{
	"id": "09abb72f-f2be-43eb-a44b-fa39694a69df",
	"created_at": "2026-04-06T01:30:04.898741Z",
	"updated_at": "2026-04-10T13:11:43.915004Z",
	"deleted_at": null,
	"sha1_hash": "550b9ff5a6427087185039e210a6eaba5d0458be",
	"title": "Try not to stare - medusalocker at a glance",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1829371,
	"plain_text": "Try not to stare - medusalocker at a glance\r\nBy f0wL\r\nPublished: 2019-11-05 · Archived: 2026-04-06 01:04:00 UTC\r\nTue 05 November 2019 in Ransomware\r\nMystic but also a new(-ish) threat: Medusa ransomware. Let's take a quick peek, but don't look too close or you\r\nmay need to fetch backups soon.\r\nA general disclaimer as always: downloading and running the samples linked below will lead to the encryption\r\nof your personal data, so be f$cking careful. Also check with your local laws as owning malware binaries/\r\nsources might be illegal depending on where you live.\r\nmedusa.exe @ AnyRun --\u003e sha256 3a5b015655f3aad4b4fd647aa34fda4ce784d75a20d12a73f8dc0e0d866e7e01\r\ndix_16.exe @ HybridAnalysis --\u003e sha256\r\n49da42d00cc3ad6379ead2e07fd5f09bd358b144a6e78aad4bb1a8298e2bb568\r\nhttps://dissectingmalwa.re/try-not-to-stare-medusalocker-at-a-glance.html\r\nPage 1 of 19\n\nTaking a look at the stringdump that stringsifter produced one of the first things that stood out was this base64\r\nencoded image:\r\nAfter decoding it we get an image of a medieval pest doctor. Fun fact: They wore these masks because they\r\nthought it would protect them from the black death. 
One day someone will probably start selling these for endpoint protection.\r\nAnother interesting extracted string is this PDB path:\r\nC:\\Users\\Gh0St\\Desktop\\MedusaLockerInfo\\MedusaLockerProject\\MedusaLocker\\Release\\MedusaLocker.pdb\r\nRunning it through Detect It Easy returns that MedusaLocker was built with Visual C++ and a (in malware terms) relatively new linker version.\r\nEntropy-wise it doesn't look like this sample is packed, and the sections found don't look out of the ordinary either.\r\nAfter digging around in Ghidra for a bit I found FUN_00405bc0, which seems to be the main program routine of MedusaLocker. The strings shown here match the output in the debug console present in the second sample discussed below.\r\nYet another mysterious CLSID that I can't make sense of at the moment: {8761ABBD-7F85-42EE-B272-A76179687C63}. Search results referencing it have been around since October 21st and might make tracking Medusa a bit easier.\r\nNext up the Locker will \"initialize the crypto module\", which uses CryptGenKey provided by WinCrypt to derive a keypair. I'll have a closer look at the encryption routine later.\r\nIt will skip files with the following suffixes:\r\nexe, dll, sys, ini, lnk, rdp, encrypted\r\nAs it is very popular with ransomware to disable the Automatic Startup Repair and delete System Restore Points plus shadow copies, Medusa will do so as well. After that it will also relaunch LanmanWorkstation to ensure that mapped network drives are available.\r\nAfter the \"Adding to Autoload\" debug message it will rename itself to svchost.exe and add its Registry Key to the system startup.\r\nMedusaLocker will try to terminate the following processes by their name. The list contains security software as well as services commonly used in production environments such as SQL or web servers.\r\nwrapper, DefWatch, ccEvtMgr, ccSetMgr, SavRoam, sqlservr, sqlagent, sqladhlp, Culserver, RTVscan, sql\r\nQBIDPService, Intuit.QuickBooks.FCS, QBCFMonitorService, sqlwriter, msmdsrv, tomcat6, zhudongfangyu,\r\nvmware-usbarbitator64, vmware-converter, dbsrv12, dbeng8wxServer.exe, wxServerView, sqlservr.exe, sql\r\nRAgui.exe, supervise.exe, Culture.exe, RTVscan.exe, Defwatch.exe, sqlbrowser.exe, winword.exe, QBW32\r\nqbupdate.exe, QBCFMonitorService.exe, axlbridge.exe, QBIDPService.exe, httpd.exe, fdlauncher.exe, MsD\r\ntomcat6.exe, java.exe, 360se.exe, 360doctor.exe, wdswfsafe.exe, fdlauncher.exe, fdhost.exe, GDscan.ex\r\nIt also copies itself to %APPDATA% after renaming the executable to \"svchostt.exe\".\r\nTo check if an instance of MedusaLocker previously ran on the system it will create a Registry Key at HKEY_CURRENT_USER\\Software\\Medusa\r\nFurthermore it tries to read the state of EnableLinkedConnections via RegOpenKeyExW(HKEY_LOCAL_MACHINE, L\"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\" ... and enables the key if necessary, since Medusa tries to encrypt shared network drives and removable media as well.\r\nAfter terminating the encryption loop the ransomware will wait for 60 seconds and start a new scan to check for new unencrypted files.\r\nRunning MedusaLocker in a VM yields us this UAC prompt with a mysterious CLSID ({3E5FC7F9-9A51-4367-9063-A120244FBEC7}). A quick Google search brings us to the Wikileaks page for the CIA Vault7 leaks, and the ID seems to correspond to cmstplua.dll. Turns out this is a UAC bypass known and implemented since August 2017 (mentioned here).\r\nThe ransom note (which is dropped in every directory that contains files to encrypt) is delivered as an HTML file. In this early sample they seem to have messed up their text alignment. This was fixed in a later version (see below) and will make it easier to identify new samples as they may appear.\r\nLooking at the section list compared to the\r\nThis sample seems to have an enabled debug console which allows us to trace the steps of the infection.\r\nBelow you can see the new ransom note. The Protonmail e-mail address was exchanged for a cock.li one and the Victim ID blob was fitted to the textbox.\r\nBleepingComputer forum user ttrifonov, who was hit by the ransomware as well, found suspicious files on his Desktop after the infection took place. Fortunately for us Medusa skipped the executables.\r\nThis would be a huge discovery infection-vector-wise, as it looks like the attacker gained access to the machine via RDP. (Yet another proof [if we would need any] that RDP exposed to the internet isn't a good idea.)\r\nLooks like the attacker left a few files related to Mimikatz as well...\r\nAs I mentioned earlier the keypair is generated via CryptGenKey. I'm still trying to map out all the actions on the key material.\r\nThe encryption itself is done via the CryptEncrypt function. It seems to use AES for the files and then encrypts the key with an RSA-2048 public key that is stored as a key blob in the executable.\r\nAfter the encryption routine is done the generated hKey is deleted via CryptDestroyKey.\r\nUpdate 23.11.2019:\r\nNow I want to take a closer look at the files left by the attacker on the victim's Desktop, as it was reported multiple times on the BleepingComputer forum. Besides the Mimikatz files in the kamikadze directory there is a semi-legit tool called \"Advanced Port Scanner\" (AnyRun, which is basically just a garbage Zenmap alternative for Windows people) and another one called \"NetworkShare.exe\" (AnyRun, seems to scan for reachable network shares and tries to mount them).\r\nIt also looks like there's a dedicated version of MedusaLocker for Windows XP called dix_16_xp.exe. As you can see below the debug messages start with [LockerXP] instead of [Locker].\r\nThe Decryptor 🧐\r\nThe decryptor is delivered per machine with a 4-letter filename indicating to which victim ID it belongs.\r\nIOCs\r\nMedusa (SHA256)\r\nmedusa.exe --\u003e SHA256: 3a5b015655f3aad4b4fd647aa34fda4ce784d75a20d12a73f8dc0e0d866e7e01\r\n SSDEEP: 12288:f+IZ+bobAyYFJPrsU4VwryxjpBx8ajiOhA8tsV1YRbRb7:2++EMyYFJPoUecOh8aWdD1UB7\r\ndix_16.exe --\u003e SHA256: 49da42d00cc3ad6379ead2e07fd5f09bd358b144a6e78aad4bb1a8298e2bb568\r\n SSDEEP: 24576:nJC1YAOp0eRaNaQgxPubcoiukAby3LV1jqjx9/WBRQ/8PxS//lTQKJfF27:nw1OfMGxRoiuW\r\ndix_16_xp.exe --\u003e SHA256: 6c7eda3f5e9bbc685b0eefde2a51f0ccb06ad33805e617876a5124410cac9945\r\n SSDEEP: 24576:Sx7USQ2bEdBF4XUCAdbpH7KYlvnIVGDDUWuXrO0VY/QjFdIkyoRn:MISXu5C47KMIaDWV\r\nE-Mail Addresses\r\nCtorsenoria@tutanota[.]com\r\nFolieloi@protonmail[.]com\r\nmrromber@cock[.]li\r\nmrromber@tutanota[.]com\r\nsambolero@tutanoa[.]com\r\nrightcheck@cock[.]li\r\nfartcool@protonmail[.]ch\r\nbestcool@keemail[.]me\r\ntanoss@protonmail[.]com\r\nsypress@protonmail[.]com\r\nAssociated Files\r\nsvchostt.exe\r\nHOW_TO_OPEN_FILES.html\r\nAdvanced Port Scanner 2.4.2750.exe\r\nd_upd1008.exe\r\nNetworkShare_pre2.exe\r\nPsExec64.exe (legitimate)\r\nPsExec.exe (legitimate)\r\nb.bat\r\nNetworkShare.exe\r\nkamikadze/32.exe\r\nkamikadze/64.exe\r\nkamikadze/64_log.txt\r\nkamikadze/dump.bat\r\nkamikadze/mimidrv (2).sys\r\nkamikadze/mimilib (2).dll\r\nkamikadze/86_log.txt\r\nkamikadze/mimidrv.sys\r\nkamikadze/mimilib.dll\r\nRegistry Keys\r\nHKCU\\SOFTWARE\\Medusa\r\nHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ --\u003e EnableLinkedConnections = 1\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System --\u003e ConsentPromptBehavio\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System --\u003e EnableLUA = 1\r\nRansomnote\r\nAll your data are encrypted!\r\nWhat happened?\r\nYour files are encrypted, and currently unavailable.\r\nYou can check it: all files on you computer has new expansion.\r\nBy the way, everything is possible to recover (restore), but you need to buy a unique decryptor.\r\nOtherwise, you never cant return your data.\r\nFor purchasing a decryptor contact us by email:\r\nmrromber@cock.li\r\nIf you will get no answer within 24 hours contact us by our alternate emails:\r\nmrromber@tutanota.com\r\nWhat guarantees?\r\nIts just a business. If we do not do our work and liabilities - nobody will not cooperate with us.\r\nTo verify the possibility of the recovery of your files we can decrypted 1 file for free.\r\nAttach 1 file to the letter (no more than 10Mb). Indicate your personal ID on the letter:\r\n54E87CD3C1529DD06EB22FF80C49B5374ABB8E5B30D06E13BBE2E81411234A20DF1ADA53FDA68BD6294C96DAC3049B4BDC502FE764BF468AF1A029B41162759D6164EB0652E95D3FAE3939773B505073E6090079C9C9243EE8B96AEB41A43B787B47DD01D7425E042C6CBDE89BB5F2E7F9CC6601BD9430E87B42A56BEEFF207F20F9E4E5E48FA3274AE0DE8D65EEC0F2BA2CC4AECB22A9E6FD2B21FF152A6A11BD86D063A965C1571078A439C97D52215738104F7B6EF7415CC4A2C03260BCB9A84E71E088326874774339CFF3002697B8AD04E01A6B6DC0A460F4273778429962A7AEECEE3BA16A577A6B1D6B67A7FAEFA5C9CB8BBCEFEDC3FF6B04EBE5D37B69B42BBEE2EA0D00C7439858D2D9BD4A57B47F3E05EBF913F5FAB195AF0575DD345E84347A82010CDC4C0507C98687C61ED4091E4155585A687EAB73CBEA8ADA7B93B5EB67877CDD0E35C9116B8DCADD2038C4EEAC42302F3B787E54F8AD24012E4A89B3C32252BD438399FAE630A1E099E9D130E7EA7E042841B468FF00FCF86B9C07C054827EE76956211CE70FEB686EC1997134C96D1D35DD713CA33774C4D5D0\r\nAttention!\r\n- Attempts of change files by yourself will result in a loose of data.\r\n- Our e-mail can be blocked over time. Write now, loss of contact with us will result in a loose of d\r\n- Use any third party software for restoring your data or antivirus solutions will result in a loose\r\n- Decryptors of other users are unique and will not fit your files and use of those will result in a\r\n- If you will not cooperate with our service - for us, its does not matter. But you will lose your ti\r\nMedusa Icon made by Freepik from www.flaticon.com\r\nSource: https://dissectingmalwa.re/try-not-to-stare-medusalocker-at-a-glance.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://dissectingmalwa.re/try-not-to-stare-medusalocker-at-a-glance.html"
	],
	"report_names": [
		"try-not-to-stare-medusalocker-at-a-glance.html"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "23dfc9f5-1862-4510-a6ae-53d8e51f17b1",
			"created_at": "2024-05-01T02:03:08.146025Z",
			"updated_at": "2026-04-10T02:00:03.67072Z",
			"deleted_at": null,
			"main_name": "PLATINUM TERMINAL",
			"aliases": [
				"APT-C-39 ",
				"Longhorn ",
				"The Lamberts ",
				"Vault7 "
			],
			"source_name": "Secureworks:PLATINUM TERMINAL",
			"tools": [
				"AfterMidnight",
				"Assassin",
				"Marble Framework"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775439004,
	"ts_updated_at": 1775826703,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/550b9ff5a6427087185039e210a6eaba5d0458be.pdf",
		"text": "https://archive.orkl.eu/550b9ff5a6427087185039e210a6eaba5d0458be.txt",
		"img": "https://archive.orkl.eu/550b9ff5a6427087185039e210a6eaba5d0458be.jpg"
	}
}