Medusa ransomware unlocked - complete in depth ransomware analysis and digital forensics скачать в хорошем качестве

Medusa ransomware unlocked - complete in depth ransomware analysis and digital forensics

Medusa Ransomware complete - Digital Forensics and Incident Response - In depth technical ransomware analysis -------------------------------------------------- Linkedin profile --   / deepanshukhanna   Github Link for Medusa -- https://github.com/deep1792/medusa-ra... for more interesting topics grab your copy from amazon - https://www.amazon.in/Digital-Forensi... -------------------------------------------- MITRE -- TTPs TA0043 - Reconnaissance TA0002 - Malicious Executions TA0005 - Defense Evasion TA0006 - Credential Access T1055 -- Process Injections TA0004 - Privilege Escalation TA0003 -- Persistence TA0011 - Command and Control -------------------------------------------- Technical Analysis File Operations "ReadFile", "WriteFile" "GetFileAttributesW", "SetFileAttributesW" "MoveFileW" "FindFirstFileExW", "FindNextFileW", "FindClose" "SetEndOfFile", "SetFilePointerEx" Networking & Communication "socket", "connect" "bind" "Ping" Process & Thread Control "CreateProcessA", "CreateThread" "TerminateProcess", "ExitProcess" "GetCurrentProcess", "GetCurrentThread" "WaitForSingleObjectEx", "EnterCriticalSection"capabilities. Memory Manipulation "HeapAlloc", "HeapFree", "HeapReAlloc" "VirtualAlloc", "VirtualProtect", "VirtualFree" "GetProcessHeap" Cryptographic Functions "CryptEncrypt", "CryptHashData", "CryptImportKey" "CryptCreateHash", "BCryptDestroyKey" Anti-Analysis & Evasion Techniques "IsDebuggerPresent" "Sleep", "GetTickCount64", "QueryPerformanceCounter" "UnhandledExceptionFilter", "SetUnhandledExceptionFilter" "GetLogicalProcessorInformation" "GetModuleHandleA", "GetProcAddress" System Persistence "SetThreadPriority" ------------------------------------- IOCs --- 736de79e0a2d08156bae608b2a3e63336829d59d38d61907642149a566ebd270 Named Mutex - Program Database - G:\Medusa\Release\gaze.pdb Child processes spawning vssadmin.exe (volume shadow copy deletion). ------------------------------------------------------- Windows native DLLs calls KERNEL32.dll USER32.dll bcrypt.dll CRYPT32.dll ---------------------------------------------------------- Yara Rules rule Medusa_Malware { meta: description = "Detects Medusa malware based on known patterns" author = "Cybersecurity Analyst" date = "2025-03-17" version = "1.0" hash = "ed42aa500e5b16c79abaa061d456992c" strings: $a1 = "vssadmin Delete Shadows /all /quiet" nocase $a2 = "IsDebuggerPresent" $a3 = "CreateProcessA" $a4 = "CryptEncrypt" $a5 = "socket" $a6 = "connect" $a7 = "VirtualAlloc" $a8 = "GetProcAddress" $a9 = "UnhandledExceptionFilter" $pdb = "gaze.pdb" condition: (uint16(0) == 0x5A4D) and // Checks for PE file format (5 of ($a*) or $pdb) } -------------------------------------------------- SIEM detection index=windows | where (process_name="cmd.exe" AND process_command_line="vssadmin Delete Shadows /all /quiet") OR (process_name IN ("medusa.exe", "gaze.exe")) OR (process_command_line LIKE "%IsDebuggerPresent%") OR (process_command_line LIKE "%CryptEncrypt%") | table _time, host, process_name, process_id, process_command_line ----------------------------------------------------------- VirusTotal Link -- https://www.virustotal.com/gui/file/7... ---------------------------------------------------------------------- #MedusaRansomware #malwareanalysis #cybersecurity #IOCs #threathunting #reverseengineering #RansomwareAnalysis #WindowsAPI #infosec #MedusaRansomware #malwareanalysis #IOCs #reverseengineering #cybersecuritycommunity