Resubmissions

17/04/2023, 18:58 UTC

230417-xmtwsahd5w 1

17/04/2023, 14:47 UTC

230417-r5yd2aef58 3

Analysis

  • max time kernel
    69s
  • max time network
    210s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17/04/2023, 14:47 UTC

General

  • Target

    theZoo-master/imports/terminal_handler.py

  • Size

    6KB

  • MD5

    8607a2b55eeb72569f6b040ce9eab020

  • SHA1

    035e869ba246d9000b7074d0c5c9f602d3110c9e

  • SHA256

    ede24040ef72dbcfcb322bf492891b3dc40036996252cc770a53074bd15ba154

  • SHA512

    4add13620a54781c6b35f30a117c49ed0f87466b24d568d7097d4581335ad82f40813911f5f5d156a4b12daab6bfbf6382fe77eca88891ab025a5eb1cefdc298

  • SSDEEP

    96:0nJX0rVshjW+31xNwwS8pymrEpfMNtBSBT6HUNBzC9uKOtAF9EcCEZirrWb:0nThjW+9wwBpYUBQ8olkse9Sro

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs

Processes

  • C:\Windows\system32\cmd.exe (PID 4432)
    cmd /c C:\Users\Admin\AppData\Local\Temp\theZoo-master\imports\terminal_handler.py
    Signatures: Modifies registry class
  • C:\Windows\system32\OpenWith.exe (PID 2732)
    C:\Windows\system32\OpenWith.exe -Embedding
    Signatures: Modifies registry class; Suspicious use of SetWindowsHookEx

Network

  • flag-us DNS 55.37.195.20.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 55.37.195.20.in-addr.arpa IN PTR
    Response: (no records)
  • flag-us DNS 198.209.218.23.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 198.209.218.23.in-addr.arpa IN PTR
    Response: 198.209.218.23.in-addr.arpa IN PTR a23-218-209-198.deploy.static.akamaitechnologies.com
  • flag-us DNS 97.17.167.52.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 97.17.167.52.in-addr.arpa IN PTR
    Response: (no records)
  • flag-us DNS 73.159.190.20.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 73.159.190.20.in-addr.arpa IN PTR
    Response: (no records)
  • flag-us DNS 44.8.109.52.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 44.8.109.52.in-addr.arpa IN PTR
    Response: (no records)
  • flag-us DNS 123.108.74.40.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 123.108.74.40.in-addr.arpa IN PTR
    Response: (no records)
  • flag-us DNS 15.164.165.52.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 15.164.165.52.in-addr.arpa IN PTR
    Response: (no records)
  • 209.197.3.8:80; 322 B; 7
  • 93.184.220.29:80; 322 B; 7
  • 20.189.173.5:443; 322 B; 7
  • 209.197.3.8:80; 322 B; 7
  • 209.197.3.8:80; 322 B; 7
  • 8.8.8.8:53; 55.37.195.20.in-addr.arpa; dns; 71 B; 157 B; 1; 1
    DNS Request: 55.37.195.20.in-addr.arpa
  • 8.8.8.8:53; 198.209.218.23.in-addr.arpa; dns; 73 B; 139 B; 1; 1
    DNS Request: 198.209.218.23.in-addr.arpa
  • 8.8.8.8:53; 97.17.167.52.in-addr.arpa; dns; 71 B; 145 B; 1; 1
    DNS Request: 97.17.167.52.in-addr.arpa
  • 8.8.8.8:53; 73.159.190.20.in-addr.arpa; dns; 72 B; 158 B; 1; 1
    DNS Request: 73.159.190.20.in-addr.arpa
  • 8.8.8.8:53; 44.8.109.52.in-addr.arpa; dns; 70 B; 144 B; 1; 1
    DNS Request: 44.8.109.52.in-addr.arpa
  • 8.8.8.8:53; 123.108.74.40.in-addr.arpa; dns; 72 B; 146 B; 1; 1
    DNS Request: 123.108.74.40.in-addr.arpa
  • 8.8.8.8:53; 15.164.165.52.in-addr.arpa; dns; 72 B; 146 B; 1; 1
    DNS Request: 15.164.165.52.in-addr.arpa

MITRE ATT&CK Enterprise v6
