Analysis
-
max time kernel
145s -
max time network
126s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
07-03-2023 02:14
Static task
static1
Behavioral task
behavioral1
Sample
f969ddcaa91d3667396ef39dea56bb739120ef95f8d2e29281cc139bc9f301ef.exe
Resource
win10v2004-20230220-en
General
-
Target
f969ddcaa91d3667396ef39dea56bb739120ef95f8d2e29281cc139bc9f301ef.exe
-
Size
811KB
-
MD5
9324c0b47400cd5fc392a52e57aafd5f
-
SHA1
da8b5b6db80edb0c995a4881f486442232827289
-
SHA256
f969ddcaa91d3667396ef39dea56bb739120ef95f8d2e29281cc139bc9f301ef
-
SHA512
afa4dce0280e636b73c31a9710bec5576b1083059fb18225bb3a4a6ab8cb641fa2aa600c2a9415e9a6871c082394075a74b55a94a6fe6e6fd41633e1432c2d79
-
SSDEEP
12288:F/mA326U0Yd29fycRm6/xXg7jyXEuObDKfBQlsNXoGBq4w:cQ2cyRcDZgfpucDP+XbBq4w
Malware Config
Extracted
djvu
http://zexeq.com/test1/get.php
-
extension
.cosw
-
offline_id
fTU4hYOJ0niv7WAg9utRTzxXv2TcoEvGPJhzIot1
-
payload_url
http://uaery.top/dl/build2.exe
http://zexeq.com/files/1/build3.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-hhA4nKfJBj Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0658JOsie
Signatures
-
Detected Djvu ransomware 16 IoCs
resource yara_rule behavioral1/memory/3832-134-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/5108-136-0x00000000049A0000-0x0000000004ABB000-memory.dmp family_djvu behavioral1/memory/3832-135-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/3832-137-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/3832-138-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/3832-150-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/2948-153-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/2948-154-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/2948-159-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/2948-160-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/2948-161-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/2948-165-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/2948-167-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/2948-168-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/2948-180-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/2948-184-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu -
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation f969ddcaa91d3667396ef39dea56bb739120ef95f8d2e29281cc139bc9f301ef.exe Key value queried \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation f969ddcaa91d3667396ef39dea56bb739120ef95f8d2e29281cc139bc9f301ef.exe -
Executes dropped EXE 2 IoCs
pid Process 3888 build3.exe 4792 mstsca.exe -
Modifies file permissions 1 TTPs 1 IoCs
pid Process 3748 icacls.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\eb21fa04-2469-44e0-bfba-845e84ab170f\\f969ddcaa91d3667396ef39dea56bb739120ef95f8d2e29281cc139bc9f301ef.exe\" --AutoStart" f969ddcaa91d3667396ef39dea56bb739120ef95f8d2e29281cc139bc9f301ef.exe -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 17 api.2ip.ua 18 api.2ip.ua 38 api.2ip.ua -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 5108 set thread context of 3832 5108 f969ddcaa91d3667396ef39dea56bb739120ef95f8d2e29281cc139bc9f301ef.exe 85 PID 5024 set thread context of 2948 5024 f969ddcaa91d3667396ef39dea56bb739120ef95f8d2e29281cc139bc9f301ef.exe 89 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4816 schtasks.exe 4216 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 3832 f969ddcaa91d3667396ef39dea56bb739120ef95f8d2e29281cc139bc9f301ef.exe 3832 f969ddcaa91d3667396ef39dea56bb739120ef95f8d2e29281cc139bc9f301ef.exe 2948 f969ddcaa91d3667396ef39dea56bb739120ef95f8d2e29281cc139bc9f301ef.exe 2948 f969ddcaa91d3667396ef39dea56bb739120ef95f8d2e29281cc139bc9f301ef.exe -
Suspicious use of WriteProcessMemory 35 IoCs
description pid Process procid_target PID 5108 wrote to memory of 3832 5108 f969ddcaa91d3667396ef39dea56bb739120ef95f8d2e29281cc139bc9f301ef.exe 85 PID 5108 wrote to memory of 3832 5108 f969ddcaa91d3667396ef39dea56bb739120ef95f8d2e29281cc139bc9f301ef.exe 85 PID 5108 wrote to memory of 3832 5108 f969ddcaa91d3667396ef39dea56bb739120ef95f8d2e29281cc139bc9f301ef.exe 85 PID 5108 wrote to memory of 3832 5108 f969ddcaa91d3667396ef39dea56bb739120ef95f8d2e29281cc139bc9f301ef.exe 85 PID 5108 wrote to memory of 3832 5108 f969ddcaa91d3667396ef39dea56bb739120ef95f8d2e29281cc139bc9f301ef.exe 85 PID 5108 wrote to memory of 3832 5108 f969ddcaa91d3667396ef39dea56bb739120ef95f8d2e29281cc139bc9f301ef.exe 85 PID 5108 wrote to memory of 3832 5108 f969ddcaa91d3667396ef39dea56bb739120ef95f8d2e29281cc139bc9f301ef.exe 85 PID 5108 wrote to memory of 3832 5108 f969ddcaa91d3667396ef39dea56bb739120ef95f8d2e29281cc139bc9f301ef.exe 85 PID 5108 wrote to memory of 3832 5108 f969ddcaa91d3667396ef39dea56bb739120ef95f8d2e29281cc139bc9f301ef.exe 85 PID 5108 wrote to memory of 3832 5108 f969ddcaa91d3667396ef39dea56bb739120ef95f8d2e29281cc139bc9f301ef.exe 85 PID 3832 wrote to memory of 3748 3832 f969ddcaa91d3667396ef39dea56bb739120ef95f8d2e29281cc139bc9f301ef.exe 86 PID 3832 wrote to memory of 3748 3832 f969ddcaa91d3667396ef39dea56bb739120ef95f8d2e29281cc139bc9f301ef.exe 86 PID 3832 wrote to memory of 3748 3832 f969ddcaa91d3667396ef39dea56bb739120ef95f8d2e29281cc139bc9f301ef.exe 86 PID 3832 wrote to memory of 5024 3832 f969ddcaa91d3667396ef39dea56bb739120ef95f8d2e29281cc139bc9f301ef.exe 87 PID 3832 wrote to memory of 5024 3832 f969ddcaa91d3667396ef39dea56bb739120ef95f8d2e29281cc139bc9f301ef.exe 87 PID 3832 wrote to memory of 5024 3832 f969ddcaa91d3667396ef39dea56bb739120ef95f8d2e29281cc139bc9f301ef.exe 87 PID 5024 wrote to memory of 2948 5024 f969ddcaa91d3667396ef39dea56bb739120ef95f8d2e29281cc139bc9f301ef.exe 89 PID 5024 wrote to memory of 2948 5024 f969ddcaa91d3667396ef39dea56bb739120ef95f8d2e29281cc139bc9f301ef.exe 89 PID 5024 wrote to memory of 2948 5024 f969ddcaa91d3667396ef39dea56bb739120ef95f8d2e29281cc139bc9f301ef.exe 89 PID 5024 wrote to memory of 2948 5024 f969ddcaa91d3667396ef39dea56bb739120ef95f8d2e29281cc139bc9f301ef.exe 89 PID 5024 wrote to memory of 2948 5024 f969ddcaa91d3667396ef39dea56bb739120ef95f8d2e29281cc139bc9f301ef.exe 89 PID 5024 wrote to memory of 2948 5024 f969ddcaa91d3667396ef39dea56bb739120ef95f8d2e29281cc139bc9f301ef.exe 89 PID 5024 wrote to memory of 2948 5024 f969ddcaa91d3667396ef39dea56bb739120ef95f8d2e29281cc139bc9f301ef.exe 89 PID 5024 wrote to memory of 2948 5024 f969ddcaa91d3667396ef39dea56bb739120ef95f8d2e29281cc139bc9f301ef.exe 89 PID 5024 wrote to memory of 2948 5024 f969ddcaa91d3667396ef39dea56bb739120ef95f8d2e29281cc139bc9f301ef.exe 89 PID 5024 wrote to memory of 2948 5024 f969ddcaa91d3667396ef39dea56bb739120ef95f8d2e29281cc139bc9f301ef.exe 89 PID 2948 wrote to memory of 3888 2948 f969ddcaa91d3667396ef39dea56bb739120ef95f8d2e29281cc139bc9f301ef.exe 93 PID 2948 wrote to memory of 3888 2948 f969ddcaa91d3667396ef39dea56bb739120ef95f8d2e29281cc139bc9f301ef.exe 93 PID 2948 wrote to memory of 3888 2948 f969ddcaa91d3667396ef39dea56bb739120ef95f8d2e29281cc139bc9f301ef.exe 93 PID 3888 wrote to memory of 4816 3888 build3.exe 94 PID 3888 wrote to memory of 4816 3888 build3.exe 94 PID 3888 wrote to memory of 4816 3888 build3.exe 94 PID 4792 wrote to memory of 4216 4792 mstsca.exe 108 PID 4792 wrote to memory of 4216 4792 mstsca.exe 108 PID 4792 wrote to memory of 4216 4792 mstsca.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\f969ddcaa91d3667396ef39dea56bb739120ef95f8d2e29281cc139bc9f301ef.exe"C:\Users\Admin\AppData\Local\Temp\f969ddcaa91d3667396ef39dea56bb739120ef95f8d2e29281cc139bc9f301ef.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5108 -
C:\Users\Admin\AppData\Local\Temp\f969ddcaa91d3667396ef39dea56bb739120ef95f8d2e29281cc139bc9f301ef.exe"C:\Users\Admin\AppData\Local\Temp\f969ddcaa91d3667396ef39dea56bb739120ef95f8d2e29281cc139bc9f301ef.exe"2⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3832 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\eb21fa04-2469-44e0-bfba-845e84ab170f" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
PID:3748
-
-
C:\Users\Admin\AppData\Local\Temp\f969ddcaa91d3667396ef39dea56bb739120ef95f8d2e29281cc139bc9f301ef.exe"C:\Users\Admin\AppData\Local\Temp\f969ddcaa91d3667396ef39dea56bb739120ef95f8d2e29281cc139bc9f301ef.exe" --Admin IsNotAutoStart IsNotTask3⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5024 -
C:\Users\Admin\AppData\Local\Temp\f969ddcaa91d3667396ef39dea56bb739120ef95f8d2e29281cc139bc9f301ef.exe"C:\Users\Admin\AppData\Local\Temp\f969ddcaa91d3667396ef39dea56bb739120ef95f8d2e29281cc139bc9f301ef.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Users\Admin\AppData\Local\1fc16eaf-40f0-4c60-8bd1-cdd1acd36b65\build3.exe"C:\Users\Admin\AppData\Local\1fc16eaf-40f0-4c60-8bd1-cdd1acd36b65\build3.exe"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3888 -
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"6⤵
- Creates scheduled task(s)
PID:4816
-
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4792 -
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"2⤵
- Creates scheduled task(s)
PID:4216
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize2KB
MD55ebbd3148318b887eccd6d81bd608ec7
SHA1ac423bb92c9d74450c668b8c69926774f2ae147b
SHA256ed62e08399e483e87941ea69f03fec9ea48186b14c9d1fd54f238a97935dade5
SHA5125c6e1c4df548d66ca68f0d169361c7d53ed104e916db2d2c6fd41de929b8bdc9cdb5f635657cda94e710c4c7ef44d457b5e3c13c6c20a758d1537bbdb1fadef8
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize1KB
MD5bf56fe61b0bda7a5625f77c70820d98a
SHA1bc52c58737644c029bc68177da93f885e2efb505
SHA2565e2a6b3fee5aee875bbb5e5bc8236de647c6a77ff4d024881c878dcaa5c4cf1e
SHA51274e6db364d6f0718d1f8874532e58f6271c5988825223752226508e20b656e67a64b10a76167eb7749d156a58322212c4db8e83895779b5815f41256a8274649
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize488B
MD5f0a568473e64c02d4297fb5e461ebe5a
SHA1f8626d415a9ef428830f4d5a9552739d37dbf491
SHA256574b2a6464d8ebcd97c83cf5bc72dd84b30b0e2dc6a91a87ed97f11b03bcd084
SHA51246e2863deae3ce4fde48aa3e5d8a3b2ef1bc40908e94b344ffd74ee0bc1c4dd6a5a46170b9adeb2c573b2b84fd4f168b886eb81fe48c63833f6351073af5073f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize482B
MD5bfa9c1c9a913125d9b2decf7c0181cf8
SHA10f76b49c4f849425fbc27aa5cd28c715f4ed159d
SHA25691900dbc601ed857a294524298f8084f415beeb73a5d83320deeefd4b912f7c1
SHA5126515a8a515254259c225be3cfa126c617f8186c21020f538dfb9c269850c6d9afdbfa5114a87881780d3c236a0cf6d581883587b2569cacfc7da51c40ac0f19a
-
Filesize
9KB
MD59ead10c08e72ae41921191f8db39bc16
SHA1abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA2568d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a
-
Filesize
9KB
MD59ead10c08e72ae41921191f8db39bc16
SHA1abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA2568d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a
-
Filesize
9KB
MD59ead10c08e72ae41921191f8db39bc16
SHA1abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA2568d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a
-
C:\Users\Admin\AppData\Local\eb21fa04-2469-44e0-bfba-845e84ab170f\f969ddcaa91d3667396ef39dea56bb739120ef95f8d2e29281cc139bc9f301ef.exe
Filesize811KB
MD59324c0b47400cd5fc392a52e57aafd5f
SHA1da8b5b6db80edb0c995a4881f486442232827289
SHA256f969ddcaa91d3667396ef39dea56bb739120ef95f8d2e29281cc139bc9f301ef
SHA512afa4dce0280e636b73c31a9710bec5576b1083059fb18225bb3a4a6ab8cb641fa2aa600c2a9415e9a6871c082394075a74b55a94a6fe6e6fd41633e1432c2d79
-
Filesize
9KB
MD59ead10c08e72ae41921191f8db39bc16
SHA1abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA2568d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a
-
Filesize
9KB
MD59ead10c08e72ae41921191f8db39bc16
SHA1abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA2568d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a