Analysis
max time kernel: 148s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-06-2023 01:33
Static task: static1
Behavioral task: behavioral1 (Sample: file.exe, Resource: win7-20230220-en)
Behavioral task: behavioral2 (Sample: file.exe, Resource: win10v2004-20230220-en)
General
Target: file.exe
Size: 750KB
MD5: 03483bad9b960538fe39ff5aab1a907a
SHA1: 444d08535d4d700a4259f27a056275d5b0a4610d
SHA256: c041c2a6e4803095086cc704bb84f9c7b377c6c4720bc45f76fc93fb53beb1fd
SHA512: 91474555982ac716f407367b5f91e3544a1a877c1f436c1fbeeb24e1fbb5d822588b9d2da767d0179a180313469051cb8cd8169c9df44a0645084cffdc6a2774
SSDEEP: 12288:T5fbu5mbzSITzDOR3TgKOl1XHcaeS+lQS4qEuqLMUmLjpLfP+b0:T5fdnSWOXcHBeS+W/qEdMUmRL3+
Malware Config
Extracted
Family: djvu
C2: http://zexeq.com/test1/get.php
extension: .nerz
offline_id: 0vTA6MA1m5nzrdffOCJC7YmAa4Lp6YNN8lOJ4mt1
payload_url: http://colisumy.com/dl/build2.exe
payload_url: http://zexeq.com/files/1/build3.exe
ransomnote:
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-vc50LyB2yb Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@freshmail.top Reserve e-mail address to contact us: datarestorehelp@airmail.cc Your personal ID: 0722JOsie
Signatures

Detected Djvu ransomware (17 IoCs)
Processes:
resource | yara_rule
behavioral2/memory/1292-134-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral2/memory/1292-135-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral2/memory/1292-137-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral2/memory/3676-136-0x0000000004A60000-0x0000000004B7B000-memory.dmp | family_djvu
behavioral2/memory/1292-138-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral2/memory/1292-149-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral2/memory/3944-153-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral2/memory/3944-154-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral2/memory/3944-155-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral2/memory/3944-162-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral2/memory/3944-163-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral2/memory/3944-167-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral2/memory/3944-169-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral2/memory/3944-170-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral2/memory/3944-171-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral2/memory/3944-172-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral2/memory/3944-183-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Downloads MZ/PE file
-
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, most likely as a geofence check.
Processes: file.exe, file.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation | file.exe
Key value queried | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation | file.exe
Executes dropped EXE (2 IoCs)
Processes:
pid | process
4232 | build3.exe
1672 | mstsca.exe

Modifies file permissions (1 TTPs, 1 IoCs)
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: file.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\a7ff7e6b-6178-49f9-b2a7-b64f342ca114\\file.exe\" --AutoStart" | file.exe
Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
9 | api.2ip.ua
10 | api.2ip.ua
25 | api.2ip.ua
Suspicious use of SetThreadContext (2 IoCs)
Processes: file.exe, file.exe
description | pid | process | target process
PID 3676 set thread context of 1292 | 3676 | file.exe | file.exe
PID 4328 set thread context of 3944 | 4328 | file.exe | file.exe
In both cases the parent spawns a child from its own image, writes into it (see WriteProcessMemory below) and then resets the child's thread context, and the family_djvu YARA hits land in the children's 0x400000-0x537000 image range: the usual process-hollowing pattern, with the real payload living only in the hollowed children (1292, 3944).
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
4980 | schtasks.exe
1712 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
pid | process
1292 | file.exe
1292 | file.exe
3944 | file.exe
3944 | file.exe
Suspicious use of WriteProcessMemory (35 IoCs)
Processes: file.exe, file.exe, file.exe, file.exe, build3.exe, mstsca.exe
source pid -> target pid | source process | target process | writes
3676 -> 1292 | file.exe | file.exe | 10
1292 -> 1528 | file.exe | icacls.exe | 3
1292 -> 4328 | file.exe | file.exe | 3
4328 -> 3944 | file.exe | file.exe | 10
3944 -> 4232 | file.exe | build3.exe | 3
4232 -> 4980 | build3.exe | schtasks.exe | 3
1672 -> 1712 | mstsca.exe | schtasks.exe | 3
The groups of three writes accompany every ordinary child launch in this run (icacls.exe, schtasks.exe, build3.exe); the two groups of ten target the same-image children that also received SetThreadContext, which is where the hollowed payload is written.
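The following host-triage script is an added example and is not part of the sandbox report. It checks a Windows host for the indicators the signatures above describe: the SysHelper Run value, the Azure-Update-Task scheduled task, the mstsca.exe copy under AppData\Roaming\Microsoft\Network, executables in GUID-named folders under AppData\Local matched against the report's SHA256 values, the Everyone (S-1-1-0) Deny ACE that icacls sets on that folder, and files carrying the .nerz extension from the extracted config. Paths, names and hashes are taken from this report; the function names and the GUID-folder pattern are my own assumptions.

```powershell
# Added example (not from the report): check a Windows host for this sample's indicators.
# Names, paths and hashes are taken from the report; function names are my own.
# Run elevated so every loaded user hive, scheduled task and profile directory is readable.

$KnownSha256 = @{
    'c041c2a6e4803095086cc704bb84f9c7b377c6c4720bc45f76fc93fb53beb1fd' = 'file.exe (djvu loader)'
    '8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0' = 'build3.exe / mstsca.exe (dropped payload)'
}
# Assumed pattern for the a7ff7e6b-6178-... style folder names the loader creates.
$GuidDir = '^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$'

function Get-GuidFolderUnderLocalAppData {
    # The loader copies itself into %LOCALAPPDATA%\<GUID>\; enumerate such folders for every profile.
    foreach ($profile in Get-ChildItem 'C:\Users' -Directory) {
        Get-ChildItem (Join-Path $profile.FullName 'AppData\Local') -Directory -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match $GuidDir }
    }
}

function Test-DjvuRunKey {
    # Run\SysHelper = "<GUID folder>\file.exe" --AutoStart, written under the victim's HKCU hive.
    foreach ($hive in Get-ChildItem Registry::HKEY_USERS) {
        $key = "Registry::$($hive.Name)\Software\Microsoft\Windows\CurrentVersion\Run"
        $val = Get-ItemProperty -Path $key -Name SysHelper -ErrorAction SilentlyContinue
        if ($val) { [pscustomobject]@{ Indicator = 'Run key'; Location = $key; Detail = $val.SysHelper } }
    }
}

function Test-DjvuScheduledTask {
    # build3.exe / mstsca.exe register "Azure-Update-Task" with /sc minute /mo 1.
    foreach ($task in Get-ScheduledTask -TaskName 'Azure-Update-Task' -ErrorAction SilentlyContinue) {
        [pscustomobject]@{
            Indicator = 'Scheduled task'
            Location  = $task.TaskPath + $task.TaskName
            Detail    = ($task.Actions | ForEach-Object { $_.Execute }) -join '; '
        }
    }
}

function Test-DjvuDroppedFile {
    # Hash the locations the report shows being written and compare with the known SHA256 values.
    $paths = @(
        foreach ($profile in Get-ChildItem 'C:\Users' -Directory) {
            Join-Path $profile.FullName 'AppData\Roaming\Microsoft\Network\mstsca.exe'
        }
        Get-GuidFolderUnderLocalAppData | Get-ChildItem -Filter *.exe -File -ErrorAction SilentlyContinue | ForEach-Object FullName
    )
    foreach ($p in $paths | Where-Object { Test-Path -LiteralPath $_ }) {
        $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash.ToLower()
        if ($KnownSha256.ContainsKey($hash)) {
            [pscustomobject]@{ Indicator = 'Dropped file'; Location = $p; Detail = $KnownSha256[$hash] }
        }
    }
}

function Test-DjvuDenyAce {
    # icacls "<GUID folder>" /deny *S-1-1-0:(OI)(CI)(DE,DC) adds a Deny ACE for Everyone on
    # Delete and DeleteSubdirectoriesAndFiles so the user cannot remove the loader's copy.
    foreach ($dir in Get-GuidFolderUnderLocalAppData) {
        $deny = (Get-Acl -LiteralPath $dir.FullName).Access | Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            $_.IdentityReference.Value -in @('Everyone', 'S-1-1-0') -and
            ([int]$_.FileSystemRights -band [int][System.Security.AccessControl.FileSystemRights]::Delete) -ne 0
        }
        if ($deny) { [pscustomobject]@{ Indicator = 'Deny ACE'; Location = $dir.FullName; Detail = 'Everyone denied Delete' } }
    }
}

function Test-DjvuEncryptedFile {
    # The extracted config appends ".nerz"; count such files per profile as a damage estimate.
    foreach ($profile in Get-ChildItem 'C:\Users' -Directory) {
        $n = (Get-ChildItem -LiteralPath $profile.FullName -Recurse -File -Filter '*.nerz' -ErrorAction SilentlyContinue | Measure-Object).Count
        if ($n -gt 0) { [pscustomobject]@{ Indicator = 'Encrypted files'; Location = $profile.FullName; Detail = "$n files with .nerz extension" } }
    }
}

function Invoke-DjvuTriage {
    @(
        Test-DjvuRunKey
        Test-DjvuScheduledTask
        Test-DjvuDroppedFile
        Test-DjvuDenyAce
        Test-DjvuEncryptedFile
    )
}

$findings = Invoke-DjvuTriage
if ($findings) { $findings | Format-Table -AutoSize -Wrap } else { 'No indicators from this report found.' }
```

The Deny ACE check is the one most worth keeping even after the loader is gone: a GUID-named folder under AppData\Local that Everyone is forbidden to delete is not something legitimate software leaves behind, and it survives reboots and AV quarantine of the executable inside it. Remove it with `icacls <folder> /remove:d *S-1-1-0` from an elevated prompt before deleting the folder.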
Processes

1. C:\Users\Admin\AppData\Local\Temp\file.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\file.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
      - Checks computer location settings
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\icacls.exe
         Command line: icacls "C:\Users\Admin\AppData\Local\a7ff7e6b-6178-49f9-b2a7-b64f342ca114" /deny *S-1-1-0:(OI)(CI)(DE,DC)
         - Modifies file permissions
      3. C:\Users\Admin\AppData\Local\Temp\file.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe" --Admin IsNotAutoStart IsNotTask
         - Suspicious use of SetThreadContext
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\file.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe" --Admin IsNotAutoStart IsNotTask
            - Checks computer location settings
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory
            5. C:\Users\Admin\AppData\Local\8287ace7-842f-4e8c-b03a-9d87edf5087b\build3.exe
               Command line: "C:\Users\Admin\AppData\Local\8287ace7-842f-4e8c-b03a-9d87edf5087b\build3.exe"
               - Executes dropped EXE
               - Suspicious use of WriteProcessMemory
               6. C:\Windows\SysWOW64\schtasks.exe
                  Command line: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
                  - Creates scheduled task(s)

1. C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
   Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\schtasks.exe
      Command line: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
      - Creates scheduled task(s)
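The command lines in the tree above are exactly what process-creation telemetry (Sysmon Event ID 1, Security event 4688) records, so here is an added detection example, not part of the report: a small rule set over such events, exercised on sample events constructed from this tree plus one benign scheduled-task line as a control. The pipe-separated input format, the rule names and the benign line are my own assumptions; the paths and arguments are this report's.

```powershell
# Added example (not from the report): detection rules over process-creation events,
# run against sample events constructed from the process tree above.
# The ParentImage|Image|CommandLine format is invented here; adapt the parser to
# Sysmon Event ID 1 or Security 4688 fields in your own telemetry.

$Guid       = '[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}'
$NetworkDir = '\\AppData\\Roaming\\Microsoft\\Network\\[^\\]+\.exe$'

$Rules = @(
    @{ Name = 'schtasks: minute-interval task running from a user profile'
       Test = { param($e)
                $e.Image -match '\\schtasks\.exe$' -and
                $e.CommandLine -match '/create' -and
                $e.CommandLine -match '/sc\s+minute' -and
                $e.CommandLine -match '/tr\s+"?[A-Z]:\\Users\\[^"]*\\AppData\\' } }
    @{ Name = 'icacls: Everyone denied delete on an AppData\Local GUID folder'
       Test = { param($e)
                $e.Image -match '\\icacls\.exe$' -and
                $e.CommandLine -match "AppData\\Local\\$Guid" -and
                $e.CommandLine -match '/deny\s+\*S-1-1-0' } }
    @{ Name = 'loader relaunches itself with --Admin / --AutoStart'
       Test = { param($e)
                $e.ParentImage -eq $e.Image -and
                $e.CommandLine -match '\s--(Admin|AutoStart)\b' } }
    @{ Name = 'executable under AppData\Roaming\Microsoft\Network'
       Test = { param($e) $e.Image -match $NetworkDir -or $e.ParentImage -match $NetworkDir } }
)

# Constructed from the process tree in this report. The last line is a made-up benign
# control (a daily vendor updater task) that the rules must not flag.
$SampleEvents = @'
C:\Users\Admin\AppData\Local\Temp\file.exe|C:\Users\Admin\AppData\Local\Temp\file.exe|"C:\Users\Admin\AppData\Local\Temp\file.exe"
C:\Users\Admin\AppData\Local\Temp\file.exe|C:\Windows\SysWOW64\icacls.exe|icacls "C:\Users\Admin\AppData\Local\a7ff7e6b-6178-49f9-b2a7-b64f342ca114" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\file.exe|C:\Users\Admin\AppData\Local\Temp\file.exe|"C:\Users\Admin\AppData\Local\Temp\file.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\file.exe|C:\Users\Admin\AppData\Local\8287ace7-842f-4e8c-b03a-9d87edf5087b\build3.exe|"C:\Users\Admin\AppData\Local\8287ace7-842f-4e8c-b03a-9d87edf5087b\build3.exe"
C:\Users\Admin\AppData\Local\8287ace7-842f-4e8c-b03a-9d87edf5087b\build3.exe|C:\Windows\SysWOW64\schtasks.exe|/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe|C:\Windows\SysWOW64\schtasks.exe|/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Windows\System32\svchost.exe|C:\Windows\System32\schtasks.exe|schtasks /create /sc daily /tn "VendorUpdateTask" /tr "C:\Program Files\Vendor\update.exe"
'@

function ConvertFrom-SampleEvent {
    # Split each line into its three fields; the command line may itself contain quotes.
    param([string]$Text)
    foreach ($line in ($Text -split "`r?`n" | Where-Object { $_.Trim() })) {
        $f = $line -split '\|', 3
        [pscustomobject]@{ ParentImage = $f[0]; Image = $f[1]; CommandLine = $f[2] }
    }
}

function Find-DjvuBehaviour {
    # Emit one finding per (event, matching rule) pair.
    param([Parameter(ValueFromPipeline = $true)] $Record)
    process {
        foreach ($rule in $Rules) {
            if (& $rule.Test $Record) {
                [pscustomobject]@{ Rule = $rule.Name; Image = $Record.Image; CommandLine = $Record.CommandLine }
            }
        }
    }
}

ConvertFrom-SampleEvent $SampleEvents | Find-DjvuBehaviour | Format-Table -AutoSize -Wrap
```

On the constructed input the icacls line, the `--Admin` relaunch and both schtasks lines are flagged (the second schtasks line twice, once for the minute-interval task and once for its mstsca.exe parent), while the benign daily task is not. The first event, the hollowed child that carries the same image and command line as its parent, is invisible to command-line rules; catching it needs the SetThreadContext/WriteProcessMemory API telemetry shown in the signatures, or a memory scan with the family_djvu rule.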
Downloads

The four CryptnetUrlCache entries are CryptoAPI's cache of fetched certificate data (CRLs and certificates), created as a side effect of TLS or signature checks during the run; they are not files written by the sample.

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize: 2KB
MD5: 72cce08db064d193dd1c8db96e30a0e7
SHA1: a76ef6bbfb2cadde26e7d713e9a71a8818d68991
SHA256: e904584bfbd2b92b1b9063f660abbe337c58e623ca78df5107f036d272d66c38
SHA512: e1d719a6a5d446c2b3348930cfcea61f85cff76adc38948dfb144aa7f95eac5453d7787706bca70ce75de931724cff7e6e146f9b662e34eb36d948995fbca1f4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize: 1KB
MD5: e5ef4e3f5fd7934cb9c76b42b58ea45c
SHA1: c76f9fad9a12335d281771454f657036efc5881a
SHA256: 3b247db7937565d22f6455fb744771e14de3380d133192e00a8f5fadf6492bdb
SHA512: 1f18d5a9aead87cf00682a6fccdfc2896d29a92f808491fb0c1a97a86941734d9c6f1dee6786a9151eba488916d84c220c6ae78a93c1246301de73c2d034373f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize: 488B
MD5: 8e6928897c2535c71b929f89345cb11e
SHA1: 8b289b5a4c7fa12a84fa8f76aae322601d21acb6
SHA256: bcd9b954f1eba7d72176bce55fd4986457830d6f4afe0186767714004ba5e902
SHA512: 1a7cf222ea186178ed23cfc99e301b3ecc9e0591132071dfd8aaa7f1d01991b48115d64ab964d0825e03d43d5cfc971e30b6a32c6b6f1cc688f7648ddc420123

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize: 482B
MD5: 4dc2043a2f50f62a60b4a9001e86fca9
SHA1: baf05e9627dbe1b15760b7f9d8236a66317018a5
SHA256: dfca2a52c375727c5ded0b613060ea8ef0597f283f11769b374563ead3bdca76
SHA512: 5daa16aa793bc4e3eaf6af96d7753d5afde079c34f84f389c5bbc18f993aedd59db5df8981aa48d51d918fc6a91ec85d4d8210376d4fd4b55a3591273208ecba

C:\Users\Admin\AppData\Local\8287ace7-842f-4e8c-b03a-9d87edf5087b\build3.exe (listed three times in the report with identical hashes)
Filesize: 9KB
MD5: 9ead10c08e72ae41921191f8db39bc16
SHA1: abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256: 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512: aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

C:\Users\Admin\AppData\Local\a7ff7e6b-6178-49f9-b2a7-b64f342ca114\file.exe (byte-identical copy of the submitted sample)
Filesize: 750KB
MD5: 03483bad9b960538fe39ff5aab1a907a
SHA1: 444d08535d4d700a4259f27a056275d5b0a4610d
SHA256: c041c2a6e4803095086cc704bb84f9c7b377c6c4720bc45f76fc93fb53beb1fd
SHA512: 91474555982ac716f407367b5f91e3544a1a877c1f436c1fbeeb24e1fbb5d822588b9d2da767d0179a180313469051cb8cd8169c9df44a0645084cffdc6a2774

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe (listed twice in the report; same hashes as build3.exe, so this is build3.exe copied to its persistence location)
Filesize: 9KB
MD5: 9ead10c08e72ae41921191f8db39bc16
SHA1: abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256: 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512: aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a
memory/1292-149-0x0000000000400000-0x0000000000537000-memory.dmp  Filesize: 1.2MB
memory/1292-134-0x0000000000400000-0x0000000000537000-memory.dmp  Filesize: 1.2MB
memory/1292-135-0x0000000000400000-0x0000000000537000-memory.dmp  Filesize: 1.2MB
memory/1292-137-0x0000000000400000-0x0000000000537000-memory.dmp  Filesize: 1.2MB
memory/1292-138-0x0000000000400000-0x0000000000537000-memory.dmp  Filesize: 1.2MB
memory/3676-136-0x0000000004A60000-0x0000000004B7B000-memory.dmp  Filesize: 1.1MB
memory/3944-163-0x0000000000400000-0x0000000000537000-memory.dmp  Filesize: 1.2MB
memory/3944-169-0x0000000000400000-0x0000000000537000-memory.dmp  Filesize: 1.2MB
memory/3944-170-0x0000000000400000-0x0000000000537000-memory.dmp  Filesize: 1.2MB
memory/3944-171-0x0000000000400000-0x0000000000537000-memory.dmp  Filesize: 1.2MB
memory/3944-172-0x0000000000400000-0x0000000000537000-memory.dmp  Filesize: 1.2MB
memory/3944-167-0x0000000000400000-0x0000000000537000-memory.dmp  Filesize: 1.2MB
memory/3944-183-0x0000000000400000-0x0000000000537000-memory.dmp  Filesize: 1.2MB
memory/3944-155-0x0000000000400000-0x0000000000537000-memory.dmp  Filesize: 1.2MB
memory/3944-162-0x0000000000400000-0x0000000000537000-memory.dmp  Filesize: 1.2MB
memory/3944-153-0x0000000000400000-0x0000000000537000-memory.dmp  Filesize: 1.2MB
memory/3944-154-0x0000000000400000-0x0000000000537000-memory.dmp  Filesize: 1.2MB