MalwareAnalysisSeries

This repository contains the analysis reports, technical details or any tools created for helping in malware analysis. Additionally, the repo contains extracted TTPs with code along with the detection rules


Project maintained by shaddy43 Hosted on GitHub Pages — Theme by mattgraham

MedusaLocker: Service Stop


Ransomware typically kills services running in a system to maximize its impact and increase the likelihood of a ransom payment. By terminating services related to antivirus and security software, ransomware can avoid detection and prevent its removal, allowing it to encrypt files without interference. Disabling database services and backup solutions ensures that organizations cannot easily restore their data from backups, thereby amplifying the pressure to pay the ransom. Additionally, stopping critical business services disrupts operations, causing significant downtime and financial loss. This combination of tactics—disabling security measures, hindering recovery efforts, and causing operational disruption—creates a dire situation for the victim, making them more likely to comply with the attackers’ demands to regain control of their systems and data.

MedusaLocker is no exception: the binary carries a hard-coded list of services that it stops and then deletes before launching the encryption routine. Deleting a service through the Service Control Manager removes the service's configuration key from the registry, and that removal is the artefact the detections below are built on.

Detection Indicators

The detection indicators are: deletion of a service's registry key under HKLM\SYSTEM\CurrentControlSet\Services\<service name> where the service name is one of those hard-coded in the MedusaLocker binary. In Defender XDR this surfaces as a DeviceRegistryEvents row with ActionType RegistryKeyDeleted; in Sysmon it surfaces as Event ID 12 (RegistryEvent) with EventType DeleteKey.

Log Sources

I have configured multiple log sources in my detection lab. I am using Azure Sentinel as my SIEM solution. The following logs are ingested into the SIEM:

Microsoft Defender XDR advanced hunting tables (DeviceRegistryEvents)
Sysmon events forwarded into the WindowsEvent table

Detection Engineering with Defender XDR

I noticed a behavior in the XDR logs: whenever a service is deleted, its registry key is removed from the system. I based my detection on this behavior.

// Defender XDR: deleting a service removes its key under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<name>
DeviceRegistryEvents
| where ActionType == "RegistryKeyDeleted"
// scope to the Services hive so a bare term such as "wrapper" elsewhere in the registry does not fire
| where PreviousRegistryKey contains @"\CurrentControlSet\Services\"
// services hard-coded in the MedusaLocker binary (has_any is case-insensitive, so the duplicate entries of the original list are dropped)
| where PreviousRegistryKey has_any ("wrapper", "DefWatch", "defragsvc", "ccEvtMgr", "ccSetMgr", "SavRoam", "sqlservr", "sqlagent", "sqladhlp", "Culserver", "RTVscan", "sqlbrowser", "QBIDPService", "Intuit.QuickBooks.FCS", "QBCFMonitorService", "sqlwriter", "msmdsrv", "tomcat6", "zhudongfangyu", "vmware-usbarbitator64", "vmware-converter", "dbsrv12")
| project TimeGenerated, ActionType, DeviceName, InitiatingProcessFileName, PreviousRegistryKey


Detection Engineering with Sysmon

The logic is the same with Sysmon logs: a registry key deletion (Event ID 12 with EventType DeleteKey) whose target is one of the listed service keys. Event ID 12 also fires for CreateKey, so the EventType filter is needed to avoid alerting on a legitimate service install.

WindowsEvent //(Sysmon)
| where EventID == 12
| where tostring(EventData.EventType) == "DeleteKey" // EventID 12 covers CreateKey as well
| where tostring(EventData.TargetObject) contains @"\CurrentControlSet\Services\" // Sysmon writes the key as HKLM\System\...
| where tostring(EventData.TargetObject) has_any ("wrapper", "DefWatch", "defragsvc", "ccEvtMgr", "ccSetMgr", "SavRoam", "sqlservr", "sqlagent", "sqladhlp", "Culserver", "RTVscan", "sqlbrowser", "QBIDPService", "Intuit.QuickBooks.FCS", "QBCFMonitorService", "sqlwriter", "msmdsrv", "tomcat6", "zhudongfangyu", "vmware-usbarbitator64", "vmware-converter", "dbsrv12")
| project TimeGenerated, EventID, Computer, EventType = tostring(EventData.EventType), Image = tostring(EventData.Image), TargetObject = tostring(EventData.TargetObject), Channel


Detection Engineering with SIGMA

title: Services Terminated
id: 3371a675-1362-473a-ad38-a93bbe5cd6f1
status: experimental
description: Detects the deletion of services hard-coded in the MedusaLocker ransomware binary, observed as the removal of the service's key under HKLM\SYSTEM\CurrentControlSet\Services. Ransomware stops and deletes these services so that security software cannot interfere with encryption and database or backup services cannot aid recovery.
references:
    - https://www.seqrite.com/blog/medusalocker-ransomware-an-in-depth-technical-analysis-and-prevention-strategies/#:~:text=List%20of%20hardcoded%20services%3A
author: Shayan Ahmed Khan (shaddy43)
date: 2024/08/05
modified: 2024/08/05
tags:
    - attack.impact
    - attack.t1489
    - detection.threat_hunting
logsource:
    product: windows
    service: sysmon
detection:
    selection_delete:
        EventID: 12                 # RegistryEvent (object create and delete)
        EventType: DeleteKey        # EventID 12 also fires for CreateKey
        TargetObject|contains: '\CurrentControlSet\Services\'   # EventData.TargetObject, scoped to the Services hive
    selection_service:
        TargetObject|contains:      # case-insensitive; duplicate entries of the original list removed
            - 'wrapper'
            - 'DefWatch'
            - 'defragsvc'
            - 'ccEvtMgr'
            - 'ccSetMgr'
            - 'SavRoam'
            - 'sqlservr'
            - 'sqlagent'
            - 'sqladhlp'
            - 'Culserver'
            - 'RTVscan'
            - 'sqlbrowser'
            - 'QBIDPService'
            - 'Intuit.QuickBooks.FCS'
            - 'QBCFMonitorService'
            - 'sqlwriter'
            - 'msmdsrv'
            - 'tomcat6'
            - 'zhudongfangyu'
            - 'vmware-usbarbitator64'
            - 'vmware-converter'
            - 'dbsrv12'
    condition: all of selection_*
falsepositives:
    - Legitimate removal of one of these services by an administrator or by a product uninstaller
level: medium
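To check the rule logic end to end without a SIEM, the following Python script (an added example, not code from the MalwareAnalysisSeries repository or from the rule set above) re-implements what the Defender XDR, Sysmon and Sigma rules express: a registry key deletion under ...\CurrentControlSet\Services\ whose name matches one of the services hard-coded in MedusaLocker. It applies two checks a practitioner will want, the DeleteKey filter (Sysmon Event ID 12 also covers CreateKey) and scoping to the Services hive (so a bare term such as "wrapper" elsewhere in the registry does not fire), and emulates KQL has_any term matching so that a named instance like SQLAgent$SQLEXPRESS still matches "sqlagent". The sample events, host names and process paths are constructed for illustration, not captured telemetry.

```python
r"""Reference implementation of the MedusaLocker service-deletion detection.

Added example, not code from the MalwareAnalysisSeries repository. Runs the
logic of the Defender XDR / Sysmon / Sigma rules over constructed events.
"""
import re

# Services hard-coded in the MedusaLocker binary (duplicates of the original
# list removed; matching is case-insensitive, like KQL has_any / Sigma contains).
MEDUSALOCKER_SERVICES = [
    "wrapper", "DefWatch", "defragsvc", "ccEvtMgr", "ccSetMgr", "SavRoam",
    "sqlservr", "sqlagent", "sqladhlp", "Culserver", "RTVscan", "sqlbrowser",
    "QBIDPService", "Intuit.QuickBooks.FCS", "QBCFMonitorService", "sqlwriter",
    "msmdsrv", "tomcat6", "zhudongfangyu", "vmware-usbarbitator64",
    "vmware-converter", "dbsrv12",
]

# Sysmon writes "HKLM\System\..." and Defender XDR "HKEY_LOCAL_MACHINE\SYSTEM\...",
# so anchor on the part of the path both agree on. Group 1 is everything after
# the Services\ component (the service name, possibly followed by sub-keys).
_SERVICES_KEY = re.compile(r"\\CurrentControlSet\\Services\\(.+)$", re.IGNORECASE)
_TERM = re.compile(r"[a-z0-9_]+")


def _terms(text):
    """Split text into lower-case alphanumeric terms, the way KQL `has` does."""
    return _TERM.findall(text.lower())


_SERVICE_TERMS = [(name, _terms(name)) for name in MEDUSALOCKER_SERVICES]


def _contains_sequence(haystack, needle):
    n = len(needle)
    return any(haystack[i:i + n] == needle for i in range(len(haystack) - n + 1))


def matched_service(registry_key):
    r"""Return the listed service name the key refers to, or None.

    Only keys under ...\CurrentControlSet\Services\ qualify, so a key such as
    ...\Uninstall\wrapper does not fire on the bare term "wrapper".
    """
    m = _SERVICES_KEY.search(registry_key)
    if not m:
        return None
    key_terms = _terms(m.group(1))
    for name, terms in _SERVICE_TERMS:
        if _contains_sequence(key_terms, terms):
            return name
    return None


def is_key_deletion(event):
    """True for Sysmon Event ID 12 with EventType DeleteKey, or a Defender XDR
    DeviceRegistryEvents row with ActionType RegistryKeyDeleted."""
    if event.get("EventID") == 12:
        return event.get("EventType") == "DeleteKey"   # EID 12 also covers CreateKey
    return event.get("ActionType") == "RegistryKeyDeleted"


def registry_key_of(event):
    return event.get("TargetObject") or event.get("PreviousRegistryKey") or ""


def detect(events):
    """Apply the rule to a list of events; return one alert per hit."""
    alerts = []
    for ev in events:
        if not is_key_deletion(ev):
            continue
        name = matched_service(registry_key_of(ev))
        if name is None:
            continue
        alerts.append({
            "host": ev.get("Computer") or ev.get("DeviceName"),
            "process": ev.get("Image") or ev.get("InitiatingProcessFileName"),
            "service": name,
            "key": registry_key_of(ev),
            "technique": "T1489",  # MITRE ATT&CK: Service Stop
        })
    return alerts


# Constructed sample events (hypothetical hosts and paths, not real telemetry).
SAMPLE_EVENTS = [
    # Sysmon: listed service key removed -> alert
    {"EventID": 12, "EventType": "DeleteKey", "Computer": "ws01.lab.local",
     "Image": r"C:\Windows\System32\services.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\sqlwriter"},
    # Sysmon: same key created (service install) -> no alert
    {"EventID": 12, "EventType": "CreateKey", "Computer": "ws01.lab.local",
     "Image": r"C:\Windows\System32\services.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\sqlwriter"},
    # Defender XDR: named SQL Agent instance deleted -> alert via term match
    {"ActionType": "RegistryKeyDeleted", "DeviceName": "db02.lab.local",
     "InitiatingProcessFileName": "services.exe",
     "PreviousRegistryKey":
         r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SQLAgent$SQLEXPRESS"},
    # Defender XDR: "wrapper" outside the Services hive -> no alert
    {"ActionType": "RegistryKeyDeleted", "DeviceName": "ws01.lab.local",
     "InitiatingProcessFileName": "msiexec.exe",
     "PreviousRegistryKey":
         r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\wrapper"},
    # Sysmon: deletion of a service that is not on the list -> no alert
    {"EventID": 12, "EventType": "DeleteKey", "Computer": "ws01.lab.local",
     "Image": r"C:\Windows\System32\services.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\Spooler"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Running it yields two alerts (sqlwriter on ws01, sqlagent on db02) and nothing for the CreateKey, out-of-hive and unlisted-service events. One caveat the sample events reflect: in both Sysmon and Defender XDR the process that removes the key is normally the Service Control Manager (services.exe), not the binary that called DeleteService or ran sc.exe delete, so Image / InitiatingProcessFileName identifies the mechanism rather than the actor. To attribute the deletion, pivot to process-creation events (sc.exe delete, net stop, taskkill) on the same host in the same time window.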