Overview

overview

10

Static

static

841c411cb9...b1.exe

windows7_x64

10

841c411cb9...b1.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    143s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21-05-2022 18:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    841c411cb975d201002933442dfd995194f098254d7d6762128d222a2f5a18b1.exe

  • Size

    759KB

  • MD5

    617b2beb7fd1f162b3a552a2906b5b1b

  • SHA1

    c542b59788570f5334d4ea9b3c85661ee01f0fd3

  • SHA256

    841c411cb975d201002933442dfd995194f098254d7d6762128d222a2f5a18b1

  • SHA512

    c17cd4c6b05a38b69cffb655a7cb6c27a38f33ed95e43985beb89c7a7ff99a3903f146fd1e4f6398ce5dbf5cffd96a47606c8a6919b5b6f23c30e6c0b90532c0

Score
10/10
djvudiscoverypersistenceransomwaresuricata

Malware Config

Extracted

Family

djvu

C2

http://cjto.top/nddddhsspen6/get.php

Attributes
  • extension

    .geno

  • offline_id

    Gq9C3wfB3EovXBFkGxv1b5wkUKUxVy1x63fasTt1

  • payload_url

    http://cjto.top/files/penelop/updatewin1.exe

    http://cjto.top/files/penelop/updatewin2.exe

    http://cjto.top/files/penelop/updatewin.exe

    http://cjto.top/files/penelop/3.exe

    http://cjto.top/files/penelop/4.exe

    http://cjto.top/files/penelop/5.exe

  • ransomnote

    ATTENTION! Don't worry, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-ZLZ4pVnuS4 Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: helpmanager@mail.ch Reserve e-mail address to contact us: restoremanager@airmail.cc Your personal ID: 0248Oowhu34

rsa_pubkey.plain

Signatures

  • Detected Djvu ransomware 4 IoCs
  • Djvu Ransomware

    Ransomware which is a variant of the STOP family.

    ransomwaredjvu
  • suricata: ET MALWARE APT-C-23 Activity (GET)

    suricata: ET MALWARE APT-C-23 Activity (GET)

    suricata
  • suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request

    suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request

    suricata
  • suricata: ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key

    suricata: ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key

    suricata
  • suricata: ET MALWARE Win32/Vodkagats Loader Requesting Payload

    suricata: ET MALWARE Win32/Vodkagats Loader Requesting Payload

    suricata
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 2 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\841c411cb975d201002933442dfd995194f098254d7d6762128d222a2f5a18b1.exe
    "C:\Users\Admin\AppData\Local\Temp\841c411cb975d201002933442dfd995194f098254d7d6762128d222a2f5a18b1.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:396
    • C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Users\Admin\AppData\Local\00dffbd3-ad2f-4d79-a625-9c6d0b6f3746" /deny *S-1-1-0:(OI)(CI)(DE,DC)
      2⤵
      • Modifies file permissions
      PID:4720
    • C:\Users\Admin\AppData\Local\Temp\841c411cb975d201002933442dfd995194f098254d7d6762128d222a2f5a18b1.exe
      "C:\Users\Admin\AppData\Local\Temp\841c411cb975d201002933442dfd995194f098254d7d6762128d222a2f5a18b1.exe" --Admin IsNotAutoStart IsNotTask
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:816
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 396 -s 1576
      2⤵
      • Program crash
      PID:4980
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 396 -ip 396
    1⤵
      PID:2524
    • C:\Users\Admin\AppData\Local\00dffbd3-ad2f-4d79-a625-9c6d0b6f3746\841c411cb975d201002933442dfd995194f098254d7d6762128d222a2f5a18b1.exe
      C:\Users\Admin\AppData\Local\00dffbd3-ad2f-4d79-a625-9c6d0b6f3746\841c411cb975d201002933442dfd995194f098254d7d6762128d222a2f5a18b1.exe --Task
      1⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2440
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 1100
        2⤵
        • Program crash
        PID:3764
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2440 -ip 2440
      1⤵
        PID:5088

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Registry Run Keys / Startup Folder

      1
      T1060

      Privilege Escalation

      Defense Evasion

      File Permissions Modification

      1
      T1222

      Modify Registry

      2
      T1112

      Install Root Certificate

      1
      T1130

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
        Filesize

        727B

        MD5

        93995ad095112907cfc088998c161574

        SHA1

        518c7127e11809bb74ff0f68ea7e86ea5aebc798

        SHA256

        fd16d238bcac3441688e7ca940c27bb02df8f0bf43b26d8e551414a18748c1cc

        SHA512

        c2a3153c65f0acbc821bf663b38591821402d9a00680e2e22f410bf1735752194c08b96f77b7e6712082584a8b6605f7ab9552ad2f6c193fbd13c90bb60436e9

        Download Submit
      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
        Filesize

        471B

        MD5

        c04f441d0220712231531a90823834db

        SHA1

        68dd18f1e0c51f1fdc4621394091a2dad08e4a08

        SHA256

        055641d3987ae98e2dd627d3214ea8084ae773a3df9592191b86977c752a29e7

        SHA512

        3156cf79585a45d919d4b27da4fe860f06e3206961fe1d20347ad74ef17de81c47857f35acd5cda3fae5ade28ab9747529ea3e8e79ca80aaf98e1f0e852bed53

        Download Submit
      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
        Filesize

        402B

        MD5

        877fc4cf2908fbbb9f46e43fc8d2bd27

        SHA1

        ceecaf421462af1b10aad924a0ec7467b8397637

        SHA256

        114abebdd927514e63ea965f15a582a0e686e110026f9d87e490ffddb01374a1

        SHA512

        17c860aa0127c88921dab90d3ac9fe03902a637713c528477cd87bb00101d18d889fa8341eebb7ced4214f8a57d1ed2c12ba9aa23ae4dff932b921a658b99a92

        Download Submit
      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
        Filesize

        396B

        MD5

        3dbeecefd13489cf10f122f65e127058

        SHA1

        3ce58ed6fa0fa0d8949b713c7c08e02e78a25b59

        SHA256

        2479317669858455af1b2ac1369e8d80d194a3279cd2dd82b0489549f1f6242a

        SHA512

        1735a8d33017277913af1466bb79fcc01edf08f4c718087fdc55b2d3ea7029a3c006b7717f7cf95ac5724bed826ea4cdf812b3f5a065d4ac3e77eea4bc5b3815

        Download Submit
      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
        Filesize

        396B

        MD5

        060e73f46c2f4b0badbcd62d644e9f1e

        SHA1

        a9c9718829fe6509e5dc1d223b2f291d9fff2180

        SHA256

        76a88357bd748dd4f8e07a42368293ab5857a40399e6507f8b74744355a33fb8

        SHA512

        44d1bd76d005d8e42488721947debeb4d803acf5e9dccd7a29bce0225f379d2c3de8d0329fb5406ace0d7bcf5d89404b4447e47c9588b6155f5c94cf3871b14b

        Download Submit
      • C:\Users\Admin\AppData\Local\00dffbd3-ad2f-4d79-a625-9c6d0b6f3746\841c411cb975d201002933442dfd995194f098254d7d6762128d222a2f5a18b1.exe
        Filesize

        759KB

        MD5

        617b2beb7fd1f162b3a552a2906b5b1b

        SHA1

        c542b59788570f5334d4ea9b3c85661ee01f0fd3

        SHA256

        841c411cb975d201002933442dfd995194f098254d7d6762128d222a2f5a18b1

        SHA512

        c17cd4c6b05a38b69cffb655a7cb6c27a38f33ed95e43985beb89c7a7ff99a3903f146fd1e4f6398ce5dbf5cffd96a47606c8a6919b5b6f23c30e6c0b90532c0

        Download Submit
      • C:\Users\Admin\AppData\Local\00dffbd3-ad2f-4d79-a625-9c6d0b6f3746\841c411cb975d201002933442dfd995194f098254d7d6762128d222a2f5a18b1.exe
        Filesize

        759KB

        MD5

        617b2beb7fd1f162b3a552a2906b5b1b

        SHA1

        c542b59788570f5334d4ea9b3c85661ee01f0fd3

        SHA256

        841c411cb975d201002933442dfd995194f098254d7d6762128d222a2f5a18b1

        SHA512

        c17cd4c6b05a38b69cffb655a7cb6c27a38f33ed95e43985beb89c7a7ff99a3903f146fd1e4f6398ce5dbf5cffd96a47606c8a6919b5b6f23c30e6c0b90532c0

        Download Submit
      • memory/396-130-0x0000000000B84000-0x0000000000C15000-memory.dmp
        Filesize

        580KB

        Download
      • memory/396-132-0x0000000000400000-0x0000000000A12000-memory.dmp
        Filesize

        6.1MB

        Download
      • memory/396-131-0x0000000000C20000-0x0000000000D3A000-memory.dmp
        Filesize

        1.1MB

        Download
      • memory/816-135-0x0000000000000000-mapping.dmp
        Download
      • memory/816-140-0x0000000000B2E000-0x0000000000BBF000-memory.dmp
        Filesize

        580KB

        Download
      • memory/816-141-0x0000000000400000-0x0000000000A12000-memory.dmp
        Filesize

        6.1MB

        Download
      • memory/2440-143-0x0000000000C00000-0x0000000000C91000-memory.dmp
        Filesize

        580KB

        Download
      • memory/2440-145-0x0000000000400000-0x0000000000A12000-memory.dmp
        Filesize

        6.1MB

        Download
      • memory/4720-133-0x0000000000000000-mapping.dmp
        Download