Analysis
-
max time kernel
144s -
max time network
138s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
08-12-2021 15:29
Static task
static1
Behavioral task
behavioral1
Sample
ZL2.ex_.exe
Resource
win7-en-20211208
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
ZL2.ex_.exe
Resource
win10-en-20211208
windows10_x64
0 signatures
0 seconds
General
-
Target
ZL2.ex_.exe
-
Size
669KB
-
MD5
ed7d859df562c7679dfcb14ee359ff2a
-
SHA1
cde2bfc546f6fc85bcdf5d35bfbd2d17d5c7c91c
-
SHA256
c2a78b419e7d33de9e7418306f30623970a02d4d41c562e99581d0dc3e0bdb08
-
SHA512
730c6940dc83f071cb65ebc3dacde8ddde5147e722cdb027d3feb8fe42bf7b6b0f699ff8b744b7f0dc0ca0fd6762b42acee4b2d67220b637cee0c82ae893bf80
Malware Config
Extracted
Path
C:\odt\HOW_TO_RECOVER_DATA.html
Ransom Note
<html>
<style type="text/css">
body {
background-color: #f5f5f5;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
display: block;
margin: auto;
}
.tabs1 .head{
text-align: center;
float: top;
padding: 0px;
text-transform: uppercase;
font-weight: normal;
display: block;
background: #81bef7;
color: #DF0101;
font-size: 30px;
}
.tabs1 .identi {
font-size: 10px;
text-align: center;
float: top;
padding: 15px;
display: block;
background: #81bef7;
color: #DFDFDF;
}
.tabs .content {
background: #f5f5f5;
/*text-align: center;*/
color: #000000;
padding: 25px 15px;
font-size: 15px;
font-weight: 400;
line-height: 20px; }
.tabs .content a {
color: #df0130;
font-size: 23px;
font-style: italic;
text-decoration: none;
line-height: 35px; }
.tabs .content .text{
padding: 25px;
line-height: 1.2;
}
</style>
<body>
<div class="tabs1">
<div class="head" ><b>Your personal ID:</b></div>
<div class="identi">
<span style="width:1000px; color: #ffffff; font-size: 10px;">3625D970D7AF46B013E13E206A66D90A582504BA34C4119772F5CC974CADE1A3CFFDF1D9F9C6DA5F570BF165E755590020EDD9ED75D27BCE10844D49E0C12E8A<br>2F1360242E641C24B4F07E0EDB4D916C6B1D328C61405D188197202C68FF955037E1EBFFE60D1B8A5A49944A033537518C13557F6AD381F88CC2DB38E080<br>F9246792758D5E354FD1E840ED526F614C93457DAC53C0A524D76BF91E67F9E797308E4D67F43AA610CD4DA7DE17507CC9F21DE79AC7A3DE1C0FC6432E16<br>29C399CA96381D9F10558AC831F9922E72D0FEBDF9EFC6CC0603D1CC2244FB7207C0CBF896CFF2C88E0335EE35B98290CE101A0C046BC9120578240A074B<br>6C8F67D61898FE8F3143BECFCCD54F6598EC4DAF74808FAE87D59EC3E47121C8E37C8D2C8CAF0B96DC65F95CA19D5A8D214B4BCE47BF8B7A5FA50D429C09<br>BA657E3B6EE8BEBD59DE10137B80CEFC7F71F2AA0FB828362E8A604A43B5037B87A8797EE7CD3565C5444E3BBA4B9F0451F813BB504DA340AC2610E2579A<br>6F60E34976F808ABC65CA1E188D776C9E82199B583CC0C73E8B18B67B459F3B07071EAEA3972CFF693FE8C68ACAC7969C917B8F62ECAE4CFBE76206C3DBF<br>D45F6DDAF5DB3A2BF99D1D9B0DB502181AA563321657F949D783AF94F3CF8866D4D860937086C9F22E9CF664466FE1F874712360106C89D15EAD868556E2<br>49AF851FB5BF4F675E7FF155539A</span> <br>
<!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<div id="tab-content1" class="content">
<div class="text">
<!--text data -->
<b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br>
<b>All your important files have been encrypted!</b><br><br>
<hr>
Your files are safe! Only modified. (RSA+AES)<br><br>
ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br>
WILL PERMANENTLY CORRUPT IT.<br>
DO NOT MODIFY ENCRYPTED FILES.<br>
DO NOT RENAME ENCRYPTED FILES.<br><br>
No software available on internet can help you. We are the only ones able to<br>
solve your problem.<br><br>
We gathered highly confidential/personal data. These data are currently stored on<br>
a private server. This server will be immediately destroyed after your payment.<br>
If you decide to not pay, we will release your data to public or re-seller.<br>
So you can expect your data to be publicly available in the near future..<br><br>
We only seek money and our goal is not to damage your reputation or prevent<br>
your business from running.<br><br>
You will can send us 2-3 non-important files and we will decrypt it for free<br>
to prove we are able to give your files back.<br><br>
<!--text data -->
<hr>
<b>Contact us for price and get decryption software.</b><br><br>
<a>.onion</a><br>
* Note that this server is available via Tor browser only<br><br>
Follow the instructions to open the link:<br>
1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br>
2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br>
3. Now you have Tor browser. In the Tor Browser open <a>.onion<br>
</a>
4. Start a chat and follow the further instructions. <br>
<hr>
<b>If you can not use the above link, use the email:</b><br>
<a href="[email protected] ">[email protected] </a> <br>
<a href=" [email protected]">[email protected]</a> <br>
<p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br>
<b>
IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br>
</div>
</div>
</div>
<!--tab-->
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>
Emails
Signatures
-
LockFile
LockFile is a new ransomware that emerged in July 2021 with ProxyShell vulnerabilties.
-
MedusaLocker
Ransomware with several variants first seen in September 2019.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File renamed C:\Users\Admin\Pictures\RedoGet.png => C:\Users\Admin\Pictures\RedoGet.png.lockfile ZL2.ex_.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ZL2.ex_.exe -
Drops desktop.ini file(s) 1 IoCs
description ioc Process File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-2361464256-2201551969-2316606395-1000\desktop.ini ZL2.ex_.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\F: ZL2.ex_.exe File opened (read-only) \??\K: ZL2.ex_.exe File opened (read-only) \??\L: ZL2.ex_.exe File opened (read-only) \??\O: ZL2.ex_.exe File opened (read-only) \??\T: ZL2.ex_.exe File opened (read-only) \??\Z: ZL2.ex_.exe File opened (read-only) \??\A: ZL2.ex_.exe File opened (read-only) \??\G: ZL2.ex_.exe File opened (read-only) \??\H: ZL2.ex_.exe File opened (read-only) \??\M: ZL2.ex_.exe File opened (read-only) \??\P: ZL2.ex_.exe File opened (read-only) \??\W: ZL2.ex_.exe File opened (read-only) \??\B: ZL2.ex_.exe File opened (read-only) \??\I: ZL2.ex_.exe File opened (read-only) \??\J: ZL2.ex_.exe File opened (read-only) \??\Q: ZL2.ex_.exe File opened (read-only) \??\U: ZL2.ex_.exe File opened (read-only) \??\V: ZL2.ex_.exe File opened (read-only) \??\Y: ZL2.ex_.exe File opened (read-only) \??\E: ZL2.ex_.exe File opened (read-only) \??\R: ZL2.ex_.exe File opened (read-only) \??\S: ZL2.ex_.exe File opened (read-only) \??\X: ZL2.ex_.exe File opened (read-only) \??\N: ZL2.ex_.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 4176 vssadmin.exe 4344 vssadmin.exe 4148 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3460 ZL2.ex_.exe 3460 ZL2.ex_.exe 3460 ZL2.ex_.exe 3460 ZL2.ex_.exe 3460 ZL2.ex_.exe 3460 ZL2.ex_.exe 3460 ZL2.ex_.exe 3460 ZL2.ex_.exe 3460 ZL2.ex_.exe 3460 ZL2.ex_.exe 3460 ZL2.ex_.exe 3460 ZL2.ex_.exe 3460 ZL2.ex_.exe 3460 ZL2.ex_.exe 3460 ZL2.ex_.exe 3460 ZL2.ex_.exe 3460 ZL2.ex_.exe 3460 ZL2.ex_.exe 3460 ZL2.ex_.exe 3460 ZL2.ex_.exe 3460 ZL2.ex_.exe 3460 ZL2.ex_.exe 3460 ZL2.ex_.exe 3460 ZL2.ex_.exe 3460 ZL2.ex_.exe 3460 ZL2.ex_.exe 3460 ZL2.ex_.exe 3460 ZL2.ex_.exe 3460 ZL2.ex_.exe 3460 ZL2.ex_.exe 3460 ZL2.ex_.exe 3460 ZL2.ex_.exe 3460 ZL2.ex_.exe 3460 ZL2.ex_.exe 3460 ZL2.ex_.exe 3460 ZL2.ex_.exe 3460 ZL2.ex_.exe 3460 ZL2.ex_.exe 3460 ZL2.ex_.exe 3460 ZL2.ex_.exe 3460 ZL2.ex_.exe 3460 ZL2.ex_.exe 3460 ZL2.ex_.exe 3460 ZL2.ex_.exe 3460 ZL2.ex_.exe 3460 ZL2.ex_.exe 3460 ZL2.ex_.exe 3460 ZL2.ex_.exe 3460 ZL2.ex_.exe 3460 ZL2.ex_.exe 3460 ZL2.ex_.exe 3460 ZL2.ex_.exe 3460 ZL2.ex_.exe 3460 ZL2.ex_.exe 3460 ZL2.ex_.exe 3460 ZL2.ex_.exe 3460 ZL2.ex_.exe 3460 ZL2.ex_.exe 3460 ZL2.ex_.exe 3460 ZL2.ex_.exe 3460 ZL2.ex_.exe 3460 ZL2.ex_.exe 3460 ZL2.ex_.exe 3460 ZL2.ex_.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeBackupPrivilege 1908 vssvc.exe Token: SeRestorePrivilege 1908 vssvc.exe Token: SeAuditPrivilege 1908 vssvc.exe Token: SeIncreaseQuotaPrivilege 4464 wmic.exe Token: SeSecurityPrivilege 4464 wmic.exe Token: SeTakeOwnershipPrivilege 4464 wmic.exe Token: SeLoadDriverPrivilege 4464 wmic.exe Token: SeSystemProfilePrivilege 4464 wmic.exe Token: SeSystemtimePrivilege 4464 wmic.exe Token: SeProfSingleProcessPrivilege 4464 wmic.exe Token: SeIncBasePriorityPrivilege 4464 wmic.exe Token: SeCreatePagefilePrivilege 4464 wmic.exe Token: SeBackupPrivilege 4464 wmic.exe Token: SeRestorePrivilege 4464 wmic.exe Token: SeShutdownPrivilege 4464 wmic.exe Token: SeDebugPrivilege 4464 wmic.exe Token: SeSystemEnvironmentPrivilege 4464 wmic.exe Token: SeRemoteShutdownPrivilege 4464 wmic.exe Token: SeUndockPrivilege 4464 wmic.exe Token: SeManageVolumePrivilege 4464 wmic.exe Token: 33 4464 wmic.exe Token: 34 4464 wmic.exe Token: 35 4464 wmic.exe Token: 36 4464 wmic.exe Token: SeIncreaseQuotaPrivilege 3816 wmic.exe Token: SeSecurityPrivilege 3816 wmic.exe Token: SeTakeOwnershipPrivilege 3816 wmic.exe Token: SeLoadDriverPrivilege 3816 wmic.exe Token: SeSystemProfilePrivilege 3816 wmic.exe Token: SeSystemtimePrivilege 3816 wmic.exe Token: SeProfSingleProcessPrivilege 3816 wmic.exe Token: SeIncBasePriorityPrivilege 3816 wmic.exe Token: SeCreatePagefilePrivilege 3816 wmic.exe Token: SeBackupPrivilege 3816 wmic.exe Token: SeRestorePrivilege 3816 wmic.exe Token: SeShutdownPrivilege 3816 wmic.exe Token: SeDebugPrivilege 3816 wmic.exe Token: SeSystemEnvironmentPrivilege 3816 wmic.exe Token: SeRemoteShutdownPrivilege 3816 wmic.exe Token: SeUndockPrivilege 3816 wmic.exe Token: SeManageVolumePrivilege 3816 wmic.exe Token: 33 3816 wmic.exe Token: 34 3816 wmic.exe Token: 35 3816 wmic.exe Token: 36 3816 wmic.exe Token: SeIncreaseQuotaPrivilege 516 wmic.exe Token: SeSecurityPrivilege 516 wmic.exe Token: SeTakeOwnershipPrivilege 516 wmic.exe Token: SeLoadDriverPrivilege 516 wmic.exe Token: SeSystemProfilePrivilege 516 wmic.exe Token: SeSystemtimePrivilege 516 wmic.exe Token: SeProfSingleProcessPrivilege 516 wmic.exe Token: SeIncBasePriorityPrivilege 516 wmic.exe Token: SeCreatePagefilePrivilege 516 wmic.exe Token: SeBackupPrivilege 516 wmic.exe Token: SeRestorePrivilege 516 wmic.exe Token: SeShutdownPrivilege 516 wmic.exe Token: SeDebugPrivilege 516 wmic.exe Token: SeSystemEnvironmentPrivilege 516 wmic.exe Token: SeRemoteShutdownPrivilege 516 wmic.exe Token: SeUndockPrivilege 516 wmic.exe Token: SeManageVolumePrivilege 516 wmic.exe Token: 33 516 wmic.exe Token: 34 516 wmic.exe -
Suspicious use of WriteProcessMemory 18 IoCs
description pid Process procid_target PID 3460 wrote to memory of 4176 3460 ZL2.ex_.exe 68 PID 3460 wrote to memory of 4176 3460 ZL2.ex_.exe 68 PID 3460 wrote to memory of 4176 3460 ZL2.ex_.exe 68 PID 3460 wrote to memory of 4464 3460 ZL2.ex_.exe 73 PID 3460 wrote to memory of 4464 3460 ZL2.ex_.exe 73 PID 3460 wrote to memory of 4464 3460 ZL2.ex_.exe 73 PID 3460 wrote to memory of 4344 3460 ZL2.ex_.exe 75 PID 3460 wrote to memory of 4344 3460 ZL2.ex_.exe 75 PID 3460 wrote to memory of 4344 3460 ZL2.ex_.exe 75 PID 3460 wrote to memory of 3816 3460 ZL2.ex_.exe 77 PID 3460 wrote to memory of 3816 3460 ZL2.ex_.exe 77 PID 3460 wrote to memory of 3816 3460 ZL2.ex_.exe 77 PID 3460 wrote to memory of 4148 3460 ZL2.ex_.exe 79 PID 3460 wrote to memory of 4148 3460 ZL2.ex_.exe 79 PID 3460 wrote to memory of 4148 3460 ZL2.ex_.exe 79 PID 3460 wrote to memory of 516 3460 ZL2.ex_.exe 81 PID 3460 wrote to memory of 516 3460 ZL2.ex_.exe 81 PID 3460 wrote to memory of 516 3460 ZL2.ex_.exe 81 -
System policy modification 1 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ZL2.ex_.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" ZL2.ex_.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" ZL2.ex_.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ZL2.ex_.exe"C:\Users\Admin\AppData\Local\Temp\ZL2.ex_.exe"1⤵
- Modifies extensions of user files
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3460 -
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
PID:4176
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4464
-
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
PID:4344
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3816
-
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
PID:4148
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:516
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1908