDIiFgQ==�</span> <br>  </div> </div>  <div class="tabs">  <div class="tab"> <div id="tab-content1" class="content"> <div class="text">  <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br>  <hr> <b>Contact us for price and get decryption software.</b><br><br> <hr> <b>email:</b><br> <a href="[email protected] ">[email protected] </a> <br> <a href="[email protected] ">[email protected] </a> <br> <p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> <p>* Tor-chat to always be in touch: <a href<a href<b> </div> </div> </div>  <b> <b> <b> <span style="font-size: 22px">qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</span> </b><br><br> </b><br>  </div> </div>  </div> </div> </body> </html>

Emails

href="[email protected]

">[email protected]

href="[email protected]

">[email protected]

Targets

- Target
  
  Videos/64/64.exe
- Size
  
  1.4MB
- MD5
  
  957f2d9e3370212548a57020233e6ba7
- SHA1
  
  ea5cd55a44b8be532af602002f498717fc192818
- SHA256
  
  6688fb3039ad6df606d76a897ef1072cdc78b928335c6bfa691d99498caf5c4b
- SHA512
  
  98baed5d1632311db5b65e5dcd70966e85f25478649e57b7fb6310be0eb3fe54f0bf2e70aa1b8d242479aac0f5d411388635d4b9cf8c3049917fdff7b00c9b63
- SSDEEP
  
  24576:quogxWGhzk6Cufid1FeXUW07ZG6mpxUr7set:PWd1FekW0olpG
Score

8^/10

discovery
- Downloads MZ/PE file
behavioral1 behavioral2
- Target
  
  Videos/64/86.exe
- Size
  
  1.0MB
- MD5
  
  6c9ad4e67032301a61a9897377d9cff8
- SHA1
  
  655979d56e874fbe7561bb1b6e512316c25cbb19
- SHA256
  
  e81a8f8ad804c4d83869d7806a303ff04f31cce376c5df8aada2e9db2c1eeb98
- SHA512
  
  1cd75a4c324365735a97001b55e89b936daed5d003ba7059f885eeca4a26eaaa82041450d77483a36d4be30186730c4e4ca4b8af24122fe403c4dde738d3ff96
- SSDEEP
  
  24576:EuS0VSrYkTp5VFyI0UZK6zU9T8zPnbJFDhOky0c:EuS0O59cX2YcPb7DhCN
Score

6^/10

discovery
- Downloads MZ/PE file
behavioral3 behavioral4
- Target
  
  Videos/64/READ_NOTE.html
- Size
  
  3KB
- MD5
  
  d2294fc6905efe047a0663b7ffcf79d4
- SHA1
  
  9bf17f976f73ec0ce4f05dbfdb5d4ebc9fc1f2d0
- SHA256
  
  c459e80d8500c3db9810f63f835e5cc1e4f08cb2deda4832846edf1eac31e1dd
- SHA512
  
  983e14d90fe1f5c4993724e1d8ae57132ccda5efc62f0d14146e36c8982d0315753c6aa573f97c6f7d29136051e65eb85bbe9a02846b431a06b5e71ec1ac8a28
Score

8^/10

discovery
- Downloads MZ/PE file
behavioral5 behavioral6
- Target
  
  Videos/64/dump.bat
- Size
  
  418B
- MD5
  
  daf87494678a5244eccfbf2b27d92096
- SHA1
  
  3e75976b49a7a7fc80cf44902b5a04ca066d559d
- SHA256
  
  539e58304db8207a278582902be41a9cbd7d79027fa3c053d8ab5bcc2bdbe081
- SHA512
  
  c09144ee0db6714a2a71b2030e9b3f722eca0ffe0f1c967056011eb2f33f617f32affe454f416504396f15c7e0ec552db3bfedb5fbff82447f94be023df9aa82
Score

9^/10

credential_access discovery
- OS Credential Dumping: LSASS Memory
  Malicious access to Credentials History.
  credential_access
- Downloads MZ/PE file
behavioral7 behavioral8
- Target
  
  Videos/64/mimidrv.sys
- Size
  
  36KB
- MD5
  
  c94de9019767a79573b25c870936d9a8
- SHA1
  
  c66a1c6fbeacaf2db288bff8c064dfe775fd1508
- SHA256
  
  bee3d0ac0967389571ea8e3a8c0502306b3dbf009e8155f00a2829417ac079fc
- SHA512
  
  e8b712a0b0b65520ec17e5576fe1c7c61a2a2a13502f9626625ef4b988b84178f68c0ca2337e2d766e42c19a681a7df41de3faef950ab0698139b89463ec2031
- SSDEEP
  
  768:APVvAF3Sz0Kp4TC/ndBW8ipSfnA+vl1qlCGB8zlu0xVHZC5isB:0VvPz0K3AmDlQlHB8zl9xJwisB
Score

10^/10

mimikatz discovery
- Mimikatz
  mimikatz is an open source tool to dump credentials on Windows.
  mimikatz
- Mimikatz family
  mimikatz
- mimikatz is an open source tool to dump credentials on Windows
- Downloads MZ/PE file
behavioral10 behavioral9
- Target
  
  Videos/64/mimikatz.dll
- Size
  
  891KB
- MD5
  
  21ea77788aa2649614c9ec739f1dd1b8
- SHA1
  
  2da8d08d67ad3945ebf7a589acdd76dcc4a3510b
- SHA256
  
  8846c8be509a4b274d6d1465e9cc14d44cfb0a51f917d3a00ce00fa0b35a4284
- SHA512
  
  0d34428c9814495c823c896dde9981ce5b354209a5da37b5d951546247264dd21861c957ebc035e7801146ceffda234f8cf3a12abfc289a19b78bbc1eaeccac5
- SSDEEP
  
  12288:1lPuj0/jY2LuBUIAUigqrdT+r9HBARe5iBC4uMmK8DfD8gU:1lPi0/jFLt5gqrwHce5i0lZDfDbU
Score

6^/10

discovery
- Downloads MZ/PE file
behavioral11 behavioral12
- Target
  
  Videos/64/mimilib.dll
- Size
  
  36KB
- MD5
  
  67651e9d2da634adedbe216948d5f752
- SHA1
  
  0731bd320633a6d1ca7835e2bba2c5ee5429b293
- SHA256
  
  aef6ce3014add838cf676b57957d630cd2bb15b0c9193cf349bcffecddbc3623
- SHA512
  
  88c7de54fd036a3052a49e52a8bb868e1cd67856b8ef1d0f2ad1151f663addf1d9435fb98f83a24cc16ffd832500061b64399c9fe82edcb83404f59daf7bfd47
- SSDEEP
  
  768:CsdDjdgqUQv+EAZJimW8ahsNekFkTn5btsnsFfZ9kYeUveejil0g:vU+LuaaQkFkTn5b+sFhW7ejil
Score

8^/10

discovery
- Downloads MZ/PE file
behavioral13 behavioral14
- Target
  
  Videos/64/mimispool.dll
- Size
  
  10KB
- MD5
  
  c6cc0def7d584f431d69126c1cc33a20
- SHA1
  
  ea2646a646662909cd2bf5443e6b0030fb3cc6eb
- SHA256
  
  66928c3316a12091995198710e0c537430dacefac1dbe78f12a331e1520142bd
- SHA512
  
  17199e1be5d40744ae92d5d1b143645fcd0e413b92696fdaeb673785549bf20f4952a19887fe5c14cddbdfa435320a79044510d0de4e2c52fa26a1d2bfd83826
- SSDEEP
  
  192:DGMoIQaZcsBTSWoH6DlI0zPQ4Ib/me0C0uolZC7:VJxgWFlVC50C0uols
Score

8^/10

discovery
- Downloads MZ/PE file
behavioral15 behavioral16
- Target
  
  Videos/Advanced_Port_Scanner_2.5.3869.exe
- Size
  
  19.4MB
- MD5
  
  6a58b52b184715583cda792b56a0a1ed
- SHA1
  
  3477a173e2c1005a81d042802ab0f22cc12a4d55
- SHA256
  
  d0c1662ce239e4d288048c0e3324ec52962f6ddda77da0cb7af9c1d9c2f1e2eb
- SHA512
  
  49ee746a98bce076cd20a36d57d08ed0dc39d48a0a2866173d4c0dbb1633e2ec8e069f4dbba578e707c8dd1de1fcc908cf412e4a9fff9ecc78ac92357e75c313
- SSDEEP
  
  393216:mfKraJBPMvil9ib1pLIfwwbwFanUfziHLKAwj5GIXgsao7sF5Vw11mH:AKravPiisRpkfww8FUUfz9wIqooPm1S
Score

6^/10

discovery
- Downloads MZ/PE file
behavioral17 behavioral18
- Target
  
  Videos/Captures/READ_NOTE.html
- Size
  
  3KB
- MD5
  
  d2294fc6905efe047a0663b7ffcf79d4
- SHA1
  
  9bf17f976f73ec0ce4f05dbfdb5d4ebc9fc1f2d0
- SHA256
  
  c459e80d8500c3db9810f63f835e5cc1e4f08cb2deda4832846edf1eac31e1dd
- SHA512
  
  983e14d90fe1f5c4993724e1d8ae57132ccda5efc62f0d14146e36c8982d0315753c6aa573f97c6f7d29136051e65eb85bbe9a02846b431a06b5e71ec1ac8a28
Score

8^/10

discovery
- Downloads MZ/PE file
behavioral19 behavioral20
- Target
  
  Videos/PsExec.exe
- Size
  
  331KB
- MD5
  
  27304b246c7d5b4e149124d5f93c5b01
- SHA1
  
  e50d9e3bd91908e13a26b3e23edeaf577fb3a095
- SHA256
  
  3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef
- SHA512
  
  bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b
- SSDEEP
  
  3072:Yao79VuJ6titIi/H7ZUFgllxiBD+P5xWr3geNtdS+DlGttzhA9HY4ZUFxPkwlmlP:YaSq4TBWISSTgu7DlGtEC1xn/O5r4S
Score

8^/10

discovery
- Downloads MZ/PE file
behavioral21 behavioral22
- Target
  
  Videos/PsExec64.exe
- Size
  
  366KB
- MD5
  
  9321c107d1f7e336cda550a2bf049108
- SHA1
  
  fb0a150601470195c47b4e8d87fcb3f50292beb2
- SHA256
  
  ad6b98c01ee849874e4b4502c3d7853196f6044240d3271e4ab3fc6e3c08e9a4
- SHA512
  
  5ac1dac5061dd14c1d79d2910c4df6ed059059c7d3f987ebe9790626c327d5fa9c7cdbb4150c004d14750223f33b4fc27fa16b3681371d406c2b715ba757be0e
- SSDEEP
  
  6144:o9123sLoT4aK8/A+kVG1FHEpgJEvf6sSMWTk7bjgxdO5mVx:on2ZHk/C6vfdHKO5s
Score

8^/10

discovery
- Downloads MZ/PE file
behavioral23 behavioral24
- Target
  
  Videos/READ_NOTE.html
- Size
  
  3KB
- MD5
  
  d2294fc6905efe047a0663b7ffcf79d4
- SHA1
  
  9bf17f976f73ec0ce4f05dbfdb5d4ebc9fc1f2d0
- SHA256
  
  c459e80d8500c3db9810f63f835e5cc1e4f08cb2deda4832846edf1eac31e1dd
- SHA512
  
  983e14d90fe1f5c4993724e1d8ae57132ccda5efc62f0d14146e36c8982d0315753c6aa573f97c6f7d29136051e65eb85bbe9a02846b431a06b5e71ec1ac8a28
Score

8^/10

discovery
- Downloads MZ/PE file
behavioral25 behavioral26
- Target
  
  Videos/crypt154.exe
- Size
  
  728KB
- MD5
  
  ee91aeacff16d4ef5fe74b7252291665
- SHA1
  
  88adb2573e183e44babf88005298cab9a9901d2d
- SHA256
  
  ea585b7e84b67e8170b76f87115c0fc8423fe6d7184db32ba32b5bfc155e2b34
- SHA512
  
  d12cf47211a38fe595d855fe336f30946a0a76a4a559e0430e212f68601cd28cab63ffd4acd04c76f4f83950ad2261efb49dff6a2b03fd2aaa4617bc49b1b8a4
- SSDEEP
  
  12288:R/7tmBxTq87Rro7jx0/O2EbiJtzhCg3sph0lhSMXliuqJTJRg9J:RztmTqwRrSjx0/OpiDhdSh0lhSMXltqe
Score

10^/10

defense_evasion discovery evasion execution impact persistence ransomware
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Renames multiple (5688) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Deletes system backups
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Downloads MZ/PE file
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Sets desktop wallpaper using registry
  ransomware
behavioral27 behavioral28