41ecd979cc674d2a1189fde9da4899b13240154e9acb0e54cdd81e08624c2977

Analysis

max time kernel
149s
max time network
154s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
10-10-2024 11:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Trojan-Ransom.Win32.Zerber.gkca.4990.15640.exe
Size

7.5MB
MD5

39274680f075dd14ef063eb67d8d7255
SHA1

ae68156366cfaca06a0fce73ec694fbc0aa4dccd
SHA256

41ecd979cc674d2a1189fde9da4899b13240154e9acb0e54cdd81e08624c2977
SHA512

85b96a7be391c8271cf7997cea798f7b95567ae79842c29efb272f4ef957fae76a1dbddf5d77a0c6bfd8eb9efe10e1916e8d23759ea9ab98039b94cf9fd94c63
SSDEEP

196608:eqwPbZzrIoA+gjWxug5xzPtIxY8unUAwnlzUP:yzycI4tIi1nUADP

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2372	NC Auth Tool V5.8.exe

Loads dropped DLL 16 IoCs

pid	Process
2372	NC Auth Tool V5.8.exe
2372	NC Auth Tool V5.8.exe
2372	NC Auth Tool V5.8.exe
2372	NC Auth Tool V5.8.exe
2372	NC Auth Tool V5.8.exe
2372	NC Auth Tool V5.8.exe
2372	NC Auth Tool V5.8.exe
2372	NC Auth Tool V5.8.exe
2372	NC Auth Tool V5.8.exe
2372	NC Auth Tool V5.8.exe
2372	NC Auth Tool V5.8.exe
2372	NC Auth Tool V5.8.exe
2372	NC Auth Tool V5.8.exe
2372	NC Auth Tool V5.8.exe
2372	NC Auth Tool V5.8.exe
2372	NC Auth Tool V5.8.exe

Looks up external IP address via web service 64 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
139	ipinfo.io
23	ipinfo.io
28	ipinfo.io
37	ipinfo.io
70	ipinfo.io
83	ipinfo.io
125	ipinfo.io
7	ipinfo.io
25	ipinfo.io
42	ipinfo.io
52	ipinfo.io
63	ipinfo.io
13	ipinfo.io
14	ipinfo.io
29	ipinfo.io
57	ipinfo.io
58	ipinfo.io
68	ipinfo.io
86	ipinfo.io
98	ipinfo.io
8	ipinfo.io
39	ipinfo.io
46	ipinfo.io
53	ipinfo.io
55	ipinfo.io
110	ipinfo.io
131	ipinfo.io
137	ipinfo.io
12	ipinfo.io
107	ipinfo.io
121	ipinfo.io
45	ipinfo.io
56	ipinfo.io
62	ipinfo.io
79	ipinfo.io
97	ipinfo.io
44	ipinfo.io
51	ipinfo.io
61	ipinfo.io
71	ipinfo.io
40	ipinfo.io
93	ipinfo.io
120	ipinfo.io
75	ipinfo.io
49	ipinfo.io
91	ipinfo.io
115	ipinfo.io
129	ipinfo.io
26	ipinfo.io
108	ipinfo.io
127	ipinfo.io
128	ipinfo.io
140	ipinfo.io
94	ipinfo.io
20	ipinfo.io
17	ipinfo.io
50	ipinfo.io
81	ipinfo.io
106	ipinfo.io
47	ipinfo.io
65	ipinfo.io
76	ipinfo.io
78	ipinfo.io
102	ipinfo.io

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NC Auth Tool V5.8.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	NC Auth Tool V5.8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	NC Auth Tool V5.8.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	NC Auth Tool V5.8.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2372	NC Auth Tool V5.8.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2372	NC Auth Tool V5.8.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2592 wrote to memory of 2372	2592	SecuriteInfo.com.Trojan-Ransom.Win32.Zerber.gkca.4990.15640.exe	30
PID 2592 wrote to memory of 2372	2592	SecuriteInfo.com.Trojan-Ransom.Win32.Zerber.gkca.4990.15640.exe	30
PID 2592 wrote to memory of 2372	2592	SecuriteInfo.com.Trojan-Ransom.Win32.Zerber.gkca.4990.15640.exe	30
PID 2592 wrote to memory of 2372	2592	SecuriteInfo.com.Trojan-Ransom.Win32.Zerber.gkca.4990.15640.exe	30

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan-Ransom.Win32.Zerber.gkca.4990.15640.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan-Ransom.Win32.Zerber.gkca.4990.15640.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2592
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\NC Auth Tool V5.8.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\NC Auth Tool V5.8.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\AdbDotNet.dll

Filesize
19KB

MD5
e1e8685c6ae7b57cd1b8c735685d74a0

SHA1
d2b3eb92a98b861429b2686abbe804ac4b55b2fe

SHA256
646f35f2fada20ac9c9d380950d80cbce122367baf7e415818eb1836ac34547d

SHA512
3e0163cd5c2a318a4f8382a434d3a756ff065d6893c776371ab5ea481357100a104c5fb5ebe28ef2e613107d7fbe2f84172ffec9bbd1d8beb5b0954ca811d312

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Guna.UI2.dll

Filesize
2.1MB

MD5
c97f23b52087cfa97985f784ea83498f

SHA1
d364618bec9cd6f8f5d4c24d3cc0f4c1a8e06b89

SHA256
e658e8a5616245dbe655e194b59f1bb704aaeafbd0925d6eebbe70555a638cdd

SHA512
ecfa83596f99afde9758d1142ff8b510a090cba6f42ba6fda8ca5e0520b658943ad85829a07bf17411e26e58432b74f05356f7eaeb3949a8834faa5de1a4f512

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\LibUsbDotNet.LibUsbDotNet.dll

Filesize
153KB

MD5
d496ce3436511c6a4d826ab418cf8b6d

SHA1
e26b538a3ae8b0a231011d5c9b7fc26291b346ef

SHA256
b6de87ff6fdde6d0a245ef37fe81fac49523c35115c61bc002e4935d99875508

SHA512
8acee96ec266249d7cf2eb13cdc18e0f56f66f6e9f12766e04db1eddad1af6f5a273f56cafa9e9a76bd5b5e813d21148af38541d17728e52aefcdb7cf4792114

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\MetroFramework.Fonts.dll

Filesize
656KB

MD5
65ef4b23060128743cef937a43b82aa3

SHA1
cc72536b84384ec8479b9734b947dce885ef5d31

SHA256
c843869aaca5135c2d47296985f35c71ca8af4431288d04d481c4e46cc93ee26

SHA512
d06690f9aac0c6500aed387f692b3305dfc0708b08fc2f27eaa44b108908ccd8267b07f8fb8608eef5c803039caeabf8f88a18b7e5b1d850f32bbb72bcd3b0b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\MetroFramework.dll

Filesize
345KB

MD5
34ea7f7d66563f724318e322ff08f4db

SHA1
d0aa8038a92eb43def2fffbbf4114b02636117c5

SHA256
c2c12d31b4844e29de31594fc9632a372a553631de0a0a04c8af91668e37cf49

SHA512
dceb1f9435b9479f6aea9b0644ba8c46338a7f458c313822a9d9b3266d79af395b9b2797ed3217c7048db8b22955ec6fe8b0b1778077fa1de587123ad9e6b148

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\NC Auth Tool V5.8.exe

Filesize
1.3MB

MD5
8e30aa56adcbd4053bdbde80a8960a8a

SHA1
8e88d37a06873517254330b72e444eff3085ff4f

SHA256
2719973d27fcff2ab02765d270817bae2314f22d86abe36b54c27644cabbf12f

SHA512
9146be969d3faa84dd183e100d4c3b0d4403c6fd2d2d903222d339c1c46a9d68b639f1aa726141125cd07bf4c1d433d6f47cd58040fc74f5862b7c499eae1539

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Newtonsoft.Json.dll

Filesize
695KB

MD5
195ffb7167db3219b217c4fd439eedd6

SHA1
1e76e6099570ede620b76ed47cf8d03a936d49f8

SHA256
e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d

SHA512
56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac

Download Submit
memory/2372-59-0x00000000067F0000-0x000000000689A000-memory.dmp

Filesize
680KB

Download
memory/2372-43-0x00000000012F0000-0x000000000143A000-memory.dmp

Filesize
1.3MB

Download
memory/2372-54-0x00000000744D0000-0x0000000074BBE000-memory.dmp

Filesize
6.9MB

Download
memory/2372-53-0x0000000005080000-0x0000000005292000-memory.dmp

Filesize
2.1MB

Download
memory/2372-47-0x0000000000440000-0x000000000049C000-memory.dmp

Filesize
368KB

Download
memory/2372-66-0x00000000744D0000-0x0000000074BBE000-memory.dmp

Filesize
6.9MB

Download
memory/2372-63-0x00000000068A0000-0x0000000006952000-memory.dmp

Filesize
712KB

Download
memory/2372-55-0x00000000744D0000-0x0000000074BBE000-memory.dmp

Filesize
6.9MB

Download
memory/2372-70-0x0000000004A60000-0x0000000004A6C000-memory.dmp

Filesize
48KB

Download
memory/2372-42-0x00000000744DE000-0x00000000744DF000-memory.dmp

Filesize
4KB

Download
memory/2372-74-0x0000000004CB0000-0x0000000004CDC000-memory.dmp

Filesize
176KB

Download
memory/2372-75-0x00000000744DE000-0x00000000744DF000-memory.dmp

Filesize
4KB

Download
memory/2372-76-0x00000000744D0000-0x0000000074BBE000-memory.dmp

Filesize
6.9MB

Download
memory/2372-77-0x00000000744D0000-0x0000000074BBE000-memory.dmp

Filesize
6.9MB

Download
memory/2372-78-0x00000000744D0000-0x0000000074BBE000-memory.dmp

Filesize
6.9MB

Download