zebrocy | eabde0185b4ff5b906aee5d9e6fd96cdbfa49ba747b240d4785ee680eb4d0a3d

Analysis

max time kernel
1604s
max time network
1616s
platform
windows7_x64
resource
win7-20220414-en
submitted
07-05-2022 05:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

update.exe
Size

5.5MB
MD5

0c102c54f0ad17c2cdd9c89c5c3f3cf7
SHA1

844fab5d39fc17eef2f7a1dc3be91ead3150c857
SHA256

eece013ca6b8ce18ad9dfafa95689aa683586aa812d911457e97b0cff6db5113
SHA512

62a9d1338bce7a83e4e4258920b7a35d3263e7a2e356824d12c0b3b9ebd124d7e0a58bc7fb516a3733c668d7d25b39c2814ed7e0c810b4fac30ac08e53f5a675

Score

10^/10

zebrocy backdoor ransomware spyware stealer trojan vmprotect

Malware Config

Signatures

Zebrocy
Zebrocy is a backdoor created by Sofacy threat group and has multiple variants developed in different languages.
trojan backdoor zebrocy

Zebrocy Go Variant 2 IoCs

resource	yara_rule
behavioral1/memory/960-55-0x0000000000400000-0x0000000000FEF000-memory.dmp	Zebrocy
behavioral1/memory/960-57-0x0000000000400000-0x0000000000FEF000-memory.dmp	Zebrocy

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\UnblockSplit.png => C:\Users\Admin\Pictures\UnblockSplit.pngXRJFN	update.exe
File renamed	C:\Users\Admin\Pictures\ResolveOpen.raw => C:\Users\Admin\Pictures\ResolveOpen.rawCXQPa	update.exe

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/960-55-0x0000000000400000-0x0000000000FEF000-memory.dmp	vmprotect
behavioral1/memory/960-57-0x0000000000400000-0x0000000000FEF000-memory.dmp	vmprotect

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	update.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	update.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	update.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	update.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\PICCAP98.POC	update.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_bw48.png	update.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)redStateIcon.png	update.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02120_.WMF	update.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Earthy.css	update.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\XML2WORD.XSL	update.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\css\picturePuzzle.css	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwritash.dat	update.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.app_1.0.300.v20140228-1829.jar	update.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\item_hover_floating.png	update.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\STSUCRES.DLL	update.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE01172_.WMF	update.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02067_.WMF	update.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\PROG98.POC	update.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\CURRENCY.HTM	update.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_SelectionSubpictureA.png	update.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-templates_ja.jar	update.exe
File opened for modification	C:\Program Files\Java\jre7\lib\alt-rt.jar	update.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SLATE\SLATE.INF	update.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATERMAR\WATERMAR.INF	update.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287020.WMF	update.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\OFFOWCI.DLL	update.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN108.XML	update.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ExecutiveMergeLetter.dotx	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-correct.avi	update.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty_dot.png	update.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\Verisign\Components\VeriSign_Class_3_Code_Signing_2001-4_CA.cer	update.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\ActiveTabImageMask.bmp	update.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSOCF.DLL	update.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\EXCEL.DEV.HXS	update.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt	update.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD08868_.WMF	update.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS01638_.WMF	update.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15171_.GIF	update.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationLeft_ButtonGraphic.png	update.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.nl_ja_4.4.0.v20140623020002.jar	update.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN096.XML	update.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\THOCRAPI.DLL	update.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\MANIFEST.MF	update.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0200521.WMF	update.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\VeriSignLogo.jpg	update.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\css\settings.css	update.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Clarity.thmx	update.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101866.BMP	update.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passport_mask_left.png	update.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\trad_h.png	update.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00234_.WMF	update.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099173.WMF	update.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\TABON.JPG	update.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\square.png	update.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\1.png	update.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099148.JPG	update.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPAPERS.INI	update.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Novosibirsk	update.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02748G.GIF	update.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0313965.JPG	update.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\modern.png	update.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.views.nl_ja_4.4.0.v20140623020002.jar	update.exe
File opened for modification	C:\Program Files\Java\jre7\lib\cmm\CIEXYZ.pf	update.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Aqtobe	update.exe
File opened for modification	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\en-US\enu-dsk\M1033DSK.APL	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Notebook.jpg	update.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SplashScreen.bmp	update.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\XLCPRTID.XML	update.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
960	update.exe
960	update.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	320	vssvc.exe
Token: SeRestorePrivilege	320	vssvc.exe
Token: SeAuditPrivilege	320	vssvc.exe

C:\Users\Admin\AppData\Local\Temp\update.exe
"C:\Users\Admin\AppData\Local\Temp\update.exe"
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:960

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:320

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/960-54-0x00000000769D1000-0x00000000769D3000-memory.dmp

Filesize
8KB

Download
memory/960-55-0x0000000000400000-0x0000000000FEF000-memory.dmp

Filesize
11.9MB

Download
memory/960-57-0x0000000000400000-0x0000000000FEF000-memory.dmp

Filesize
11.9MB

Download