Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview (score 10)
Static (score 10)

Task sidebar: task, score, sample name (truncated by the page), platform. Full sample paths and VM images are listed under Analysis; this report is behavioral7 (see the yara rule resource under Signatures).
 behavioral1   7   Ransomware...KB.exe  windows10-ltsc_2021-x64
 behavioral2   10  Ransomware...KB.exe  windows7-x64
 behavioral3   7   Ransomware...KB.exe  windows10-2004-x64
 behavioral4   7   Ransomware...KB.exe  windows10-ltsc_2021-x64
 behavioral5   10  Ransomware...KB.exe  windows11-21h2-x64
 behavioral6   10  Ransomware...KB.exe  windows10-ltsc_2021-x64
 behavioral7   10  Ransomware...KB.exe  windows7-x64
 behavioral8   10  Ransomware...KB.exe  windows10-2004-x64
 behavioral9   10  Ransomware...KB.exe  windows10-ltsc_2021-x64
 behavioral10  10  Ransomware...KB.exe  windows11-21h2-x64
 behavioral11  10  Ransomware...KB.exe  windows7-x64
 behavioral12  10  Ransomware...KB.exe  windows7-x64
 behavioral13  10  Ransomware...KB.exe  windows10-2004-x64
 behavioral14  10  Ransomware...KB.exe  windows10-ltsc_2021-x64
 behavioral15  10  Ransomware...KB.exe  windows11-21h2-x64
 behavioral16  9   Ransomware...KB.exe  windows10-2004-x64
 behavioral17  9   Ransomware...KB.exe  windows7-x64
 behavioral18  9   Ransomware...KB.exe  windows10-2004-x64
 behavioral19  9   Ransomware...KB.exe  windows10-ltsc_2021-x64
 behavioral20  9   Ransomware...KB.exe  windows11-21h2-x64
 behavioral21  9   Ransomware...KB.exe  windows11-21h2-x64
 behavioral22  9   Ransomware...KB.exe  windows7-x64
 behavioral23  9   Ransomware...KB.exe  windows10-2004-x64
 behavioral24  9   Ransomware...KB.exe  windows10-ltsc_2021-x64
 behavioral25  9   Ransomware...KB.exe  windows11-21h2-x64
 behavioral26  10  Ransomware...KB.ps1  windows11-21h2-x64
 behavioral27  10  Ransomware...KB.ps1  windows7-x64
 behavioral28  10  Ransomware...KB.ps1  windows10-2004-x64
 behavioral29  10  Ransomware...KB.ps1  windows10-ltsc_2021-x64
 behavioral30  10  Ransomware...KB.ps1  windows11-21h2-x64

Resubmissions (date, task ID, score)
 25/03/2025, 15:11  250325-skmbpsxzaw  10
 25/03/2025, 15:06  250325-sg1d6a1px2  10
 25/03/2025, 15:01  250325-sd5jpsxyct  10
 25/03/2025, 14:56  250325-sbdcfaxxgs  10
 25/03/2025, 14:50  250325-r7ve6a1nv3  10
 25/03/2025, 14:46  250325-r5ab7sxwhx  10
 25/03/2025, 14:40  250325-r2c9paxwe1  10
 05/02/2025, 10:25  250205-mgcefaslhw  10
 05/02/2025, 10:17  250205-mbs51atmbk  10
 05/02/2025, 09:15  250205-k785zs1pfn  10

Analysis
 max time kernel: 120s
 max time network: 6s
 platform: windows7_x64
 resource: win7-20240903-en
 resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
 submitted: 25/03/2025, 14:56
Tasks (task, sample, resource image)
 static1       static task
 behavioral1   RansomwareSamples/MAKOP_27_10_2020_115KB.exe         win10ltsc2021-20250314-en
 behavioral2   RansomwareSamples/MAKOP_27_10_2020_115KB.exe         win7-20241010-en
 behavioral3   RansomwareSamples/MAKOP_27_10_2020_115KB.exe         win10v2004-20250314-en
 behavioral4   RansomwareSamples/MAKOP_27_10_2020_115KB.exe         win10ltsc2021-20250314-en
 behavioral5   RansomwareSamples/MAKOP_27_10_2020_115KB.exe         win11-20250313-en
 behavioral6   RansomwareSamples/MedusaLocker_24_04_2020_661KB.exe  win10ltsc2021-20250314-en
 behavioral7   RansomwareSamples/MedusaLocker_24_04_2020_661KB.exe  win7-20240903-en
 behavioral8   RansomwareSamples/MedusaLocker_24_04_2020_661KB.exe  win10v2004-20250314-en
 behavioral9   RansomwareSamples/MedusaLocker_24_04_2020_661KB.exe  win10ltsc2021-20250314-en
 behavioral10  RansomwareSamples/MedusaLocker_24_04_2020_661KB.exe  win11-20250313-en
 behavioral11  RansomwareSamples/MountLocker_20_11_2020_200KB.exe   win7-20241010-en
 behavioral12  RansomwareSamples/MountLocker_20_11_2020_200KB.exe   win7-20250207-en
 behavioral13  RansomwareSamples/MountLocker_20_11_2020_200KB.exe   win10v2004-20250314-en
 behavioral14  RansomwareSamples/MountLocker_20_11_2020_200KB.exe   win10ltsc2021-20250314-en
 behavioral15  RansomwareSamples/MountLocker_20_11_2020_200KB.exe   win11-20250313-en
 behavioral16  RansomwareSamples/Nefilim_31_08_2020_3061KB.exe      win10v2004-20250314-en
 behavioral17  RansomwareSamples/Nefilim_31_08_2020_3061KB.exe      win7-20240903-en
 behavioral18  RansomwareSamples/Nefilim_31_08_2020_3061KB.exe      win10v2004-20250314-en
 behavioral19  RansomwareSamples/Nefilim_31_08_2020_3061KB.exe      win10ltsc2021-20250314-en
 behavioral20  RansomwareSamples/Nefilim_31_08_2020_3061KB.exe      win11-20250313-en
 behavioral21  RansomwareSamples/Nemty_03_02_2021_124KB.exe         win11-20250314-en
 behavioral22  RansomwareSamples/Nemty_03_02_2021_124KB.exe         win7-20241023-en
 behavioral23  RansomwareSamples/Nemty_03_02_2021_124KB.exe         win10v2004-20250314-en
 behavioral24  RansomwareSamples/Nemty_03_02_2021_124KB.exe         win10ltsc2021-20250314-en
 behavioral25  RansomwareSamples/Nemty_03_02_2021_124KB.exe         win11-20250313-en
 behavioral26  RansomwareSamples/NetWalker_19_10_2020_903KB.ps1     win11-20250313-en
 behavioral27  RansomwareSamples/NetWalker_19_10_2020_903KB.ps1     win7-20241010-en
 behavioral28  RansomwareSamples/NetWalker_19_10_2020_903KB.ps1     win10v2004-20250314-en
 behavioral29  RansomwareSamples/NetWalker_19_10_2020_903KB.ps1     win10ltsc2021-20250314-en
 behavioral30  RansomwareSamples/NetWalker_19_10_2020_903KB.ps1     win11-20250313-en
General
 Target: RansomwareSamples/MedusaLocker_24_04_2020_661KB.exe
 Size: 661KB
 MD5: 19ddac9782acd73f66c5fe040e86ddee
 SHA1: 24ceba1e2951cde8e41939da21c6ba3030fc531d
 SHA256: dde3c98b6a370fb8d1785f3134a76cb465cd663db20dffe011da57a4de37aa95
 SHA512: e7be7472241fdd26db48dbd0311afe821905f6d59dfb56e3dc035944b7346b0767a8af76d110c5f60c0ba0183ca3791e56d9b3c8b9ba887afa111aafc949c1d4
 SSDEEP: 12288:vN3K5e8nbwFigzk6VVMqX8aQNRMcauV9B/rtiPnA40Q8:hCXbwFigzkQVdXvlcayDh49
Malware Config
 Extracted from: C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\HOW_TO_RECOVER_DATA.html
 Strings (the contact addresses appear as [email protected] in the page):
  href="mailto:[email protected]">[email protected]</a><br>
  href="mailto:[email protected]">[email protected]</a>
  http-equiv="X-UA-Compatible"
Signatures
- MedusaLocker
  Ransomware with several variants, first seen in September 2019.
- MedusaLocker payload (1 IoC)
  resource behavioral7/files/0x0008000000012102-905.dat  yara_rule family_medusalocker
- Medusalocker family
- UAC bypass (3 TTPs, 2 IoCs)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  by MedusaLocker_24_04_2020_661KB.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  by MedusaLocker_24_04_2020_661KB.exe
- Deletes shadow copies (3 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Renames multiple (301) files with added filename extension
  This suggests ransomware activity: files across the system are being encrypted.
- Executes dropped EXE (1 IoC)
  pid 3024  svchostt.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Checks whether UAC is enabled (1 TTP, 1 IoC)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  by MedusaLocker_24_04_2020_661KB.exe (the same write listed under UAC bypass)
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by MedusaLocker_24_04_2020_661KB.exe, every drive letter except C: and D:
  \??\A: \??\B: \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by MedusaLocker_24_04_2020_661KB.exe, vssadmin.exe and wmic.exe
- Interacts with shadow copies (3 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid 2868  vssadmin.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 2708  MedusaLocker_24_04_2020_661KB.exe  (all 64 IoCs are this one process)
- Suspicious use of AdjustPrivilegeToken (23 IoCs)
  pid 1032 vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  pid 2856 wmic.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 2708 (MedusaLocker_24_04_2020_661KB.exe) wrote to memory of 2868, procid_target 31, four times
  PID 2708 (MedusaLocker_24_04_2020_661KB.exe) wrote to memory of 2856, procid_target 34, four times
  PID 1160 (taskeng.exe) wrote to memory of 3024, procid_target 38, four times
- System policy modification (1 TTP, 3 IoCs)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"
  all by MedusaLocker_24_04_2020_661KB.exe
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
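The "renames multiple (301) files with added filename extension" signature is a count-based heuristic: one process turning many distinct files into old-name-plus-one-constant-suffix inside a short window. The following is an added example of that heuristic (not tria.ge code) run over a constructed rename stream; the event layout (pid, timestamp in seconds, old path, new path), the threshold, the window and the .encrypted_example suffix are assumptions, not values from the report.

```python
"""Mass-rename heuristic behind the "renames multiple files with added
filename extension" signature. Added example, not tria.ge code. The event
layout (pid, timestamp in seconds, old path, new path), the threshold, the
window and the suffix used in the constructed stream are all assumptions."""
from __future__ import annotations

from collections import defaultdict, deque

RENAME_THRESHOLD = 20   # distinct files carrying the same new suffix (assumed)
WINDOW_SECONDS = 60.0   # sliding window per process (assumed)


def added_extension(old: str, new: str) -> str | None:
    """Suffix appended to `old` to get `new` (".ext" form), else None."""
    if len(new) > len(old) and new.startswith(old) and new[len(old)] == ".":
        return new[len(old):]
    return None


class MassRenameDetector:
    def __init__(self, threshold: int = RENAME_THRESHOLD, window: float = WINDOW_SECONDS):
        self.threshold, self.window = threshold, window
        self._recent: dict[int, deque] = defaultdict(deque)  # pid -> (ts, suffix, old path)
        self.alerted: set[int] = set()

    def feed(self, pid: int, ts: float, old: str, new: str) -> tuple[int, str, int] | None:
        """Return (pid, suffix, count) the first time a process crosses the threshold."""
        suffix = added_extension(old.lower(), new.lower())
        if suffix is None:
            return None               # plain rename, nothing appended: not counted
        q = self._recent[pid]
        q.append((ts, suffix, old.lower()))
        while q and ts - q[0][0] > self.window:
            q.popleft()               # drop renames that fell out of the window
        files_by_suffix: dict[str, set[str]] = defaultdict(set)
        for _, s, path in q:
            files_by_suffix[s].add(path)
        top, files = max(files_by_suffix.items(), key=lambda kv: len(kv[1]))
        if len(files) >= self.threshold and pid not in self.alerted:
            self.alerted.add(pid)
            return (pid, top, len(files))
        return None


def simulate() -> list[tuple[int, str, int]]:
    """Run the detector over a constructed stream (not sandbox telemetry)."""
    events: list[tuple[int, float, str, str]] = []
    # pid 2708: 301 files get one constant (assumed) suffix appended over ~30 s.
    for i in range(301):
        old = rf"C:\Users\Admin\Documents\file{i}.docx"
        events.append((2708, 100.0 + i * 0.1, old, old + ".encrypted_example"))
    # pid 900: a backup job appending .bak to five files (stays below threshold).
    for i in range(5):
        old = rf"C:\Backups\db{i}.sql"
        events.append((900, 100.0 + i, old, old + ".bak"))
    # pid 901: many renames that replace rather than append (never counted).
    for i in range(50):
        events.append((901, 100.0 + i, rf"C:\Proj\rep{i}.docx", rf"C:\Proj\rep{i}_v2.docx"))
    events.sort(key=lambda e: e[1])
    det = MassRenameDetector()
    alerts = []
    for pid, ts, old, new in events:
        hit = det.feed(pid, ts, old, new)
        if hit:
            alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for pid, suffix, n in simulate():
        print(f"pid {pid} appended {suffix!r} to {n} files within {WINDOW_SECONDS:.0f}s")
```

The detector keys on distinct source paths rather than raw event count so that a process rewriting the same file repeatedly does not trip it, and it alerts once per process at the moment the threshold is crossed rather than after the run is over, which is what matters if the alert is meant to feed an automated kill.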
Processes (depth, image, PID, command line, signatures)
1  C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MedusaLocker_24_04_2020_661KB.exe  (PID 2708)
   command line: "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MedusaLocker_24_04_2020_661KB.exe"
   signatures: UAC bypass; Checks whether UAC is enabled; Enumerates connected drives; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory; System policy modification
   2  C:\Windows\SysWOW64\vssadmin.exe  (PID 2868)
      command line: vssadmin.exe Delete Shadows /All /Quiet
      signatures: System Location Discovery: System Language Discovery; Interacts with shadow copies
   2  C:\Windows\SysWOW64\Wbem\wmic.exe  (PID 2856)
      command line: wmic.exe SHADOWCOPY /nointeractive
      signatures: System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
1  C:\Windows\system32\vssvc.exe  (PID 1032)
   command line: C:\Windows\system32\vssvc.exe
   signatures: Suspicious use of AdjustPrivilegeToken
1  C:\Windows\system32\taskeng.exe  (PID 1160)
   command line: taskeng.exe {473A904D-E0EB-4E7E-A042-98F450A1CAC5} S-1-5-21-312935884-697965778-3955649944-1000:MXQFNXLT\Admin:Interactive:[1]
   signatures: Suspicious use of WriteProcessMemory
   2  C:\Users\Admin\AppData\Roaming\svchostt.exe  (PID 3024)
      command line: C:\Users\Admin\AppData\Roaming\svchostt.exe
      signatures: Executes dropped EXE
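The process tree above is the pre-encryption chain a detection engineer wants to catch: the sample spawns vssadmin.exe and wmic.exe to destroy shadow copies, writes the three UAC policy values listed under Signatures, and a scheduled task (taskeng.exe on Windows 7) later launches the dropped svchostt.exe out of AppData\Roaming. Below is an added detection pass over constructed Sysmon-style events (not tria.ge or MedusaLocker code). The event dictionary layout, the field names, the benign control event and the Windows 10+ Schedule-svchost parent check are assumptions; it generalizes the report's exact command lines to the usual `delete` spellings of the same tools.

```python
"""Detection pass over constructed process-creation and registry-set events
modelled on the report's behaviour chain. Added example, not tria.ge or
MedusaLocker code. The event layout (Sysmon-like dicts, EventID 1 = process
create, EventID 13 = registry value set) and the field names are assumptions."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Shadow-copy destruction: the report's two command lines plus the usual
# "wmic shadowcopy delete" spelling. "vssadmin list shadows" must not match.
SHADOW_TOOLS = {
    "vssadmin.exe": re.compile(r"delete\s+shadows"),
    "wmic.exe":     re.compile(r"shadowcopy\b.*(delete|/nointeractive)"),
}

# Policy values the sample sets (Signatures: UAC bypass, System policy modification).
UAC_POLICY_KEY = r"\software\microsoft\windows\currentversion\policies\system"
UAC_POLICY_VALUES = {
    "enablelua": 0,                    # UAC disabled after the next logon
    "consentpromptbehavioradmin": 0,   # admins elevate without a prompt
    "enablelinkedconnections": 1,      # mapped network drives visible to the elevated token
}

# A scheduled-task launch (taskeng.exe on Win7, the Schedule svchost on Win10+,
# assumed) of an EXE living in the user profile is the persistence step in the report.
USER_PROFILE_MARKERS = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\")


@dataclass(frozen=True)
class Alert:
    rule: str
    pid: int
    detail: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _dword(details: str) -> int | None:
    """Parse Sysmon's 'DWORD (0x00000001)' rendering or a bare integer."""
    m = re.fullmatch(r"dword \(0x([0-9a-f]+)\)", details.strip().lower())
    if m:
        return int(m.group(1), 16)
    return int(details) if details.strip().isdigit() else None


def detect_shadow_copy_deletion(ev: dict) -> Alert | None:
    if ev.get("EventID") != 1:
        return None
    pattern = SHADOW_TOOLS.get(_basename(ev["Image"]))
    if pattern and pattern.search(ev.get("CommandLine", "").lower()):
        return Alert("shadow_copy_deletion", ev["ProcessId"], ev["CommandLine"])
    return None


def detect_uac_policy_tamper(ev: dict) -> Alert | None:
    if ev.get("EventID") != 13:
        return None
    key, _, value_name = ev["TargetObject"].lower().rpartition("\\")
    if not key.endswith(UAC_POLICY_KEY):
        return None
    want, got = UAC_POLICY_VALUES.get(value_name), _dword(ev["Details"])
    if want is not None and got == want:
        return Alert("uac_policy_tamper", ev["ProcessId"], f"{value_name}={got}")
    return None


def detect_task_launched_user_exe(ev: dict) -> Alert | None:
    if ev.get("EventID") != 1:
        return None
    parent = _basename(ev.get("ParentImage", ""))
    scheduled = parent == "taskeng.exe" or (
        parent == "svchost.exe" and "schedule" in ev.get("ParentCommandLine", "").lower())
    if scheduled and any(m in ev["Image"].lower() for m in USER_PROFILE_MARKERS):
        return Alert("task_launched_user_profile_exe", ev["ProcessId"], ev["Image"])
    return None


DETECTORS = (detect_shadow_copy_deletion, detect_uac_policy_tamper, detect_task_launched_user_exe)


def run(events: list[dict]) -> list[Alert]:
    return [a for ev in events for d in DETECTORS if (a := d(ev)) is not None]


# Constructed events reproducing the report's chain (not real telemetry).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MedusaLocker_24_04_2020_661KB.exe"
POLICY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
EVENTS = [
    {"EventID": 1, "ProcessId": 2868, "ParentImage": SAMPLE, "Image": r"C:\Windows\SysWOW64\vssadmin.exe",
     "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"EventID": 1, "ProcessId": 2856, "ParentImage": SAMPLE, "Image": r"C:\Windows\SysWOW64\Wbem\wmic.exe",
     "CommandLine": "wmic.exe SHADOWCOPY /nointeractive"},
    {"EventID": 13, "ProcessId": 2708, "Image": SAMPLE, "TargetObject": POLICY + r"\EnableLUA",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "ProcessId": 2708, "Image": SAMPLE, "TargetObject": POLICY + r"\ConsentPromptBehaviorAdmin",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "ProcessId": 2708, "Image": SAMPLE, "TargetObject": POLICY + r"\EnableLinkedConnections",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 1, "ProcessId": 3024, "ParentImage": r"C:\Windows\system32\taskeng.exe",
     "Image": r"C:\Users\Admin\AppData\Roaming\svchostt.exe",
     "CommandLine": r"C:\Users\Admin\AppData\Roaming\svchostt.exe"},
    # Benign control (assumed): an admin listing shadow copies from cmd.exe.
    {"EventID": 1, "ProcessId": 4100, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\vssadmin.exe", "CommandLine": "vssadmin.exe List Shadows"},
]

if __name__ == "__main__":
    for a in run(EVENTS):
        print(f"{a.rule:31} pid={a.pid:<5} {a.detail}")
```

Two choices worth noting: the wmic rule requires either a `delete` verb or `/nointeractive` after `shadowcopy`, so an operator running `wmic shadowcopy list` stays quiet, and the registry rule matches on the value actually written (decoded from Sysmon's DWORD rendering) rather than on the key path alone, so a GPO re-enabling UAC does not fire it.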
Network
MITRE ATT&CK Enterprise v15 (technique, hit count)
Privilege Escalation
 Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
Defense Evasion
 Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
 Direct Volume Access (1)
 Impair Defenses (1): Disable or Modify Tools (1)
 Indicator Removal (2): File Deletion (2)
 Modify Registry (2)
Credential Access
 Credentials from Password Stores (1): Credentials from Web Browsers (1)
 Unsecured Credentials (1): Credentials In Files (1)
Downloads
- Filesize 27KB
  MD5: 9cea3324a3495e295c5d77e541d7dc4e
  SHA1: 609b9137c0fcfef7ea49cca91a99615c7c0a0a7b
  SHA256: 91c001b53e8b4beb3bfc878783f770d025a5c36c9e0ee48af4a5b23279470299
  SHA512: c2f7ded6bc3a4461a36e189dd4add1a9248fe135444b796ab0d6965c4fd16b63df8fbec1f85c0b3c31d2143f8b4c7981384eb43a1df13adb5b65963a01b525aa
- Filesize 661KB (the submitted sample; hashes match General above)
  MD5: 19ddac9782acd73f66c5fe040e86ddee
  SHA1: 24ceba1e2951cde8e41939da21c6ba3030fc531d
  SHA256: dde3c98b6a370fb8d1785f3134a76cb465cd663db20dffe011da57a4de37aa95
  SHA512: e7be7472241fdd26db48dbd0311afe821905f6d59dfb56e3dc035944b7346b0767a8af76d110c5f60c0ba0183ca3791e56d9b3c8b9ba887afa111aafc949c1d4
- Filesize 16KB
  MD5: d7c7fc47747768c2651de1cda6c3a9b9
  SHA1: 502ba749f2cea802e55fd0f2e122ec3100e6edce
  SHA256: e79ec8f8d9149f8986229104df73b188a59a40a6b5ff8ed881f0c2f1c47d0afb
  SHA512: 32b69967417256619e99f2d23ce3cc2045522d51e3f55ead84aed9e02c4148e26a59d599af18a29b2c993483710c1c7c22dff5ad3c9a70d1eb678b5b7b5351b3