Overview

overview

10

Static

static

3

NEAS.ae8c1...54.exe

windows7-x64

10

NEAS.ae8c1...54.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231127-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-12-2023 10:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.ae8c13e3aa1b5b5f4bd7870b47a0a408b462834a4b8efc19ffaa758b674eb054.exe

  • Size

    807KB

  • MD5

    c8f255dd1d501e90d5b383fe057d056b

  • SHA1

    66549427459c996431584a6d597e5b755f0f4bae

  • SHA256

    ae8c13e3aa1b5b5f4bd7870b47a0a408b462834a4b8efc19ffaa758b674eb054

  • SHA512

    0cf26c04a2c6abf39b684e9501cf0dbc82b0f8d0ecd3d53b62c192c2b1e31d548ea58ce2054f4be40f4afe5a7b7d398c99e75e2a0a62d5ab0070cca45dacff0c

  • SSDEEP

    24576:yQhoQwr33TTTXutUnq2/DFcrfun0EOAO7sHcQEzEJSgaBrI:yQho3r33DDdrhnXRpjJS

Score
10/10
djvudiscoverypersistenceransomware

Malware Config

Extracted

Family

djvu

C2

http://zexeq.com/test1/get.php

Attributes
  • extension

    .jazi

  • offline_id

    UlJXrkKDIkENh0vb5W9For2Yyh6riGytjO5p2St1

  • payload_url

    http://brusuax.com/dl/build2.exe

    http://zexeq.com/files/1/build3.exe

  • ransomnote

    ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-iu965qqEb1 Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0830Usdk

rsa_pubkey.plain

Signatures

  • Detected Djvu ransomware 9 IoCs
  • Djvu Ransomware

    Ransomware which is a variant of the STOP family.

    ransomwaredjvu
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.ae8c13e3aa1b5b5f4bd7870b47a0a408b462834a4b8efc19ffaa758b674eb054.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.ae8c13e3aa1b5b5f4bd7870b47a0a408b462834a4b8efc19ffaa758b674eb054.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4324
    • C:\Users\Admin\AppData\Local\Temp\NEAS.ae8c13e3aa1b5b5f4bd7870b47a0a408b462834a4b8efc19ffaa758b674eb054.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.ae8c13e3aa1b5b5f4bd7870b47a0a408b462834a4b8efc19ffaa758b674eb054.exe"
      2⤵
      • Checks computer location settings
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3272
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Users\Admin\AppData\Local\e0daa11d-c57c-4321-96da-0bb0df1d5734" /deny *S-1-1-0:(OI)(CI)(DE,DC)
        3⤵
        • Modifies file permissions
        PID:208
      • C:\Users\Admin\AppData\Local\Temp\NEAS.ae8c13e3aa1b5b5f4bd7870b47a0a408b462834a4b8efc19ffaa758b674eb054.exe
        "C:\Users\Admin\AppData\Local\Temp\NEAS.ae8c13e3aa1b5b5f4bd7870b47a0a408b462834a4b8efc19ffaa758b674eb054.exe" --Admin IsNotAutoStart IsNotTask
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4020
        • C:\Users\Admin\AppData\Local\Temp\NEAS.ae8c13e3aa1b5b5f4bd7870b47a0a408b462834a4b8efc19ffaa758b674eb054.exe
          "C:\Users\Admin\AppData\Local\Temp\NEAS.ae8c13e3aa1b5b5f4bd7870b47a0a408b462834a4b8efc19ffaa758b674eb054.exe" --Admin IsNotAutoStart IsNotTask
          4⤵
            PID:4308
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4308 -s 224
              5⤵
              • Program crash
              PID:3984
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4308 -ip 4308
      1⤵
        PID:4900

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Persistence

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Privilege Escalation

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Defense Evasion

      File and Directory Permissions Modification

      1
      T1222

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\e0daa11d-c57c-4321-96da-0bb0df1d5734\NEAS.ae8c13e3aa1b5b5f4bd7870b47a0a408b462834a4b8efc19ffaa758b674eb054.exe
        Filesize

        807KB

        MD5

        c8f255dd1d501e90d5b383fe057d056b

        SHA1

        66549427459c996431584a6d597e5b755f0f4bae

        SHA256

        ae8c13e3aa1b5b5f4bd7870b47a0a408b462834a4b8efc19ffaa758b674eb054

        SHA512

        0cf26c04a2c6abf39b684e9501cf0dbc82b0f8d0ecd3d53b62c192c2b1e31d548ea58ce2054f4be40f4afe5a7b7d398c99e75e2a0a62d5ab0070cca45dacff0c

        Download Submit
      • memory/3272-3-0x0000000000400000-0x0000000000537000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/3272-4-0x0000000000400000-0x0000000000537000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/3272-5-0x0000000000400000-0x0000000000537000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/3272-6-0x0000000000400000-0x0000000000537000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/3272-15-0x0000000000400000-0x0000000000537000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/4020-18-0x0000000002500000-0x000000000259F000-memory.dmp
        Filesize

        636KB

        Download
      • memory/4308-20-0x0000000000400000-0x0000000000537000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/4308-21-0x0000000000400000-0x0000000000537000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/4308-23-0x0000000000400000-0x0000000000537000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/4324-1-0x00000000024A0000-0x0000000002540000-memory.dmp
        Filesize

        640KB

        Download
      • memory/4324-2-0x0000000002580000-0x000000000269B000-memory.dmp
        Filesize

        1.1MB

        Download