Resubmissions

21/08/2024, 19:30 UTC

240821-x76q3sweqg 10

21/08/2024, 17:42 UTC

240821-v92h2avgpj 10

12/06/2024, 16:01 UTC

240612-tgps4a1bqh 10

Analysis

  • max time kernel
    1563s
  • max time network
    1564s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    21/08/2024, 17:42 UTC

General

  • Target

    Mydoom Ransomwares/dd286a4d79d0f4c2b906073c7f46680252ca09c1c39b0dc12c92097c56662876.exe

  • Size

    1.8MB

  • MD5

    057aad993a3ef50f6b3ca2db37cb928a

  • SHA1

    a57592be641738c86c85308ef68148181249bc0b

  • SHA256

    dd286a4d79d0f4c2b906073c7f46680252ca09c1c39b0dc12c92097c56662876

  • SHA512

    87c89027d60f80e99c526584fa093620b3f099151170362424ad78f5e4d7184bd9f2d627ec8463ca202127835f435dd4f85bf2b0d9351593c688855f0bbaffbb

  • SSDEEP

    49152:BY/3BNLViG5jQWArXncSxhBfV7xLE1t+XgWJz5qtAj6R:BwgG5MWMX7h8+Uw

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\# SATAN CRYPTOR #.hta

Ransom Note
<html> <head> <title>SATAN CRYPTOR</title> <HTA:APPLICATION ID="" APPLICATIONNAME="" BORDER="DIALOG" MAXIMIZEBUTTON="NO" SCROLLFLAT="YES" CAPTION="YES" SELECTION="NO" INNERBORDER="NO" ICON="" SCROLL="NO" SHOWINTASKBAR="YES" SINGLEINSTANCE="YES" SYSMENU="YES" WINDOWSTATE="NORMAL" /> </head> <script language=javascript> var winWidth = 800; var winHeight = 600; window.resizeTo(winWidth, winHeight); window.moveTo(screen.width/2-winWidth/2, screen.height/2-winHeight/2); </script> <body bgcolor=buttonface text=buttontext style="font: 10pt 'Tahoma'"> <div style="font-weight:bold; font:16pt; text-align: center" id="Tittle">Attention!</div> <br> <div style="padding:15px" id="SubTittle"> Your documents, photos, databases and other important files have been encrypted cryptographically strong, without the cipher key recovery is impossible! <br> <br> To decrypt your files you need to buy the special software - <strong>SATAN DECRYPTOR</strong> and your <strong>Private Decryption Key</strong>. <br> <br> Using another tools could corrupt your files, in case of using third party software we dont give guarantees that full recovery is possible so use it on your own risk. <br> <br> If you want to restore files, write us to the our e-mail: <strong>MREncptor@protonmail.com</strong> <br> <br> Please write your <strong>Personal Identification Code</strong> in body of your message. <br> <br> Also attach to email 3 encrypted files for free decryption test. (each file have to be less than 1 MB size and not have valuable content) <br> <br> It is in your interest to respond as soon as possible to ensure the restoration of your files! 
<br> <br> Your <strong>Personal Identification Code</strong>: </div> <center> <textarea style="overflow:auto; font:10pt 'Tahoma'" name="TextArea" rows=10 cols=120 readonly>5354000000019B040000CCBFBCF1E32A22D768C545B805F8ACCDCD7F75D699DB0C54D911954502EE10AD7C360A85B953707986DB2B52A0FC8FCBACC8A932A5D42A2E6DB6008BB390C2604B578FABA69191C2AB31418B6A666AE62D1ED4ACF08B98B8B16ACD5A11971F2F2A9521F229250A5A1056A16A92C8A80F3A4926771D9FA82221EDA2BF1B64300F7F41CE773D6E75433207907F7E294D4CDFF2C15D8B43926C6D30E9D0E70A6CDEF61FAFFE515A205BCFC3E59F183E2B5C57D34F517E0CADDCCD0FD46DEA6B62DCAE66946C960687D33287A21DAAAFD30F966FB3F3E5C374F0464E03924C43D766BDB7511ADF02FE1695C9467A689C5CCD8DE6F624C97FFEC115C2F77788226D56F38490B9BCCED30836B06F1FC846770294534694A3406C17A24FDBE80F954C078DADA2E70429A64F254BD6C209B6F04DCCB51E358B8B1940D209E55D4595C529CFC9D8C378A7DCA1D5B9E055CAA017B1652A7EEB55CD46E7C6EFB594955B71F13BF3B53CC177B190FB74B3572AB85C08B651FCC9B06CA67322FF6AF5A145CA6CA212C50516897F7E418026E61468B3E027BFC8E2C45F01A985E28398EFB6377D95EBC695151BAC9D96C387638B780BC90E389306D6237E9C6055C62F31CA6DA01DE127327D84DC0C7966FAD7678CD12C984D54C5FD0C177E3B00EE17A54C2F93D777B79CF1BCAEDDF2B4E3217A55B086239183108B63D06E601CAD9897000754B1177F95E50FA4050A24CC1F2FF930165CE4A74017D5F7116F925A571409C3898CB8AAE974B5D922E60A5D68665A2A7367C968D51B76A5B038328E2B29258D15495FE87BE83661039F4DD73281EB90F93617D07820379D81E3DC7DDA74350E10FE81CBDEA2CF4138970602D88631A5CE6B2F917FB7A16E8B615ADE844F43214BE5B5BD2587FF19F2B10DD88CA0CFC6ED303CB639E68F6CF706464FE8C1483C64EB737D3407135EA6A92449C5F50E5E770196873E9D579DFD69CFB40EADD470184AF3859063788EFF85B354596F60E422E43C9CCF4581661E0D82AA69D2B0011B6252011B11790BE8CDEA18E6BDDBF172DBE6943E5DD7C944C936DF3B5B728B0F21F016930B987AFFC584BB12E3D9D900DC74E01E71EA92CAA7D1DBF08421B860692AFEF540120364DBE779C7B45EDDB669C635DA3CF2FA1B47B074D9F86DC9052A4F57A9A69128262E4B647F2E2CC916D673E5C48C9532CC2C5915DB43D1DF41F5C069638365EAB6B56B7758845AF9415EAA81249A6FD7B2B3B71FE19BC5E71DE83F9933D141A873
AAB2F5C566CDBB277C95B380160CE19629C8320F8C4C4FD2AE76A3F724D76616AD5C4F5BA58DF96C2C91CAA5344EEEE499F55E64594D6F7AA0D8166F7742323B999D39A80E5F15E0657D563654F184033374538904FE42B1B8A5DB2220DC4D5CFC9FE7A6EBF0CC1CF270F5BD946F83E1E0686B6A7EB23FF2D32FFB9896863DCE0B8A364DA4D1D36535A2736AE0F1F216C09A8B0072B6D9FE488AC94EC991F2DF1AF5379A5FC918F56ADFD3286BA1C117F0B90219DFF05F578778A018DF222791036EF9D98BFCA3D21C46F874D6CB0B2ECD9CD8B6CD0AC73159D562093E172B0E3A83A6916C9004668B107641DEED50AA0451E36E89EB71D07F3772448D7F9706F2B3E6040A344B7A58D99CB9A9E7DED3A341BF55F4CE2BB00D2652AD040000</textarea> </center> </body>
Emails

<strong>MREncptor@protonmail.com</strong>

Extracted

Family

zebrocy

C2

Windows XP Professional x64 Edition

Signatures

  • SatanCryptor

    Golang ransomware first seen in early 2020.

  • Zebrocy

    Zebrocy is a backdoor created by Sofacy threat group and has multiple variants developed in different languages.

  • Zebrocy Go Variant 6 IoCs
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser credential store.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops desktop.ini file(s) 34 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • GoLang User-Agent 1 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Mydoom Ransomwares\dd286a4d79d0f4c2b906073c7f46680252ca09c1c39b0dc12c92097c56662876.exe
    "C:\Users\Admin\AppData\Local\Temp\Mydoom Ransomwares\dd286a4d79d0f4c2b906073c7f46680252ca09c1c39b0dc12c92097c56662876.exe"
    1⤵
    • Drops desktop.ini file(s)
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2052
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ver
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1060
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C del C:\Users\Admin\AppData\Local\Temp\Mydoom Ransomwares\dd286a4d79d0f4c2b906073c7f46680252ca09c1c39b0dc12c92097c56662876.exe
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2668

Network

  • flag-us
    DNS
    api.telegram.org
    dd286a4d79d0f4c2b906073c7f46680252ca09c1c39b0dc12c92097c56662876.exe
    Remote address:
    8.8.8.8:53
    Request
    api.telegram.org
    IN A
    Response
    api.telegram.org
    IN A
    149.154.167.220
  • flag-us
    DNS
    extreme-ip-lookup.com
    dd286a4d79d0f4c2b906073c7f46680252ca09c1c39b0dc12c92097c56662876.exe
    Remote address:
    8.8.8.8:53
    Request
    extreme-ip-lookup.com
    IN A
    Response
    extreme-ip-lookup.com
    IN A
    109.236.91.3
    extreme-ip-lookup.com
    IN A
    185.221.219.64
    extreme-ip-lookup.com
    IN A
    37.48.65.182
  • flag-nl
    GET
    http://extreme-ip-lookup.com/json/
    dd286a4d79d0f4c2b906073c7f46680252ca09c1c39b0dc12c92097c56662876.exe
    Remote address:
    109.236.91.3:80
    Request
    GET /json/ HTTP/1.1
    Host: extreme-ip-lookup.com
    User-Agent: Go-http-client/1.1
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 (OK)
    Server: nginx
    Date: Wed, 21 Aug 2024 18:31:49 GMT
    Content-Type: application/json; charset=utf-8;
    Content-Length: 433
    Connection: keep-alive
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Headers: *
    Cache-Control: max-age=3600
  • 149.154.167.220:443
    api.telegram.org
    tls
    dd286a4d79d0f4c2b906073c7f46680252ca09c1c39b0dc12c92097c56662876.exe
    1.2MB
    27.5kB
    929
    460
  • 109.236.91.3:80
    http://extreme-ip-lookup.com/json/
    http
    dd286a4d79d0f4c2b906073c7f46680252ca09c1c39b0dc12c92097c56662876.exe
    435 B
    1.6kB
    7
    5

    HTTP Request

    GET http://extreme-ip-lookup.com/json/

    HTTP Response

    200
  • 8.8.8.8:53
    api.telegram.org
    dns
    dd286a4d79d0f4c2b906073c7f46680252ca09c1c39b0dc12c92097c56662876.exe
    62 B
    78 B
    1
    1

    DNS Request

    api.telegram.org

    DNS Response

    149.154.167.220

  • 8.8.8.8:53
    extreme-ip-lookup.com
    dns
    dd286a4d79d0f4c2b906073c7f46680252ca09c1c39b0dc12c92097c56662876.exe
    67 B
    115 B
    1
    1

    DNS Request

    extreme-ip-lookup.com

    DNS Response

    109.236.91.3
    185.221.219.64
    37.48.65.182

MITRE ATT&CK Enterprise v15


Downloads

  • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\# SATAN CRYPTOR #.hta

    Filesize

    4KB

    MD5

    2c7364a30fb6adb6d376fda33d9037fb

    SHA1

    c60b91a08180b15475aade590e000f57d6b7a0b1

    SHA256

    f76c24db909fa80526e3bcb99d837f67079d38c98d92c62ad1b5000026afac48

    SHA512

    81fbb8010a1d09d5e6695ee72aedfb048dd1ed33ad1f660369030f71cb64e929cdf835ade4e7153d8e430cf2d6a8f37d84cf7ce6bf457940992c39a88a7c17c3

  • C:\Users\Admin\AppData\Local\Temp\Cab9B57.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • memory/2052-0-0x0000000000400000-0x00000000008D5000-memory.dmp

    Filesize

    4.8MB

  • memory/2052-3345-0x0000000000400000-0x00000000008D5000-memory.dmp

    Filesize

    4.8MB

  • memory/2052-3346-0x0000000000400000-0x00000000008D5000-memory.dmp

    Filesize

    4.8MB

  • memory/2052-3347-0x0000000000400000-0x00000000008D5000-memory.dmp

    Filesize

    4.8MB

  • memory/2052-3351-0x0000000000400000-0x00000000008D5000-memory.dmp

    Filesize

    4.8MB

  • memory/2052-3352-0x0000000000400000-0x00000000008D5000-memory.dmp

    Filesize

    4.8MB

  • memory/2052-3354-0x0000000000400000-0x00000000008D5000-memory.dmp

    Filesize

    4.8MB
