Analysis
max time kernel: 129s
max time network: 131s
platform: windows10_x64
resource: win10-en-20211014
submitted: 04-12-2021 08:15

Static task: static1
Behavioral task: behavioral1
Sample: 29eadaa32588aadb70d41e985bc1a87e232464a85a21ad7e663b1939439e28ec.exe
Resource: win10-en-20211014
General
Target: 29eadaa32588aadb70d41e985bc1a87e232464a85a21ad7e663b1939439e28ec.exe
Size: 796KB
MD5: 472097765682071245c1543bd74bb1df
SHA1: 29c08b95b015df3a7c5f76462af0f760feed3774
SHA256: 29eadaa32588aadb70d41e985bc1a87e232464a85a21ad7e663b1939439e28ec
SHA512: 7c98c19e00834beb69b8049eec840537864e5267b6a9b0be0809d9edb4b04bf51376a10a87350d6b5cc4c6bc9bec25c554fadbc538e8d1012e7a9088c16f083f
Malware Config
Extracted family: djvu
c2 (key request endpoint): http://tzgl.org/lancer/get.php
extension: .yqal
offline_id: K3PMMX2aWwpnYby88Dzg7tmaIW7Tv0HMWvSyr7t1
  (STOP/Djvu falls back to its embedded key when get.php cannot be reached and writes this value into the note as the victim ID; IDs ending in t1 are such offline IDs, which is what makes those cases decryptable once the offline key is known)
payload_url: http://kotob.top/dl/build2.exe
payload_url: http://tzgl.org/files/1/build3.exe
ransomnote:
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-rIyEiK9ekc Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0356gSd743d
Signatures

Detected Djvu ransomware (6 IoCs)
yara rule family_djvu matched in:
  behavioral1/memory/3792-116-0x00000000022F0000-0x000000000240B000-memory.dmp
  behavioral1/memory/664-117-0x0000000000400000-0x0000000000537000-memory.dmp
  behavioral1/memory/664-118-0x0000000000424141-mapping.dmp
  behavioral1/memory/664-119-0x0000000000400000-0x0000000000537000-memory.dmp
  behavioral1/memory/1040-125-0x0000000000424141-mapping.dmp
  behavioral1/memory/1040-130-0x0000000000400000-0x0000000000537000-memory.dmp
Djvu Ransomware
Ransomware which is a variant of the STOP family.

suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
This signature matches a bare HTTP request for an executable sent with minimal headers; despite its name it is not specific to Dridex. Two alerts are consistent with the build2.exe and build3.exe fetches from the payload_url entries in the extracted config, although the Network section of this report is empty and does not show which requests raised them.
-
Modifies file permissions (1 TTPs, 1 IoCs)
The IoC is the icacls call in the process tree below: icacls "C:\Users\Admin\AppData\Local\212b0a64-a1fd-4cd3-8fcc-fadd7059a8e5" /deny *S-1-1-0:(OI)(CI)(DE,DC). S-1-1-0 is Everyone, (OI)(CI) makes the entry inherit to files and subfolders, and (DE,DC) denies delete and delete-child, so the copy of the sample dropped into that folder resists deletion until the ACL is reset (an administrator or the owner can still take ownership and remove it).

Adds Run key to start application (2 TTPs, 1 IoCs)
process: 29eadaa32588aadb70d41e985bc1a87e232464a85a21ad7e663b1939439e28ec.exe (PID 664)
Set value (str) \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\212b0a64-a1fd-4cd3-8fcc-fadd7059a8e5\\29eadaa32588aadb70d41e985bc1a87e232464a85a21ad7e663b1939439e28ec.exe\" --AutoStart"
The value name SysHelper, a per-user Run key, and a payload path under %LOCALAPPDATA%\<GUID> launched with --AutoStart are the persistence shape to look for on other hosts.
Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow 14: api.2ip.ua
flow 15: api.2ip.ua
flow 28: api.2ip.ua
api.2ip.ua is a legitimate service, so the useful signal is the sample's process contacting it, not the domain on its own.

Suspicious use of SetThreadContext (2 IoCs)
PID 3792 set thread context of 664 (29eadaa32588aadb70d41e985bc1a87e232464a85a21ad7e663b1939439e28ec.exe -> 29eadaa32588aadb70d41e985bc1a87e232464a85a21ad7e663b1939439e28ec.exe)
PID 3588 set thread context of 1040 (29eadaa32588aadb70d41e985bc1a87e232464a85a21ad7e663b1939439e28ec.exe -> 29eadaa32588aadb70d41e985bc1a87e232464a85a21ad7e663b1939439e28ec.exe)
Each parent starts a second copy of its own image and then sets the new process's thread context. Together with the WriteProcessMemory rows below and the family_djvu matches on memory/664-118 and memory/1040-125 (mapping dumps at 0x424141, inside the child's 0x400000-0x537000 image range), this is consistent with self-injection (process hollowing): the unpacked payload runs inside the child while the parent's own image stays packed.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies system certificate store (2 IoCs)
The Blob written below is the Comodo/Sectigo "AAA Certificate Services" root: the registry key name D1EB23A46D17D68FD92564C2F1F1601764D8E349 is its SHA-1 thumbprint, and the friendly name Sectigo (AAA) and the issuer/subject strings Comodo CA Limited and AAA Certificate Services are readable in the hex. Windows itself writes roots into HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates when CryptoAPI's automatic root update fetches one to complete a chain, and the CryptnetUrlCache files under Downloads are that mechanism's cache. This entry is therefore most likely a side effect of the sample's own TLS connection (the api.2ip.ua lookup) rather than the malware installing a trusted root of its own; confirm by checking the thumbprint against the Microsoft trusted root list before treating it as an attacker-controlled CA.
Processes:
29eadaa32588aadb70d41e985bc1a87e232464a85a21ad7e663b1939439e28ec.exedescription ioc process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f
29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e 29eadaa32588aadb70d41e985bc1a87e232464a85a21ad7e663b1939439e28ec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 29eadaa32588aadb70d41e985bc1a87e232464a85a21ad7e663b1939439e28ec.exe -
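The Blob value above is CryptoAPI's serialized certificate-property list, which is awkward to read as one hex string. The parser below is an added example (not part of the sandbox report) that decodes that layout so an analyst can see which certificate landed in AuthRoot without pasting 2 KB of hex into a viewer. It embeds the leading records of the report's own Blob, copied property by property, and leaves out the final 0x20 record (the 1078-byte DER certificate) to stay short; the thumbprint check that covers the 0x20 record is exercised on a constructed blob instead. Property names for 0x03, 0x0b, 0x14 and 0x20 are from wincrypt.h; property 0x0f is not named here, it is decoded only as the DER SEQUENCE OF OBJECT IDENTIFIER its bytes contain.

```python
"""Decode a CryptoAPI certificate 'Blob' registry value (added example).

Layout, repeated until the data runs out:
    DWORD prop_id | DWORD reserved (always 1) | DWORD length | bytes[length]
"""
import hashlib
import struct
from typing import Dict, List

CERT_SHA1_HASH_PROP_ID = 0x03       # SHA-1 thumbprint, also the registry key name
CERT_FRIENDLY_NAME_PROP_ID = 0x0B   # UTF-16LE, NUL terminated
CERT_KEY_IDENTIFIER_PROP_ID = 0x14  # subject key identifier
CERT_CERT_PROP_ID = 0x20            # the DER-encoded certificate itself
OID_LIST_PROP_ID = 0x0F             # assumption: named only by what its bytes hold

# Leading records of the report's Blob, copied record by record; the 0x20 record is omitted.
REPORT_BLOB_PREFIX = bytes.fromhex(
    "5c000000" "01000000" "04000000" "00080000"
    "0f000000" "01000000" "54000000"
    "3052"
    "06082b06010505070302" "06082b06010505070303" "060a2b0601040182370a0304"
    "06082b06010505070304" "06082b06010505070306" "06082b06010505070307"
    "06082b06010505070301" "06082b06010505070308"
    "53000000" "01000000" "43000000"
    "3041" "3022" "060c2b06010401b2310102010501" "3012" "3010"
    "060a2b0601040182373c0101" "030200c0" "301b" "060567810c0103" "3012" "3010"
    "060a2b0601040182373c0101" "030200c0"
    "62000000" "01000000" "20000000"
    "d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef4"
    "0b000000" "01000000" "1c000000"
    "5300650063007400690067006f002000280041004100410029000000"
    "14000000" "01000000" "14000000" "a0110a233e96f107ece2af29ef82a57fd030a4b4"
    "1d000000" "01000000" "10000000" "2e0d6875874a44c820912e85e964cfdb"
    "03000000" "01000000" "14000000" "d1eb23a46d17d68fd92564c2f1f1601764d8e349"
    "19000000" "01000000" "10000000" "2aa1c05e2ae606f198c2c5e937c97aa2"
)


def parse_cert_blob(blob: bytes) -> Dict[int, bytes]:
    """Split the property list into {prop_id: data}; refuses truncated input."""
    props: Dict[int, bytes] = {}
    off = 0
    while off < len(blob):
        if off + 12 > len(blob):
            raise ValueError("truncated property header at offset %d" % off)
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        if reserved != 1:
            raise ValueError("unexpected reserved field %d at offset %d" % (reserved, off))
        off += 12
        data = blob[off:off + length]
        if len(data) != length:
            raise ValueError("property 0x%02x truncated" % prop_id)
        props[prop_id] = data
        off += length
    return props


def decode_oid(content: bytes) -> str:
    """DER OBJECT IDENTIFIER content octets to dotted form (base-128 arcs)."""
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def decode_oid_sequence(data: bytes) -> List[str]:
    """Walk a DER SEQUENCE OF OBJECT IDENTIFIER (short-form lengths suffice here)."""
    if data[0] != 0x30 or data[1] & 0x80:
        raise ValueError("not a short-form DER SEQUENCE")
    oids, off, end = [], 2, 2 + data[1]
    while off < end:
        if data[off] != 0x06:
            raise ValueError("non-OID element in sequence")
        length = data[off + 1]
        oids.append(decode_oid(data[off + 2:off + 2 + length]))
        off += 2 + length
    return oids


def verify_thumbprint(props: Dict[int, bytes]) -> bool:
    """Property 0x03 (and the registry key name) must equal SHA-1 of the DER cert."""
    return hashlib.sha1(props[CERT_CERT_PROP_ID]).digest() == props.get(CERT_SHA1_HASH_PROP_ID)


def describe(blob: bytes) -> Dict[str, object]:
    """Summarise the properties an analyst cares about."""
    props = parse_cert_blob(blob)
    info: Dict[str, object] = {"property_ids": sorted(props)}
    if CERT_FRIENDLY_NAME_PROP_ID in props:
        info["friendly_name"] = props[CERT_FRIENDLY_NAME_PROP_ID].decode("utf-16-le").rstrip("\x00")
    if CERT_SHA1_HASH_PROP_ID in props:
        info["sha1"] = props[CERT_SHA1_HASH_PROP_ID].hex()
    if CERT_KEY_IDENTIFIER_PROP_ID in props:
        info["subject_key_id"] = props[CERT_KEY_IDENTIFIER_PROP_ID].hex()
    if OID_LIST_PROP_ID in props:
        info["oids_0x0f"] = decode_oid_sequence(props[OID_LIST_PROP_ID])
    if CERT_CERT_PROP_ID in props:
        info["thumbprint_matches"] = verify_thumbprint(props)
    return info


def build_cert_blob(props: Dict[int, bytes]) -> bytes:
    """Inverse of parse_cert_blob, used to construct test input."""
    return b"".join(struct.pack("<III", pid, 1, len(d)) + d for pid, d in props.items())


def constructed_blob(tamper: bool = False) -> bytes:
    """Constructed input (not from the report) that exercises the 0x20 path."""
    fake_der = b"constructed placeholder, not a real certificate"
    thumb = b"\x00" * 20 if tamper else hashlib.sha1(fake_der).digest()
    return build_cert_blob({CERT_CERT_PROP_ID: fake_der, CERT_SHA1_HASH_PROP_ID: thumb})


if __name__ == "__main__":
    for key, value in describe(REPORT_BLOB_PREFIX).items():
        print(key, value)
```

On the report's data this yields the friendly name Sectigo (AAA), the thumbprint d1eb23a46d17d68fd92564c2f1f1601764d8e349 that is also the registry key name, and the OID list in property 0x0f (1.3.6.1.5.5.7.3.1 server auth, 1.3.6.1.5.5.7.3.3 code signing and six others), which is what you would expect for a Microsoft-distributed root rather than a freshly minted attacker CA.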
Suspicious behavior: EnumeratesProcesses (4 IoCs)
PID 664 29eadaa32588aadb70d41e985bc1a87e232464a85a21ad7e663b1939439e28ec.exe (2 events)
PID 1040 29eadaa32588aadb70d41e985bc1a87e232464a85a21ad7e663b1939439e28ec.exe (2 events)

Suspicious use of WriteProcessMemory (26 IoCs)
PID 3792 wrote to memory of 664 (29eadaa32588aadb70d41e985bc1a87e232464a85a21ad7e663b1939439e28ec.exe -> 29eadaa32588aadb70d41e985bc1a87e232464a85a21ad7e663b1939439e28ec.exe), 10 events
PID 664 wrote to memory of 3312 (29eadaa32588aadb70d41e985bc1a87e232464a85a21ad7e663b1939439e28ec.exe -> icacls.exe), 3 events
PID 664 wrote to memory of 3588 (29eadaa32588aadb70d41e985bc1a87e232464a85a21ad7e663b1939439e28ec.exe -> 29eadaa32588aadb70d41e985bc1a87e232464a85a21ad7e663b1939439e28ec.exe), 3 events
PID 3588 wrote to memory of 1040 (29eadaa32588aadb70d41e985bc1a87e232464a85a21ad7e663b1939439e28ec.exe -> 29eadaa32588aadb70d41e985bc1a87e232464a85a21ad7e663b1939439e28ec.exe), 10 events
The counts are the discriminator here: icacls.exe and PID 3588 each receive the three writes that accompany an ordinary process start in this sandbox, whereas 664 and 1040, the two SetThreadContext targets, receive ten, the extra writes being the payload placed into the child before its thread is redirected.
Processes
[depth 1, PID 3792] C:\Users\Admin\AppData\Local\Temp\29eadaa32588aadb70d41e985bc1a87e232464a85a21ad7e663b1939439e28ec.exe
    "C:\Users\Admin\AppData\Local\Temp\29eadaa32588aadb70d41e985bc1a87e232464a85a21ad7e663b1939439e28ec.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    [depth 2, PID 664] C:\Users\Admin\AppData\Local\Temp\29eadaa32588aadb70d41e985bc1a87e232464a85a21ad7e663b1939439e28ec.exe
        "C:\Users\Admin\AppData\Local\Temp\29eadaa32588aadb70d41e985bc1a87e232464a85a21ad7e663b1939439e28ec.exe"
        - Adds Run key to start application
        - Modifies system certificate store
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        [depth 3, PID 3312] C:\Windows\SysWOW64\icacls.exe
            icacls "C:\Users\Admin\AppData\Local\212b0a64-a1fd-4cd3-8fcc-fadd7059a8e5" /deny *S-1-1-0:(OI)(CI)(DE,DC)
            - Modifies file permissions
        [depth 3, PID 3588] C:\Users\Admin\AppData\Local\Temp\29eadaa32588aadb70d41e985bc1a87e232464a85a21ad7e663b1939439e28ec.exe
            "C:\Users\Admin\AppData\Local\Temp\29eadaa32588aadb70d41e985bc1a87e232464a85a21ad7e663b1939439e28ec.exe" --Admin IsNotAutoStart IsNotTask
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory
            [depth 4, PID 1040] C:\Users\Admin\AppData\Local\Temp\29eadaa32588aadb70d41e985bc1a87e232464a85a21ad7e663b1939439e28ec.exe
                "C:\Users\Admin\AppData\Local\Temp\29eadaa32588aadb70d41e985bc1a87e232464a85a21ad7e663b1939439e28ec.exe" --Admin IsNotAutoStart IsNotTask
                - Suspicious behavior: EnumeratesProcesses
PIDs are taken from the SetThreadContext and WriteProcessMemory rows above, which identify each depth level unambiguously.
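The process tree and the signature rows describe a behaviour chain (self-copy into %LOCALAPPDATA%\<GUID>, an icacls deny on that folder, a SysHelper Run value with --AutoStart, a relaunch with --Admin IsNotAutoStart IsNotTask, and SetThreadContext into a child running the same image) that is more useful as detection logic than as a list of hashes. The detector below is an added example, not code from the sandbox or the report, that encodes those four rules over simplified telemetry records. The event dictionaries are constructed from the report's own command lines, PIDs and registry write; the benign control events and the record schema (type, pid, ppid, image, cmdline, key, data, target_pid) are assumptions of this example and would need mapping onto whatever your EDR or Sysmon pipeline emits.

```python
"""Detect the STOP/Djvu persistence and self-injection pattern (added example)."""
import re
from typing import Dict, List, Tuple

SAMPLE = "29eadaa32588aadb70d41e985bc1a87e232464a85a21ad7e663b1939439e28ec.exe"
TEMP_EXE = r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE
DROP_DIR = r"C:\Users\Admin\AppData\Local\212b0a64-a1fd-4cd3-8fcc-fadd7059a8e5"
RUN_KEY = (r"\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000"
           r"\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper")

# %LOCALAPPDATA%\<GUID> followed by a path separator, a closing quote or end of string
GUID_DIR = re.compile(
    r'\\AppData\\Local\\[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}(?=[\\"]|$)', re.I)
# /deny *S-1-1-0:(OI)(CI)(DE,DC): Everyone loses delete / delete-child, inherited downward
ICACLS_DENY_DELETE = re.compile(
    r"/deny\s+\*S-1-1-0:\(OI\)\(CI\)\((?:DE|DC)(?:,(?:DE|DC))?\)", re.I)
RELAUNCH_ARGS = "--Admin IsNotAutoStart IsNotTask"

Event = Dict[str, object]
Hit = Tuple[str, str]


def detect(events: List[Event]) -> List[Hit]:
    """Return (rule, detail) pairs for every record that matches one of the four rules."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    hits: List[Hit] = []
    for e in events:
        kind = e["type"]
        if kind == "process":
            cmd, image = str(e["cmdline"]), str(e["image"]).lower()
            # rule 1: icacls denying Everyone delete rights on a GUID-named folder under AppData\Local
            if image.endswith("\\icacls.exe") and ICACLS_DENY_DELETE.search(cmd) \
                    and GUID_DIR.search(cmd):
                hits.append(("icacls_deny_delete_on_guid_dir", cmd))
            # rule 2: a process relaunching its own image with the Djvu argument set
            parent = procs.get(e["ppid"])
            if parent and str(parent["image"]).lower() == image and RELAUNCH_ARGS in cmd:
                hits.append(("self_relaunch_admin_args", "%s -> %s" % (e["ppid"], e["pid"])))
        elif kind == "registry_set":
            # rule 3: Run value pointing into a GUID folder and launched with --AutoStart
            key, data = str(e["key"]).lower(), str(e["data"])
            if "\\currentversion\\run\\" in key and GUID_DIR.search(data) \
                    and "--autostart" in data.lower():
                hits.append(("run_key_guid_dir_autostart", "%s = %s" % (e["key"], data)))
        elif kind == "set_thread_context":
            # rule 4: SetThreadContext where source and target run the same image (hollowing)
            src, dst = procs.get(e["pid"]), procs.get(e["target_pid"])
            if src and dst and str(src["image"]).lower() == str(dst["image"]).lower():
                hits.append(("set_thread_context_same_image",
                             "%s -> %s" % (e["pid"], e["target_pid"])))
    return hits


# Constructed from the report's process tree, PIDs and registry write.
REPORT_EVENTS: List[Event] = [
    {"type": "process", "pid": 3792, "ppid": 0, "image": TEMP_EXE, "cmdline": '"%s"' % TEMP_EXE},
    {"type": "process", "pid": 664, "ppid": 3792, "image": TEMP_EXE, "cmdline": '"%s"' % TEMP_EXE},
    {"type": "set_thread_context", "pid": 3792, "target_pid": 664},
    {"type": "registry_set", "pid": 664, "key": RUN_KEY,
     "data": '"%s\\%s" --AutoStart' % (DROP_DIR, SAMPLE)},
    {"type": "process", "pid": 3312, "ppid": 664, "image": r"C:\Windows\SysWOW64\icacls.exe",
     "cmdline": 'icacls "%s" /deny *S-1-1-0:(OI)(CI)(DE,DC)' % DROP_DIR},
    {"type": "process", "pid": 3588, "ppid": 664, "image": TEMP_EXE,
     "cmdline": '"%s" %s' % (TEMP_EXE, RELAUNCH_ARGS)},
    {"type": "process", "pid": 1040, "ppid": 3588, "image": TEMP_EXE,
     "cmdline": '"%s" %s' % (TEMP_EXE, RELAUNCH_ARGS)},
    {"type": "set_thread_context", "pid": 3588, "target_pid": 1040},
]

# Constructed controls (not from the report): ordinary icacls, Run value and thread-context use.
BENIGN_EVENTS: List[Event] = [
    {"type": "process", "pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"type": "process", "pid": 101, "ppid": 100, "image": r"C:\Windows\System32\icacls.exe",
     "cmdline": r'icacls "C:\Users\Admin\Documents" /grant Admin:(OI)(CI)F'},
    {"type": "registry_set", "pid": 100,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"type": "process", "pid": 102, "ppid": 100, "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
    {"type": "set_thread_context", "pid": 100, "target_pid": 102},
]

if __name__ == "__main__":
    for rule, detail in detect(REPORT_EVENTS):
        print(rule, "|", detail)
```

Run on the report's events every rule fires (the same-image SetThreadContext and the relaunch each twice, once per generation of the tree), and the benign controls produce nothing; the point of the GUID-folder and argument constraints is that icacls, Run keys and SetThreadContext are all common on their own, and only the combination is specific to this family.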
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5: 6a4823dd14ee6616a4ef99d2bea9a44c
SHA1: 1b0952c188fce7f3a0014cb473a80a66f3c71337
SHA256: cef0b13034255ff54ac6ee3a35c93cd92fe3d80e5793c2b5e63c0a42fcc3ff98
SHA512: a41d2a3f5c827518c102487af315e1303a50578eb258f65c17591eba0bc027ee2aa0a4941c494b9b5eb89842382f60ab3fec66e15a3f77cbf03cbae6dd9974c6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5: efd1d8e8293f5bd8d688fef877221ccb
SHA1: 55fd26b5c3ad5242aa08d1910c2e085d30489549
SHA256: 43be67b3e85dd203dfabd04252b7b5a261b21ec846e11d760a4f07e70bf528c1
SHA512: 755e7c67c4a0bc84debd21727d38dca438e7ea3ac8dc98b5f4140ae3f5de32c34aacd63c7cbfb110e1a2d3859089317a4401e07b7db5c36d2d167d9b764ec2cb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5: 49db569e8a344a19f30303017c953fdc
SHA1: 84be3fd5b52ae7a096692be3718060dded043311
SHA256: 0772b5885c4b809e36c5ed2e0e7ca4bddd35a9aabfdafdc2b4360f32567c5649
SHA512: c19ae791662279974775d771746567eb26525749ffd4d2833979e1f318e5f6f58821adef5d290f05bcfa9796309bc385ba0c333106a8f38c3f619531c7817ff8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5: dcb6809489d52fa9694217cb9a699caa
SHA1: d5175e4689275badf312b3464e2752a7e694eca5
SHA256: df412fe5ab1d7815d6195a19da490f1748c7f9cf7be1f64032161bcc83f99a83
SHA512: 26fa6e90b74b609c9560729c3688e0ba163faf075eb87711bc4f132b9249c54f9805de8414a7cb0b300a9f2cd22435bc632113dc249484aae4b11e5bf054f95a

The four CryptnetUrlCache files are CryptoAPI's cache of objects it fetched during chain building (CRL, AIA and automatic root update downloads), which matches the AuthRoot write in the Modifies system certificate store signature; they are evidence of a TLS connection, not of a second-stage payload being written to disk.

C:\Users\Admin\AppData\Local\212b0a64-a1fd-4cd3-8fcc-fadd7059a8e5\29eadaa32588aadb70d41e985bc1a87e232464a85a21ad7e663b1939439e28ec.exe
MD5: 472097765682071245c1543bd74bb1df
SHA1: 29c08b95b015df3a7c5f76462af0f760feed3774
SHA256: 29eadaa32588aadb70d41e985bc1a87e232464a85a21ad7e663b1939439e28ec
SHA512: 7c98c19e00834beb69b8049eec840537864e5267b6a9b0be0809d9edb4b04bf51376a10a87350d6b5cc4c6bc9bec25c554fadbc538e8d1012e7a9088c16f083f

This file has exactly the hashes of the submitted sample: the malware copies itself unchanged into the ACL-protected GUID folder that the SysHelper Run value points at, so the submitted hashes also identify the persisted copy.

Memory dumps
memory/664-118-0x0000000000424141-mapping.dmp
memory/664-119-0x0000000000400000-0x0000000000537000-memory.dmp (1.2MB)
memory/664-117-0x0000000000400000-0x0000000000537000-memory.dmp (1.2MB)
memory/1040-125-0x0000000000424141-mapping.dmp
memory/1040-130-0x0000000000400000-0x0000000000537000-memory.dmp (1.2MB)
memory/3312-120-0x0000000000000000-mapping.dmp
memory/3588-122-0x0000000000000000-mapping.dmp
memory/3588-123-0x0000000002145000-0x00000000021D6000-memory.dmp (580KB)
memory/3792-115-0x0000000002202000-0x0000000002293000-memory.dmp (580KB)
memory/3792-116-0x00000000022F0000-0x000000000240B000-memory.dmp (1.1MB)