Overview

overview

10

Static

static

3

Nezur_Internal.exe

windows7-x64

Nezur_Internal.exe

windows10-2004-x64

Sharing

Copy URL
Twitter E-mail

General

  • Target

    n4jy44.zip

  • Size

    1.1MB

  • Sample

    250119-tb3g1avjcy

  • MD5

    69970a8e87c5f74862fd8226a8caa0b1

  • SHA1

    bb6749a19c04d07b84f7928a8acf37d18abe2882

  • SHA256

    88d0612d150853b8e7f3d3e3bfbc5d96d0469df4b53b6e2afbb882e39324b3c6

  • SHA512

    1532fc72cfb5b3bd6e0e274e5d6fe1f3226ded0415aa5baf7d1d6828094fe2dc0e4fb13449f1f2fee9ef0994222bea5d8d83074f8d3f58bd18a8a706f7395a5d

  • SSDEEP

    24576:VpTcb0buDzgfSKWQKGPzhfdfy2Np9nSlBYJkH4ghPDgeA/M:VpjqDEfyGPzXy2Npcla8h5OM

Score
10/10
wannacryxwormbootkitdefense_evasiondiscoverypersistenceransomwareratspywarestealertrojanworm

Malware Config

Extracted

Family

xworm

C2

drive-mens.gl.at.ply.gg:20498

Attributes
  • Install_directory

    %AppData%

  • install_file

    SystemUser.exe

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\@[email protected]

Family

wannacry

Ransom Note
Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �
Wallets

13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

Targets

    • Target

      Nezur_Internal.exe

    • Size

      1.3MB

    • MD5

      c8e3253dfa6d5a21b87950dd7eb2c652

    • SHA1

      c0d8849408efd3b42e07b8f43ecb2979158c9c0f

    • SHA256

      b8d5ab8adf0da37f5fcd09e09d3bab66458f4cd6fefc5760daa8c247fd55eb76

    • SHA512

      efa4cc3ccaa797c9f9c64c4aa6f4f0aa995d3e36bfe0563b7ffce0978ff880bc4fa913c363fbf7792fe552753098e870642b35602cf8625938e9ff84a1d376d9

    • SSDEEP

      24576:cUTaQIolipFeyKvY4JMdA9MpBO++aBIbH1CAB1v:caIowzeth9KIbHhBp

    Score
    10/10
    xwormrattrojanwannacrybootkitdefense_evasiondiscoverypersistenceransomwarespywarestealerworm

    • Detect Xworm Payload

    • Wannacry

      WannaCry is a ransomware cryptoworm.

      ransomwarewormwannacry

    • Wannacry family

      wannacry

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Modifies file permissions

      discovery

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • File and Directory Permissions Modification: Windows File and Directory Permissions Modification

      defense_evasion

    • Legitimate hosting services abused for malware hosting/C2

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks