Overview

overview

10

Static

static

3

c860bf644b...7a.exe

windows7_x64

7

c860bf644b...7a.exe

windows10-2004_x64

10

Resubmissions

24-02-2022 10:10

220224-l7djracga3 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a

  • Size

    7MB

  • Sample

    220224-l7djracga3

  • MD5

    33f612338b6b5e6b4fe8cbb17208795c

  • SHA1

    66535700bbce7f90d2add7c504bc0e0523d4d71d

  • SHA256

    c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a

  • SHA512

    7dfce042f5287858cf1d2942f6672084d01ad5677c7b47a1e9c2bcd4e0a2ea375ccd3a33676dc64dbe28edfe4fd19d25de5232c8fd23c0c7b24708c85b647fb2

Score
10/10
pyinstallerransomwarespywarestealer

Malware Config

Extracted

Path

C:\re_ad_me.txt

Ransom Note
All of your files are currently encrypted by ZEON strain. As you know (if you don't - just "google it"), all of the data that has been encrypted by our software cannot be recovered by any means without contacting our team directly. If you try to use any additional recovery software - the files might be damaged, so if you are willing to try - try it on the data of the lowest value. To make sure that we REALLY CAN get your data back - we offer you to decrypt 2 random files completely free of charge. You can contact our team directly for further instructions through our website : TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://zeonrefpbompx6rwdqa5hxgtp2cxgfmoymlli3azoanisze33pp3x3yd.onion/ YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded a pack of your internal data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us as soon as possible. ---BEGIN ID--- FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh ---END ID---
URLs

http://zeonrefpbompx6rwdqa5hxgtp2cxgfmoymlli3azoanisze33pp3x3yd.onion/

Targets

    • Target

      c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a

    • Size

      7MB

    • MD5

      33f612338b6b5e6b4fe8cbb17208795c

    • SHA1

      66535700bbce7f90d2add7c504bc0e0523d4d71d

    • SHA256

      c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a

    • SHA512

      7dfce042f5287858cf1d2942f6672084d01ad5677c7b47a1e9c2bcd4e0a2ea375ccd3a33676dc64dbe28edfe4fd19d25de5232c8fd23c0c7b24708c85b647fb2

    Score
    10/10
    ransomwarespywarestealer

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Sets desktop wallpaper using registry

      ransomware

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Matrix

Collection

Data from Local System

1
T1005

Command and Control

Credential Access

Credentials in Files

1
T1081

Defense Evasion

Modify Registry

1
T1112

Discovery

Execution

Exfiltration

Impact

Defacement

1
T1491

Initial Access

Lateral Movement

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Tasks