41ecd979cc674d2a1189fde9da4899b13240154e9acb0e54cdd81e08624c2977

General

Target

SecuriteInfo.com.Trojan-Ransom.Win32.Zerber.gkca.4990.15640.exe
Size

7.5MB
MD5

39274680f075dd14ef063eb67d8d7255
SHA1

ae68156366cfaca06a0fce73ec694fbc0aa4dccd
SHA256

41ecd979cc674d2a1189fde9da4899b13240154e9acb0e54cdd81e08624c2977
SHA512

85b96a7be391c8271cf7997cea798f7b95567ae79842c29efb272f4ef957fae76a1dbddf5d77a0c6bfd8eb9efe10e1916e8d23759ea9ab98039b94cf9fd94c63
SSDEEP

196608:eqwPbZzrIoA+gjWxug5xzPtIxY8unUAwnlzUP:yzycI4tIi1nUADP

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	SecuriteInfo.com.Trojan-Ransom.Win32.Zerber.gkca.4990.15640.exe

Executes dropped EXE 1 IoCs

pid	Process
1460	NC Auth Tool V5.8.exe

Loads dropped DLL 12 IoCs

pid	Process
1460	NC Auth Tool V5.8.exe
1460	NC Auth Tool V5.8.exe
1460	NC Auth Tool V5.8.exe
1460	NC Auth Tool V5.8.exe
1460	NC Auth Tool V5.8.exe
1460	NC Auth Tool V5.8.exe
1460	NC Auth Tool V5.8.exe
1460	NC Auth Tool V5.8.exe
1460	NC Auth Tool V5.8.exe
1460	NC Auth Tool V5.8.exe
1460	NC Auth Tool V5.8.exe
1460	NC Auth Tool V5.8.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	ipinfo.io
15	ipinfo.io

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NC Auth Tool V5.8.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\DeviceInterfaceGuids	NC Auth Tool V5.8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\Device Parameters	NC Auth Tool V5.8.exe
Key security queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters	NC Auth Tool V5.8.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters\DeviceInterfaceGuids	NC Auth Tool V5.8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000\Device Parameters	NC Auth Tool V5.8.exe
Key security queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	NC Auth Tool V5.8.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	NC Auth Tool V5.8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	NC Auth Tool V5.8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	NC Auth Tool V5.8.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1460	NC Auth Tool V5.8.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1460	NC Auth Tool V5.8.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 216 wrote to memory of 1460	216	SecuriteInfo.com.Trojan-Ransom.Win32.Zerber.gkca.4990.15640.exe	86
PID 216 wrote to memory of 1460	216	SecuriteInfo.com.Trojan-Ransom.Win32.Zerber.gkca.4990.15640.exe	86
PID 216 wrote to memory of 1460	216	SecuriteInfo.com.Trojan-Ransom.Win32.Zerber.gkca.4990.15640.exe	86

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan-Ransom.Win32.Zerber.gkca.4990.15640.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan-Ransom.Win32.Zerber.gkca.4990.15640.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:216
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\NC Auth Tool V5.8.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\NC Auth Tool V5.8.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks SCSI registry key(s)
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

4

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\AdbDotNet.dll

Filesize
19KB

MD5
e1e8685c6ae7b57cd1b8c735685d74a0

SHA1
d2b3eb92a98b861429b2686abbe804ac4b55b2fe

SHA256
646f35f2fada20ac9c9d380950d80cbce122367baf7e415818eb1836ac34547d

SHA512
3e0163cd5c2a318a4f8382a434d3a756ff065d6893c776371ab5ea481357100a104c5fb5ebe28ef2e613107d7fbe2f84172ffec9bbd1d8beb5b0954ca811d312

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Guna.UI2.dll

Filesize
2.1MB

MD5
c97f23b52087cfa97985f784ea83498f

SHA1
d364618bec9cd6f8f5d4c24d3cc0f4c1a8e06b89

SHA256
e658e8a5616245dbe655e194b59f1bb704aaeafbd0925d6eebbe70555a638cdd

SHA512
ecfa83596f99afde9758d1142ff8b510a090cba6f42ba6fda8ca5e0520b658943ad85829a07bf17411e26e58432b74f05356f7eaeb3949a8834faa5de1a4f512

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\LibUsbDotNet.LibUsbDotNet.dll

Filesize
153KB

MD5
d496ce3436511c6a4d826ab418cf8b6d

SHA1
e26b538a3ae8b0a231011d5c9b7fc26291b346ef

SHA256
b6de87ff6fdde6d0a245ef37fe81fac49523c35115c61bc002e4935d99875508

SHA512
8acee96ec266249d7cf2eb13cdc18e0f56f66f6e9f12766e04db1eddad1af6f5a273f56cafa9e9a76bd5b5e813d21148af38541d17728e52aefcdb7cf4792114

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\MetroFramework.Fonts.dll

Filesize
656KB

MD5
65ef4b23060128743cef937a43b82aa3

SHA1
cc72536b84384ec8479b9734b947dce885ef5d31

SHA256
c843869aaca5135c2d47296985f35c71ca8af4431288d04d481c4e46cc93ee26

SHA512
d06690f9aac0c6500aed387f692b3305dfc0708b08fc2f27eaa44b108908ccd8267b07f8fb8608eef5c803039caeabf8f88a18b7e5b1d850f32bbb72bcd3b0b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\MetroFramework.dll

Filesize
345KB

MD5
34ea7f7d66563f724318e322ff08f4db

SHA1
d0aa8038a92eb43def2fffbbf4114b02636117c5

SHA256
c2c12d31b4844e29de31594fc9632a372a553631de0a0a04c8af91668e37cf49

SHA512
dceb1f9435b9479f6aea9b0644ba8c46338a7f458c313822a9d9b3266d79af395b9b2797ed3217c7048db8b22955ec6fe8b0b1778077fa1de587123ad9e6b148

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\NC Auth Tool V5.8.exe

Filesize
1.3MB

MD5
8e30aa56adcbd4053bdbde80a8960a8a

SHA1
8e88d37a06873517254330b72e444eff3085ff4f

SHA256
2719973d27fcff2ab02765d270817bae2314f22d86abe36b54c27644cabbf12f

SHA512
9146be969d3faa84dd183e100d4c3b0d4403c6fd2d2d903222d339c1c46a9d68b639f1aa726141125cd07bf4c1d433d6f47cd58040fc74f5862b7c499eae1539

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Newtonsoft.Json.dll

Filesize
695KB

MD5
195ffb7167db3219b217c4fd439eedd6

SHA1
1e76e6099570ede620b76ed47cf8d03a936d49f8

SHA256
e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d

SHA512
56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac

Download Submit
memory/1460-65-0x0000000008A80000-0x0000000008B32000-memory.dmp

Filesize
712KB

Download
memory/1460-69-0x000000000A190000-0x000000000A1AE000-memory.dmp

Filesize
120KB

Download
memory/1460-54-0x00000000747E0000-0x0000000074F90000-memory.dmp

Filesize
7.7MB

Download
memory/1460-55-0x0000000005C70000-0x0000000005C7A000-memory.dmp

Filesize
40KB

Download
memory/1460-56-0x00000000747E0000-0x0000000074F90000-memory.dmp

Filesize
7.7MB

Download
memory/1460-49-0x0000000005160000-0x00000000051BC000-memory.dmp

Filesize
368KB

Download
memory/1460-60-0x00000000086E0000-0x000000000878A000-memory.dmp

Filesize
680KB

Download
memory/1460-61-0x00000000747E0000-0x0000000074F90000-memory.dmp

Filesize
7.7MB

Download
memory/1460-45-0x00000000050C0000-0x0000000005152000-memory.dmp

Filesize
584KB

Download
memory/1460-44-0x00000000055D0000-0x0000000005B74000-memory.dmp

Filesize
5.6MB

Download
memory/1460-66-0x00000000747E0000-0x0000000074F90000-memory.dmp

Filesize
7.7MB

Download
memory/1460-67-0x0000000009F40000-0x0000000009FB6000-memory.dmp

Filesize
472KB

Download
memory/1460-68-0x000000000A140000-0x000000000A162000-memory.dmp

Filesize
136KB

Download
memory/1460-53-0x0000000005DA0000-0x0000000005FB2000-memory.dmp

Filesize
2.1MB

Download
memory/1460-70-0x000000000A1E0000-0x000000000A534000-memory.dmp

Filesize
3.3MB

Download
memory/1460-72-0x000000000A630000-0x000000000A696000-memory.dmp

Filesize
408KB

Download
memory/1460-43-0x00000000005A0000-0x00000000006EA000-memory.dmp

Filesize
1.3MB

Download
memory/1460-75-0x000000000A5D0000-0x000000000A5DC000-memory.dmp

Filesize
48KB

Download
memory/1460-42-0x00000000747EE000-0x00000000747EF000-memory.dmp

Filesize
4KB

Download
memory/1460-79-0x000000000A6C0000-0x000000000A6EC000-memory.dmp

Filesize
176KB

Download
memory/1460-80-0x00000000747EE000-0x00000000747EF000-memory.dmp

Filesize
4KB

Download
memory/1460-81-0x00000000747E0000-0x0000000074F90000-memory.dmp

Filesize
7.7MB

Download
memory/1460-82-0x00000000747E0000-0x0000000074F90000-memory.dmp

Filesize
7.7MB

Download
memory/1460-83-0x00000000747E0000-0x0000000074F90000-memory.dmp

Filesize
7.7MB

Download
memory/1460-84-0x00000000747E0000-0x0000000074F90000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads