| File name: | 94f420e16a4eb5154076895cd8c5f677db4273d37d44b81e1d04b26e851b69fe.exe |
| Full analysis: | https://app.any.run/tasks/6b8ee2e2-ea4b-45b5-9bf4-d7ce72eef250 |
| Verdict: | Malicious activity |
| Threats: | Medusa is a ransomware malware family targeting businesses and institutions. Medusa encrypts crucial data, rendering it inaccessible, and attempts to pressure users to pay to regain control of their information. The group behind this malicious software hosts a TOR website where it shares the list of the organizations whose infrastructure has been compromised. This malware utilizes various tactics, including exploiting vulnerabilities and employs a unique file extension (".MEDUSA") to mark encrypted files. |
| Analysis date: | April 29, 2025, 15:49:10 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (console) Intel 80386, for MS Windows, 5 sections |
| MD5: | F05B57CDC3420ACC359EFE9E4941C428 |
| SHA1: | C06377E90B73BB25D30D385D7E75AE500C7BDC16 |
| SHA256: | 94F420E16A4EB5154076895CD8C5F677DB4273D37D44B81E1D04B26E851B69FE |
| SSDEEP: | 24576:3y1OsTYXoVmOG7tGEnW6D7oQOQZ/pKTM:3y1OsTYXoVmOG7tGEnW6PoQlZ/pKTM |
MALICIOUS
Starts NET.EXE for service management
- net.exe (PID: 7596)
- net.exe (PID: 7420)
- 94f420e16a4eb5154076895cd8c5f677db4273d37d44b81e1d04b26e851b69fe.exe (PID: 7324)
- net.exe (PID: 7860)
- net.exe (PID: 7508)
- net.exe (PID: 7684)
- net.exe (PID: 7948)
- net.exe (PID: 8040)
- net.exe (PID: 7772)
- net.exe (PID: 7444)
- net.exe (PID: 7524)
- net.exe (PID: 7616)
- net.exe (PID: 7704)
- net.exe (PID: 7792)
- net.exe (PID: 7780)
- net.exe (PID: 6132)
- net.exe (PID: 4164)
- net.exe (PID: 5064)
- net.exe (PID: 2692)
- net.exe (PID: 1228)
- net.exe (PID: 7264)
- net.exe (PID: 5428)
- net.exe (PID: 728)
- net.exe (PID: 7788)
- net.exe (PID: 1132)
- net.exe (PID: 7660)
- net.exe (PID: 7760)
- net.exe (PID: 8152)
- net.exe (PID: 7896)
- net.exe (PID: 5576)
- net.exe (PID: 1164)
- net.exe (PID: 5972)
- net.exe (PID: 4200)
- net.exe (PID: 7292)
- net.exe (PID: 7612)
- net.exe (PID: 6192)
- net.exe (PID: 6388)
- net.exe (PID: 5216)
- net.exe (PID: 4112)
- net.exe (PID: 660)
- net.exe (PID: 7348)
- net.exe (PID: 7540)
- net.exe (PID: 7932)
- net.exe (PID: 6988)
- net.exe (PID: 7464)
- net.exe (PID: 8024)
- net.exe (PID: 3304)
- net.exe (PID: 6744)
- net.exe (PID: 8144)
- net.exe (PID: 7884)
- net.exe (PID: 7756)
- net.exe (PID: 7836)
- net.exe (PID: 7940)
- net.exe (PID: 8060)
- net.exe (PID: 720)
- net.exe (PID: 4408)
- net.exe (PID: 2432)
- net.exe (PID: 7244)
- net.exe (PID: 7692)
- net.exe (PID: 8068)
- net.exe (PID: 896)
- net.exe (PID: 6268)
- net.exe (PID: 4224)
- net.exe (PID: 5720)
- net.exe (PID: 7712)
- net.exe (PID: 7316)
- net.exe (PID: 8148)
- net.exe (PID: 7260)
- net.exe (PID: 3300)
- net.exe (PID: 7448)
- net.exe (PID: 7560)
- net.exe (PID: 8000)
- net.exe (PID: 6872)
- net.exe (PID: 7672)
- net.exe (PID: 5048)
- net.exe (PID: 864)
- net.exe (PID: 7276)
- net.exe (PID: 7320)
- net.exe (PID: 7784)
- net.exe (PID: 8176)
- net.exe (PID: 3020)
- net.exe (PID: 7676)
- net.exe (PID: 8072)
- net.exe (PID: 5588)
- net.exe (PID: 7648)
- net.exe (PID: 1764)
- net.exe (PID: 5164)
- net.exe (PID: 7432)
- net.exe (PID: 7820)
- net.exe (PID: 2852)
- net.exe (PID: 7520)
- net.exe (PID: 7984)
- net.exe (PID: 7944)
- net.exe (PID: 5640)
- net.exe (PID: 7504)
- net.exe (PID: 7920)
- net.exe (PID: 2268)
- net.exe (PID: 3008)
- net.exe (PID: 8172)
- net.exe (PID: 1660)
- net.exe (PID: 6512)
- net.exe (PID: 5964)
- net.exe (PID: 7192)
- net.exe (PID: 1328)
- net.exe (PID: 2984)
- net.exe (PID: 6752)
- net.exe (PID: 4300)
- net.exe (PID: 9000)
- net.exe (PID: 9088)
- net.exe (PID: 9172)
- net.exe (PID: 7748)
- net.exe (PID: 8048)
- net.exe (PID: 6592)
- net.exe (PID: 5228)
- net.exe (PID: 2240)
- net.exe (PID: 1040)
- net.exe (PID: 8212)
- net.exe (PID: 8304)
- net.exe (PID: 8392)
- net.exe (PID: 8480)
- net.exe (PID: 8556)
- net.exe (PID: 8736)
- net.exe (PID: 8644)
- net.exe (PID: 8824)
- net.exe (PID: 8908)
- net.exe (PID: 8416)
- net.exe (PID: 8684)
- net.exe (PID: 8604)
- net.exe (PID: 8288)
- net.exe (PID: 8776)
- net.exe (PID: 9012)
- net.exe (PID: 9152)
- net.exe (PID: 8196)
- net.exe (PID: 9164)
- net.exe (PID: 8460)
- net.exe (PID: 8592)
- net.exe (PID: 8784)
- net.exe (PID: 8872)
- net.exe (PID: 8956)
- net.exe (PID: 9080)
- net.exe (PID: 8224)
- net.exe (PID: 8536)
- net.exe (PID: 8932)
- net.exe (PID: 8352)
- net.exe (PID: 8544)
- net.exe (PID: 8680)
- net.exe (PID: 8248)
- net.exe (PID: 8940)
- net.exe (PID: 8200)
- net.exe (PID: 9064)
- net.exe (PID: 8452)
- net.exe (PID: 8524)
- net.exe (PID: 8552)
- net.exe (PID: 8780)
- net.exe (PID: 8772)
- net.exe (PID: 9116)
- net.exe (PID: 8424)
- net.exe (PID: 8284)
- net.exe (PID: 8512)
- net.exe (PID: 8688)
- net.exe (PID: 8584)
- net.exe (PID: 8548)
XORed URL has been found (YARA)
- 94f420e16a4eb5154076895cd8c5f677db4273d37d44b81e1d04b26e851b69fe.exe (PID: 7324)
Antivirus name has been found in the command line (generic signature)
- taskkill.exe (PID: 744)
Uses TASKKILL.EXE to kill antiviruses
- 94f420e16a4eb5154076895cd8c5f677db4273d37d44b81e1d04b26e851b69fe.exe (PID: 7324)
MEDUSA note has been found
- 94f420e16a4eb5154076895cd8c5f677db4273d37d44b81e1d04b26e851b69fe.exe (PID: 7324)
SUSPICIOUS
Creates file in the systems drive root
- 94f420e16a4eb5154076895cd8c5f677db4273d37d44b81e1d04b26e851b69fe.exe (PID: 7324)
Uses TASKKILL.EXE to kill process
- 94f420e16a4eb5154076895cd8c5f677db4273d37d44b81e1d04b26e851b69fe.exe (PID: 7324)
Uses TASKKILL.EXE to kill Office Apps
- 94f420e16a4eb5154076895cd8c5f677db4273d37d44b81e1d04b26e851b69fe.exe (PID: 7324)
Uses TASKKILL.EXE to kill Browsers
- 94f420e16a4eb5154076895cd8c5f677db4273d37d44b81e1d04b26e851b69fe.exe (PID: 7324)
INFO
Checks supported languages
- 94f420e16a4eb5154076895cd8c5f677db4273d37d44b81e1d04b26e851b69fe.exe (PID: 7324)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
xor-url
(PID) Process(7324) 94f420e16a4eb5154076895cd8c5f677db4273d37d44b81e1d04b26e851b69fe.exe
Decrypted-URLs (5)http://medusakxxtp3uo7vusntvubnytaph4d3amxivbggl3hnhpk2nmus34yd.onion/817cbe1cbf9330a3a712d04e151f6d6d
http://wt26mlupk5sl6fmc675pbnsxnehf6dgkehb4vdp4uokbph3bb3il35id.onion/
http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
https://utox.org/uTox_win64.exe)
https://www.torproject.org/download/):
TRiD
| .exe | | | Win64 Executable (generic) (64.6) |
|---|---|---|
| .dll | | | Win32 Dynamic Link Library (generic) (15.4) |
| .exe | | | Win32 Executable (generic) (10.5) |
| .exe | | | Generic Win/DOS Executable (4.6) |
| .exe | | | DOS Executable Generic (4.6) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2024:03:18 15:12:27+00:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 14.27 |
| CodeSize: | 488960 |
| InitializedDataSize: | 190976 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x37c1a |
| OSVersion: | 6 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows command line |
Total processes
695
Monitored processes
574
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 516 | C:\WINDOWS\system32\net1 stop "SQLAgent$SBSMONITORING" /y | C:\Windows\SysWOW64\net1.exe | — | net.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Net Command Exit code: 2 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 632 | C:\WINDOWS\system32\net1 stop "SQLAgent$VEEAMSQL2008R2" /y | C:\Windows\SysWOW64\net1.exe | — | net.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Net Command Exit code: 2 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 660 | net stop "MSSQL$SHAREPOINT" /y | C:\Windows\SysWOW64\net.exe | — | 94f420e16a4eb5154076895cd8c5f677db4273d37d44b81e1d04b26e851b69fe.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Net Command Exit code: 2 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 664 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | net.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 720 | net stop "MSOLAP$SQL_2008" /y | C:\Windows\SysWOW64\net.exe | — | 94f420e16a4eb5154076895cd8c5f677db4273d37d44b81e1d04b26e851b69fe.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Net Command Exit code: 2 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 728 | net stop "McAfeeFrameworkMcAfeeFramework" /y | C:\Windows\SysWOW64\net.exe | — | 94f420e16a4eb5154076895cd8c5f677db4273d37d44b81e1d04b26e851b69fe.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Net Command Exit code: 2 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 744 | taskkill /F /IM Ntrtscan.exe /T | C:\Windows\SysWOW64\taskkill.exe | — | 94f420e16a4eb5154076895cd8c5f677db4273d37d44b81e1d04b26e851b69fe.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Terminates Processes Exit code: 128 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 856 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | net.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 856 | C:\WINDOWS\system32\net1 stop "SQLBrowser" /y | C:\Windows\SysWOW64\net1.exe | — | net.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Net Command Exit code: 2 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 864 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | net.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
12 792
Read events
12 792
Write events
0
Delete events
0
Modification events
Executable files
32
Suspicious files
6 969
Text files
1 138
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 7324 | 94f420e16a4eb5154076895cd8c5f677db4273d37d44b81e1d04b26e851b69fe.exe | C:\Program Files\Mozilla Firefox\omni.ja | — | |
MD5:— | SHA256:— | |||
| 7324 | 94f420e16a4eb5154076895cd8c5f677db4273d37d44b81e1d04b26e851b69fe.exe | C:\Program Files\Common Files\microsoft shared\ClickToRun\SubsystemController.man | binary | |
MD5:83EB85F0AAE208A94B7795BEF30BB194 | SHA256:32882693FBF94E97E45D51A87F6264B286E9D5747D5C084E0CD668BC5726189D | |||
| 7324 | 94f420e16a4eb5154076895cd8c5f677db4273d37d44b81e1d04b26e851b69fe.exe | C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgrschedule.xml | binary | |
MD5:BE9CA1B7F5750B00E3A766A20BC34444 | SHA256:EB1BE79AA135A3EBD02FF341A6C1A9ECEA159C8787AB1E66AA0074CD4690DFE9 | |||
| 7324 | 94f420e16a4eb5154076895cd8c5f677db4273d37d44b81e1d04b26e851b69fe.exe | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClientIsv.man | binary | |
MD5:7BF4874264DBBE7285588472338C80FA | SHA256:31FFF45312A8B5782EEB3D90FE96FCB0B062F228F0E2ADEB0BD651DDA2BB6CA6 | |||
| 7324 | 94f420e16a4eb5154076895cd8c5f677db4273d37d44b81e1d04b26e851b69fe.exe | C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\!!!READ_ME_MEDUSA!!!.txt | text | |
MD5:2BE343FEAE5834860DA93B2F97E3F2F9 | SHA256:35E2680FD2CF081F7E9EA24C3AFB3EC725A004D4CC318B98A9530CCE748B72DE | |||
| 7324 | 94f420e16a4eb5154076895cd8c5f677db4273d37d44b81e1d04b26e851b69fe.exe | C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini | binary | |
MD5:B3D2F56C55F1524F836BF3A6D152E942 | SHA256:3E40D2B991FE2C4EC4134291E85019BC37288D332E7C7605F1BE0D83F60E0DB8 | |||
| 7324 | 94f420e16a4eb5154076895cd8c5f677db4273d37d44b81e1d04b26e851b69fe.exe | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RHeartbeatConfig.xml | binary | |
MD5:26B18923EABD859E20CF831B1B730B78 | SHA256:955BE2749506BDFF793AE4620B70AAFE48B37A6885513DBB66D2A0D04DBA8EFF | |||
| 7324 | 94f420e16a4eb5154076895cd8c5f677db4273d37d44b81e1d04b26e851b69fe.exe | C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientCapabilities.json | binary | |
MD5:6B35369761EA9A5CE8379C59EF69FEC1 | SHA256:842C7CCABBA226D84185436B108A86B6BCEFAD7197567B1AA00338A5D43D983F | |||
| 7324 | 94f420e16a4eb5154076895cd8c5f677db4273d37d44b81e1d04b26e851b69fe.exe | C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.hash | binary | |
MD5:BD556967A9D3B98FA1EF65EBC1AC53D9 | SHA256:ABDDBB6FF7F111D60B9E8B7F7B25AA9A84C9F518EF2BE2B1091D6827C9505C0E | |||
| 7324 | 94f420e16a4eb5154076895cd8c5f677db4273d37d44b81e1d04b26e851b69fe.exe | C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientEventLogMessages.man | binary | |
MD5:F5482774773BFBBFDEBEF3B8097F5EB2 | SHA256:E2FC9DC8BAA5A24E1A665D4E88A695D8FB869E95AA2794916C25758CE4571CEF | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
23
TCP/UDP connections
43
DNS requests
14
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
— | — | GET | 304 | 4.175.87.197:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | — | — | unknown |
9240 | SIHClient.exe | GET | 200 | 23.216.77.21:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
9240 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | — | — | whitelisted |
9240 | SIHClient.exe | GET | 200 | 23.216.77.21:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | — | — | whitelisted |
9240 | SIHClient.exe | GET | 200 | 23.216.77.21:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 20.3.187.198:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | unknown | — | — | unknown |
— | — | GET | 200 | 4.175.87.197:443 | https://slscr.update.microsoft.com/sls/ping | unknown | — | — | unknown |
9240 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | — | — | whitelisted |
9240 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | — | — | whitelisted |
9240 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
3216 | svchost.exe | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted |
9240 | SIHClient.exe | 172.202.163.200:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | GB | whitelisted |
9240 | SIHClient.exe | 23.216.77.21:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
9240 | SIHClient.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
9240 | SIHClient.exe | 20.242.39.171:443 | fe3cr.delivery.mp.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
6564 | slui.exe | 20.83.72.98:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
6544 | svchost.exe | 40.126.32.136:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
slscr.update.microsoft.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
fe3cr.delivery.mp.microsoft.com |
| whitelisted |
activation-v2.sls.microsoft.com |
| whitelisted |
nexusrules.officeapps.live.com |
| whitelisted |
login.live.com |
| whitelisted |