Analysis

  • max time kernel
    143s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231127-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20231127-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    02-12-2023 10:25

General

  • Target

    NEAS.ae8c13e3aa1b5b5f4bd7870b47a0a408b462834a4b8efc19ffaa758b674eb054.exe

  • Size

    807KB

  • MD5

    c8f255dd1d501e90d5b383fe057d056b

  • SHA1

    66549427459c996431584a6d597e5b755f0f4bae

  • SHA256

    ae8c13e3aa1b5b5f4bd7870b47a0a408b462834a4b8efc19ffaa758b674eb054

  • SHA512

    0cf26c04a2c6abf39b684e9501cf0dbc82b0f8d0ecd3d53b62c192c2b1e31d548ea58ce2054f4be40f4afe5a7b7d398c99e75e2a0a62d5ab0070cca45dacff0c

  • SSDEEP

    24576:yQhoQwr33TTTXutUnq2/DFcrfun0EOAO7sHcQEzEJSgaBrI:yQho3r33DDdrhnXRpjJS

Malware Config

Extracted

Family

djvu

C2

http://zexeq.com/test1/get.php

Attributes
  • extension

    .jazi

  • offline_id

    UlJXrkKDIkENh0vb5W9For2Yyh6riGytjO5p2St1

  • payload_url

    http://brusuax.com/dl/build2.exe

    http://zexeq.com/files/1/build3.exe

  • ransomnote

    ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-iu965qqEb1 Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@freshmail.top Reserve e-mail address to contact us: datarestorehelpyou@airmail.cc Your personal ID: 0830Usdk

rsa_pubkey.plain

Signatures

  • Detected Djvu ransomware 9 IoCs
  • Djvu Ransomware

    Ransomware which is a variant of the STOP family.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Modifies file permissions 1 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.ae8c13e3aa1b5b5f4bd7870b47a0a408b462834a4b8efc19ffaa758b674eb054.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.ae8c13e3aa1b5b5f4bd7870b47a0a408b462834a4b8efc19ffaa758b674eb054.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4324
    • C:\Users\Admin\AppData\Local\Temp\NEAS.ae8c13e3aa1b5b5f4bd7870b47a0a408b462834a4b8efc19ffaa758b674eb054.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.ae8c13e3aa1b5b5f4bd7870b47a0a408b462834a4b8efc19ffaa758b674eb054.exe"
      2⤵
      • Checks computer location settings
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3272
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Users\Admin\AppData\Local\e0daa11d-c57c-4321-96da-0bb0df1d5734" /deny *S-1-1-0:(OI)(CI)(DE,DC)
        3⤵
        • Modifies file permissions
        PID:208
      • C:\Users\Admin\AppData\Local\Temp\NEAS.ae8c13e3aa1b5b5f4bd7870b47a0a408b462834a4b8efc19ffaa758b674eb054.exe
        "C:\Users\Admin\AppData\Local\Temp\NEAS.ae8c13e3aa1b5b5f4bd7870b47a0a408b462834a4b8efc19ffaa758b674eb054.exe" --Admin IsNotAutoStart IsNotTask
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4020
        • C:\Users\Admin\AppData\Local\Temp\NEAS.ae8c13e3aa1b5b5f4bd7870b47a0a408b462834a4b8efc19ffaa758b674eb054.exe
          "C:\Users\Admin\AppData\Local\Temp\NEAS.ae8c13e3aa1b5b5f4bd7870b47a0a408b462834a4b8efc19ffaa758b674eb054.exe" --Admin IsNotAutoStart IsNotTask
          4⤵
            PID:4308
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4308 -s 224
              5⤵
              • Program crash
              PID:3984
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4308 -ip 4308
      1⤵
        PID:4900

Network

MITRE ATT&CK Matrix ATT&CK v13

Persistence

  • Boot or Logon Autostart Execution (T1547): 1
  • Registry Run Keys / Startup Folder (T1547.001): 1

Privilege Escalation

  • Boot or Logon Autostart Execution (T1547): 1
  • Registry Run Keys / Startup Folder (T1547.001): 1

Defense Evasion

  • File and Directory Permissions Modification (T1222): 1
  • Modify Registry (T1112): 1

Discovery

  • Query Registry (T1012): 1
  • System Information Discovery (T1082): 2


Downloads

  • C:\Users\Admin\AppData\Local\e0daa11d-c57c-4321-96da-0bb0df1d5734\NEAS.ae8c13e3aa1b5b5f4bd7870b47a0a408b462834a4b8efc19ffaa758b674eb054.exe
    Filesize

    807KB

    MD5

    c8f255dd1d501e90d5b383fe057d056b

    SHA1

    66549427459c996431584a6d597e5b755f0f4bae

    SHA256

    ae8c13e3aa1b5b5f4bd7870b47a0a408b462834a4b8efc19ffaa758b674eb054

    SHA512

    0cf26c04a2c6abf39b684e9501cf0dbc82b0f8d0ecd3d53b62c192c2b1e31d548ea58ce2054f4be40f4afe5a7b7d398c99e75e2a0a62d5ab0070cca45dacff0c

  • memory/3272-3-0x0000000000400000-0x0000000000537000-memory.dmp
    Filesize

    1.2MB

  • memory/3272-4-0x0000000000400000-0x0000000000537000-memory.dmp
    Filesize

    1.2MB

  • memory/3272-5-0x0000000000400000-0x0000000000537000-memory.dmp
    Filesize

    1.2MB

  • memory/3272-6-0x0000000000400000-0x0000000000537000-memory.dmp
    Filesize

    1.2MB

  • memory/3272-15-0x0000000000400000-0x0000000000537000-memory.dmp
    Filesize

    1.2MB

  • memory/4020-18-0x0000000002500000-0x000000000259F000-memory.dmp
    Filesize

    636KB

  • memory/4308-20-0x0000000000400000-0x0000000000537000-memory.dmp
    Filesize

    1.2MB

  • memory/4308-21-0x0000000000400000-0x0000000000537000-memory.dmp
    Filesize

    1.2MB

  • memory/4308-23-0x0000000000400000-0x0000000000537000-memory.dmp
    Filesize

    1.2MB

  • memory/4324-1-0x00000000024A0000-0x0000000002540000-memory.dmp
    Filesize

    640KB

  • memory/4324-2-0x0000000002580000-0x000000000269B000-memory.dmp
    Filesize

    1.1MB