zeronine | 8eee962604f560e0a00cd592dbe6bc3cf2aae138439b5bdb132d92ee32830bfe

Analysis

max time kernel
230s
max time network
52s
platform
windows7_x64
resource
win7v200430
submitted
14/05/2020, 06:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

zeranine.exe
Size

49KB
MD5

d28ebd73070fa0186dfc2ca7d8cb318e
SHA1

7475d4abdb7e7572ae0e963d0b2b4052068f918e
SHA256

8eee962604f560e0a00cd592dbe6bc3cf2aae138439b5bdb132d92ee32830bfe
SHA512

c4bc498d5eb5e667cd9cf01294900653ead7acc8c7f70304ab5ec08a9e396c3afcc2a06408c662c29eae789fdbf95d42f7a95635ebdc12c80ec1485df4187144

Score

10^/10

ransomware zeronine

Malware Config

Signatures

Zeronine Ransomware
Encrypts files with .zeronine extension and displays popup with ransom instructions in Turkish and English.
ransomware zeronine

Modifies registry class 31 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}	zeranine.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	zeranine.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}	zeranine.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\IconSize = "16"	zeranine.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Sort = 000000000000000000000000000000000200000030f125b7ef471a10a5f102608c9eebac0a0000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	zeranine.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	zeranine.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	zeranine.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	zeranine.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewVersion = "0"	zeranine.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg	zeranine.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	zeranine.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	zeranine.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}"	zeranine.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	zeranine.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	zeranine.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	zeranine.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}"	zeranine.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1"	zeranine.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	zeranine.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	zeranine.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000	zeranine.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	zeranine.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	zeranine.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	zeranine.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_Classes\Local Settings	zeranine.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	zeranine.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	zeranine.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Mode = "4"	zeranine.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\LogicalViewMode = "1"	zeranine.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1092616257"	zeranine.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000	zeranine.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1440	zeranine.exe

C:\Users\Admin\AppData\Local\Temp\zeranine.exe
"C:\Users\Admin\AppData\Local\Temp\zeranine.exe"
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1440

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1440-2-0x0000000008600000-0x0000000008601000-memory.dmp

Filesize
4KB

Download
memory/1440-4-0x0000000008600000-0x0000000008601000-memory.dmp

Filesize
4KB

Download
memory/1440-7-0x0000000008600000-0x0000000008601000-memory.dmp

Filesize
4KB

Download
memory/1440-9-0x0000000008600000-0x0000000008601000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads