Analysis
-
max time kernel
154s -
max time network
125s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
08-12-2021 15:29
Static task
static1
Behavioral task
behavioral1
Sample
ZL2.ex_.exe
Resource
win7-en-20211208
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
ZL2.ex_.exe
Resource
win10-en-20211208
windows10_x64
0 signatures
0 seconds
General
-
Target
ZL2.ex_.exe
-
Size
669KB
-
MD5
ed7d859df562c7679dfcb14ee359ff2a
-
SHA1
cde2bfc546f6fc85bcdf5d35bfbd2d17d5c7c91c
-
SHA256
c2a78b419e7d33de9e7418306f30623970a02d4d41c562e99581d0dc3e0bdb08
-
SHA512
730c6940dc83f071cb65ebc3dacde8ddde5147e722cdb027d3feb8fe42bf7b6b0f699ff8b744b7f0dc0ca0fd6762b42acee4b2d67220b637cee0c82ae893bf80
Malware Config
Extracted
Path
\??\Z:\Boot\HOW_TO_RECOVER_DATA.html
Ransom Note
<html>
<style type="text/css">
body {
background-color: #f5f5f5;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
display: block;
margin: auto;
}
.tabs1 .head{
text-align: center;
float: top;
padding: 0px;
text-transform: uppercase;
font-weight: normal;
display: block;
background: #81bef7;
color: #DF0101;
font-size: 30px;
}
.tabs1 .identi {
font-size: 10px;
text-align: center;
float: top;
padding: 15px;
display: block;
background: #81bef7;
color: #DFDFDF;
}
.tabs .content {
background: #f5f5f5;
/*text-align: center;*/
color: #000000;
padding: 25px 15px;
font-size: 15px;
font-weight: 400;
line-height: 20px; }
.tabs .content a {
color: #df0130;
font-size: 23px;
font-style: italic;
text-decoration: none;
line-height: 35px; }
.tabs .content .text{
padding: 25px;
line-height: 1.2;
}
</style>
<body>
<div class="tabs1">
<div class="head" ><b>Your personal ID:</b></div>
<div class="identi">
<span style="width:1000px; color: #ffffff; font-size: 10px;">5A19FEC5123B8886B3E2F1BF9402DCF8AAB286B78EE91E9D26DDC49A7CF37B0BFDC3AA05626C30A9F2251870DB7433F1A9161ED686464CD8D43528B6B17BF91A<br>9F20CC65FD3E19C5BA4305B0C4BCF11F63BB83D54F55C6D93E881832B39FA6C837793DFAE1336CB667DB87B452A876A7A2A7E7CF70A317F492FBA0EDB0BD<br>63948CDB4CA5677C186266AF71A40A9B0271855A9E807B54639FE197DB9BFAFEAB3FF94E434BC2BF6DB382312F2C6BD57677FC51070FEF19F15D0CCB6B3A<br>1C4EC79F9B313ECE0053E0659D6DAF48E0F00152E017AE5981BC464D996CB0B65A95BB039238E9AEEDA1148757348B9B3CBF7FAAD62091F615CC668A7416<br>F2C7D44C4528349F8D183D7FD6C0FA7E0612D41EFFD9C5885714CC90BADD2F789ADFD0DF1796C3A4C16C2224EBC77C7EAB85F66FD6AA31A8188D126FBE32<br>A8BDBC12D278D5228CF8D74DB91EB0F9D858B6DC0E3888CEE712075CB00563CADA309CCEEB9D381B38E68A50BC67E957150678BC8D1B472A8063B4A73067<br>8DCACD3FC2B160A27D3EB328E2C0DFBC0A7E0DFFAA840AA3CE8045D452C428FA6236F48CEC2F9500B14B546F9355A594762CDE8926AEC8E7EDB301F25089<br>1AC07CFED0E61BE9E8828CCE6BBB00A6EA969C66565E896970B58F4E11E7B55C5D41FE26D93EEABE1CA7AD708E54C8EB8184A8F2B185391154BDEDA3C43D<br>1762829616FD99F4F25E78BE7332</span> <br>
<!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<div id="tab-content1" class="content">
<div class="text">
<!--text data -->
<b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br>
<b>All your important files have been encrypted!</b><br><br>
<hr>
Your files are safe! Only modified. (RSA+AES)<br><br>
ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br>
WILL PERMANENTLY CORRUPT IT.<br>
DO NOT MODIFY ENCRYPTED FILES.<br>
DO NOT RENAME ENCRYPTED FILES.<br><br>
No software available on internet can help you. We are the only ones able to<br>
solve your problem.<br><br>
We gathered highly confidential/personal data. These data are currently stored on<br>
a private server. This server will be immediately destroyed after your payment.<br>
If you decide to not pay, we will release your data to public or re-seller.<br>
So you can expect your data to be publicly available in the near future..<br><br>
We only seek money and our goal is not to damage your reputation or prevent<br>
your business from running.<br><br>
You will can send us 2-3 non-important files and we will decrypt it for free<br>
to prove we are able to give your files back.<br><br>
<!--text data -->
<hr>
<b>Contact us for price and get decryption software.</b><br><br>
<a>.onion</a><br>
* Note that this server is available via Tor browser only<br><br>
Follow the instructions to open the link:<br>
1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br>
2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br>
3. Now you have Tor browser. In the Tor Browser open <a>.onion<br>
</a>
4. Start a chat and follow the further instructions. <br>
<hr>
<b>If you can not use the above link, use the email:</b><br>
<a href="[email protected] ">[email protected] </a> <br>
<a href=" [email protected]">[email protected]</a> <br>
<p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br>
<b>
IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br>
</div>
</div>
</div>
<!--tab-->
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>
Emails
Signatures
-
LockFile
LockFile is a new ransomware that emerged in July 2021 with ProxyShell vulnerabilties.
-
MedusaLocker
Ransomware with several variants first seen in September 2019.
-
MedusaLocker Payload 2 IoCs
resource yara_rule behavioral1/files/0x0008000000012230-62.dat family_medusalocker behavioral1/files/0x0008000000012230-64.dat family_medusalocker -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 1 IoCs
pid Process 1072 svhost.exe -
Modifies extensions of user files 10 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File renamed C:\Users\Admin\Pictures\NewEnable.png => C:\Users\Admin\Pictures\NewEnable.png.lockfile ZL2.ex_.exe File renamed C:\Users\Admin\Pictures\PingBlock.png => C:\Users\Admin\Pictures\PingBlock.png.lockfile ZL2.ex_.exe File renamed C:\Users\Admin\Pictures\RenameClear.tif => C:\Users\Admin\Pictures\RenameClear.tif.lockfile ZL2.ex_.exe File opened for modification C:\Users\Admin\Pictures\ResetDismount.tiff ZL2.ex_.exe File renamed C:\Users\Admin\Pictures\ResetDismount.tiff => C:\Users\Admin\Pictures\ResetDismount.tiff.lockfile ZL2.ex_.exe File opened for modification C:\Users\Admin\Pictures\UseLimit.tiff ZL2.ex_.exe File renamed C:\Users\Admin\Pictures\ExitOut.raw => C:\Users\Admin\Pictures\ExitOut.raw.lockfile ZL2.ex_.exe File renamed C:\Users\Admin\Pictures\InstallTrace.tif => C:\Users\Admin\Pictures\InstallTrace.tif.lockfile ZL2.ex_.exe File renamed C:\Users\Admin\Pictures\SwitchBlock.tif => C:\Users\Admin\Pictures\SwitchBlock.tif.lockfile ZL2.ex_.exe File renamed C:\Users\Admin\Pictures\UseLimit.tiff => C:\Users\Admin\Pictures\UseLimit.tiff.lockfile ZL2.ex_.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ZL2.ex_.exe -
Drops desktop.ini file(s) 1 IoCs
description ioc Process File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-2329389628-4064185017-3901522362-1000\desktop.ini ZL2.ex_.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\U: ZL2.ex_.exe File opened (read-only) \??\Y: ZL2.ex_.exe File opened (read-only) \??\B: ZL2.ex_.exe File opened (read-only) \??\J: ZL2.ex_.exe File opened (read-only) \??\M: ZL2.ex_.exe File opened (read-only) \??\O: ZL2.ex_.exe File opened (read-only) \??\P: ZL2.ex_.exe File opened (read-only) \??\R: ZL2.ex_.exe File opened (read-only) \??\H: ZL2.ex_.exe File opened (read-only) \??\S: ZL2.ex_.exe File opened (read-only) \??\X: ZL2.ex_.exe File opened (read-only) \??\Z: ZL2.ex_.exe File opened (read-only) \??\L: ZL2.ex_.exe File opened (read-only) \??\T: ZL2.ex_.exe File opened (read-only) \??\A: ZL2.ex_.exe File opened (read-only) \??\E: ZL2.ex_.exe File opened (read-only) \??\F: ZL2.ex_.exe File opened (read-only) \??\G: ZL2.ex_.exe File opened (read-only) \??\I: ZL2.ex_.exe File opened (read-only) \??\K: ZL2.ex_.exe File opened (read-only) \??\N: ZL2.ex_.exe File opened (read-only) \??\Q: ZL2.ex_.exe File opened (read-only) \??\V: ZL2.ex_.exe File opened (read-only) \??\W: ZL2.ex_.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 1736 vssadmin.exe 968 vssadmin.exe 1184 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1660 ZL2.ex_.exe 1660 ZL2.ex_.exe 1660 ZL2.ex_.exe 1660 ZL2.ex_.exe 1660 ZL2.ex_.exe 1660 ZL2.ex_.exe 1660 ZL2.ex_.exe 1660 ZL2.ex_.exe 1660 ZL2.ex_.exe 1660 ZL2.ex_.exe 1660 ZL2.ex_.exe 1660 ZL2.ex_.exe 1660 ZL2.ex_.exe 1660 ZL2.ex_.exe 1660 ZL2.ex_.exe 1660 ZL2.ex_.exe 1660 ZL2.ex_.exe 1660 ZL2.ex_.exe 1660 ZL2.ex_.exe 1660 ZL2.ex_.exe 1660 ZL2.ex_.exe 1660 ZL2.ex_.exe 1660 ZL2.ex_.exe 1660 ZL2.ex_.exe 1660 ZL2.ex_.exe 1660 ZL2.ex_.exe 1660 ZL2.ex_.exe 1660 ZL2.ex_.exe 1660 ZL2.ex_.exe 1660 ZL2.ex_.exe 1660 ZL2.ex_.exe 1660 ZL2.ex_.exe 1660 ZL2.ex_.exe 1660 ZL2.ex_.exe 1660 ZL2.ex_.exe 1660 ZL2.ex_.exe 1660 ZL2.ex_.exe 1660 ZL2.ex_.exe 1660 ZL2.ex_.exe 1660 ZL2.ex_.exe 1660 ZL2.ex_.exe 1660 ZL2.ex_.exe 1660 ZL2.ex_.exe 1660 ZL2.ex_.exe 1660 ZL2.ex_.exe 1660 ZL2.ex_.exe 1660 ZL2.ex_.exe 1660 ZL2.ex_.exe 1660 ZL2.ex_.exe 1660 ZL2.ex_.exe 1660 ZL2.ex_.exe 1660 ZL2.ex_.exe 1660 ZL2.ex_.exe 1660 ZL2.ex_.exe 1660 ZL2.ex_.exe 1660 ZL2.ex_.exe 1660 ZL2.ex_.exe 1660 ZL2.ex_.exe 1660 ZL2.ex_.exe 1660 ZL2.ex_.exe 1660 ZL2.ex_.exe 1660 ZL2.ex_.exe 1660 ZL2.ex_.exe 1660 ZL2.ex_.exe -
Suspicious use of AdjustPrivilegeToken 63 IoCs
description pid Process Token: SeBackupPrivilege 1628 vssvc.exe Token: SeRestorePrivilege 1628 vssvc.exe Token: SeAuditPrivilege 1628 vssvc.exe Token: SeIncreaseQuotaPrivilege 1988 wmic.exe Token: SeSecurityPrivilege 1988 wmic.exe Token: SeTakeOwnershipPrivilege 1988 wmic.exe Token: SeLoadDriverPrivilege 1988 wmic.exe Token: SeSystemProfilePrivilege 1988 wmic.exe Token: SeSystemtimePrivilege 1988 wmic.exe Token: SeProfSingleProcessPrivilege 1988 wmic.exe Token: SeIncBasePriorityPrivilege 1988 wmic.exe Token: SeCreatePagefilePrivilege 1988 wmic.exe Token: SeBackupPrivilege 1988 wmic.exe Token: SeRestorePrivilege 1988 wmic.exe Token: SeShutdownPrivilege 1988 wmic.exe Token: SeDebugPrivilege 1988 wmic.exe Token: SeSystemEnvironmentPrivilege 1988 wmic.exe Token: SeRemoteShutdownPrivilege 1988 wmic.exe Token: SeUndockPrivilege 1988 wmic.exe Token: SeManageVolumePrivilege 1988 wmic.exe Token: 33 1988 wmic.exe Token: 34 1988 wmic.exe Token: 35 1988 wmic.exe Token: SeIncreaseQuotaPrivilege 964 wmic.exe Token: SeSecurityPrivilege 964 wmic.exe Token: SeTakeOwnershipPrivilege 964 wmic.exe Token: SeLoadDriverPrivilege 964 wmic.exe Token: SeSystemProfilePrivilege 964 wmic.exe Token: SeSystemtimePrivilege 964 wmic.exe Token: SeProfSingleProcessPrivilege 964 wmic.exe Token: SeIncBasePriorityPrivilege 964 wmic.exe Token: SeCreatePagefilePrivilege 964 wmic.exe Token: SeBackupPrivilege 964 wmic.exe Token: SeRestorePrivilege 964 wmic.exe Token: SeShutdownPrivilege 964 wmic.exe Token: SeDebugPrivilege 964 wmic.exe Token: SeSystemEnvironmentPrivilege 964 wmic.exe Token: SeRemoteShutdownPrivilege 964 wmic.exe Token: SeUndockPrivilege 964 wmic.exe Token: SeManageVolumePrivilege 964 wmic.exe Token: 33 964 wmic.exe Token: 34 964 wmic.exe Token: 35 964 wmic.exe Token: SeIncreaseQuotaPrivilege 1608 wmic.exe Token: SeSecurityPrivilege 1608 wmic.exe Token: SeTakeOwnershipPrivilege 1608 wmic.exe Token: SeLoadDriverPrivilege 1608 wmic.exe Token: SeSystemProfilePrivilege 1608 wmic.exe Token: SeSystemtimePrivilege 1608 wmic.exe Token: SeProfSingleProcessPrivilege 1608 wmic.exe Token: SeIncBasePriorityPrivilege 1608 wmic.exe Token: SeCreatePagefilePrivilege 1608 wmic.exe Token: SeBackupPrivilege 1608 wmic.exe Token: SeRestorePrivilege 1608 wmic.exe Token: SeShutdownPrivilege 1608 wmic.exe Token: SeDebugPrivilege 1608 wmic.exe Token: SeSystemEnvironmentPrivilege 1608 wmic.exe Token: SeRemoteShutdownPrivilege 1608 wmic.exe Token: SeUndockPrivilege 1608 wmic.exe Token: SeManageVolumePrivilege 1608 wmic.exe Token: 33 1608 wmic.exe Token: 34 1608 wmic.exe Token: 35 1608 wmic.exe -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 1660 wrote to memory of 1736 1660 ZL2.ex_.exe 27 PID 1660 wrote to memory of 1736 1660 ZL2.ex_.exe 27 PID 1660 wrote to memory of 1736 1660 ZL2.ex_.exe 27 PID 1660 wrote to memory of 1736 1660 ZL2.ex_.exe 27 PID 1660 wrote to memory of 1988 1660 ZL2.ex_.exe 30 PID 1660 wrote to memory of 1988 1660 ZL2.ex_.exe 30 PID 1660 wrote to memory of 1988 1660 ZL2.ex_.exe 30 PID 1660 wrote to memory of 1988 1660 ZL2.ex_.exe 30 PID 1660 wrote to memory of 968 1660 ZL2.ex_.exe 32 PID 1660 wrote to memory of 968 1660 ZL2.ex_.exe 32 PID 1660 wrote to memory of 968 1660 ZL2.ex_.exe 32 PID 1660 wrote to memory of 968 1660 ZL2.ex_.exe 32 PID 1660 wrote to memory of 964 1660 ZL2.ex_.exe 34 PID 1660 wrote to memory of 964 1660 ZL2.ex_.exe 34 PID 1660 wrote to memory of 964 1660 ZL2.ex_.exe 34 PID 1660 wrote to memory of 964 1660 ZL2.ex_.exe 34 PID 1660 wrote to memory of 1184 1660 ZL2.ex_.exe 36 PID 1660 wrote to memory of 1184 1660 ZL2.ex_.exe 36 PID 1660 wrote to memory of 1184 1660 ZL2.ex_.exe 36 PID 1660 wrote to memory of 1184 1660 ZL2.ex_.exe 36 PID 1660 wrote to memory of 1608 1660 ZL2.ex_.exe 38 PID 1660 wrote to memory of 1608 1660 ZL2.ex_.exe 38 PID 1660 wrote to memory of 1608 1660 ZL2.ex_.exe 38 PID 1660 wrote to memory of 1608 1660 ZL2.ex_.exe 38 PID 1692 wrote to memory of 1072 1692 taskeng.exe 44 PID 1692 wrote to memory of 1072 1692 taskeng.exe 44 PID 1692 wrote to memory of 1072 1692 taskeng.exe 44 PID 1692 wrote to memory of 1072 1692 taskeng.exe 44 -
System policy modification 1 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" ZL2.ex_.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ZL2.ex_.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" ZL2.ex_.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ZL2.ex_.exe"C:\Users\Admin\AppData\Local\Temp\ZL2.ex_.exe"1⤵
- Modifies extensions of user files
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1660 -
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
PID:1736
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1988
-
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
PID:968
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:964
-
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
PID:1184
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1608
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1628
-
C:\Windows\system32\taskeng.exetaskeng.exe {8109592C-3746-4453-8035-3D862488627B} S-1-5-21-2329389628-4064185017-3901522362-1000:QSKGHMYQ\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
PID:1692 -
C:\Users\Admin\AppData\Roaming\svhost.exeC:\Users\Admin\AppData\Roaming\svhost.exe2⤵
- Executes dropped EXE
PID:1072
-