djvu | f7416e3f009957168dba525532072bcdb53ef2e20e8f6891ac5ad5a16b5f16c2

General

Target

f7416e3f009957168dba525532072bcdb53ef2e20e8f6891ac5ad5a16b5f16c2.exe
Size

745KB
MD5

ea5f9e5a6230afdf746ca66d73a562fe
SHA1

e87f7c58123d206c0b2d6bbff53a776672337624
SHA256

f7416e3f009957168dba525532072bcdb53ef2e20e8f6891ac5ad5a16b5f16c2
SHA512

f24dc06251bf035973737fee95bedb976ce0eaa0e671a02e364de5d5ea6584b00685aef1466dd1baebc4a74823ae69dc58f01a42a3b5015a02eab8066d61ccdc

Score

10^/10

djvu discovery persistence ransomware suricata

Malware Config

Extracted

Family

djvu

C2

http://cjto.top/nddddhsspen6/get.php

Attributes

extension
.ogdo
offline_id
XIyyRCNH8lJ6pGHLNnQPCMfabY9p3AQCEQc3Lnt1
payload_url
http://cjto.top/files/penelop/updatewin1.exe

http://cjto.top/files/penelop/updatewin2.exe

http://cjto.top/files/penelop/updatewin.exe

http://cjto.top/files/penelop/3.exe

http://cjto.top/files/penelop/4.exe

http://cjto.top/files/penelop/5.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-SY0GqQtRAT Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0250riuyfgh

rsa_pubkey.plain

Signatures

Detected Djvu ransomware 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2540-131-0x0000000000DA0000-0x0000000000EBA000-memory.dmp	family_djvu
behavioral2/memory/2540-132-0x0000000000400000-0x0000000000A0A000-memory.dmp	family_djvu
behavioral2/memory/4076-141-0x0000000000400000-0x0000000000A0A000-memory.dmp	family_djvu
behavioral2/memory/3144-144-0x0000000000400000-0x0000000000A0A000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
suricata: ET MALWARE APT-C-23 Activity (GET)
suricata: ET MALWARE APT-C-23 Activity (GET)
suricata
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata
suricata: ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
suricata: ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
suricata
suricata: ET MALWARE Win32/Vodkagats Loader Requesting Payload
suricata: ET MALWARE Win32/Vodkagats Loader Requesting Payload
suricata
Executes dropped EXE 1 IoCs

Processes:

f7416e3f009957168dba525532072bcdb53ef2e20e8f6891ac5ad5a16b5f16c2.exe

pid process

3144 f7416e3f009957168dba525532072bcdb53ef2e20e8f6891ac5ad5a16b5f16c2.exe

pid	process
3144	f7416e3f009957168dba525532072bcdb53ef2e20e8f6891ac5ad5a16b5f16c2.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f7416e3f009957168dba525532072bcdb53ef2e20e8f6891ac5ad5a16b5f16c2.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	f7416e3f009957168dba525532072bcdb53ef2e20e8f6891ac5ad5a16b5f16c2.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

4324 icacls.exe

pid	process
4324	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

f7416e3f009957168dba525532072bcdb53ef2e20e8f6891ac5ad5a16b5f16c2.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\c9995d8f-d4ca-46ea-95e8-06630a4015d3\\f7416e3f009957168dba525532072bcdb53ef2e20e8f6891ac5ad5a16b5f16c2.exe\" --AutoStart"	f7416e3f009957168dba525532072bcdb53ef2e20e8f6891ac5ad5a16b5f16c2.exe

Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

95 api.2ip.ua
6 api.2ip.ua
7 api.2ip.ua
22 api.2ip.ua
94 api.2ip.ua
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	ioc
95	api.2ip.ua
6	api.2ip.ua
7	api.2ip.ua
22	api.2ip.ua
94	api.2ip.ua

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	process	target process
1200	2540	WerFault.exe	f7416e3f009957168dba525532072bcdb53ef2e20e8f6891ac5ad5a16b5f16c2.exe
4324	3144	WerFault.exe	f7416e3f009957168dba525532072bcdb53ef2e20e8f6891ac5ad5a16b5f16c2.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

f7416e3f009957168dba525532072bcdb53ef2e20e8f6891ac5ad5a16b5f16c2.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	f7416e3f009957168dba525532072bcdb53ef2e20e8f6891ac5ad5a16b5f16c2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	f7416e3f009957168dba525532072bcdb53ef2e20e8f6891ac5ad5a16b5f16c2.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

f7416e3f009957168dba525532072bcdb53ef2e20e8f6891ac5ad5a16b5f16c2.exef7416e3f009957168dba525532072bcdb53ef2e20e8f6891ac5ad5a16b5f16c2.exef7416e3f009957168dba525532072bcdb53ef2e20e8f6891ac5ad5a16b5f16c2.exe

pid	process
2540	f7416e3f009957168dba525532072bcdb53ef2e20e8f6891ac5ad5a16b5f16c2.exe
2540	f7416e3f009957168dba525532072bcdb53ef2e20e8f6891ac5ad5a16b5f16c2.exe
4076	f7416e3f009957168dba525532072bcdb53ef2e20e8f6891ac5ad5a16b5f16c2.exe
4076	f7416e3f009957168dba525532072bcdb53ef2e20e8f6891ac5ad5a16b5f16c2.exe
3144	f7416e3f009957168dba525532072bcdb53ef2e20e8f6891ac5ad5a16b5f16c2.exe
3144	f7416e3f009957168dba525532072bcdb53ef2e20e8f6891ac5ad5a16b5f16c2.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

f7416e3f009957168dba525532072bcdb53ef2e20e8f6891ac5ad5a16b5f16c2.exe

description	pid	process	target process
PID 2540 wrote to memory of 4324	2540	f7416e3f009957168dba525532072bcdb53ef2e20e8f6891ac5ad5a16b5f16c2.exe	icacls.exe
PID 2540 wrote to memory of 4324	2540	f7416e3f009957168dba525532072bcdb53ef2e20e8f6891ac5ad5a16b5f16c2.exe	icacls.exe
PID 2540 wrote to memory of 4324	2540	f7416e3f009957168dba525532072bcdb53ef2e20e8f6891ac5ad5a16b5f16c2.exe	icacls.exe
PID 2540 wrote to memory of 4076	2540	f7416e3f009957168dba525532072bcdb53ef2e20e8f6891ac5ad5a16b5f16c2.exe	f7416e3f009957168dba525532072bcdb53ef2e20e8f6891ac5ad5a16b5f16c2.exe
PID 2540 wrote to memory of 4076	2540	f7416e3f009957168dba525532072bcdb53ef2e20e8f6891ac5ad5a16b5f16c2.exe	f7416e3f009957168dba525532072bcdb53ef2e20e8f6891ac5ad5a16b5f16c2.exe
PID 2540 wrote to memory of 4076	2540	f7416e3f009957168dba525532072bcdb53ef2e20e8f6891ac5ad5a16b5f16c2.exe	f7416e3f009957168dba525532072bcdb53ef2e20e8f6891ac5ad5a16b5f16c2.exe

C:\Users\Admin\AppData\Local\Temp\f7416e3f009957168dba525532072bcdb53ef2e20e8f6891ac5ad5a16b5f16c2.exe
"C:\Users\Admin\AppData\Local\Temp\f7416e3f009957168dba525532072bcdb53ef2e20e8f6891ac5ad5a16b5f16c2.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2540
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\Users\Admin\AppData\Local\c9995d8f-d4ca-46ea-95e8-06630a4015d3" /deny *S-1-1-0:(OI)(CI)(DE,DC)
  2⤵
  - Modifies file permissions
  PID:4324
- C:\Users\Admin\AppData\Local\Temp\f7416e3f009957168dba525532072bcdb53ef2e20e8f6891ac5ad5a16b5f16c2.exe
  "C:\Users\Admin\AppData\Local\Temp\f7416e3f009957168dba525532072bcdb53ef2e20e8f6891ac5ad5a16b5f16c2.exe" --Admin IsNotAutoStart IsNotTask
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4076
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2540 -s 2256
  2⤵
  - Program crash
  PID:1200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2540 -ip 2540
1⤵
PID:1500

C:\Users\Admin\AppData\Local\c9995d8f-d4ca-46ea-95e8-06630a4015d3\f7416e3f009957168dba525532072bcdb53ef2e20e8f6891ac5ad5a16b5f16c2.exe
C:\Users\Admin\AppData\Local\c9995d8f-d4ca-46ea-95e8-06630a4015d3\f7416e3f009957168dba525532072bcdb53ef2e20e8f6891ac5ad5a16b5f16c2.exe --Task
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3144
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 1632
  2⤵
  - Program crash
  PID:4324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 3144 -ip 3144
1⤵
PID:2536

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Install Root Certificate

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
727B

MD5
8ae6f45bb6c9f288a96a3402dc17e2d9

SHA1
9ddb0d782cb4728675a1f5b61cfc632997349cdf

SHA256
ae4681e5db7de9744bdd78a943d6be6a390aa925125935d6cb691a27c8b2ebd3

SHA512
ee94f18f21437c1fba42cca69d535997c89438801ea6e823e99d384e9bc0239b041dc5ed854063a571bac2bbd2f83d7113c7f456d130b15e7db847e7fe4e8ec7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\572BF21E454637C9F000BE1AF9B1E1A9

Filesize
506B

MD5
77658ff40aeafeb456f73900ec6deaff

SHA1
19cf09afd53339e1e1ca9a8abd86b29446d16720

SHA256
41e750255bfb1d351cdaa00af9e43093eb800ac12cc2fda278ebf63212967dda

SHA512
337d550df86721081fc090d08c9d1ca58c00c6fc27dca14058a0d71a10e0babf9dd0f8dde3c0ca101ed9929ba1c42f3f6ca06ba4e8ec3f629a978a457716f113

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
402B

MD5
bed3ca173b41e7218d81942cc855aad5

SHA1
06c66780dd5e28a77b4efb2d56d4fba37fc13f4f

SHA256
7ebc799e3414a546366c20380ea7244a82a07adf967d41f5390f4a16555087a5

SHA512
c3278ed4534cff9da76364c8bd8a3426355efbcf577af17e00b1e2d3347ad011eb51f4ea99e0819713492c9f674fd7f2b9eb63aae48e6ab6aac46a3f7f56659a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\572BF21E454637C9F000BE1AF9B1E1A9

Filesize
248B

MD5
baca092dcd009e4f054262f6ef82c606

SHA1
8d0231d445e1e7c6fc2301e11b9b769fb25dff7f

SHA256
e2f8782c5e62f3c12ba0ffe2f787a1e411ddf109780c037e555aaf5c726874c3

SHA512
6a243ac3334b586194c9bc7670739eae1d88ce95658c6292c619405e4dccc7fd95a01cd2b25686144b16a951b0c402a6f777a986de78388401b19d337ac0b699

Download Submit
C:\Users\Admin\AppData\Local\c9995d8f-d4ca-46ea-95e8-06630a4015d3\f7416e3f009957168dba525532072bcdb53ef2e20e8f6891ac5ad5a16b5f16c2.exe

Filesize
745KB

MD5
ea5f9e5a6230afdf746ca66d73a562fe

SHA1
e87f7c58123d206c0b2d6bbff53a776672337624

SHA256
f7416e3f009957168dba525532072bcdb53ef2e20e8f6891ac5ad5a16b5f16c2

SHA512
f24dc06251bf035973737fee95bedb976ce0eaa0e671a02e364de5d5ea6584b00685aef1466dd1baebc4a74823ae69dc58f01a42a3b5015a02eab8066d61ccdc

Download Submit
C:\Users\Admin\AppData\Local\c9995d8f-d4ca-46ea-95e8-06630a4015d3\f7416e3f009957168dba525532072bcdb53ef2e20e8f6891ac5ad5a16b5f16c2.exe

Filesize
745KB

MD5
ea5f9e5a6230afdf746ca66d73a562fe

SHA1
e87f7c58123d206c0b2d6bbff53a776672337624

SHA256
f7416e3f009957168dba525532072bcdb53ef2e20e8f6891ac5ad5a16b5f16c2

SHA512
f24dc06251bf035973737fee95bedb976ce0eaa0e671a02e364de5d5ea6584b00685aef1466dd1baebc4a74823ae69dc58f01a42a3b5015a02eab8066d61ccdc

Download Submit
memory/2540-132-0x0000000000400000-0x0000000000A0A000-memory.dmp

Filesize
6.0MB

Download
memory/2540-131-0x0000000000DA0000-0x0000000000EBA000-memory.dmp

Filesize
1.1MB

Download
memory/2540-130-0x0000000000AE6000-0x0000000000B77000-memory.dmp

Filesize
580KB

Download
memory/3144-143-0x0000000000C16000-0x0000000000CA7000-memory.dmp

Filesize
580KB

Download
memory/3144-144-0x0000000000400000-0x0000000000A0A000-memory.dmp

Filesize
6.0MB

Download
memory/4076-135-0x0000000000000000-mapping.dmp

Download
memory/4076-140-0x0000000000C82000-0x0000000000D13000-memory.dmp

Filesize
580KB

Download
memory/4076-141-0x0000000000400000-0x0000000000A0A000-memory.dmp

Filesize
6.0MB

Download
memory/4324-133-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads