djvu | 6588f6b244bffe05134673f066b77507d027bb7c870f0aeff26057c784e4b66e

General

Target

6588f6b244bffe05134673f066b77507d027bb7c870f0aeff26057c784e4b66e.exe
Size

826KB
MD5

42f97ff274e7ed27343162a870e6a13c
SHA1

f5dc07f68af248afafcb458c5d86d39f23f17784
SHA256

6588f6b244bffe05134673f066b77507d027bb7c870f0aeff26057c784e4b66e
SHA512

acba766e8819140b647e2a87ccb88279981d3919e1eba0fe6586a849bb71e278b3a3233c52311eba9ceaed7b3dd790e5699b6e13a3bcc7a482d1cf75049e6154

Score

10^/10

djvu discovery persistence ransomware suricata

Malware Config

Extracted

Family

djvu

C2

http://tzgl.org/lancer/get.php

Attributes

extension
.hgsh
offline_id
gYuqQ5GsAaJom08TivUVhlPzZDKd916x4NcXrWt1
payload_url
http://kotob.top/dl/build2.exe

http://tzgl.org/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-m8LBBi8x8F Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0358Sigrj

rsa_pubkey.plain

Signatures

Detected Djvu ransomware 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4068-120-0x0000000000424141-mapping.dmp	family_djvu
behavioral1/memory/4068-119-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2016-121-0x00000000022E0000-0x00000000023FB000-memory.dmp	family_djvu
behavioral1/memory/4068-122-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3924-128-0x0000000000424141-mapping.dmp	family_djvu
behavioral1/memory/3924-133-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

304 icacls.exe

pid	process
304	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

6588f6b244bffe05134673f066b77507d027bb7c870f0aeff26057c784e4b66e.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\3de997f4-8331-48bd-bf31-353f878b41a1\\6588f6b244bffe05134673f066b77507d027bb7c870f0aeff26057c784e4b66e.exe\" --AutoStart"	6588f6b244bffe05134673f066b77507d027bb7c870f0aeff26057c784e4b66e.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

25 api.2ip.ua
8 api.2ip.ua
9 api.2ip.ua

flow	ioc
25	api.2ip.ua
8	api.2ip.ua
9	api.2ip.ua

Suspicious use of SetThreadContext 2 IoCs

Processes:

6588f6b244bffe05134673f066b77507d027bb7c870f0aeff26057c784e4b66e.exe6588f6b244bffe05134673f066b77507d027bb7c870f0aeff26057c784e4b66e.exe

description	pid	process	target process
PID 2016 set thread context of 4068	2016	6588f6b244bffe05134673f066b77507d027bb7c870f0aeff26057c784e4b66e.exe	6588f6b244bffe05134673f066b77507d027bb7c870f0aeff26057c784e4b66e.exe
PID 3676 set thread context of 3924	3676	6588f6b244bffe05134673f066b77507d027bb7c870f0aeff26057c784e4b66e.exe	6588f6b244bffe05134673f066b77507d027bb7c870f0aeff26057c784e4b66e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

6588f6b244bffe05134673f066b77507d027bb7c870f0aeff26057c784e4b66e.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	6588f6b244bffe05134673f066b77507d027bb7c870f0aeff26057c784e4b66e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	6588f6b244bffe05134673f066b77507d027bb7c870f0aeff26057c784e4b66e.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

6588f6b244bffe05134673f066b77507d027bb7c870f0aeff26057c784e4b66e.exe6588f6b244bffe05134673f066b77507d027bb7c870f0aeff26057c784e4b66e.exe

pid	process
4068	6588f6b244bffe05134673f066b77507d027bb7c870f0aeff26057c784e4b66e.exe
4068	6588f6b244bffe05134673f066b77507d027bb7c870f0aeff26057c784e4b66e.exe
3924	6588f6b244bffe05134673f066b77507d027bb7c870f0aeff26057c784e4b66e.exe
3924	6588f6b244bffe05134673f066b77507d027bb7c870f0aeff26057c784e4b66e.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

6588f6b244bffe05134673f066b77507d027bb7c870f0aeff26057c784e4b66e.exe6588f6b244bffe05134673f066b77507d027bb7c870f0aeff26057c784e4b66e.exe6588f6b244bffe05134673f066b77507d027bb7c870f0aeff26057c784e4b66e.exe

C:\Users\Admin\AppData\Local\Temp\6588f6b244bffe05134673f066b77507d027bb7c870f0aeff26057c784e4b66e.exe
"C:\Users\Admin\AppData\Local\Temp\6588f6b244bffe05134673f066b77507d027bb7c870f0aeff26057c784e4b66e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Users\Admin\AppData\Local\Temp\6588f6b244bffe05134673f066b77507d027bb7c870f0aeff26057c784e4b66e.exe
  "C:\Users\Admin\AppData\Local\Temp\6588f6b244bffe05134673f066b77507d027bb7c870f0aeff26057c784e4b66e.exe"
  2⤵
  - Adds Run key to start application
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4068
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\3de997f4-8331-48bd-bf31-353f878b41a1" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:304
- - C:\Users\Admin\AppData\Local\Temp\6588f6b244bffe05134673f066b77507d027bb7c870f0aeff26057c784e4b66e.exe
    "C:\Users\Admin\AppData\Local\Temp\6588f6b244bffe05134673f066b77507d027bb7c870f0aeff26057c784e4b66e.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3676
  - - C:\Users\Admin\AppData\Local\Temp\6588f6b244bffe05134673f066b77507d027bb7c870f0aeff26057c784e4b66e.exe
      "C:\Users\Admin\AppData\Local\Temp\6588f6b244bffe05134673f066b77507d027bb7c870f0aeff26057c784e4b66e.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3924

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Install Root Certificate

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5
1c63500df0b57e29edd1a5867d9f0e9b

SHA1
0475a0611ac4d171e90b46303b96317fc186b15d

SHA256
c8f7c1bd12b80996707a806866379d91dc3008d5d2b0eeeb6d97d418aeeb7914

SHA512
29b914ffe63496d98e8ffb76afde49702888743c88bd0fc6aabdf3e8855e3a5389d933a29ccb4564e8d3198c159a1debfb56d6f39f428689f8eb4d497b341bde

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5
65052acb8dc97b38007797064162c9a1

SHA1
862cf5f74d74b85103b088650a230ed0c6d32df3

SHA256
ef406913c83356f132bbc250646c24befee2acfdabbc9debcbca68c1da01a30f

SHA512
976f4bd21af190164d04534f4e534d44e14fd5d3c6798421f84ead4e0a53f25d386d4b59bfe0c7c5865af4f22593d975d6b48292b024a4b6ca0d65ff6ee735bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5
a8defa938be43126c536fb56cf2d31d3

SHA1
3f4f739c70ca0b432761191e9c2e5f85c5bc2817

SHA256
0a31cae785b19b8a686f2a5bb54d63fb1f9f2d7f4a623cc61b7b30ca6734be59

SHA512
3de579565af722df0b0327f534dd4bcf8d7b3733c6adecd9f5bb3898bef0dd4bae8f6cb473ab30d0107e117f75072221bd53563e0465a2288ae9bee86548fb72

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5
7a3de63512e4b5ac5f7ce1b105889a0d

SHA1
03e31567da5aa965d977e0d1a907adefaeaf0605

SHA256
f7b6feb0e52b52e0ea1cdd6b3f2565ce9e5c550256dcd650c8c55273779ef5f1

SHA512
82713f813afbf2163285ba242f9eb29c8402fadccc113e5dd1062bba6ffd0d1ae858f9fdf8271ca9bee162255f45143b39b64b00ef96f465cc20b843f8d79345

Download Submit
C:\Users\Admin\AppData\Local\3de997f4-8331-48bd-bf31-353f878b41a1\6588f6b244bffe05134673f066b77507d027bb7c870f0aeff26057c784e4b66e.exe

MD5
42f97ff274e7ed27343162a870e6a13c

SHA1
f5dc07f68af248afafcb458c5d86d39f23f17784

SHA256
6588f6b244bffe05134673f066b77507d027bb7c870f0aeff26057c784e4b66e

SHA512
acba766e8819140b647e2a87ccb88279981d3919e1eba0fe6586a849bb71e278b3a3233c52311eba9ceaed7b3dd790e5699b6e13a3bcc7a482d1cf75049e6154

Download Submit
memory/304-123-0x0000000000000000-mapping.dmp

Download
memory/2016-121-0x00000000022E0000-0x00000000023FB000-memory.dmp

Filesize
1.1MB

Download
memory/2016-118-0x00000000021DF000-0x0000000002270000-memory.dmp

Filesize
580KB

Download
memory/3676-125-0x0000000000000000-mapping.dmp

Download
memory/3676-126-0x000000000215E000-0x00000000021EF000-memory.dmp

Filesize
580KB

Download
memory/3924-128-0x0000000000424141-mapping.dmp

Download
memory/3924-133-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4068-122-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4068-119-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4068-120-0x0000000000424141-mapping.dmp

Download

description	pid	process	target process
PID 2016 wrote to memory of 4068	2016	6588f6b244bffe05134673f066b77507d027bb7c870f0aeff26057c784e4b66e.exe	6588f6b244bffe05134673f066b77507d027bb7c870f0aeff26057c784e4b66e.exe
PID 2016 wrote to memory of 4068	2016	6588f6b244bffe05134673f066b77507d027bb7c870f0aeff26057c784e4b66e.exe	6588f6b244bffe05134673f066b77507d027bb7c870f0aeff26057c784e4b66e.exe
PID 2016 wrote to memory of 4068	2016	6588f6b244bffe05134673f066b77507d027bb7c870f0aeff26057c784e4b66e.exe	6588f6b244bffe05134673f066b77507d027bb7c870f0aeff26057c784e4b66e.exe
PID 2016 wrote to memory of 4068	2016	6588f6b244bffe05134673f066b77507d027bb7c870f0aeff26057c784e4b66e.exe	6588f6b244bffe05134673f066b77507d027bb7c870f0aeff26057c784e4b66e.exe
PID 2016 wrote to memory of 4068	2016	6588f6b244bffe05134673f066b77507d027bb7c870f0aeff26057c784e4b66e.exe	6588f6b244bffe05134673f066b77507d027bb7c870f0aeff26057c784e4b66e.exe
PID 2016 wrote to memory of 4068	2016	6588f6b244bffe05134673f066b77507d027bb7c870f0aeff26057c784e4b66e.exe	6588f6b244bffe05134673f066b77507d027bb7c870f0aeff26057c784e4b66e.exe
PID 2016 wrote to memory of 4068	2016	6588f6b244bffe05134673f066b77507d027bb7c870f0aeff26057c784e4b66e.exe	6588f6b244bffe05134673f066b77507d027bb7c870f0aeff26057c784e4b66e.exe
PID 2016 wrote to memory of 4068	2016	6588f6b244bffe05134673f066b77507d027bb7c870f0aeff26057c784e4b66e.exe	6588f6b244bffe05134673f066b77507d027bb7c870f0aeff26057c784e4b66e.exe
PID 2016 wrote to memory of 4068	2016	6588f6b244bffe05134673f066b77507d027bb7c870f0aeff26057c784e4b66e.exe	6588f6b244bffe05134673f066b77507d027bb7c870f0aeff26057c784e4b66e.exe
PID 2016 wrote to memory of 4068	2016	6588f6b244bffe05134673f066b77507d027bb7c870f0aeff26057c784e4b66e.exe	6588f6b244bffe05134673f066b77507d027bb7c870f0aeff26057c784e4b66e.exe
PID 4068 wrote to memory of 304	4068	6588f6b244bffe05134673f066b77507d027bb7c870f0aeff26057c784e4b66e.exe	icacls.exe
PID 4068 wrote to memory of 304	4068	6588f6b244bffe05134673f066b77507d027bb7c870f0aeff26057c784e4b66e.exe	icacls.exe
PID 4068 wrote to memory of 304	4068	6588f6b244bffe05134673f066b77507d027bb7c870f0aeff26057c784e4b66e.exe	icacls.exe
PID 4068 wrote to memory of 3676	4068	6588f6b244bffe05134673f066b77507d027bb7c870f0aeff26057c784e4b66e.exe	6588f6b244bffe05134673f066b77507d027bb7c870f0aeff26057c784e4b66e.exe
PID 4068 wrote to memory of 3676	4068	6588f6b244bffe05134673f066b77507d027bb7c870f0aeff26057c784e4b66e.exe	6588f6b244bffe05134673f066b77507d027bb7c870f0aeff26057c784e4b66e.exe
PID 4068 wrote to memory of 3676	4068	6588f6b244bffe05134673f066b77507d027bb7c870f0aeff26057c784e4b66e.exe	6588f6b244bffe05134673f066b77507d027bb7c870f0aeff26057c784e4b66e.exe
PID 3676 wrote to memory of 3924	3676	6588f6b244bffe05134673f066b77507d027bb7c870f0aeff26057c784e4b66e.exe	6588f6b244bffe05134673f066b77507d027bb7c870f0aeff26057c784e4b66e.exe
PID 3676 wrote to memory of 3924	3676	6588f6b244bffe05134673f066b77507d027bb7c870f0aeff26057c784e4b66e.exe	6588f6b244bffe05134673f066b77507d027bb7c870f0aeff26057c784e4b66e.exe
PID 3676 wrote to memory of 3924	3676	6588f6b244bffe05134673f066b77507d027bb7c870f0aeff26057c784e4b66e.exe	6588f6b244bffe05134673f066b77507d027bb7c870f0aeff26057c784e4b66e.exe
PID 3676 wrote to memory of 3924	3676	6588f6b244bffe05134673f066b77507d027bb7c870f0aeff26057c784e4b66e.exe	6588f6b244bffe05134673f066b77507d027bb7c870f0aeff26057c784e4b66e.exe
PID 3676 wrote to memory of 3924	3676	6588f6b244bffe05134673f066b77507d027bb7c870f0aeff26057c784e4b66e.exe	6588f6b244bffe05134673f066b77507d027bb7c870f0aeff26057c784e4b66e.exe
PID 3676 wrote to memory of 3924	3676	6588f6b244bffe05134673f066b77507d027bb7c870f0aeff26057c784e4b66e.exe	6588f6b244bffe05134673f066b77507d027bb7c870f0aeff26057c784e4b66e.exe
PID 3676 wrote to memory of 3924	3676	6588f6b244bffe05134673f066b77507d027bb7c870f0aeff26057c784e4b66e.exe	6588f6b244bffe05134673f066b77507d027bb7c870f0aeff26057c784e4b66e.exe
PID 3676 wrote to memory of 3924	3676	6588f6b244bffe05134673f066b77507d027bb7c870f0aeff26057c784e4b66e.exe	6588f6b244bffe05134673f066b77507d027bb7c870f0aeff26057c784e4b66e.exe
PID 3676 wrote to memory of 3924	3676	6588f6b244bffe05134673f066b77507d027bb7c870f0aeff26057c784e4b66e.exe	6588f6b244bffe05134673f066b77507d027bb7c870f0aeff26057c784e4b66e.exe
PID 3676 wrote to memory of 3924	3676	6588f6b244bffe05134673f066b77507d027bb7c870f0aeff26057c784e4b66e.exe	6588f6b244bffe05134673f066b77507d027bb7c870f0aeff26057c784e4b66e.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads