djvu | e9a78c00f0c651f605119a584225f7ac87ef48eff719b6b4414931c88e7df7df

General

Target

c80ad6ada1635b8bca10287561eeae15.exe
Size

693KB
MD5

c80ad6ada1635b8bca10287561eeae15
SHA1

adcdbf7bffc69fb590785637a9a78a195421a375
SHA256

e9a78c00f0c651f605119a584225f7ac87ef48eff719b6b4414931c88e7df7df
SHA512

b08ae40cedcace5a918553923dc5a87ea488364c948fe5f3562d2a6353eac0a31779ecd18ef30770b3a5a2098ea7ec8886dc09b73026e407ebc52c39222025ba

Score

10^/10

djvu discovery persistence ransomware suricata

Malware Config

Signatures

Detected Djvu ransomware 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3704-115-0x0000000002490000-0x00000000025AB000-memory.dmp	family_djvu
behavioral2/memory/3748-117-0x0000000000424141-mapping.dmp	family_djvu
behavioral2/memory/3748-116-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3748-118-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1628-123-0x0000000000424141-mapping.dmp	family_djvu
behavioral2/memory/1628-124-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata
Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

756 icacls.exe

pid	process
756	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

c80ad6ada1635b8bca10287561eeae15.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\f5fd33de-4dd5-4e86-8602-7c113b45808c\\c80ad6ada1635b8bca10287561eeae15.exe\" --AutoStart"	c80ad6ada1635b8bca10287561eeae15.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 api.2ip.ua
3 api.2ip.ua
10 api.2ip.ua

flow	ioc
2	api.2ip.ua
3	api.2ip.ua
10	api.2ip.ua

Suspicious use of SetThreadContext 2 IoCs

Processes:

c80ad6ada1635b8bca10287561eeae15.exec80ad6ada1635b8bca10287561eeae15.exe

description	pid	process	target process
PID 3704 set thread context of 3748	3704	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 3180 set thread context of 1628	3180	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

c80ad6ada1635b8bca10287561eeae15.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	c80ad6ada1635b8bca10287561eeae15.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	c80ad6ada1635b8bca10287561eeae15.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

c80ad6ada1635b8bca10287561eeae15.exec80ad6ada1635b8bca10287561eeae15.exe

pid	process
3748	c80ad6ada1635b8bca10287561eeae15.exe
3748	c80ad6ada1635b8bca10287561eeae15.exe
1628	c80ad6ada1635b8bca10287561eeae15.exe
1628	c80ad6ada1635b8bca10287561eeae15.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

c80ad6ada1635b8bca10287561eeae15.exec80ad6ada1635b8bca10287561eeae15.exec80ad6ada1635b8bca10287561eeae15.exe

C:\Users\Admin\AppData\Local\Temp\c80ad6ada1635b8bca10287561eeae15.exe
"C:\Users\Admin\AppData\Local\Temp\c80ad6ada1635b8bca10287561eeae15.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3704

C:\Users\Admin\AppData\Local\Temp\c80ad6ada1635b8bca10287561eeae15.exe
"C:\Users\Admin\AppData\Local\Temp\c80ad6ada1635b8bca10287561eeae15.exe"
2⤵
- Adds Run key to start application
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3748

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\f5fd33de-4dd5-4e86-8602-7c113b45808c" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:756

C:\Users\Admin\AppData\Local\Temp\c80ad6ada1635b8bca10287561eeae15.exe
"C:\Users\Admin\AppData\Local\Temp\c80ad6ada1635b8bca10287561eeae15.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3180

C:\Users\Admin\AppData\Local\Temp\c80ad6ada1635b8bca10287561eeae15.exe
"C:\Users\Admin\AppData\Local\Temp\c80ad6ada1635b8bca10287561eeae15.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1628

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Modify Registry

2

T1112

Install Root Certificate

1

T1130

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
57ba3fd55153ccfffc38981d45eb27ef

SHA1
8b89079e2a405fe04a1a87fe901d88982ef516cb

SHA256
19d84b87ec3acb0894fbbb2c95b23053373568282aa6817da64607ed3225dcef

SHA512
58ae33ebb38e6bec6332b9085f8b41850b53d7de804bc87a462f9ce7b1e960051d3682fb87a14c159041a7577a36af95cb2edf971e4d23c902d583da9945c0b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
3f5ce173eed18d061760acea4c8f69f3

SHA1
c8a02499ede88cb10496fbbc77fee1f2757e6629

SHA256
b7666f21ebc73a75f02fefbf7d6f17700897b69301eae07ce4bab6b32ab107c8

SHA512
22f7b2af2a230e7f6ae2830d27b5769c07f0c3f8d327cfb6be6a4c632af012e823e303514c62dac8f70c973e4df81aeba10138a930d4a8880caf18c8a7062d24

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
e9ae5896bb7511e9a94a159152858d4e

SHA1
7fbd07af9fcbda341fcbdbb41eab86d7135b0184

SHA256
079a91e666d9232f8a2bb901cd7f0cce93cd990539765b1ab91567333e3f39ac

SHA512
851cc9ef58d466b584b42856b98b3bb73d5992f7c26c3b53c5a3744a6e49eee5cfd1ed0e0bea0f14e4562e6a7dce0c64f2f68a35806c0d7267b4657a7191d57c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
b5c54e3a3bceb561d800673fda4407f0

SHA1
58b154feb7097b8eb6daaba09acbcafa4121b506

SHA256
378ae3372c9ba24158f73169511e469ca014b36962be34dedd52447d850758e9

SHA512
f67fa4bf0f6aafd7f4ff87d5d0564317dc89872b6cfbdb989e0dd6e7684a63a5ab64888771ffa6a349da46f69a0d0a54ab9d45c9fe66dd6a8642d1215389f0e1

Download Submit
C:\Users\Admin\AppData\Local\f5fd33de-4dd5-4e86-8602-7c113b45808c\c80ad6ada1635b8bca10287561eeae15.exe
MD5
c80ad6ada1635b8bca10287561eeae15

SHA1
adcdbf7bffc69fb590785637a9a78a195421a375

SHA256
e9a78c00f0c651f605119a584225f7ac87ef48eff719b6b4414931c88e7df7df

SHA512
b08ae40cedcace5a918553923dc5a87ea488364c948fe5f3562d2a6353eac0a31779ecd18ef30770b3a5a2098ea7ec8886dc09b73026e407ebc52c39222025ba

Download Submit
memory/756-119-0x0000000000000000-mapping.dmp

Download
memory/1628-124-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1628-123-0x0000000000424141-mapping.dmp

Download
memory/3180-121-0x0000000000000000-mapping.dmp

Download
memory/3704-115-0x0000000002490000-0x00000000025AB000-memory.dmp

Filesize
1.1MB

Download
memory/3748-118-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3748-116-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3748-117-0x0000000000424141-mapping.dmp

Download

description	pid	process	target process
PID 3704 wrote to memory of 3748	3704	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 3704 wrote to memory of 3748	3704	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 3704 wrote to memory of 3748	3704	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 3704 wrote to memory of 3748	3704	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 3704 wrote to memory of 3748	3704	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 3704 wrote to memory of 3748	3704	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 3704 wrote to memory of 3748	3704	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 3704 wrote to memory of 3748	3704	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 3704 wrote to memory of 3748	3704	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 3704 wrote to memory of 3748	3704	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 3748 wrote to memory of 756	3748	c80ad6ada1635b8bca10287561eeae15.exe	icacls.exe
PID 3748 wrote to memory of 756	3748	c80ad6ada1635b8bca10287561eeae15.exe	icacls.exe
PID 3748 wrote to memory of 756	3748	c80ad6ada1635b8bca10287561eeae15.exe	icacls.exe
PID 3748 wrote to memory of 3180	3748	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 3748 wrote to memory of 3180	3748	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 3748 wrote to memory of 3180	3748	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 3180 wrote to memory of 1628	3180	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 3180 wrote to memory of 1628	3180	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 3180 wrote to memory of 1628	3180	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 3180 wrote to memory of 1628	3180	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 3180 wrote to memory of 1628	3180	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 3180 wrote to memory of 1628	3180	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 3180 wrote to memory of 1628	3180	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 3180 wrote to memory of 1628	3180	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 3180 wrote to memory of 1628	3180	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 3180 wrote to memory of 1628	3180	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads