djvu | e9a78c00f0c651f605119a584225f7ac87ef48eff719b6b4414931c88e7df7df

General

Target

c80ad6ada1635b8bca10287561eeae15.exe
Size

693KB
MD5

c80ad6ada1635b8bca10287561eeae15
SHA1

adcdbf7bffc69fb590785637a9a78a195421a375
SHA256

e9a78c00f0c651f605119a584225f7ac87ef48eff719b6b4414931c88e7df7df
SHA512

b08ae40cedcace5a918553923dc5a87ea488364c948fe5f3562d2a6353eac0a31779ecd18ef30770b3a5a2098ea7ec8886dc09b73026e407ebc52c39222025ba

Score

10^/10

djvu discovery persistence ransomware

Malware Config

Signatures

Detected Djvu ransomware 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/908-115-0x0000000000424141-mapping.dmp	family_djvu
behavioral2/memory/908-114-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/644-116-0x0000000002210000-0x000000000232B000-memory.dmp	family_djvu
behavioral2/memory/908-117-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1800-122-0x0000000000424141-mapping.dmp	family_djvu
behavioral2/memory/1800-127-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

1236 icacls.exe

pid	process
1236	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

c80ad6ada1635b8bca10287561eeae15.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\90e727f6-d0f2-4c46-88ba-10431bf9599d\\c80ad6ada1635b8bca10287561eeae15.exe\" --AutoStart"	c80ad6ada1635b8bca10287561eeae15.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 api.2ip.ua
3 api.2ip.ua
10 api.2ip.ua

flow	ioc
2	api.2ip.ua
3	api.2ip.ua
10	api.2ip.ua

Suspicious use of SetThreadContext 2 IoCs

Processes:

c80ad6ada1635b8bca10287561eeae15.exec80ad6ada1635b8bca10287561eeae15.exe

description	pid	process	target process
PID 644 set thread context of 908	644	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 1484 set thread context of 1800	1484	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

c80ad6ada1635b8bca10287561eeae15.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	c80ad6ada1635b8bca10287561eeae15.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	c80ad6ada1635b8bca10287561eeae15.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

c80ad6ada1635b8bca10287561eeae15.exec80ad6ada1635b8bca10287561eeae15.exe

pid	process
908	c80ad6ada1635b8bca10287561eeae15.exe
908	c80ad6ada1635b8bca10287561eeae15.exe
1800	c80ad6ada1635b8bca10287561eeae15.exe
1800	c80ad6ada1635b8bca10287561eeae15.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

c80ad6ada1635b8bca10287561eeae15.exec80ad6ada1635b8bca10287561eeae15.exec80ad6ada1635b8bca10287561eeae15.exe

C:\Users\Admin\AppData\Local\Temp\c80ad6ada1635b8bca10287561eeae15.exe
"C:\Users\Admin\AppData\Local\Temp\c80ad6ada1635b8bca10287561eeae15.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:644

C:\Users\Admin\AppData\Local\Temp\c80ad6ada1635b8bca10287561eeae15.exe
"C:\Users\Admin\AppData\Local\Temp\c80ad6ada1635b8bca10287561eeae15.exe"
2⤵
- Adds Run key to start application
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:908

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\90e727f6-d0f2-4c46-88ba-10431bf9599d" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:1236

C:\Users\Admin\AppData\Local\Temp\c80ad6ada1635b8bca10287561eeae15.exe
"C:\Users\Admin\AppData\Local\Temp\c80ad6ada1635b8bca10287561eeae15.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1484

C:\Users\Admin\AppData\Local\Temp\c80ad6ada1635b8bca10287561eeae15.exe
"C:\Users\Admin\AppData\Local\Temp\c80ad6ada1635b8bca10287561eeae15.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1800

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Modify Registry

2

T1112

Install Root Certificate

1

T1130

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
57ba3fd55153ccfffc38981d45eb27ef

SHA1
8b89079e2a405fe04a1a87fe901d88982ef516cb

SHA256
19d84b87ec3acb0894fbbb2c95b23053373568282aa6817da64607ed3225dcef

SHA512
58ae33ebb38e6bec6332b9085f8b41850b53d7de804bc87a462f9ce7b1e960051d3682fb87a14c159041a7577a36af95cb2edf971e4d23c902d583da9945c0b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
3f5ce173eed18d061760acea4c8f69f3

SHA1
c8a02499ede88cb10496fbbc77fee1f2757e6629

SHA256
b7666f21ebc73a75f02fefbf7d6f17700897b69301eae07ce4bab6b32ab107c8

SHA512
22f7b2af2a230e7f6ae2830d27b5769c07f0c3f8d327cfb6be6a4c632af012e823e303514c62dac8f70c973e4df81aeba10138a930d4a8880caf18c8a7062d24

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
57947eb0a7ec4e30e160f26f6ec52f14

SHA1
60deefaad68596b030dbf699933f285153d58447

SHA256
210664441cb2c53da66862f12c1e7d7cc410077f85af087b13cbafbe33390010

SHA512
0dad47476ecab60e07684f690f4e1fc07c58ef9ab63840f48f4d8a4f91372081cf1400e220655e38d2c4c891e548c35eb48c52d2a91379addfc5d77f4a6c7ac7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
9ae70e68a95ba552b9739980c86b3e9e

SHA1
c306d157d7698552e6e89684d3fe91c463287143

SHA256
61c833a8e3255f22a73bd2bb9409776eb092d5f0c25ba6c5566a0825370f5f2f

SHA512
000fd333fe9204e4b0e17b01d48e19618559e4b10ccb3de7b6a7f366a3de796cb4b81af73a8301bd88e8af9001783aed74db50dc8685ed528788e8a549ec3105

Download Submit
C:\Users\Admin\AppData\Local\90e727f6-d0f2-4c46-88ba-10431bf9599d\c80ad6ada1635b8bca10287561eeae15.exe
MD5
c80ad6ada1635b8bca10287561eeae15

SHA1
adcdbf7bffc69fb590785637a9a78a195421a375

SHA256
e9a78c00f0c651f605119a584225f7ac87ef48eff719b6b4414931c88e7df7df

SHA512
b08ae40cedcace5a918553923dc5a87ea488364c948fe5f3562d2a6353eac0a31779ecd18ef30770b3a5a2098ea7ec8886dc09b73026e407ebc52c39222025ba

Download Submit
memory/644-116-0x0000000002210000-0x000000000232B000-memory.dmp

Filesize
1.1MB

Download
memory/908-117-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/908-115-0x0000000000424141-mapping.dmp

Download
memory/908-114-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1236-118-0x0000000000000000-mapping.dmp

Download
memory/1484-120-0x0000000000000000-mapping.dmp

Download
memory/1800-122-0x0000000000424141-mapping.dmp

Download
memory/1800-127-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download

description	pid	process	target process
PID 644 wrote to memory of 908	644	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 644 wrote to memory of 908	644	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 644 wrote to memory of 908	644	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 644 wrote to memory of 908	644	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 644 wrote to memory of 908	644	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 644 wrote to memory of 908	644	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 644 wrote to memory of 908	644	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 644 wrote to memory of 908	644	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 644 wrote to memory of 908	644	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 644 wrote to memory of 908	644	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 908 wrote to memory of 1236	908	c80ad6ada1635b8bca10287561eeae15.exe	icacls.exe
PID 908 wrote to memory of 1236	908	c80ad6ada1635b8bca10287561eeae15.exe	icacls.exe
PID 908 wrote to memory of 1236	908	c80ad6ada1635b8bca10287561eeae15.exe	icacls.exe
PID 908 wrote to memory of 1484	908	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 908 wrote to memory of 1484	908	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 908 wrote to memory of 1484	908	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 1484 wrote to memory of 1800	1484	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 1484 wrote to memory of 1800	1484	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 1484 wrote to memory of 1800	1484	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 1484 wrote to memory of 1800	1484	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 1484 wrote to memory of 1800	1484	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 1484 wrote to memory of 1800	1484	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 1484 wrote to memory of 1800	1484	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 1484 wrote to memory of 1800	1484	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 1484 wrote to memory of 1800	1484	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe
PID 1484 wrote to memory of 1800	1484	c80ad6ada1635b8bca10287561eeae15.exe	c80ad6ada1635b8bca10287561eeae15.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads