Analysis
-
max time kernel
121s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
-
submitted
11-06-2024 08:35
General
-
Target
dd286a4d79d0f4c2b906073c7f46680252ca09c1c39b0dc12c92097c56662876.exe
-
Size
1.8MB
-
MD5
057aad993a3ef50f6b3ca2db37cb928a
-
SHA1
a57592be641738c86c85308ef68148181249bc0b
-
SHA256
dd286a4d79d0f4c2b906073c7f46680252ca09c1c39b0dc12c92097c56662876
-
SHA512
87c89027d60f80e99c526584fa093620b3f099151170362424ad78f5e4d7184bd9f2d627ec8463ca202127835f435dd4f85bf2b0d9351593c688855f0bbaffbb
-
SSDEEP
49152:BY/3BNLViG5jQWArXncSxhBfV7xLE1t+XgWJz5qtAj6R:BwgG5MWMX7h8+Uw
Score
10/10
Malware Config
Extracted
Family
zebrocy
C2
Windows XP Professional x64 Edition
Extracted
Path
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\# SATAN CRYPTOR #.hta
Ransom Note
<html>
<head>
<title>SATAN CRYPTOR</title>
<HTA:APPLICATION
ID=""
APPLICATIONNAME=""
BORDER="DIALOG"
MAXIMIZEBUTTON="NO"
SCROLLFLAT="YES"
CAPTION="YES"
SELECTION="NO"
INNERBORDER="NO"
ICON=""
SCROLL="NO"
SHOWINTASKBAR="YES"
SINGLEINSTANCE="YES"
SYSMENU="YES"
WINDOWSTATE="NORMAL"
/>
</head>
<script language=javascript>
var winWidth = 800;
var winHeight = 600;
window.resizeTo(winWidth, winHeight);
window.moveTo(screen.width/2-winWidth/2, screen.height/2-winHeight/2);
</script>
<body bgcolor=buttonface text=buttontext style="font: 10pt 'Tahoma'">
<div style="font-weight:bold; font:16pt; text-align: center" id="Tittle">Attention!</div>
<br>
<div style="padding:15px" id="SubTittle">
Your documents, photos, databases and other important files have been encrypted cryptographically strong, without the cipher key recovery is impossible!
<br>
<br>
To decrypt your files you need to buy the special software - <strong>SATAN DECRYPTOR</strong> and your <strong>Private Decryption Key</strong>.
<br>
<br>
Using another tools could corrupt your files, in case of using third party software we dont give guarantees that full recovery is possible so use it on your own risk.
<br>
<br>
If you want to restore files, write us to the our e-mail: <strong>[email protected]</strong>
<br>
<br>
Please write your <strong>Personal Identification Code</strong> in body of your message.
<br>
<br>
Also attach to email 3 encrypted files for free decryption test. (each file have to be less than 1 MB size and not have valuable content)
<br>
<br>
It is in your interest to respond as soon as possible to ensure the restoration of your files!
<br>
<br>
Your <strong>Personal Identification Code</strong>:
</div>
<center>
<textarea style="overflow:auto; font:10pt 'Tahoma'" name="TextArea" rows=10 cols=120 readonly>5354000000019B040000EED596CC4C72F80D621594768570354635E9C3BB29E41CABD99FA4E9EA41BC35D583496C155FD55E0B7A71EE5CD0BF8BF2EDFBE07D0C43224278744346262A9D4101C7EFFCA8961F8CAC6DBACF82E37F64430A5489B9949D4745CC0D7D6F5AFAA39FD346528F1061471108B5208A3B65792BEEC479B1873E8A16E2F42EE38A181F9977AFBA5801ABFF3C0675CF0E4FB18D76F9D6729A15E2185E578613A44FD0D75961D69345F4AAC624088CAD5F8227208F24AECE4B539BE2A042B8E1715958AB262939BFB26993FAA465A40DA8003CE84ECA1B13F4CF9BBF53FFD327326BB043CAFF8787E73EC9721618285F40368AC7FF7B67F5AB1DA32C1499B44B7C401E006AEF0F8BCAE39EF974D7D821192F6F04C5D1576BE3B34DD25FAFFDC9C203CDC7BC2448FE0BE0FE313FDDF9099924BF362B722C92BCCA413A0413A62969D3F1392BBDBB099D9D95927C0FCF03C02FB9BE24FEFCA1034FD782CE601EEA016D3CD313216AC9835DEC83516EBB33F1609C4040843C2677CA74BA40D18A011836903E9A02A96F1EC4673584708E90C62DB2652B65F834C852FC6E4E0CFE605D43AA0B5F19CBCB9B39518A5D2FB44A4BA6A02B79AE88BDDE5E13396E437635ECDEA6C653042B6431329DBA5F8E211DD6704AF309D0103555A97B30187371D6BB3BD92D698E41BACB4E4C345489D0124898CACB28AFEA6B3C12F19948FB3F92BD9A30E9D283A1E6522C60B3189261447CEF744C97A544D81181F7837C0B4DD81C7DBA71E14622B9841C1F7E8C26768AB4CF6B1263776BFCB5C3B7F4AF0768E8D01DBBA70B5AFE39FDF2CCB9D59FCF7DA24245CFD111A1C673753C029A3EB3166C9D8D27AAFA51BCD9C57CE6E5FF82FE07BB6F37D30B762BE587564FD6DA8BDBF0BFCDC46E81AB49C924756296DA5953C6117C499B5288FD07A5A0E88AA44192289FAE1446877775F2F4AEE76344B846A8C6FD9D0B5F42E5EED93F024CADC267E35ECCADBB0026B197F9BB2A45C27A1E1A42D909C4AB51CDF60FD73A8877F25A6A22B79E3D56062A6801DB9D3542395B367116ACB98F4AB6A80B0DD4E55F8F5810ADDDC6FAB8CE93C73B456713A921E1C785C8D2EF8F7DED4C53376B3C95D2BE06213F3C8BEA9F9933BEE3005C94F971E94884BB3B1050AE8789D4B65AFA06EC4D6F81EDA4A2CCC5FBF7E56686B6D89B98A0243C2622C4749694115F60AFF17BAE7A4192C513B16203444696FE2F0AA4B999580818BD26F939BEA1D2360379CE931136D698E5142587F9669D04890FD466FB5EFBF49871EF67EC056FA54DB2DB9879020549C3F32A81966327BCAFE70DEC68C75A3C47F885D47B0AA9C0C08EF1943E7CDF07ABCF28B0168D80BC43B57C28EB165DB51909253218F6AECDDE253AD60B18F3CFCC485994C18A5E364E3E5D5B86460E15841DE21F2F4FD9A7E79A51DC57C31D1B4D92B730D0B5D210AA230E971017E4BD747A028C37E141F1DC6C2A17140E8871E1BD98B638BB14613029545CAF6197B2A1DA98122CF51EFEFD26E6DC6F3B1EF00507FF019C545987B4DD602C750D8619F9A3A348BCF9B8D68C8982AAEBFB6699B5A928A95A0B60B2350B0022935D7B8B488DBABE4D1BF67B3F23E440EBD6C85FF0884A16913FCDA1713EBA1CF6DA7295AEE90AED54D67975D376F66146BF29903CAD040000</textarea>
</center>
</body>
Emails
<strong>[email protected]</strong>
Signatures
-
SatanCryptor
Golang ransomware first seen in early 2020.
-
Zebrocy
Zebrocy is a backdoor created by Sofacy threat group and has multiple variants developed in different languages.
-
Zebrocy Go Variant 4 IoCs
-
UPX dump on OEP (original entry point) 4 IoCs
-
Deletes itself 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops desktop.ini file(s) 34 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\dd286a4d79d0f4c2b906073c7f46680252ca09c1c39b0dc12c92097c56662876.exe"C:\Users\Admin\AppData\Local\Temp\dd286a4d79d0f4c2b906073c7f46680252ca09c1c39b0dc12c92097c56662876.exe"1⤵
- Drops desktop.ini file(s)
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ver2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C del C:\Users\Admin\AppData\Local\Temp\dd286a4d79d0f4c2b906073c7f46680252ca09c1c39b0dc12c92097c56662876.exe2⤵
- Deletes itself
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD5a6908427c272b19c7f535f705d2180c1
SHA13f213382f660f0b9532a41b9116cc7c4cf6d8179
SHA256ba897a2173471aace9339918d24e9290abe94650143d6a46e7877a4a00a12daa
SHA512aff3b3c1e9cb0eb16e740db74567304c7012dcc890a25e93814feb9feb8393098bbe8c672e472b520dfdc1e76ef034dc191d6b3aa97706f270dc329562a96b24
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB