MalwareAnalysisSeries

This repository contains analysis reports, technical details and any tools created to help with malware analysis. Additionally, the repo contains extracted TTPs with code, along with the corresponding detection rules.


Project maintained by shaddy43 Hosted on GitHub Pages — Theme by mattgraham

MedusaLocker: Terminate Process

MedusaLocker Image

Ransomware often terminates certain running processes before encryption to ensure maximum impact and effectiveness. This is done to avoid interference by stopping security software and system monitoring tools, thus preventing detection and interruption during the encryption process. Additionally, by terminating resource-intensive applications, such as databases and email servers, ransomware ensures it has sufficient system resources to operate efficiently. Furthermore, some applications lock files while in use, preventing them from being encrypted. Stopping these applications allows the ransomware to access and encrypt these files. This strategy helps the ransomware maximize its chances of successful encryption and increases the likelihood that the victim will pay the ransom to regain access to their data.

MedusaLocker Ransomware likewise carries a pre-defined list of processes that it looks for and kills before launching the encryption operation.

Detection Indicators

The detection indicators are:

Log Sources

I have configured multiple log sources in my detection lab. I am using Azure Sentinel as my SIEM solution. The following logs are ingested into the SIEM:

Detection Engineering with Security Audit Logs

In the following query, I am looking for process termination events (EventID 4689) for the list of processes that MedusaLocker targets. To reduce false positives, I only flag anomalous activity: the events are grouped into 30-second time bins per computer, and a bin is reported when more than a specified number of processes from the target list have been killed within it.

```kusto
SecurityEvent
    //| where TimeGenerated >= ago(24h)
    | where EventID == 4689 and Process has_any ('wxServer.exe', 'wxServerView', 'sqlservr.exe', 'sqlmangr.exe', 'RAgui.exe', 'supervise.exe', 'Culture.exe', 'RTVscan.exe', 'Defwatch.exe', 'sqlbrowser.exe', 'WINWORD.EXE', 'QBW32.exe', 'QBDBMgr.exe', 'qbupdate.exe', 'QBCFMonitorService.exe', 'axlbridge.exe', 'QBIDPService.exe', 'httpd.exe', 'fdlauncher.exe', 'MsDtSrvr.exe', 'tomcat6.exe', 'java.exe', '360se.exe', '360doctor.exe', 'wdswfsafe.exe', 'fdlauncher.exe', 'fdhost.exe', 'GDscan.exe', 'ZhuDongFangYu.exe')
    | summarize TerminatedProcessCount = count() by bin(TimeGenerated, 30s), Computer
    | where TerminatedProcessCount > 1  // threshold can be adjusted as needed (e.g. more than 5 processes)
```

detection rule1

Detection Engineering with Sysmon

With Sysmon, the detection logic is the same as above; only the table name, the event ID (Sysmon Event ID 5, process terminated) and the field names differ.

```kusto
WindowsEvent // (Sysmon)
    //| where TimeGenerated >= ago(24h)
    | where EventID == 5 and EventData.Image has_any ('wxServer.exe', 'wxServerView', 'sqlservr.exe', 'sqlmangr.exe', 'RAgui.exe', 'supervise.exe', 'Culture.exe', 'RTVscan.exe', 'Defwatch.exe', 'sqlbrowser.exe', 'WINWORD.EXE', 'QBW32.exe', 'QBDBMgr.exe', 'qbupdate.exe', 'QBCFMonitorService.exe', 'axlbridge.exe', 'QBIDPService.exe', 'httpd.exe', 'fdlauncher.exe', 'MsDtSrvr.exe', 'tomcat6.exe', 'java.exe', '360se.exe', '360doctor.exe', 'wdswfsafe.exe', 'fdlauncher.exe', 'fdhost.exe', 'GDscan.exe', 'ZhuDongFangYu.exe')
    | summarize TerminateProcessCount = count() by bin(TimeGenerated, 30s), Computer
    | where TerminateProcessCount > 1 // again, the threshold can be adjusted accordingly
```

detection rule2
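To show the bin-and-count logic of both rules above outside the SIEM, here is an added Python example (not code from this repository) that applies the same rule to a handful of constructed termination records: the record shape, the host names and the image paths are assumptions, while the target list is the one from the queries.

```python
# Added example (not from the MalwareAnalysisSeries repo): the same
# bin(TimeGenerated, 30s) + count() + threshold logic as the KQL rules,
# run offline over constructed EventID 4689 / Sysmon ID 5 style records.
from collections import defaultdict
from datetime import datetime, timedelta

# MedusaLocker's kill list as given in the queries above (matched case-insensitively).
MEDUSA_TARGETS = {
    'wxserver.exe', 'wxserverview', 'sqlservr.exe', 'sqlmangr.exe', 'ragui.exe',
    'supervise.exe', 'culture.exe', 'rtvscan.exe', 'defwatch.exe', 'sqlbrowser.exe',
    'winword.exe', 'qbw32.exe', 'qbdbmgr.exe', 'qbupdate.exe', 'qbcfmonitorservice.exe',
    'axlbridge.exe', 'qbidpservice.exe', 'httpd.exe', 'fdlauncher.exe', 'msdtsrvr.exe',
    'tomcat6.exe', 'java.exe', '360se.exe', '360doctor.exe', 'wdswfsafe.exe',
    'fdhost.exe', 'gdscan.exe', 'zhudongfangyu.exe',
}

def time_bin(ts: datetime, seconds: int = 30) -> datetime:
    """Equivalent of KQL bin(): floor the timestamp to the start of its N-second bin."""
    epoch = datetime(1970, 1, 1)
    floored = ((ts - epoch).total_seconds() // seconds) * seconds
    return epoch + timedelta(seconds=floored)

def detect_mass_termination(events, threshold=1, bin_seconds=30):
    """events: iterable of (timestamp, computer, image) for process-termination events.
    image may be a bare name (4689 Process) or a full path (Sysmon Image).
    Returns {(bin_start, computer): count} for every bin whose count exceeds threshold."""
    counts = defaultdict(int)
    for ts, computer, image in events:
        name = image.replace('/', '\\').rsplit('\\', 1)[-1].lower()
        if name in MEDUSA_TARGETS:
            counts[(time_bin(ts, bin_seconds), computer)] += 1
    return {key: n for key, n in counts.items() if n > threshold}

# Constructed sample events: a burst of kills on WS01 (ransomware-like) and a
# single SQL Server restart on DB02 that should stay below the threshold.
SAMPLE_EVENTS = [
    (datetime(2024, 5, 1, 10, 0, 2), 'WS01', r'C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe'),
    (datetime(2024, 5, 1, 10, 0, 5), 'WS01', r'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'),
    (datetime(2024, 5, 1, 10, 0, 9), 'WS01', r'C:\Program Files\Apache\httpd.exe'),
    (datetime(2024, 5, 1, 10, 0, 11), 'WS01', r'C:\Windows\System32\notepad.exe'),  # not on the list
    (datetime(2024, 5, 1, 10, 0, 40), 'DB02', 'sqlservr.exe'),  # lands in the 10:00:30 bin, count 1
]

if __name__ == '__main__':
    for (start, host), n in detect_mass_termination(SAMPLE_EVENTS).items():
        print(f'{host}: {n} listed processes terminated in the bin starting {start:%H:%M:%S}')
```

Raising `threshold` (e.g. to 5, as the query comments suggest) trades sensitivity for fewer alerts on legitimate service restarts, as the lone DB02 event illustrates.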