Attempting to monitor Medusa ransomware sample via syscall hooks causes BSOD
seanthegeek opened this issue · 5 comments
Sample: SHA256 (found on VT): e7d2f78fdc1af32cea5ee99f57feff82f016d2a4baac4201a8785735427a9af3
OS: Windows 10 21H2
CAPE commit: d76a17c
Using Cuckoo-style thread monitoring instead works as expected.
Interestingly, the CAPE instance used by VirusTotal produced results and not a BSOD. I'm not sure if that's because they use an older version of CAPE which might not have this problem, or if they default to using thread-based monitoring.
It works on my CAPE too, I'm on latest.
Working fine for me
Weird. Must be something with my VM. Maybe a slightly different Windows build. Any suggestions on how to isolate the problem?
well some more info such as the analysis log might be nice
The analysis log is empty. And now I can't reproduce the error after I was able to get it to BSOD a couple times earlier in the day. Really weird.