Resubmissions
24/12/2023, 18:24
231224-w112ksffdr 1024/12/2023, 18:21
231224-wzcycsfchm 1007/11/2023, 17:16
231107-vs31jadh73 10Analysis
-
max time kernel
147s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
24/12/2023, 18:21
General
-
Target
95e9cb14d98addba28afd394f68a90d4500fa5396a6b27fdbe5024bd17f972b4.exe
-
Size
765KB
-
MD5
52f22c2a5b2c339e75f176bf5bfcb3f3
-
SHA1
0a3b96aa59d5eda04c731bfb9c2ba7fef997d1b9
-
SHA256
95e9cb14d98addba28afd394f68a90d4500fa5396a6b27fdbe5024bd17f972b4
-
SHA512
ec5f24367c46ff558110022ad8e1106fe5d1d9b9f94cf423b0cd1e1cd7d5ee3111e16cc12ccf3d6e65c5a5d5358691726172e33fb6338e1b7291be9566766da8
-
SSDEEP
12288:mokzmesNcOJCG4jm2E2SLZJsiXlg8XGB2P3yo1jaUPC4t56ha6DJof5:izk/QDo2SVJsylBXjVNPyvu
Malware Config
Extracted
djvu
http://zexeq.com/test1/get.php
-
extension
.jzeq
-
offline_id
4FMaMDK6uqPZOxJj64677pqiSGF54A1Dam9zfUt1
-
payload_url
http://colisumy.com/dl/build2.exe
http://zexeq.com/files/1/build3.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-TAbs6oTGSU Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0821ASdw
Signatures
-
Detected Djvu ransomware 14 IoCs
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Downloads MZ/PE file
-
Executes dropped EXE 6 IoCs
-
Loads dropped DLL 2 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\95e9cb14d98addba28afd394f68a90d4500fa5396a6b27fdbe5024bd17f972b4.exe"C:\Users\Admin\AppData\Local\Temp\95e9cb14d98addba28afd394f68a90d4500fa5396a6b27fdbe5024bd17f972b4.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\95e9cb14d98addba28afd394f68a90d4500fa5396a6b27fdbe5024bd17f972b4.exe"C:\Users\Admin\AppData\Local\Temp\95e9cb14d98addba28afd394f68a90d4500fa5396a6b27fdbe5024bd17f972b4.exe"2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\1f2f931c-0057-4f9c-b52b-e79970f4150b" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
-
-
C:\Users\Admin\AppData\Local\Temp\95e9cb14d98addba28afd394f68a90d4500fa5396a6b27fdbe5024bd17f972b4.exe"C:\Users\Admin\AppData\Local\Temp\95e9cb14d98addba28afd394f68a90d4500fa5396a6b27fdbe5024bd17f972b4.exe" --Admin IsNotAutoStart IsNotTask3⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\95e9cb14d98addba28afd394f68a90d4500fa5396a6b27fdbe5024bd17f972b4.exe"C:\Users\Admin\AppData\Local\Temp\95e9cb14d98addba28afd394f68a90d4500fa5396a6b27fdbe5024bd17f972b4.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\b15bd37f-9427-4ad4-9348-7f9a9b4a71dd\build3.exe"C:\Users\Admin\AppData\Local\b15bd37f-9427-4ad4-9348-7f9a9b4a71dd\build3.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\b15bd37f-9427-4ad4-9348-7f9a9b4a71dd\build3.exe"C:\Users\Admin\AppData\Local\b15bd37f-9427-4ad4-9348-7f9a9b4a71dd\build3.exe"6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"1⤵
- Creates scheduled task(s)
-
C:\Windows\system32\taskeng.exetaskeng.exe {69F7EA45-4A8E-4F06-AA6C-B15168E4C472} S-1-5-21-3818056530-936619650-3554021955-1000:SFVRQGEO\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"1⤵
- Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5ad1b831e6b39763c118dd6bf34d8641a
SHA143e23a3d91315736f59751521ade3224f45ece86
SHA256fe673f5da906667a2f5b08f086d292da711c854fce0268f8e4ed7d4d6e62d58a
SHA512cabe0d43a8bc792b9725af5bdb918a7edfe4e7542771cceb57d8686fab0c2c1a5201346f8e960ee31cfa46c1c291d59bcee04b867ff43dfea2520066c8da3fc1
-
Filesize
724B
MD58202a1cd02e7d69597995cabbe881a12
SHA18858d9d934b7aa9330ee73de6c476acf19929ff6
SHA25658f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA51297ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9
-
Filesize
410B
MD53046b466de23a56e12235012ca00caee
SHA198ef6e6de2effb29c1c8fc55f5a6750329b81d4d
SHA2560977f7eb7ffa33856be780a2c03cb13d484f62ddfea451e334822b65098e69b6
SHA5122542702a3a2410f01ec33fccec2416be647a343170c7c687d32341c51563a36780e751ed5cdd1c8dea3c7ecba07a4f90822df3c35f5be4b4e377b4cc44a23c70
-
Filesize
344B
MD5f08f7db66f709e8e0cab64e9ed575478
SHA15ac03322aca3db5adf9bf26d6bb2861d0b93f15c
SHA256757b04b2fc65445d3efe0a8e97c6071ab5be42b9e58a6809e7962a92a4a9e829
SHA5124f149ca48740077c5f421b3bef38dce5a4e398ce85336de95b33cf0ca612a2aebb5711559f3117ff5b5e2476cc46cdae6032db16526d7150f98916ee4a6f9dbb
-
Filesize
392B
MD53476b4c6d6f8fa50ef36fc0e86c47dde
SHA1c5d2a4d52a224e396e311b1b2d4200a0ff06614f
SHA25654c52aacb156fde91890eadb7a5fadbbc58ae626d771ab4a9fe58c51a4263960
SHA512ddbd0587f1038ee65de2561f3e0e78ffec24eaa18569271d20f9bc1e102c3d5571787a2adc0496560edfee7df423abfa31359a43a54454a8918944a368784536
-
Filesize
113KB
MD5344b2c215e9b3bf61a7047a44dd5a933
SHA17c111b055614aaeea2ab353846e497a830b86b55
SHA256bc01fdf556fc9ee8143b280c86e420afbe919208c830a635f68d057c9c43d842
SHA512ccbb784f2c2fd4cf1ab0b4f558d53e5e5d5b73c72701a4eb9ac63cb6eed1f1f70c05c3822e704e74371e6ecc02b9800584f71a58f73d261414d25e5d23b970f1
-
Filesize
45KB
MD5dc38d629e51926a750b443772d7c8c65
SHA12868765523e76b2e6706f18ecb665f4631a00d00
SHA25621a98ea45d4ca76fc03cd769b01345da379395b41295e1506644149d0a378883
SHA512beb8198332e8771a0475a925a4b31a8a80df9a04dc889442d1a4e024b1b66709acc3e347d50af1868d5d0c351d489cd454fc2523f752ea9dec56b9a9d6048ef4
-
Filesize
25KB
MD56a6b819914b8d32573534e764afd75e8
SHA19b28d0eb9810049c64fecf2729e801598d8c4bcd
SHA256684e844dcd909165d81df03a4c5d5746a28acee128734e0dc243b8e579126acc
SHA5122152ed48762c752256188de5d1bcfb6276f6e295fc44b8b43c958792bc8ae0b5c5d66b946d069ba93222cac043886999105a57842924644ae5811a39a886993b
-
Filesize
59KB
MD5dd6f6ac4cd9743d427bd35d17bff63d0
SHA1ca46abe92326cdfbafb288512d08880a1cc57603
SHA256cc3ab67101021e019251a05ee0558d7733a18c893aacafb2d675f25af1569324
SHA512bb5d83326b7ea508b7f1379c56173b5cf28249f86761f8fd3920b9b283ae461a52981f6c13686280ccb8fc1ed2dd7d7b2fce8dc12491d3c856bab99fcccc8a71
-
Filesize
91KB
MD5bc90cc3455964b06aa0bc96e3d293c76
SHA13c701e2e23a498928101d7b8ba80397047d13ac1
SHA256729ddbd5e36ab2eae293e4d8f3dc82777c4564ef29e75a0d184bb831f4f736a7
SHA5123d73786b2d40cad354173298610bfe2754c1534738494b8fcc5df6e02c242391ed1bfcbbfca283c1e55c0087f6bcf413dabf73619bc00cef5ce2abe24884c3b0
-
Filesize
90KB
MD55c529c0aba49b9bedb7c7508788b83e0
SHA1115ebd45975b10032b775eb53ef7cc32d56ed3f3
SHA256688e0e5683641c64d800a4a309e6221df81c77efad078f2e539b1ac7f608492d
SHA5121bf7ea3c94bd6acddd46a9f3cb9e5cf1b29b5f973370698f998df5ed0f9cf862d12484b5e6d07c88ebbdaa7329349923a3543aca2734ce9d455bc3270343fbd0
-
Filesize
226KB
MD5ced69ef951dae1ed5d276749d61cd523
SHA1302cbbf1c2a719bd026e26f96bbb5dc162667b10
SHA256cfc1163d9d5ab70c63608e685f6f53c6eab23f58a3412f3a4af5fdf309ac0991
SHA51208789467128f64ca16c58eded91925cd86b990ec80919bbafbf67e35a4c4077768213099e427bbacb47e9b05f7e2c673099164cb45ba52503514f6cdaa4e4451
-
Filesize
247KB
MD5b927957fd5395711be898e746706cfdd
SHA14a8999a009ea851a4f21ff3a719bf411f626b2c7
SHA256565e379f81af7325a3578daab1c57004234b3c62f0f93a8145c861465e298acc
SHA512759714824bda144aa111579f44b9d740cd6ff93d99210a35576f4e8249178be7f06ec4c0d7b070be016473616743b66d18ea8dfea8ab77b9c5138fd7dac960e3
-
Filesize
280KB
MD5a71f7e470960e9b879fce5e04efa4c2b
SHA15ebf6c88cdcbb01510f0abc3f62da7bf138a51e6
SHA256dcd1f803dcb5e159a4001eecb48a5f7c0866f2a001f8ee90626b27a5f721f0fd
SHA512d0f897e8ef73e7259d5860650b9e925039063cd48a90e4d8f989e72424efcdc80efb5a29799fe16d8127c7de8d65478196aebf324988da866c0ce1ada64d782c
-
Filesize
299KB
MD541b883a061c95e9b9cb17d4ca50de770
SHA11daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319
-
Filesize
51KB
MD56ff02950a81821b0318fce81c48f1e52
SHA1fa7f05f4665fd01abc691b9e0d7e4a5a0f31e7f6
SHA256b5f35debf509df45fd372a78bb00905b45eb0980ee8cd5b78dd560b5c4d46dd2
SHA512281f6c19178b8db80a87e889be8bb7eace5be2c789e42b861f75ea60ee9c73aebc50d5c922e6a5a6c43d657b35b7d7a1a8818c7f79f312e3b1b50fc81f2156cc
-
Filesize
27KB
MD54d61c524665fcf42f5f6b42978e6b21a
SHA145d4e46615029b7312bf1d4a4c55c66b25c5b451
SHA25655f392e55aa5017349b5ef6f78620200b167f3909ff3d1a981f70fa457e772b7
SHA512f5768b2698e015bc96256e8993a81a9db9bd5634b591d01af6e002d954309b487b01e31438c82e716e6d8a2bc018c61a330dc53e040f85818acfe1eb57865a4d
-
Filesize
64KB
-
Filesize
68KB
-
Filesize
16KB
-
Filesize
16KB
-
Filesize
584KB
-
Filesize
1.1MB
-
Filesize
584KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
4KB
-
Filesize
1.2MB
-
Filesize
1024KB
-
Filesize
584KB
-
Filesize
584KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
4KB
-
Filesize
24KB