Analysis

  • max time kernel
    127s
  • max time network
    121s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    21-10-2021 15:50

General

  • Target

    9f6afa09d7d82aa7527a2dc83c0819b37192a8513879979d01c79f5741b0092d.exe

  • Size

    782KB

  • MD5

    f8965a89dea0bc5a9eb9473e15203c4b

  • SHA1

    4c64c26c74c0fac039a0974a95ab5e48f8e8d4e3

  • SHA256

    9f6afa09d7d82aa7527a2dc83c0819b37192a8513879979d01c79f5741b0092d

  • SHA512

    79dd477be26046d4eba9039fa148fdaeba85100bd3d78e0af8db95571672964603c187864b2f11fcf366abc61263bd87117bfed2b943d4d2c632330b6023e1c3

Malware Config

Extracted

Family

djvu

C2

http://rlrz.org/fhsgtsspen6

Signatures

  • Detected Djvu ransomware 6 IoCs
  • Djvu Ransomware

    Ransomware which is a variant of the STOP family.

  • Downloads MZ/PE file
  • Executes dropped EXE 6 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 62 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9f6afa09d7d82aa7527a2dc83c0819b37192a8513879979d01c79f5741b0092d.exe
    "C:\Users\Admin\AppData\Local\Temp\9f6afa09d7d82aa7527a2dc83c0819b37192a8513879979d01c79f5741b0092d.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1328
    • C:\Users\Admin\AppData\Local\Temp\9f6afa09d7d82aa7527a2dc83c0819b37192a8513879979d01c79f5741b0092d.exe
      "C:\Users\Admin\AppData\Local\Temp\9f6afa09d7d82aa7527a2dc83c0819b37192a8513879979d01c79f5741b0092d.exe"
      2⤵
      • Adds Run key to start application
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1512
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Users\Admin\AppData\Local\633ab587-c642-451d-8b22-0d410722ec77" /deny *S-1-1-0:(OI)(CI)(DE,DC)
        3⤵
        • Modifies file permissions
        PID:3952
      • C:\Users\Admin\AppData\Local\Temp\9f6afa09d7d82aa7527a2dc83c0819b37192a8513879979d01c79f5741b0092d.exe
        "C:\Users\Admin\AppData\Local\Temp\9f6afa09d7d82aa7527a2dc83c0819b37192a8513879979d01c79f5741b0092d.exe" --Admin IsNotAutoStart IsNotTask
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2232
        • C:\Users\Admin\AppData\Local\Temp\9f6afa09d7d82aa7527a2dc83c0819b37192a8513879979d01c79f5741b0092d.exe
          "C:\Users\Admin\AppData\Local\Temp\9f6afa09d7d82aa7527a2dc83c0819b37192a8513879979d01c79f5741b0092d.exe" --Admin IsNotAutoStart IsNotTask
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2964
          • C:\Users\Admin\AppData\Local\c82fbb1c-9e61-437e-898b-0bbe64dea29c\build3.exe
            "C:\Users\Admin\AppData\Local\c82fbb1c-9e61-437e-898b-0bbe64dea29c\build3.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:1308
            • C:\Users\Admin\AppData\Local\c82fbb1c-9e61-437e-898b-0bbe64dea29c\build3.exe
              "C:\Users\Admin\AppData\Local\c82fbb1c-9e61-437e-898b-0bbe64dea29c\build3.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:404
              • C:\Windows\SysWOW64\schtasks.exe
                /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
                7⤵
                • Creates scheduled task(s)
                PID:3632
  • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4012
    • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1560
      • C:\Windows\SysWOW64\schtasks.exe
        /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
        3⤵
        • Creates scheduled task(s)
        PID:1712
  • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2096
    • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
      2⤵
      • Executes dropped EXE
      PID:2216

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Execution
    Scheduled Task (1) T1053
  • Persistence
    Registry Run Keys / Startup Folder (1) T1060
    Scheduled Task (1) T1053
  • Privilege Escalation
    Scheduled Task (1) T1053
  • Defense Evasion
    File Permissions Modification (1) T1222
    Modify Registry (2) T1112
    Install Root Certificate (1) T1130
  • Discovery
    System Information Discovery (1) T1082

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
    MD5

    50d9d5311b74576fbbb5c9f204fdc16b

    SHA1

    7dd97b713e33f287440441aa3bb7966a2cb68321

    SHA256

    d76a71e8dfd6961d4912a23b2fd207f2a93c67523dfcda252358eafa5821b2ad

    SHA512

    67d02ce79bb8fd641783ba12ab5587900a03416627939084ce87f22b42ca7d50765947e2238b3c6a70a74bce3c9233b486aaa10feb57e714646e4d02c0c926c0

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
    MD5

    8f19b97ffda28eb06efc2181fd126b9c

    SHA1

    142443021d6ffaf32d3d60635d0edf540a039f2e

    SHA256

    49607d1b931a79642c5268292b4f16f2db7ec77b53f8abddbc0cce36ed88e3f7

    SHA512

    6577704c531cc07d1ae8d61dfe6d8735d29d1386038fa9e3f5580c80c30dc04570ec0160f51903d05b180c4af68f0eb8e23e2106c3bb367afd32d033aae031e6

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
    MD5

    91e5798f6070530e69820fe23ecabbe2

    SHA1

    83c2b15fac84573ca3ea3d59df21f4edf557a2a9

    SHA256

    08783d2857908ffbb26e7f7ad4bb082a469e541cccf1db08c9090a2acb1012a2

    SHA512

    d9efe05eff84bcd491868080202d64459f258ce150adb3f765cc311f46eef954d20b0b4222a24dbeb03e4abe2f80944e0477dbf0d0dad8a058e7361b3416ac62

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
    MD5

    272d862bbfd93e995b050c79cdc54612

    SHA1

    92405fac71026754ed0a0c3539db7f7180d9838e

    SHA256

    a03ad174cc4a1c3e48738a0378e8cba1f53c5a6dd72b22dcd7220cd121b3fa78

    SHA512

    e6ae3f210b5b2278941970df7a1bf76e086645a427bf43148806204da4d41c90247b9c9e336cff5d501f6c07a4084b8289dcf1f61fbc5ef7434c4dee1ad970af

  • C:\Users\Admin\AppData\Local\633ab587-c642-451d-8b22-0d410722ec77\9f6afa09d7d82aa7527a2dc83c0819b37192a8513879979d01c79f5741b0092d.exe
    MD5

    f8965a89dea0bc5a9eb9473e15203c4b

    SHA1

    4c64c26c74c0fac039a0974a95ab5e48f8e8d4e3

    SHA256

    9f6afa09d7d82aa7527a2dc83c0819b37192a8513879979d01c79f5741b0092d

    SHA512

    79dd477be26046d4eba9039fa148fdaeba85100bd3d78e0af8db95571672964603c187864b2f11fcf366abc61263bd87117bfed2b943d4d2c632330b6023e1c3

  • C:\Users\Admin\AppData\Local\c82fbb1c-9e61-437e-898b-0bbe64dea29c\build3.exe
    MD5

    0fea771099e342facd95a9d659548919

    SHA1

    9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

    SHA256

    6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

    SHA512

    2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

  • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    MD5

    0fea771099e342facd95a9d659548919

    SHA1

    9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

    SHA256

    6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

    SHA512

    2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

  • memory/404-135-0x0000000000401AFA-mapping.dmp
  • memory/404-139-0x0000000000400000-0x0000000000406000-memory.dmp
    Filesize

    24KB

  • memory/404-134-0x0000000000400000-0x0000000000406000-memory.dmp
    Filesize

    24KB

  • memory/1308-130-0x0000000000000000-mapping.dmp
  • memory/1308-138-0x00000000032A0000-0x00000000032A4000-memory.dmp
    Filesize

    16KB

  • memory/1328-118-0x0000000004D40000-0x0000000004E5B000-memory.dmp
    Filesize

    1MB

  • memory/1328-117-0x0000000004CA0000-0x0000000004D32000-memory.dmp
    Filesize

    584KB

  • memory/1512-116-0x0000000000424141-mapping.dmp
  • memory/1512-119-0x0000000000400000-0x0000000000537000-memory.dmp
    Filesize

    1MB

  • memory/1512-115-0x0000000000400000-0x0000000000537000-memory.dmp
    Filesize

    1MB

  • memory/1560-144-0x0000000000401AFA-mapping.dmp
  • memory/1712-146-0x0000000000000000-mapping.dmp
  • memory/2096-148-0x00000000035BE000-0x00000000035CE000-memory.dmp
    Filesize

    64KB

  • memory/2096-152-0x0000000003250000-0x000000000339A000-memory.dmp
    Filesize

    1MB

  • memory/2216-150-0x0000000000401AFA-mapping.dmp
  • memory/2232-122-0x0000000000000000-mapping.dmp
  • memory/2964-125-0x0000000000400000-0x0000000000537000-memory.dmp
    Filesize

    1MB

  • memory/2964-124-0x0000000000424141-mapping.dmp
  • memory/3632-137-0x0000000000000000-mapping.dmp
  • memory/3952-120-0x0000000000000000-mapping.dmp
  • memory/4012-142-0x00000000033A8000-0x00000000033B9000-memory.dmp
    Filesize

    68KB