d4c62215df74753371db33a19a69fccdc4b375c893a4b7f8b30172710fbd4cfa

Resubmissions

10/06/2023, 20:48

230610-zlyjpage81 8

10/06/2023, 20:47

230610-zk964age8z 6

Analysis

max time kernel
149s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
10/06/2023, 20:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

zero.exe
Size

398KB
MD5

bd0a3c308a6d3372817a474b7c653097
SHA1

5ed36132872be3d5d94627b89f15a7369f68fba1
SHA256

d4c62215df74753371db33a19a69fccdc4b375c893a4b7f8b30172710fbd4cfa
SHA512

86c53974da682c9e55a181cacc3ba19a9bfd8df488c536c175695f28f79bb586722f4d6b061aaceb9d0db91996dd0a7e288f413c7d2562fbc5b6a305f747368f
SSDEEP

6144:tYcn3ge+gqzsSALff2TRLz1lTl8TFPUW+8sSZJMidVmXmVcXHU:ttQe+PzsfX2Tpz1daaWnVIgcE

Score

8^/10

persistence ransomware spyware stealer

Malware Config

Signatures

Modifies extensions of user files 6 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\CheckpointComplete.tif.encrypt	zero.exe
File opened for modification	C:\Users\Admin\Pictures\GrantExit.tif.encrypt	zero.exe
File opened for modification	C:\Users\Admin\Pictures\PushResize.png.encrypt	zero.exe
File opened for modification	C:\Users\Admin\Pictures\SplitPop.png.encrypt	zero.exe
File opened for modification	C:\Users\Admin\Pictures\TraceSelect.raw.encrypt	zero.exe
File opened for modification	C:\Users\Admin\Pictures\UnblockUnregister.tiff.encrypt	zero.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FileRescue = "C:\\ZeroLocker\\ZeroRescue.exe"	zero.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	zero.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	zero.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	zero.exe
File created	C:\Windows\assembly\Desktop.ini	zero.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	zero.exe

C:\Users\Admin\AppData\Local\Temp\zero.exe
"C:\Users\Admin\AppData\Local\Temp\zero.exe"
1⤵
- Modifies extensions of user files
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Windows directory
PID:1664

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\SmsRouter\MessageStore\edbres00002.jrs.encrypt

Filesize
64KB

MD5
9a00d2e350f930d916049154b9b0c39a

SHA1
5d5ef318180eea994120acee4af54a6c10e5ad67

SHA256
1029aa71adf1860cf7224271c9c95e2aa8068e4d3518eb6b3a44b107159c9f26

SHA512
928c1eb78562308d2ea02169b9e8c1e16a1edc45eb35fbf354da7edbd73e3e2535b4788f124384e53b3f75e36c56d49292d07dfd8d83e3b8f0102f2e14ffa222

Download Submit
C:\ProgramData\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi.encrypt

Filesize
140KB

MD5
ffae6475ef7fd3177fef7dbd4caed2b5

SHA1
18fc5e13151cfbca67a019c68cb61d8c5a56bce6

SHA256
12f0f109f5847566c0d2468b332dbd0f59082c58d493b3d9f857ad5421a519a8

SHA512
0d6db7323b7fa98e6d37a72439b9dbf88afb8ab5cc6e8ef75ca2e0eb0abd16351a8335cbcbb639287f3b13065338b08d02e941c296ef216035b38d70a225b634

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\CURRENT.encrypt

Filesize
32B

MD5
1892b67fb2e2075806a554ff4ee3cdc8

SHA1
d530d2a08c62227d48714d82341a476ce4e4ea7a

SHA256
1667efa73fa74b18e8d7307d63166caa39799ba1e112b4e02df74137b8794d08

SHA512
38588a3fbf62e93578f29e9f8aa0c9b98971b652598de23cfe7d55da63bcecc58155feb1c84710eaf4c22416d9767c7db28b3a243068e9c7a8bc72b2d203ab86

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\MANIFEST-000001.encrypt

Filesize
48B

MD5
8fc835eb508813d7708cf3d192eabfd8

SHA1
b9a699ae6831eb7093c626518003c946d57de96d

SHA256
4392097e4c4eaa30055724fae41d462b7b13617886469cfc27bab43b60249689

SHA512
bc546bd9b13dfb698a78a6c5f56be8e25b2ac34af489a45c8f8340c0e3f1a8ca6db57d075bc3519e48c5c59e5d6f5f01bacdf6c7056bb04f4e7b0491537e0518

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_2.encrypt

Filesize
8KB

MD5
bfed0e7ad7285e32cc92304421afaed3

SHA1
8469abdae351d83ba173ea8ca3349d32b8ac1c35

SHA256
6d171f5bc5c0169ae6a413eedbdac15e0ecefe5b354ff8a84f84ea1671be068d

SHA512
9a4149896c5c85916f87e27128571d5e3f63771ef592f6f8ba44d10a8d0f4a7d68844a9a26976d9dd9cb09253e00238732b39826f074c4a23bd9563e35c03c3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0.encrypt

Filesize
8KB

MD5
254151584c6890b2b051f6fc25513f3a

SHA1
61777c81d15a8d5246a235ad9fc315fbdd834c4b

SHA256
03414b7561eb5fc208fa26342ea3ca8e60870ef66c8a86a47f27311ff7adb3c1

SHA512
39ec107cfe4075d580ec636139572377a678d049970ebafe654de4a036feff87576cb083383ae9ac1010d16fcfbe8fe1fa08bc7c67a7a078fef54c93010558a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1.encrypt

Filesize
264KB

MD5
2af1f660d960a109e2aaba34a19213c3

SHA1
e4d2ec67429423429c830df895307147e74886ea

SHA256
98ce33dfb7677b25a74e0d20287950a93dfec356d075fd991a6c3c12fb31b625

SHA512
4a68b9ddda00752d9292b712516be774fa3ffc530cfd941d5d2555578a1281e3ea0c53c4988b8b1cd837eda23f0ad1c5cb08d8fc9348d84b59d70472991c0262

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3.encrypt

Filesize
8KB

MD5
d06ce0b89ae4bcdb9eea9c64f58311de

SHA1
bd37afdc4dc433c09aa95fb0b45a401170214ddc

SHA256
8dc7ddaa46b40cfe379cbcfc5e517b57e8002306489a99a12b07421ef13464b3

SHA512
bbf21e40f12637ec37560b2e5e206b02f7a90c84ccbc1799111a920a5ea2c357e1575515d87a8bb45bbf57ba2133ab5876369147581fbc9c5556688e14af0c4b

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\Settings\settings.dat.encrypt

Filesize
8KB

MD5
8806199d51f3d7388606cdd471a88afe

SHA1
e6d10abbb61c3d3a2d01afac3e0eb6e308aae32a

SHA256
4dceca35f4e74d3e7ea20fc076c57e775e944fb2e012208acd456563fca8d2d0

SHA512
48ab0d477d98df628b472e86ca4728eb63aab89aa14161d0067f9bb62d9b92e630ae19d269cf699f08f80257de650c873dd6f117ca98b4d0a907b2f5aa4023fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\wctDD8E.tmp.encrypt

Filesize
63KB

MD5
b739f1f024a0b076b55cb9fd624df1ce

SHA1
95758b7da57e2e6319c214f753d3e239e493f332

SHA256
1ce89c379752579b9a506be45384354cb7d33c33ae547381002fc4b38a3b6a42

SHA512
83ad750989bd13936a96790a80c63f7acb36ad742a20eb15ebc4ee3bb6aa4fef8960e15562ba14bcd00ece23eab00b2d88fc707fdc6dab333cf2eb6747731566

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite.encrypt

Filesize
48KB

MD5
47724d42b3cbf861ef0301ac95c705b9

SHA1
e5c84c3e67c3d8fc1d56826113d6315fa26f2955

SHA256
12632ed88713478f383b143315b5254abe3bfc78a9fc36a0d2700d5f7aad79a7

SHA512
0fdac5f95222c32ac8a4500e68ff63daec03f8918f52b4426efb2c9efb1d87a3f97e6143404df65d5cec1d1932cab0d81387b3fe45a4075d916faf73cee863c8

Download Submit
C:\Users\Admin\NTUSER.DAT.encrypt

Filesize
16B

MD5
870454b4fee9aa9142823d15685cd382

SHA1
c725d14ccfdebf0f78973de11ddedbe11e42e2c2

SHA256
a9b89a534669e0f5d97ea5b7671e2151c923fb994a57836791f4f8d300e7403b

SHA512
c56c5deaaf892e452730d456aa1ee73a2ae55663d8b0d3084499a6c535c3e8442a14f179002fb649095d6046c07bae99b3e4cd4bf364d06f24f199443d8a5efd

Download Submit
memory/1664-141-0x00000000014F0000-0x00000000014F8000-memory.dmp

Filesize
32KB

Download
memory/1664-143-0x00000000016F0000-0x0000000001700000-memory.dmp

Filesize
64KB

Download
memory/1664-149-0x00000000016F0000-0x0000000001700000-memory.dmp

Filesize
64KB

Download
memory/1664-147-0x00000000016F0000-0x0000000001700000-memory.dmp

Filesize
64KB

Download
memory/1664-146-0x00000000016F0000-0x0000000001700000-memory.dmp

Filesize
64KB

Download
memory/1664-145-0x00000000016F0000-0x0000000001700000-memory.dmp

Filesize
64KB

Download
memory/1664-144-0x00000000016F0000-0x0000000001700000-memory.dmp

Filesize
64KB

Download
memory/1664-148-0x00000000016F0000-0x0000000001700000-memory.dmp

Filesize
64KB

Download
memory/1664-142-0x000000001CC00000-0x000000001CC4C000-memory.dmp

Filesize
304KB

Download
memory/1664-133-0x0000000000BB0000-0x0000000000C18000-memory.dmp

Filesize
416KB

Download
memory/1664-140-0x000000001C9A0000-0x000000001CA3C000-memory.dmp

Filesize
624KB

Download
memory/1664-139-0x000000001C400000-0x000000001C8CE000-memory.dmp

Filesize
4.8MB

Download
memory/1664-138-0x000000001BE80000-0x000000001BF26000-memory.dmp

Filesize
664KB

Download
memory/1664-135-0x000000001BBD0000-0x000000001BC12000-memory.dmp

Filesize
264KB

Download
memory/1664-134-0x00000000016F0000-0x0000000001700000-memory.dmp

Filesize
64KB

Download