Analysis
max time kernel: 67s
max time network: 152s
platform: windows10_x64
resource: win10v20210408
submitted: 26-09-2021 15:03
Static task: static1
Behavioral task: behavioral1
  Sample: c80ad6ada1635b8bca10287561eeae15.exe
  Resource: win7-en-20210920
Behavioral task: behavioral2
  Sample: c80ad6ada1635b8bca10287561eeae15.exe
  Resource: win10v20210408
General
Target: c80ad6ada1635b8bca10287561eeae15.exe
Size: 693KB
MD5: c80ad6ada1635b8bca10287561eeae15
SHA1: adcdbf7bffc69fb590785637a9a78a195421a375
SHA256: e9a78c00f0c651f605119a584225f7ac87ef48eff719b6b4414931c88e7df7df
SHA512: b08ae40cedcace5a918553923dc5a87ea488364c948fe5f3562d2a6353eac0a31779ecd18ef30770b3a5a2098ea7ec8886dc09b73026e407ebc52c39222025ba
Malware Config
Signatures
- Detected Djvu ransomware (6 IoCs)
  resource                                                                     yara_rule
  behavioral2/memory/908-115-0x0000000000424141-mapping.dmp                    family_djvu
  behavioral2/memory/908-114-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
  behavioral2/memory/644-116-0x0000000002210000-0x000000000232B000-memory.dmp  family_djvu
  behavioral2/memory/908-117-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
  behavioral2/memory/1800-122-0x0000000000424141-mapping.dmp                   family_djvu
  behavioral2/memory/1800-127-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu
Djvu Ransomware
Ransomware which is a variant of the STOP family.
- Modifies file permissions (1 TTPs, 1 IoCs)
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description      ioc                                                                                                                                                                                                                                                        process
  Set value (str)  \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\90e727f6-d0f2-4c46-88ba-10431bf9599d\\c80ad6ada1635b8bca10287561eeae15.exe\" --AutoStart"  c80ad6ada1635b8bca10287561eeae15.exe
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  2     api.2ip.ua
  3     api.2ip.ua
  10    api.2ip.ua
- Suspicious use of SetThreadContext (2 IoCs)
  description                         pid   process                               target process
  PID 644 set thread context of 908   644   c80ad6ada1635b8bca10287561eeae15.exe  c80ad6ada1635b8bca10287561eeae15.exe
  PID 1484 set thread context of 1800 1484  c80ad6ada1635b8bca10287561eeae15.exe  c80ad6ada1635b8bca10287561eeae15.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies system certificate store
  description       ioc                                                                                                                      process
  Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349         c80ad6ada1635b8bca10287561eeae15.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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  c80ad6ada1635b8bca10287561eeae15.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   process
  908   c80ad6ada1635b8bca10287561eeae15.exe
  908   c80ad6ada1635b8bca10287561eeae15.exe
  1800  c80ad6ada1635b8bca10287561eeae15.exe
  1800  c80ad6ada1635b8bca10287561eeae15.exe
- Suspicious use of WriteProcessMemory (26 IoCs)
  description                     pid   process                               target process
  PID 644 wrote to memory of 908   644   c80ad6ada1635b8bca10287561eeae15.exe  c80ad6ada1635b8bca10287561eeae15.exe
  PID 644 wrote to memory of 908   644   c80ad6ada1635b8bca10287561eeae15.exe  c80ad6ada1635b8bca10287561eeae15.exe
  PID 644 wrote to memory of 908   644   c80ad6ada1635b8bca10287561eeae15.exe  c80ad6ada1635b8bca10287561eeae15.exe
  PID 644 wrote to memory of 908   644   c80ad6ada1635b8bca10287561eeae15.exe  c80ad6ada1635b8bca10287561eeae15.exe
  PID 644 wrote to memory of 908   644   c80ad6ada1635b8bca10287561eeae15.exe  c80ad6ada1635b8bca10287561eeae15.exe
  PID 644 wrote to memory of 908   644   c80ad6ada1635b8bca10287561eeae15.exe  c80ad6ada1635b8bca10287561eeae15.exe
  PID 644 wrote to memory of 908   644   c80ad6ada1635b8bca10287561eeae15.exe  c80ad6ada1635b8bca10287561eeae15.exe
  PID 644 wrote to memory of 908   644   c80ad6ada1635b8bca10287561eeae15.exe  c80ad6ada1635b8bca10287561eeae15.exe
  PID 644 wrote to memory of 908   644   c80ad6ada1635b8bca10287561eeae15.exe  c80ad6ada1635b8bca10287561eeae15.exe
  PID 644 wrote to memory of 908   644   c80ad6ada1635b8bca10287561eeae15.exe  c80ad6ada1635b8bca10287561eeae15.exe
  PID 908 wrote to memory of 1236  908   c80ad6ada1635b8bca10287561eeae15.exe  icacls.exe
  PID 908 wrote to memory of 1236  908   c80ad6ada1635b8bca10287561eeae15.exe  icacls.exe
  PID 908 wrote to memory of 1236  908   c80ad6ada1635b8bca10287561eeae15.exe  icacls.exe
  PID 908 wrote to memory of 1484  908   c80ad6ada1635b8bca10287561eeae15.exe  c80ad6ada1635b8bca10287561eeae15.exe
  PID 908 wrote to memory of 1484  908   c80ad6ada1635b8bca10287561eeae15.exe  c80ad6ada1635b8bca10287561eeae15.exe
  PID 908 wrote to memory of 1484  908   c80ad6ada1635b8bca10287561eeae15.exe  c80ad6ada1635b8bca10287561eeae15.exe
  PID 1484 wrote to memory of 1800 1484  c80ad6ada1635b8bca10287561eeae15.exe  c80ad6ada1635b8bca10287561eeae15.exe
  PID 1484 wrote to memory of 1800 1484  c80ad6ada1635b8bca10287561eeae15.exe  c80ad6ada1635b8bca10287561eeae15.exe
  PID 1484 wrote to memory of 1800 1484  c80ad6ada1635b8bca10287561eeae15.exe  c80ad6ada1635b8bca10287561eeae15.exe
  PID 1484 wrote to memory of 1800 1484  c80ad6ada1635b8bca10287561eeae15.exe  c80ad6ada1635b8bca10287561eeae15.exe
  PID 1484 wrote to memory of 1800 1484  c80ad6ada1635b8bca10287561eeae15.exe  c80ad6ada1635b8bca10287561eeae15.exe
  PID 1484 wrote to memory of 1800 1484  c80ad6ada1635b8bca10287561eeae15.exe  c80ad6ada1635b8bca10287561eeae15.exe
  PID 1484 wrote to memory of 1800 1484  c80ad6ada1635b8bca10287561eeae15.exe  c80ad6ada1635b8bca10287561eeae15.exe
  PID 1484 wrote to memory of 1800 1484  c80ad6ada1635b8bca10287561eeae15.exe  c80ad6ada1635b8bca10287561eeae15.exe
  PID 1484 wrote to memory of 1800 1484  c80ad6ada1635b8bca10287561eeae15.exe  c80ad6ada1635b8bca10287561eeae15.exe
  PID 1484 wrote to memory of 1800 1484  c80ad6ada1635b8bca10287561eeae15.exe  c80ad6ada1635b8bca10287561eeae15.exe
Processes
Process (depth 1): C:\Users\Admin\AppData\Local\Temp\c80ad6ada1635b8bca10287561eeae15.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c80ad6ada1635b8bca10287561eeae15.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  Process (depth 2): C:\Users\Admin\AppData\Local\Temp\c80ad6ada1635b8bca10287561eeae15.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\c80ad6ada1635b8bca10287561eeae15.exe"
    - Adds Run key to start application
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    Process (depth 3): C:\Windows\SysWOW64\icacls.exe
      Command line: icacls "C:\Users\Admin\AppData\Local\90e727f6-d0f2-4c46-88ba-10431bf9599d" /deny *S-1-1-0:(OI)(CI)(DE,DC)
      - Modifies file permissions
    Process (depth 3): C:\Users\Admin\AppData\Local\Temp\c80ad6ada1635b8bca10287561eeae15.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\c80ad6ada1635b8bca10287561eeae15.exe" --Admin IsNotAutoStart IsNotTask
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      Process (depth 4): C:\Users\Admin\AppData\Local\Temp\c80ad6ada1635b8bca10287561eeae15.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\c80ad6ada1635b8bca10287561eeae15.exe" --Admin IsNotAutoStart IsNotTask
        - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
  MD5: 57ba3fd55153ccfffc38981d45eb27ef
  SHA1: 8b89079e2a405fe04a1a87fe901d88982ef516cb
  SHA256: 19d84b87ec3acb0894fbbb2c95b23053373568282aa6817da64607ed3225dcef
  SHA512: 58ae33ebb38e6bec6332b9085f8b41850b53d7de804bc87a462f9ce7b1e960051d3682fb87a14c159041a7577a36af95cb2edf971e4d23c902d583da9945c0b4
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
  MD5: 3f5ce173eed18d061760acea4c8f69f3
  SHA1: c8a02499ede88cb10496fbbc77fee1f2757e6629
  SHA256: b7666f21ebc73a75f02fefbf7d6f17700897b69301eae07ce4bab6b32ab107c8
  SHA512: 22f7b2af2a230e7f6ae2830d27b5769c07f0c3f8d327cfb6be6a4c632af012e823e303514c62dac8f70c973e4df81aeba10138a930d4a8880caf18c8a7062d24
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
  MD5: 57947eb0a7ec4e30e160f26f6ec52f14
  SHA1: 60deefaad68596b030dbf699933f285153d58447
  SHA256: 210664441cb2c53da66862f12c1e7d7cc410077f85af087b13cbafbe33390010
  SHA512: 0dad47476ecab60e07684f690f4e1fc07c58ef9ab63840f48f4d8a4f91372081cf1400e220655e38d2c4c891e548c35eb48c52d2a91379addfc5d77f4a6c7ac7
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
  MD5: 9ae70e68a95ba552b9739980c86b3e9e
  SHA1: c306d157d7698552e6e89684d3fe91c463287143
  SHA256: 61c833a8e3255f22a73bd2bb9409776eb092d5f0c25ba6c5566a0825370f5f2f
  SHA512: 000fd333fe9204e4b0e17b01d48e19618559e4b10ccb3de7b6a7f366a3de796cb4b81af73a8301bd88e8af9001783aed74db50dc8685ed528788e8a549ec3105
- C:\Users\Admin\AppData\Local\90e727f6-d0f2-4c46-88ba-10431bf9599d\c80ad6ada1635b8bca10287561eeae15.exe
  MD5: c80ad6ada1635b8bca10287561eeae15
  SHA1: adcdbf7bffc69fb590785637a9a78a195421a375
  SHA256: e9a78c00f0c651f605119a584225f7ac87ef48eff719b6b4414931c88e7df7df
  SHA512: b08ae40cedcace5a918553923dc5a87ea488364c948fe5f3562d2a6353eac0a31779ecd18ef30770b3a5a2098ea7ec8886dc09b73026e407ebc52c39222025ba
- memory/644-116-0x0000000002210000-0x000000000232B000-memory.dmp
  Filesize: 1.1MB
- memory/908-117-0x0000000000400000-0x0000000000537000-memory.dmp
  Filesize: 1.2MB
- memory/908-115-0x0000000000424141-mapping.dmp
- memory/908-114-0x0000000000400000-0x0000000000537000-memory.dmp
  Filesize: 1.2MB
- memory/1236-118-0x0000000000000000-mapping.dmp
- memory/1484-120-0x0000000000000000-mapping.dmp
- memory/1800-122-0x0000000000424141-mapping.dmp
- memory/1800-127-0x0000000000400000-0x0000000000537000-memory.dmp
  Filesize: 1.2MB