Analysis

max time kernel: 121s
max time network: 127s
platform: windows10_x64
resource: win10-en-20211104
submitted: 29-11-2021 22:12

Static task: static1
Behavioral task: behavioral1
Sample: ad314bc4baa58363ed0cbc01f8ec11f55ca7e53a219b2cdceda1b177e0938d8d.exe
Resource: win10-en-20211104
General

Target: ad314bc4baa58363ed0cbc01f8ec11f55ca7e53a219b2cdceda1b177e0938d8d.exe
Size: 825KB
MD5: 2be9be6f27a7de23f03741fdc13d9a25
SHA1: d5965d13a704e796db7d394c63b07e7f06e123ea
SHA256: ad314bc4baa58363ed0cbc01f8ec11f55ca7e53a219b2cdceda1b177e0938d8d
SHA512: 35fb842270eebaf07f1c006e5b12d6e9d2c21b8c600f1ae18652219e5f43423aa5e6c64c074cbb4d49f51adf9b595192d7d446ae99959c4781edf1a656f1c48c
Malware Config

Extracted
Family: djvu
C2: http://tzgl.org/lancer/get.php
extension: .yqal
offline_id: K3PMMX2aWwpnYby88Dzg7tmaIW7Tv0HMWvSyr7t1
payload_url:
  http://kotob.top/dl/build2.exe
  http://tzgl.org/files/1/build3.exe
ransomnote:
  ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-rIyEiK9ekc Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0356gSd743d
Signatures

Detected Djvu ransomware (6 IoCs)
  resource                                                                        yara_rule
  behavioral1/memory/4024-119-0x0000000000BE0000-0x0000000000CFB000-memory.dmp    family_djvu
  behavioral1/memory/660-120-0x0000000000400000-0x0000000000537000-memory.dmp     family_djvu
  behavioral1/memory/660-121-0x0000000000424141-mapping.dmp                       family_djvu
  behavioral1/memory/660-122-0x0000000000400000-0x0000000000537000-memory.dmp     family_djvu
  behavioral1/memory/812-128-0x0000000000424141-mapping.dmp                       family_djvu
  behavioral1/memory/812-133-0x0000000000400000-0x0000000000537000-memory.dmp     family_djvu
Djvu Ransomware
Ransomware which is a variant of the STOP family.

suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
Modifies file permissions (1 TTPs, 1 IoCs)

Adds Run key to start application (2 TTPs, 1 IoCs)
  process:     ad314bc4baa58363ed0cbc01f8ec11f55ca7e53a219b2cdceda1b177e0938d8d.exe
  description: Set value (str)
  ioc:         \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\192ba449-32d6-406c-bd37-44f0831f7334\\ad314bc4baa58363ed0cbc01f8ec11f55ca7e53a219b2cdceda1b177e0938d8d.exe\" --AutoStart"
Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  18    api.2ip.ua
  19    api.2ip.ua
  28    api.2ip.ua
Suspicious use of SetThreadContext (2 IoCs)
  description                          pid   process                                                                  target process
  PID 4024 set thread context of 660   4024  ad314bc4baa58363ed0cbc01f8ec11f55ca7e53a219b2cdceda1b177e0938d8d.exe    ad314bc4baa58363ed0cbc01f8ec11f55ca7e53a219b2cdceda1b177e0938d8d.exe
  PID 2380 set thread context of 812   2380  ad314bc4baa58363ed0cbc01f8ec11f55ca7e53a219b2cdceda1b177e0938d8d.exe    ad314bc4baa58363ed0cbc01f8ec11f55ca7e53a219b2cdceda1b177e0938d8d.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies system certificate store
  process:     ad314bc4baa58363ed0cbc01f8ec11f55ca7e53a219b2cdceda1b177e0938d8d.exe
  description: Set value (data)
  ioc:         \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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

  process:     ad314bc4baa58363ed0cbc01f8ec11f55ca7e53a219b2cdceda1b177e0938d8d.exe
  description: Key created
  ioc:         \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   process
  660   ad314bc4baa58363ed0cbc01f8ec11f55ca7e53a219b2cdceda1b177e0938d8d.exe
  660   ad314bc4baa58363ed0cbc01f8ec11f55ca7e53a219b2cdceda1b177e0938d8d.exe
  812   ad314bc4baa58363ed0cbc01f8ec11f55ca7e53a219b2cdceda1b177e0938d8d.exe
  812   ad314bc4baa58363ed0cbc01f8ec11f55ca7e53a219b2cdceda1b177e0938d8d.exe
Suspicious use of WriteProcessMemory (26 IoCs)
Identical rows are collapsed; the count column gives the number of times each row appears in the report.
  description                        count  pid   process                                                                  target process
  PID 4024 wrote to memory of 660    10     4024  ad314bc4baa58363ed0cbc01f8ec11f55ca7e53a219b2cdceda1b177e0938d8d.exe    ad314bc4baa58363ed0cbc01f8ec11f55ca7e53a219b2cdceda1b177e0938d8d.exe
  PID 660 wrote to memory of 1440    3      660   ad314bc4baa58363ed0cbc01f8ec11f55ca7e53a219b2cdceda1b177e0938d8d.exe    icacls.exe
  PID 660 wrote to memory of 2380    3      660   ad314bc4baa58363ed0cbc01f8ec11f55ca7e53a219b2cdceda1b177e0938d8d.exe    ad314bc4baa58363ed0cbc01f8ec11f55ca7e53a219b2cdceda1b177e0938d8d.exe
  PID 2380 wrote to memory of 812    10     2380  ad314bc4baa58363ed0cbc01f8ec11f55ca7e53a219b2cdceda1b177e0938d8d.exe    ad314bc4baa58363ed0cbc01f8ec11f55ca7e53a219b2cdceda1b177e0938d8d.exe
Processes

Process tree (indentation shows the parent/child relationship):

C:\Users\Admin\AppData\Local\Temp\ad314bc4baa58363ed0cbc01f8ec11f55ca7e53a219b2cdceda1b177e0938d8d.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\ad314bc4baa58363ed0cbc01f8ec11f55ca7e53a219b2cdceda1b177e0938d8d.exe"
  PID: 4024
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\ad314bc4baa58363ed0cbc01f8ec11f55ca7e53a219b2cdceda1b177e0938d8d.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\ad314bc4baa58363ed0cbc01f8ec11f55ca7e53a219b2cdceda1b177e0938d8d.exe"
      PID: 660
      - Adds Run key to start application
      - Modifies system certificate store
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\icacls.exe
          command line: icacls "C:\Users\Admin\AppData\Local\192ba449-32d6-406c-bd37-44f0831f7334" /deny *S-1-1-0:(OI)(CI)(DE,DC)
          PID: 1440
          - Modifies file permissions

        C:\Users\Admin\AppData\Local\Temp\ad314bc4baa58363ed0cbc01f8ec11f55ca7e53a219b2cdceda1b177e0938d8d.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\ad314bc4baa58363ed0cbc01f8ec11f55ca7e53a219b2cdceda1b177e0938d8d.exe" --Admin IsNotAutoStart IsNotTask
          PID: 2380
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory

            C:\Users\Admin\AppData\Local\Temp\ad314bc4baa58363ed0cbc01f8ec11f55ca7e53a219b2cdceda1b177e0938d8d.exe
              command line: "C:\Users\Admin\AppData\Local\Temp\ad314bc4baa58363ed0cbc01f8ec11f55ca7e53a219b2cdceda1b177e0938d8d.exe" --Admin IsNotAutoStart IsNotTask
              PID: 812
              - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
  MD5:    e15da05c12224abc690b1eb313a20137
  SHA1:   80f6284e35fa09eda4e69a5a866f052c9077e1f1
  SHA256: 9708014af393827b1df1614e6d4d99de56f13fbda613e2ead63416a9c2c6e31c
  SHA512: 4d41f757804943d5344476747024dd94aaa6d414d9b1652f9865927234d40c271a42468cde38c2bd68f6e833783ae8ea93727d2eb9e8c24263673eb8dd6b9937

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
  MD5:    2bef96fbf39da6a765ed4d36db41fc5a
  SHA1:   af8b93b370a8bfd932552f840d54da310b51c071
  SHA256: 9cf840b96cb69e5c7f2b93630f63e44c20ba7240ce29ffa7e5de6e648c57d3c8
  SHA512: a05166997abf2f29a1867f2ed649555eb5b153448087025b0d1a77cc14f78da0052a81bfd44d360731ca8b6520646b0d3e51e8fbbc2e045b990505dd46fa24d7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
  MD5:    ca062b1569481badcb89688064d6224a
  SHA1:   45a387ad9af7aa71a9d5cbcc41ac26bb54488183
  SHA256: d0a87c9f2dddd52f30782689de6042b7036e1745de81eaa5124ca43b4390ecfa
  SHA512: 25924abd66c83d674ebb6d438225be0cc6a80d92c9f652ee0f6dc8df503f520341fcd154ae1beaa54c8b20e63565fea790501b1735c5df56209dce45b295cc9c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
  MD5:    7a13ec0d8bd9631ff2e116f48db5ad42
  SHA1:   34caf1c3bf2d211f04606a804b848b04081aa7a1
  SHA256: 32a84156ebdb4252981a0e3fdf096845a9be5e48d372cc28836f604fdca50e6e
  SHA512: 1f4a300b6e1590bb17e58fdaed263401bbd39d2cf701108bddf7cb676c1d76b1016f4cb540be9a5afef8b49a52c407eef9347e63f11e80fe529689114c8129e1

C:\Users\Admin\AppData\Local\192ba449-32d6-406c-bd37-44f0831f7334\ad314bc4baa58363ed0cbc01f8ec11f55ca7e53a219b2cdceda1b177e0938d8d.exe
  MD5:    2be9be6f27a7de23f03741fdc13d9a25
  SHA1:   d5965d13a704e796db7d394c63b07e7f06e123ea
  SHA256: ad314bc4baa58363ed0cbc01f8ec11f55ca7e53a219b2cdceda1b177e0938d8d
  SHA512: 35fb842270eebaf07f1c006e5b12d6e9d2c21b8c600f1ae18652219e5f43423aa5e6c64c074cbb4d49f51adf9b595192d7d446ae99959c4781edf1a656f1c48c

Memory dumps:
  memory/660-121-0x0000000000424141-mapping.dmp
  memory/660-122-0x0000000000400000-0x0000000000537000-memory.dmp    Filesize: 1.2MB
  memory/660-120-0x0000000000400000-0x0000000000537000-memory.dmp    Filesize: 1.2MB
  memory/812-128-0x0000000000424141-mapping.dmp
  memory/812-133-0x0000000000400000-0x0000000000537000-memory.dmp    Filesize: 1.2MB
  memory/1440-123-0x0000000000000000-mapping.dmp
  memory/2380-125-0x0000000000000000-mapping.dmp
  memory/2380-126-0x00000000008EE000-0x000000000097F000-memory.dmp   Filesize: 580KB
  memory/4024-118-0x0000000000A24000-0x0000000000AB5000-memory.dmp   Filesize: 580KB
  memory/4024-119-0x0000000000BE0000-0x0000000000CFB000-memory.dmp   Filesize: 1.1MB