Analysis
max time kernel: 141s
max time network: 152s
platform: windows10_x64
resource: win10-en-20210920
submitted: 26-09-2021 14:52
Tasks
static1 (static task): c80ad6ada1635b8bca10287561eeae15.exe
behavioral1 (behavioral task): sample c80ad6ada1635b8bca10287561eeae15.exe, resource win7v20210408
behavioral2 (behavioral task): sample c80ad6ada1635b8bca10287561eeae15.exe, resource win10-en-20210920
Every signature, IoC and process-tree entry on this page is tagged behavioral2, i.e. the Windows 10 x64 run; the analysis timings above belong to that run.
General
Target: c80ad6ada1635b8bca10287561eeae15.exe
Size: 693KB
MD5: c80ad6ada1635b8bca10287561eeae15
SHA1: adcdbf7bffc69fb590785637a9a78a195421a375
SHA256: e9a78c00f0c651f605119a584225f7ac87ef48eff719b6b4414931c88e7df7df
SHA512: b08ae40cedcace5a918553923dc5a87ea488364c948fe5f3562d2a6353eac0a31779ecd18ef30770b3a5a2098ea7ec8886dc09b73026e407ebc52c39222025ba
Malware Config
Signatures
-
Detected Djvu ransomware (6 IoCs)
Djvu is a ransomware variant of the STOP family. The YARA rule family_djvu matched the following memory regions in behavioral2:
  behavioral2/memory/3704-115-0x0000000002490000-0x00000000025AB000-memory.dmp
  behavioral2/memory/3748-117-0x0000000000424141-mapping.dmp
  behavioral2/memory/3748-116-0x0000000000400000-0x0000000000537000-memory.dmp
  behavioral2/memory/3748-118-0x0000000000400000-0x0000000000537000-memory.dmp
  behavioral2/memory/1628-123-0x0000000000424141-mapping.dmp
  behavioral2/memory/1628-124-0x0000000000400000-0x0000000000537000-memory.dmp
All six hits are on process memory, not on the file as submitted: the 0x2490000 region in the first-stage process 3704 is the payload it later writes into a child, and 0x400000-0x537000 in 3748 and 1628 is that payload mapped as the image of the hollowed children (see the SetThreadContext and WriteProcessMemory sections). The file on disk is therefore packed or encrypted around the Djvu core; expect static scans of the 693KB binary to miss what the memory rule catches.
-
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
(The rule name is Emerging Threats' own. It is a generic heuristic for an HTTP request for an executable that carries minimal headers; the "Dridex" in the name is not an attribution of this STOP/Djvu sample. No flow detail for the alert is shown on this page.)
-
Modifies file permissions (1 TTPs, 1 IoCs)
The IoC is the icacls.exe command in the process tree below: the sample denies Everyone (S-1-1-0) the delete and delete-child rights on the GUID-named folder that holds its copy, with the ACE set to inherit.
-
Adds Run key to start application (2 TTPs, 1 IoCs)
Process c80ad6ada1635b8bca10287561eeae15.exe, Set value (str):
  \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\f5fd33de-4dd5-4e86-8602-7c113b45808c\\c80ad6ada1635b8bca10287561eeae15.exe\" --AutoStart"
This is per-user persistence (HKCU Run, so no elevation needed): a value named SysHelper that relaunches the copy dropped under %LOCALAPPDATA%\<GUID>\ with the --AutoStart argument. The value name, the GUID folder and the --AutoStart switch together are a reliable host indicator for this family; the hash of the dropped copy is listed under Downloads.
-
Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Flows 2, 3 and 10: api.2ip.ua
Three separate flows to the same host indicate the lookup is repeated across the injected stages. Because the service is legitimate, the domain is a weak indicator on its own and should be correlated with the Run key and icacls behaviour below rather than blocked in isolation.
-
Suspicious use of SetThreadContext (2 IoCs)
  PID 3704 c80ad6ada1635b8bca10287561eeae15.exe set thread context of PID 3748 c80ad6ada1635b8bca10287561eeae15.exe
  PID 3180 c80ad6ada1635b8bca10287561eeae15.exe set thread context of PID 1628 c80ad6ada1635b8bca10287561eeae15.exe
In both cases the parent starts a second instance of its own image, writes into it (see WriteProcessMemory below) and then resets the child's thread context: the classic process-hollowing sequence. The mapping dumps at 0x424141 for PIDs 3748 and 1628 are the address the new context points at, i.e. the entry point of the hollowed-in payload whose image occupies 0x400000-0x537000.
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies system certificate store
Process c80ad6ada1635b8bca10287561eeae15.exe:
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349
  Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 (blob data not shown on this page)
Caveat: a new entry under AuthRoot\Certificates, together with the CryptnetUrlCache Content and MetaData files listed under Downloads, is what Windows' automatic root-certificate update produces when a process makes its first HTTPS connection (the only external host named on this page is api.2ip.ua). Treat it as a side effect of the network activity rather than as a root the sample installed, unless the Blob turns out to be something other than a Microsoft-distributed root certificate.
-
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  PID 3748 c80ad6ada1635b8bca10287561eeae15.exe (2 hits)
  PID 1628 c80ad6ada1635b8bca10287561eeae15.exe (2 hits)
Only the hollowed children enumerate processes; the two launcher stages (3704, 3180) do not.
-
Suspicious use of WriteProcessMemory (26 IoCs)
The report lists one entry per API call; collapsed by source and target process:
  PID 3704 c80ad6ada1635b8bca10287561eeae15.exe wrote to memory of PID 3748 c80ad6ada1635b8bca10287561eeae15.exe (10 calls)
  PID 3748 c80ad6ada1635b8bca10287561eeae15.exe wrote to memory of PID 756 icacls.exe (3 calls)
  PID 3748 c80ad6ada1635b8bca10287561eeae15.exe wrote to memory of PID 3180 c80ad6ada1635b8bca10287561eeae15.exe (3 calls)
  PID 3180 c80ad6ada1635b8bca10287561eeae15.exe wrote to memory of PID 1628 c80ad6ada1635b8bca10287561eeae15.exe (10 calls)
The three writes each into icacls.exe and into PID 3180 are the small number of writes that accompany any ordinary process creation from this parent. The ten writes each into 3748 and 1628, both followed by a SetThreadContext on the same child, are the injection of the payload; that distinction is what separates hollowing from a plain child launch in this trace.
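The SetThreadContext and WriteProcessMemory sections above list one entry per API call, so the same parent/child pair repeats and the chain is hard to read. The Python below is an added example, not part of the report or of the sandbox's own tooling: it parses entries in the report's own wording (the input lines are constructed by copying the sections above), collapses them per process pair, rebuilds the parent-to-child map, and flags the pairs that look like process hollowing: many writes into a freshly created child of the same image followed by a thread-context reset on it. The regex, the write threshold and all function names are this example's assumptions.

```python
"""Collapse per-call WriteProcessMemory / SetThreadContext entries from a
sandbox report into a parent->child injection map and flag hollowing.

Added example; not the sandbox's code and not from the sample. The input
lines reproduce the report's wording (one line per API call); the regex,
the write threshold and all function names are this example's own.
"""
import re
from collections import Counter, defaultdict

SAMPLE = "c80ad6ada1635b8bca10287561eeae15.exe"

# Constructed from the "Suspicious use of WriteProcessMemory" (26 entries)
# and "Suspicious use of SetThreadContext" (2 entries) sections above.
REPORT_LINES = (
    [f"PID 3704 wrote to memory of 3748 3704 {SAMPLE} {SAMPLE}"] * 10
    + [f"PID 3748 wrote to memory of 756 3748 {SAMPLE} icacls.exe"] * 3
    + [f"PID 3748 wrote to memory of 3180 3748 {SAMPLE} {SAMPLE}"] * 3
    + [f"PID 3180 wrote to memory of 1628 3180 {SAMPLE} {SAMPLE}"] * 10
    + [f"PID 3704 set thread context of 3748 3704 {SAMPLE} {SAMPLE}",
       f"PID 3180 set thread context of 1628 3180 {SAMPLE} {SAMPLE}"]
)

# Report line shape: "PID <src> <op> <dst> <src> <src image> <dst image>"
EVENT_RE = re.compile(
    r"PID (?P<src>\d+) (?P<op>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_img>\S+) (?P<dst_img>\S+)$"
)


def parse_events(lines):
    """Return (src_pid, op, dst_pid, src_image, dst_image) per parsable line."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if m:
            events.append((int(m["src"]), m["op"], int(m["dst"]),
                           m["src_img"], m["dst_img"]))
    return events


def summarize(events):
    """Collapse per-call entries: write counts per (src, dst), the set of
    (src, dst) pairs that saw a thread-context reset, and PID -> image."""
    writes, ctx, images = Counter(), set(), {}
    for src, op, dst, src_img, dst_img in events:
        images[src], images[dst] = src_img, dst_img
        if op.startswith("wrote"):
            writes[(src, dst)] += 1
        else:
            ctx.add((src, dst))
    return writes, ctx, images


def process_tree(events):
    """Parent PID -> sorted child PIDs, derived from who wrote into whom."""
    writes, _, _ = summarize(events)
    tree = defaultdict(list)
    for src, dst in sorted(writes):
        tree[src].append(dst)
    return dict(tree)


def hollowing_candidates(events, min_writes=4):
    """(parent, child, writes) for pairs where the parent wrote into the
    child at least min_writes times, reset a thread context in it, and
    both run the same image. A handful of writes into a new child is
    normal process start-up; the threshold of 4 is an assumption."""
    writes, ctx, images = summarize(events)
    return [(src, dst, n) for (src, dst), n in sorted(writes.items())
            if n >= min_writes and (src, dst) in ctx
            and images[src] == images[dst]]


if __name__ == "__main__":
    evs = parse_events(REPORT_LINES)
    print("tree:", process_tree(evs))
    print("hollowing:", hollowing_candidates(evs))
```

Run stand-alone it prints the tree 3704 -> 3748 -> {756, 3180} -> 1628 and the two hollowing pairs (3704, 3748) and (3180, 1628); the three-write pairs to icacls.exe and to 3180 fall below the threshold, which is the point of keeping the threshold above ordinary process start-up noise.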
Processes
(Tree levels 1 to 4 are the report's own; PIDs are taken from the IoC lists above.)
1 C:\Users\Admin\AppData\Local\Temp\c80ad6ada1635b8bca10287561eeae15.exe (PID 3704)
  command line: "C:\Users\Admin\AppData\Local\Temp\c80ad6ada1635b8bca10287561eeae15.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  2 C:\Users\Admin\AppData\Local\Temp\c80ad6ada1635b8bca10287561eeae15.exe (PID 3748, hollowed by 3704)
    command line: "C:\Users\Admin\AppData\Local\Temp\c80ad6ada1635b8bca10287561eeae15.exe"
    - Adds Run key to start application
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    3 C:\Windows\SysWOW64\icacls.exe (PID 756)
      command line: icacls "C:\Users\Admin\AppData\Local\f5fd33de-4dd5-4e86-8602-7c113b45808c" /deny *S-1-1-0:(OI)(CI)(DE,DC)
      - Modifies file permissions
    3 C:\Users\Admin\AppData\Local\Temp\c80ad6ada1635b8bca10287561eeae15.exe (PID 3180)
      command line: "C:\Users\Admin\AppData\Local\Temp\c80ad6ada1635b8bca10287561eeae15.exe" --Admin IsNotAutoStart IsNotTask
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      4 C:\Users\Admin\AppData\Local\Temp\c80ad6ada1635b8bca10287561eeae15.exe (PID 1628, hollowed by 3180)
        command line: "C:\Users\Admin\AppData\Local\Temp\c80ad6ada1635b8bca10287561eeae15.exe" --Admin IsNotAutoStart IsNotTask
        - Suspicious behavior: EnumeratesProcesses
Reading the tree: the first instance only unpacks and hollows a copy of itself; the hollowed copy (3748) does the persistence work, i.e. writes the SysHelper Run value, copies the binary into the GUID-named folder, and runs icacls so that Everyone is denied DE (delete) and DC (delete child) on that folder with object and container inheritance, which is why the dropped copy cannot simply be deleted by the user. It then relaunches itself with --Admin IsNotAutoStart IsNotTask, and that stage repeats the hollowing to produce 1628, the process that enumerates running processes. icacls resolving to C:\Windows\SysWOW64 on an x64 host shows that the sample is a 32-bit executable, consistent with the 0x400000 image base of the hollowed children. For cleanup, the deny ACE has to be removed before the folder can be deleted (icacls <folder> /remove:d *S-1-1-0), and the Run value and the copy in the GUID folder must go together or the copy is relaunched at next logon.
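The Run key, icacls and self-relaunch entries above, plus the api.2ip.ua lookup, are exactly the host telemetry a SOC can match on. The Python below is an added example and is neither the sandbox's code nor derived from the sample: it runs four detections over records constructed to look like Sysmon events 1 (process create), 13 (registry value set) and 22 (DNS query) after export to dicts. The field names follow Sysmon's; the values are taken from the IoCs on this page, the two benign control records are made up, and the regexes, rule names and function names are this example's assumptions.

```python
"""Host telemetry detections for the STOP/Djvu behaviours in this report:
the SysHelper Run value, the icacls deny ACE on the GUID-named drop
folder, the self-relaunch with "--Admin IsNotAutoStart IsNotTask", and
the api.2ip.ua lookup.

Added example; not the sandbox's code and not from the sample. Records
are constructed to resemble Sysmon events 1, 13 and 22 exported as
dicts; field names follow Sysmon, values come from the report's IoCs.
"""
import re

MAL = r"C:\Users\Admin\AppData\Local\Temp\c80ad6ada1635b8bca10287561eeae15.exe"
DROP_DIR = r"C:\Users\Admin\AppData\Local\f5fd33de-4dd5-4e86-8602-7c113b45808c"

# GUID-named folder directly under %LOCALAPPDATA% (the family's drop location)
GUID_DIR_RE = re.compile(
    r"\\AppData\\Local\\[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}(?:\\|$)",
    re.IGNORECASE)
# icacls <dir> /deny *S-1-1-0:(OI)(CI)(DE,DC): deny Everyone delete and
# delete-child, inheritable, so the dropped copy resists removal
ICACLS_DENY_RE = re.compile(
    r'icacls\s+(?:"([^"]+)"|(\S+))\s+/deny\s+\*S-1-1-0:\(OI\)\(CI\)\(DE,DC\)',
    re.IGNORECASE)

SAMPLE_EVENTS = [  # constructed records; indices are used in the usage note
    {"EventID": 13, "Image": MAL,
     "TargetObject": r"HKU\S-1-5-21-2481030822-2828258191-1606198294-1000"
                     r"\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper",
     "Details": f'"{DROP_DIR}\\c80ad6ada1635b8bca10287561eeae15.exe" --AutoStart'},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\icacls.exe", "ParentImage": MAL,
     "CommandLine": f'icacls "{DROP_DIR}" /deny *S-1-1-0:(OI)(CI)(DE,DC)'},
    {"EventID": 1, "Image": MAL, "ParentImage": MAL,
     "CommandLine": f'"{MAL}" --Admin IsNotAutoStart IsNotTask'},
    {"EventID": 22, "Image": MAL, "QueryName": "api.2ip.ua"},
    # benign controls that must not fire
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-2481030822-2828258191-1606198294-1000"
                     r"\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"EventID": 1, "Image": r"C:\Windows\System32\icacls.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"icacls C:\share /grant Users:(OI)(CI)R"},
]


def detect(event):
    """Return the rule names an event matches (empty list when none)."""
    hits = []
    eid = event.get("EventID")
    if eid == 13 and "\\CurrentVersion\\Run\\" in event.get("TargetObject", ""):
        details = event.get("Details", "")
        # Run value pointing into a GUID folder and carrying --AutoStart
        if GUID_DIR_RE.search(details) and "--AutoStart" in details:
            hits.append("stop_djvu_run_key")
    elif eid == 1:
        cmd = event.get("CommandLine", "")
        m = ICACLS_DENY_RE.search(cmd)
        # deny-Everyone ACE applied specifically to a GUID folder
        if m and GUID_DIR_RE.search(m.group(1) or m.group(2)):
            hits.append("stop_djvu_icacls_self_protect")
        same_image = (event.get("Image", "").lower()
                      == event.get("ParentImage", "").lower())
        if same_image and "IsNotAutoStart" in cmd and "IsNotTask" in cmd:
            hits.append("stop_djvu_self_relaunch")
    elif eid == 22 and event.get("QueryName", "").lower() == "api.2ip.ua":
        hits.append("ip_lookup_api_2ip_ua")
    return hits


def scan(events):
    """(event index, rule) for every hit across a batch of events."""
    return [(i, rule) for i, ev in enumerate(events) for rule in detect(ev)]


if __name__ == "__main__":
    for i, rule in scan(SAMPLE_EVENTS):
        print(i, rule)
```

Events 0 to 3 each fire exactly one rule and the two controls fire none. The icacls rule is deliberately narrow (Everyone, deny, DE and DC, a GUID folder) because icacls /deny on its own is common in administration scripts; the DNS rule is kept separate and low-severity so it can be correlated rather than alerted on alone. Remediation for the ACE, as noted in the tree above, is icacls <folder> /remove:d *S-1-1-0 before deleting the folder.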
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
  MD5: 57ba3fd55153ccfffc38981d45eb27ef
  SHA1: 8b89079e2a405fe04a1a87fe901d88982ef516cb
  SHA256: 19d84b87ec3acb0894fbbb2c95b23053373568282aa6817da64607ed3225dcef
  SHA512: 58ae33ebb38e6bec6332b9085f8b41850b53d7de804bc87a462f9ce7b1e960051d3682fb87a14c159041a7577a36af95cb2edf971e4d23c902d583da9945c0b4
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
  MD5: 3f5ce173eed18d061760acea4c8f69f3
  SHA1: c8a02499ede88cb10496fbbc77fee1f2757e6629
  SHA256: b7666f21ebc73a75f02fefbf7d6f17700897b69301eae07ce4bab6b32ab107c8
  SHA512: 22f7b2af2a230e7f6ae2830d27b5769c07f0c3f8d327cfb6be6a4c632af012e823e303514c62dac8f70c973e4df81aeba10138a930d4a8880caf18c8a7062d24
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
  MD5: e9ae5896bb7511e9a94a159152858d4e
  SHA1: 7fbd07af9fcbda341fcbdbb41eab86d7135b0184
  SHA256: 079a91e666d9232f8a2bb901cd7f0cce93cd990539765b1ab91567333e3f39ac
  SHA512: 851cc9ef58d466b584b42856b98b3bb73d5992f7c26c3b53c5a3744a6e49eee5cfd1ed0e0bea0f14e4562e6a7dce0c64f2f68a35806c0d7267b4657a7191d57c
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
  MD5: b5c54e3a3bceb561d800673fda4407f0
  SHA1: 58b154feb7097b8eb6daaba09acbcafa4121b506
  SHA256: 378ae3372c9ba24158f73169511e469ca014b36962be34dedd52447d850758e9
  SHA512: f67fa4bf0f6aafd7f4ff87d5d0564317dc89872b6cfbdb989e0dd6e7684a63a5ab64888771ffa6a349da46f69a0d0a54ab9d45c9fe66dd6a8642d1215389f0e1
C:\Users\Admin\AppData\Local\f5fd33de-4dd5-4e86-8602-7c113b45808c\c80ad6ada1635b8bca10287561eeae15.exe
  MD5: c80ad6ada1635b8bca10287561eeae15
  SHA1: adcdbf7bffc69fb590785637a9a78a195421a375
  SHA256: e9a78c00f0c651f605119a584225f7ac87ef48eff719b6b4414931c88e7df7df
  SHA512: b08ae40cedcace5a918553923dc5a87ea488364c948fe5f3562d2a6353eac0a31779ecd18ef30770b3a5a2098ea7ec8886dc09b73026e407ebc52c39222025ba
  (all four hashes equal those of the submitted sample: the file in the GUID-named folder, which the SysHelper Run value points at, is an unmodified copy, so the original file hashes are sufficient to hunt for the dropped copy)
Memory dumps
  memory/756-119-0x0000000000000000-mapping.dmp
  memory/1628-124-0x0000000000400000-0x0000000000537000-memory.dmp (1.2MB)
  memory/1628-123-0x0000000000424141-mapping.dmp
  memory/3180-121-0x0000000000000000-mapping.dmp
  memory/3704-115-0x0000000002490000-0x00000000025AB000-memory.dmp (1.1MB)
  memory/3748-118-0x0000000000400000-0x0000000000537000-memory.dmp (1.2MB)
  memory/3748-116-0x0000000000400000-0x0000000000537000-memory.dmp (1.2MB)
  memory/3748-117-0x0000000000424141-mapping.dmp
The mapping dumps at address 0 belong to the normally created children (icacls.exe and the relaunched stage 3180); the two at 0x424141 belong to the hollowed children and record the entry point the parent set via SetThreadContext. The 0x400000-0x537000 dumps (1.2MB) are the hollowed-in image that the family_djvu YARA rule matched, and the 1.1MB region at 0x2490000 in PID 3704 is the same payload in the first stage before injection.