Analysis

  • max time kernel
    83s
  • max time network
    65s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02/04/2025, 17:43

General

  • Target

    HEUR-Trojan-Ransom.Win32.Generic-41c059f4dfaa143cc75df07f38f50d7d6ac0c6416d3e21aac2e530683c037fdf.7z

  • Size

    1.5MB

  • MD5

    3290585e13e51afac3b0e2e17fc18212

  • SHA1

    146f76cbdbf088fba0ca2bbe1efece22cebfa254

  • SHA256

    712b77a8e132fdef3974b4ce3cf5da81ed98fc4ef3754c407c696922d662df02

  • SHA512

    5612dc1ef3be15387a3217aeaa4291eb361b659e47d96c51259bae2c63efffd17523c3235ac859b31fdc452012679878105b14883c14542d74543ac44a13da10

  • SSDEEP

    24576:hfGKRIF3Cr01NK5+2i5L5kr+NcgpMSlG6ZKzoQMgvxk2RG8+u:lNQ9t5L5y+mclG6ZixBr+u

Malware Config

Extracted

Family

zebrocy

C2

Windows XP Professional x64 Edition

Extracted

Path

C:\ProgramData\Adobe\# M0rphine Help #.hta

Ransom Note
<html>
<head>
<title>M0rphine</title>
<HTA:APPLICATION ID="" APPLICATIONNAME="" BORDER="DIALOG" MAXIMIZEBUTTON="NO" SCROLLFLAT="YES" CAPTION="YES" SELECTION="NO" INNERBORDER="NO" ICON="" SCROLL="NO" SHOWINTASKBAR="YES" SINGLEINSTANCE="YES" SYSMENU="YES" WINDOWSTATE="NORMAL" />
</head>
<script language=javascript>
var winWidth = 800;
var winHeight = 600;
window.resizeTo(winWidth, winHeight);
window.moveTo(screen.width/2-winWidth/2, screen.height/2-winHeight/2);
</script>
<body bgcolor=buttonface text=buttontext style="font: 10pt 'Tahoma'">
<div style="font-weight:bold; font:16pt; text-align: center" id="Tittle">Attention!</div>
<br>
<div style="padding:15px" id="SubTittle">
Your documents, photos, databases and other important files have been encrypted cryptographically strong, without the cipher key recovery is impossible!
<br> <br>
To decrypt your files you need to buy the special software - <strong>M0rphine Decryptor</strong> and your <strong>Private Decryption Key</strong>.
<br> <br>
Using another tools could corrupt your files, in case of using third party software we dont give guarantees that full recovery is possible so use it on your own risk.
<br> <br>
If you want to restore files, write us to the our e-mail: <strong>[email protected]</strong>
<br> <br>
Please write your <strong>Personal Identification Code</strong> in body of your message.
<br> <br>
Also attach to email 3 encrypted files for free decryption test. (each file have to be less than 1 MB size and not have valuable content)
<br> <br>
It is in your interest to respond as soon as possible to ensure the restoration of your files!
<br> <br>
Your <strong>Personal Identification Code</strong>:
</div>
<center>
<textarea style="overflow:auto; font:10pt 'Tahoma'" name="TextArea" rows=10 cols=120 readonly>[textarea contents not present in the report]</textarea>
</center>
</body>
Emails

<strong>[email protected]</strong>

Signatures

  • SatanCryptor

    Golang ransomware first seen in early 2020.

  • Satancryptor family
  • Zebrocy

    Zebrocy is a backdoor created by Sofacy threat group and has multiple variants developed in different languages.

  • Zebrocy Go Variant 1 IoCs
  • Zebrocy family
  • Renames multiple (2226) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 28 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • GoLang User-Agent 1 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Ransom.Win32.Generic-41c059f4dfaa143cc75df07f38f50d7d6ac0c6416d3e21aac2e530683c037fdf.7z"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:3132
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:432
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /1
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4280
  • C:\Users\Admin\Desktop\HEUR-Trojan-Ransom.Win32.Generic-41c059f4dfaa143cc75df07f38f50d7d6ac0c6416d3e21aac2e530683c037fdf.exe
    "C:\Users\Admin\Desktop\HEUR-Trojan-Ransom.Win32.Generic-41c059f4dfaa143cc75df07f38f50d7d6ac0c6416d3e21aac2e530683c037fdf.exe"
    1⤵
    • Drops startup file
    • Executes dropped EXE
    • Drops desktop.ini file(s)
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:4636
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ver
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3744
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C del C:\Users\Admin\Desktop\HEUR-Trojan-Ransom.Win32.Generic-41c059f4dfaa143cc75df07f38f50d7d6ac0c6416d3e21aac2e530683c037fdf.exe
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3964
  • C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\# M0rphine Help #.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    1⤵
    • System Location Discovery: System Language Discovery
    PID:1656
  • C:\Windows\SysWOW64\werfault.exe
    werfault.exe /h /shared Global\e5600510024141f4b070ce2ad4152d20 /t 4760 /p 1656
    1⤵
    PID:3316
  • C:\Windows\System32\DataExchangeHost.exe
    C:\Windows\System32\DataExchangeHost.exe -Embedding
    1⤵
    PID:4356

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\ProgramData\Adobe\# M0rphine Help #.hta

        Filesize

        4KB

        MD5

        82c45567b0c72c3d606cb1e50a3dd706

        SHA1

        0b39a9e0f00df29038bf5228b9f454eed99a701f

        SHA256

        df7b5532cebc4f9ab12a0bb34d521a99387591be6ac343bd3000150058166445

        SHA512

        c7c334a7c77da3c8814afbe61451eb54ffffa84bc88f76d255e523fbc7db0e02f77d29607ec00fe739fc70226eb689678bf031f1b1e0095b02c06fd4aae5321d

      • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

        Filesize

        64KB

        MD5

        d2fb266b97caff2086bf0fa74eddb6b2

        SHA1

        2f0061ce9c51b5b4fbab76b37fc6a540be7f805d

        SHA256

        b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a

        SHA512

        c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

      • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

        Filesize

        4B

        MD5

        f49655f856acb8884cc0ace29216f511

        SHA1

        cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

        SHA256

        7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

        SHA512

        599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

      • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

        Filesize

        634B

        MD5

        c8fd45777ad26b12e6f07b3133911835

        SHA1

        2667f66f7230a5ac00db1d38a15c110beac640fd

        SHA256

        74a912912db7b5d1348715e879279ba2ec987ad7c99031dd74eb7f9aef53943c

        SHA512

        44e4cb9ed2d7282767c457bf529abf6cdb4d74100cf50f88ac81faddefdb6cba7d39288db7f4660e1b897888ece0ba931b7a116380f56ce801a2ea6fcfbb0a76

      • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

        Filesize

        944B

        MD5

        6bd369f7c74a28194c991ed1404da30f

        SHA1

        0f8e3f8ab822c9374409fe399b6bfe5d68cbd643

        SHA256

        878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d

        SHA512

        8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

      • C:\Users\Admin\Desktop\HEUR-Trojan-Ransom.Win32.Generic-41c059f4dfaa143cc75df07f38f50d7d6ac0c6416d3e21aac2e530683c037fdf.exe

        Filesize

        4.7MB

        MD5

        d2654d7085cfa021953f9a42c8057bba

        SHA1

        e86ad4024e568938ca94454f00d04a9303f5f7af

        SHA256

        41c059f4dfaa143cc75df07f38f50d7d6ac0c6416d3e21aac2e530683c037fdf

        SHA512

        2767f4ab916d58a0700d1df4933f6b8edb7d6e54ec9920a6b228ae1c130563942dbf4828e7ca9066fa71f1f195047a3b78a38e63ef67a0d8232f1599d4f00ea3

      • memory/432-14-0x0000020F0D2F0000-0x0000020F0D2F1000-memory.dmp

        Filesize

        4KB

      • memory/432-11-0x0000020F0D2F0000-0x0000020F0D2F1000-memory.dmp

        Filesize

        4KB

      • memory/432-10-0x0000020F0D2F0000-0x0000020F0D2F1000-memory.dmp

        Filesize

        4KB

      • memory/432-9-0x0000020F0D2F0000-0x0000020F0D2F1000-memory.dmp

        Filesize

        4KB

      • memory/432-12-0x0000020F0D2F0000-0x0000020F0D2F1000-memory.dmp

        Filesize

        4KB

      • memory/432-13-0x0000020F0D2F0000-0x0000020F0D2F1000-memory.dmp

        Filesize

        4KB

      • memory/432-4-0x0000020F0D2F0000-0x0000020F0D2F1000-memory.dmp

        Filesize

        4KB

      • memory/432-8-0x0000020F0D2F0000-0x0000020F0D2F1000-memory.dmp

        Filesize

        4KB

      • memory/432-2-0x0000020F0D2F0000-0x0000020F0D2F1000-memory.dmp

        Filesize

        4KB

      • memory/432-3-0x0000020F0D2F0000-0x0000020F0D2F1000-memory.dmp

        Filesize

        4KB