General

  • Target

    c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a

  • Size

    7MB

  • Sample

    220224-l7djracga3

  • MD5

    33f612338b6b5e6b4fe8cbb17208795c

  • SHA1

    66535700bbce7f90d2add7c504bc0e0523d4d71d

  • SHA256

    c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a

  • SHA512

    7dfce042f5287858cf1d2942f6672084d01ad5677c7b47a1e9c2bcd4e0a2ea375ccd3a33676dc64dbe28edfe4fd19d25de5232c8fd23c0c7b24708c85b647fb2

Malware Config

Extracted

Path

C:\re_ad_me.txt

Ransom Note All of your files are currently encrypted by ZEON strain. As you know (if you don't - just "google it"), all of the data that has been encrypted by our software cannot be recovered by any means without contacting our team directly. If you try to use any additional recovery software - the files might be damaged, so if you are willing to try - try it on the data of the lowest value. To make sure that we REALLY CAN get your data back - we offer you to decrypt 2 random files completely free of charge. You can contact our team directly for further instructions through our website : TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://zeonrefpbompx6rwdqa5hxgtp2cxgfmoymlli3azoanisze33pp3x3yd.onion/ YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded a pack of your internal data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us as soon as possible. ---BEGIN ID--- FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh ---END ID---
URLs

http://zeonrefpbompx6rwdqa5hxgtp2cxgfmoymlli3azoanisze33pp3x3yd.onion/

Targets

    • Target

      c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a

    • Size

      7MB

    • MD5

      33f612338b6b5e6b4fe8cbb17208795c

    • SHA1

      66535700bbce7f90d2add7c504bc0e0523d4d71d

    • SHA256

      c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a

    • SHA512

      7dfce042f5287858cf1d2942f6672084d01ad5677c7b47a1e9c2bcd4e0a2ea375ccd3a33676dc64dbe28edfe4fd19d25de5232c8fd23c0c7b24708c85b647fb2

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix

Command and Control

    Credential Access

    Defense Evasion

    Discovery

      Execution

        Exfiltration

          Impact

          Initial Access

            Lateral Movement

              Persistence

              Privilege Escalation