djvu | d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6

General

Target

d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe
Size

854KB
MD5

a6302fea85ed3f4e505cd5751ca5b9c7
SHA1

9c7db8e46dbb562ab4be33a499c9d4fa30a75172
SHA256

d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6
SHA512

a33dea96679bab9bc2a98325898ff04c5a166a9a8ad799afd55375b0547c153a2136e404ea0ada1620f39e34f9a0b84d4b47545695a95fd4eafa177eb3384378

Score

10^/10

djvu discovery persistence ransomware suricata

Malware Config

Extracted

Family

djvu

C2

http://pqkl.org/lancer/get.php

Attributes

extension
.qmak
offline_id
mGOVYjwKN5zpBZyRsr2Nqza9xnxDzO1NGhAl47t1
payload_url
http://kotob.top/dl/build2.exe

http://pqkl.org/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-W7mpKFSSv2 Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0348gSd743d

rsa_pubkey.plain

Signatures

Detected Djvu ransomware 6 IoCs

resource	yara_rule
behavioral1/memory/3044-116-0x00000000049F0000-0x0000000004B0B000-memory.dmp	family_djvu
behavioral1/memory/2760-117-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2760-118-0x0000000000424141-mapping.dmp	family_djvu
behavioral1/memory/2760-119-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3164-125-0x0000000000424141-mapping.dmp	family_djvu
behavioral1/memory/3164-130-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2656	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\432d7a55-2c21-46fb-8644-69980109aa17\\d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe\" --AutoStart"	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
26	api.2ip.ua
8	api.2ip.ua
9	api.2ip.ua

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3044 set thread context of 2760	3044	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe	68
PID 1304 set thread context of 3164	1304	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe	73

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2760	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe
2760	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe
3164	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe
3164	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 2760	3044	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe	68
PID 3044 wrote to memory of 2760	3044	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe	68
PID 3044 wrote to memory of 2760	3044	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe	68
PID 3044 wrote to memory of 2760	3044	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe	68
PID 3044 wrote to memory of 2760	3044	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe	68
PID 3044 wrote to memory of 2760	3044	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe	68
PID 3044 wrote to memory of 2760	3044	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe	68
PID 3044 wrote to memory of 2760	3044	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe	68
PID 3044 wrote to memory of 2760	3044	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe	68
PID 3044 wrote to memory of 2760	3044	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe	68
PID 2760 wrote to memory of 2656	2760	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe	70
PID 2760 wrote to memory of 2656	2760	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe	70
PID 2760 wrote to memory of 2656	2760	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe	70
PID 2760 wrote to memory of 1304	2760	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe	71
PID 2760 wrote to memory of 1304	2760	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe	71
PID 2760 wrote to memory of 1304	2760	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe	71
PID 1304 wrote to memory of 3164	1304	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe	73
PID 1304 wrote to memory of 3164	1304	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe	73
PID 1304 wrote to memory of 3164	1304	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe	73
PID 1304 wrote to memory of 3164	1304	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe	73
PID 1304 wrote to memory of 3164	1304	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe	73
PID 1304 wrote to memory of 3164	1304	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe	73
PID 1304 wrote to memory of 3164	1304	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe	73
PID 1304 wrote to memory of 3164	1304	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe	73
PID 1304 wrote to memory of 3164	1304	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe	73
PID 1304 wrote to memory of 3164	1304	d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe	73

C:\Users\Admin\AppData\Local\Temp\d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe
"C:\Users\Admin\AppData\Local\Temp\d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Users\Admin\AppData\Local\Temp\d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe
  "C:\Users\Admin\AppData\Local\Temp\d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe"
  2⤵
  - Adds Run key to start application
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\432d7a55-2c21-46fb-8644-69980109aa17" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:2656
- - C:\Users\Admin\AppData\Local\Temp\d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe
    "C:\Users\Admin\AppData\Local\Temp\d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1304
  - - C:\Users\Admin\AppData\Local\Temp\d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe
      "C:\Users\Admin\AppData\Local\Temp\d74d5bef2452c3848115df8db591b3986f449c62b1d8a3fd5d685eb1e9ab40c6.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3164

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Install Root Certificate

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1304-123-0x00000000048C6000-0x0000000004957000-memory.dmp

Filesize
580KB

Download
memory/2760-119-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2760-117-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3044-115-0x000000000495A000-0x00000000049EB000-memory.dmp

Filesize
580KB

Download
memory/3044-116-0x00000000049F0000-0x0000000004B0B000-memory.dmp

Filesize
1.1MB

Download
memory/3164-130-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads