Analysis
-
max time kernel
258s -
max time network
298s -
platform
windows7_x64 -
resource
win7-20230831-en -
resource tags
-
submitted
11/10/2023, 20:50
General
-
Target
dc22f70898991db18ea5974191e1509bdb7a10bfc3b02333a4965af6374a0375.exe
-
Size
817KB
-
MD5
c082d1ba8c66d2c5adee770992c8c249
-
SHA1
b32b610c10181cd4dad3c40e7a86c709f6127fc2
-
SHA256
dc22f70898991db18ea5974191e1509bdb7a10bfc3b02333a4965af6374a0375
-
SHA512
ceb59c18fff468974b2c4f35922459d8be91d760368fbda9e1e6d9e485e53848a6745db0a9375e7be13d16f7362cf21f87e256be1d9cae31233c88726199e194
-
SSDEEP
12288:YBDAUXwqzvevScTOFyqOEhz3txgdEGtKGjRQR/q18co3jqCHJT:VWzWvS7FNOEJ3Mdt8GQpcuJ
Malware Config
Extracted
djvu
http://zexeq.com/lancer/get.php
-
extension
.azop
-
offline_id
GQ9DjFmWFDqpsyzsOnaxE1Xr4MPL1dG4vPfPDNt1
-
payload_url
http://colisumy.com/dl/build2.exe
http://zexeq.com/files/1/build3.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-e5pgPH03fe Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0792
Signatures
-
Detected Djvu ransomware 16 IoCs
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Downloads MZ/PE file
-
Modifies file permissions 1 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of WriteProcessMemory 30 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\dc22f70898991db18ea5974191e1509bdb7a10bfc3b02333a4965af6374a0375.exe"C:\Users\Admin\AppData\Local\Temp\dc22f70898991db18ea5974191e1509bdb7a10bfc3b02333a4965af6374a0375.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\dc22f70898991db18ea5974191e1509bdb7a10bfc3b02333a4965af6374a0375.exe"C:\Users\Admin\AppData\Local\Temp\dc22f70898991db18ea5974191e1509bdb7a10bfc3b02333a4965af6374a0375.exe"2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\b557fc64-0b89-406c-a3a1-bc701dfbacc6" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
-
-
C:\Users\Admin\AppData\Local\Temp\dc22f70898991db18ea5974191e1509bdb7a10bfc3b02333a4965af6374a0375.exe"C:\Users\Admin\AppData\Local\Temp\dc22f70898991db18ea5974191e1509bdb7a10bfc3b02333a4965af6374a0375.exe" --Admin IsNotAutoStart IsNotTask3⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\dc22f70898991db18ea5974191e1509bdb7a10bfc3b02333a4965af6374a0375.exe"C:\Users\Admin\AppData\Local\Temp\dc22f70898991db18ea5974191e1509bdb7a10bfc3b02333a4965af6374a0375.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\377fe1d0-9b1d-4b10-ba47-b591a543e164\build2.exe"C:\Users\Admin\AppData\Local\377fe1d0-9b1d-4b10-ba47-b591a543e164\build2.exe"5⤵
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5923f6e4d45a5884f0abbfe60aaf2a972
SHA1b77ca54adace5c1e34615832c53f9f7f3ee02887
SHA25645c2b4583dd60ac1d507af81ee09b636d4605f246c7596526e26d1a8d4af4df1
SHA51272f0bfdb3dd6a0b9f8dd9a14e7f6f410f16ff7e516f110266bd8c87d7a81a27e6174a3ccabd80c828e50867e129d895ff93de1c45b1cdb70e2024139c14efa98
-
Filesize
724B
MD58202a1cd02e7d69597995cabbe881a12
SHA18858d9d934b7aa9330ee73de6c476acf19929ff6
SHA25658f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA51297ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9
-
Filesize
184B
MD51b5ade94a90a8394d42a4fa50ca6da54
SHA18c33f7d71d91df0963f7082cd709a8b07435cff5
SHA2562016baa8359b607231ecba9011e4df785ce133052826927a1e84d69cc789c8bb
SHA51209d0048f4e634d5a8556eb540edc4585a2219c757edca9597015d13daa7547300af33eb03a5f27a89c0cd0db9b4a451701fe0d73631a92482119fa37b0b460c5
-
Filesize
344B
MD55741f140f018a70c91fc3858754e84a0
SHA10eb444c08beea58229f690d42e5b100644d12606
SHA2560229c2e266671b7a16b05a3d9743539919c39b3a616fe3a764c75c713e95c9ee
SHA512cc1337621f2e964236e69122bef7b9c97f0507cce505999b15525d00d6762fec375536e68642945e84c73223b98f9a1d4c7c1771824da9688fc46c6e68fd30ca
-
Filesize
392B
MD53f7ad90f34950908782aad7fac802d89
SHA12ab00870da140a2a999d1eb2b81a40fda9351ef9
SHA25676d59f7c8fa04fd8aa3229b598f92bb56b7ca857fa0763994214b783755e2e6a
SHA512e4664f531fe3f3e2d0be8dd61dd4ef15cc49bbf2a531f7628b430ce5fe744da68e114bb471fd708fa568573fa5436a2bb1c816b72e0f8121febc6847ee903f98
-
Filesize
404KB
MD522f2fd94f57b71f36a31ea18be7d4b34
SHA1a8dc0a1af7978fea291f5306f1937a90ac9b6b5b
SHA256bf1d4645972f8a10ef66d4343d0b3dc5b66ea2050a061e8194e6858a88220454
SHA5125b1811dbded599cf9580efe2093594b31204404ec3f69f8c061fac1f2eee261f9837adf63a4c55a206d39f9071ade5b663615ba05d9a023c69a7f2b0f6bcf173
-
Filesize
404KB
MD522f2fd94f57b71f36a31ea18be7d4b34
SHA1a8dc0a1af7978fea291f5306f1937a90ac9b6b5b
SHA256bf1d4645972f8a10ef66d4343d0b3dc5b66ea2050a061e8194e6858a88220454
SHA5125b1811dbded599cf9580efe2093594b31204404ec3f69f8c061fac1f2eee261f9837adf63a4c55a206d39f9071ade5b663615ba05d9a023c69a7f2b0f6bcf173
-
Filesize
61KB
MD5f3441b8572aae8801c04f3060b550443
SHA14ef0a35436125d6821831ef36c28ffaf196cda15
SHA2566720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA5125ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9
-
Filesize
817KB
MD5c082d1ba8c66d2c5adee770992c8c249
SHA1b32b610c10181cd4dad3c40e7a86c709f6127fc2
SHA256dc22f70898991db18ea5974191e1509bdb7a10bfc3b02333a4965af6374a0375
SHA512ceb59c18fff468974b2c4f35922459d8be91d760368fbda9e1e6d9e485e53848a6745db0a9375e7be13d16f7362cf21f87e256be1d9cae31233c88726199e194
-
Filesize
404KB
MD522f2fd94f57b71f36a31ea18be7d4b34
SHA1a8dc0a1af7978fea291f5306f1937a90ac9b6b5b
SHA256bf1d4645972f8a10ef66d4343d0b3dc5b66ea2050a061e8194e6858a88220454
SHA5125b1811dbded599cf9580efe2093594b31204404ec3f69f8c061fac1f2eee261f9837adf63a4c55a206d39f9071ade5b663615ba05d9a023c69a7f2b0f6bcf173
-
Filesize
404KB
MD522f2fd94f57b71f36a31ea18be7d4b34
SHA1a8dc0a1af7978fea291f5306f1937a90ac9b6b5b
SHA256bf1d4645972f8a10ef66d4343d0b3dc5b66ea2050a061e8194e6858a88220454
SHA5125b1811dbded599cf9580efe2093594b31204404ec3f69f8c061fac1f2eee261f9837adf63a4c55a206d39f9071ade5b663615ba05d9a023c69a7f2b0f6bcf173
-
Filesize
584KB
-
Filesize
584KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
4KB
-
Filesize
584KB
-
Filesize
584KB
-
Filesize
1.1MB
-
Filesize
584KB