Analysis
-
max time kernel
143s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
21-05-2022 18:46
Static task
static1
Behavioral task
behavioral1
Sample
841c411cb975d201002933442dfd995194f098254d7d6762128d222a2f5a18b1.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
841c411cb975d201002933442dfd995194f098254d7d6762128d222a2f5a18b1.exe
Resource
win10v2004-20220414-en
General
-
Target
841c411cb975d201002933442dfd995194f098254d7d6762128d222a2f5a18b1.exe
-
Size
759KB
-
MD5
617b2beb7fd1f162b3a552a2906b5b1b
-
SHA1
c542b59788570f5334d4ea9b3c85661ee01f0fd3
-
SHA256
841c411cb975d201002933442dfd995194f098254d7d6762128d222a2f5a18b1
-
SHA512
c17cd4c6b05a38b69cffb655a7cb6c27a38f33ed95e43985beb89c7a7ff99a3903f146fd1e4f6398ce5dbf5cffd96a47606c8a6919b5b6f23c30e6c0b90532c0
Malware Config
Extracted
djvu
http://cjto.top/nddddhsspen6/get.php
-
extension
.geno
-
offline_id
Gq9C3wfB3EovXBFkGxv1b5wkUKUxVy1x63fasTt1
-
payload_url
http://cjto.top/files/penelop/updatewin1.exe
http://cjto.top/files/penelop/updatewin2.exe
http://cjto.top/files/penelop/updatewin.exe
http://cjto.top/files/penelop/3.exe
http://cjto.top/files/penelop/4.exe
http://cjto.top/files/penelop/5.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-ZLZ4pVnuS4 Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: helpmanager@mail.ch Reserve e-mail address to contact us: restoremanager@airmail.cc Your personal ID: 0248Oowhu34
Signatures
-
Detected Djvu ransomware 4 IoCs
Processes:
resource yara_rule behavioral2/memory/396-131-0x0000000000C20000-0x0000000000D3A000-memory.dmp family_djvu behavioral2/memory/396-132-0x0000000000400000-0x0000000000A12000-memory.dmp family_djvu behavioral2/memory/816-141-0x0000000000400000-0x0000000000A12000-memory.dmp family_djvu behavioral2/memory/2440-145-0x0000000000400000-0x0000000000A12000-memory.dmp family_djvu -
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
suricata: ET MALWARE APT-C-23 Activity (GET)
suricata: ET MALWARE APT-C-23 Activity (GET)
-
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
-
suricata: ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
suricata: ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
-
suricata: ET MALWARE Win32/Vodkagats Loader Requesting Payload
suricata: ET MALWARE Win32/Vodkagats Loader Requesting Payload
-
Executes dropped EXE 1 IoCs
Processes:
841c411cb975d201002933442dfd995194f098254d7d6762128d222a2f5a18b1.exepid process 2440 841c411cb975d201002933442dfd995194f098254d7d6762128d222a2f5a18b1.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
841c411cb975d201002933442dfd995194f098254d7d6762128d222a2f5a18b1.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation 841c411cb975d201002933442dfd995194f098254d7d6762128d222a2f5a18b1.exe -
Modifies file permissions 1 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
841c411cb975d201002933442dfd995194f098254d7d6762128d222a2f5a18b1.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\00dffbd3-ad2f-4d79-a625-9c6d0b6f3746\\841c411cb975d201002933442dfd995194f098254d7d6762128d222a2f5a18b1.exe\" --AutoStart" 841c411cb975d201002933442dfd995194f098254d7d6762128d222a2f5a18b1.exe -
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 8 api.2ip.ua 10 api.2ip.ua 36 api.2ip.ua 84 api.2ip.ua -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
Processes:
WerFault.exeWerFault.exepid pid_target process target process 4980 396 WerFault.exe 841c411cb975d201002933442dfd995194f098254d7d6762128d222a2f5a18b1.exe 3764 2440 WerFault.exe 841c411cb975d201002933442dfd995194f098254d7d6762128d222a2f5a18b1.exe -
Processes:
841c411cb975d201002933442dfd995194f098254d7d6762128d222a2f5a18b1.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 841c411cb975d201002933442dfd995194f098254d7d6762128d222a2f5a18b1.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e 841c411cb975d201002933442dfd995194f098254d7d6762128d222a2f5a18b1.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
841c411cb975d201002933442dfd995194f098254d7d6762128d222a2f5a18b1.exe841c411cb975d201002933442dfd995194f098254d7d6762128d222a2f5a18b1.exe841c411cb975d201002933442dfd995194f098254d7d6762128d222a2f5a18b1.exepid process 396 841c411cb975d201002933442dfd995194f098254d7d6762128d222a2f5a18b1.exe 396 841c411cb975d201002933442dfd995194f098254d7d6762128d222a2f5a18b1.exe 816 841c411cb975d201002933442dfd995194f098254d7d6762128d222a2f5a18b1.exe 816 841c411cb975d201002933442dfd995194f098254d7d6762128d222a2f5a18b1.exe 2440 841c411cb975d201002933442dfd995194f098254d7d6762128d222a2f5a18b1.exe 2440 841c411cb975d201002933442dfd995194f098254d7d6762128d222a2f5a18b1.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
841c411cb975d201002933442dfd995194f098254d7d6762128d222a2f5a18b1.exedescription pid process target process PID 396 wrote to memory of 4720 396 841c411cb975d201002933442dfd995194f098254d7d6762128d222a2f5a18b1.exe icacls.exe PID 396 wrote to memory of 4720 396 841c411cb975d201002933442dfd995194f098254d7d6762128d222a2f5a18b1.exe icacls.exe PID 396 wrote to memory of 4720 396 841c411cb975d201002933442dfd995194f098254d7d6762128d222a2f5a18b1.exe icacls.exe PID 396 wrote to memory of 816 396 841c411cb975d201002933442dfd995194f098254d7d6762128d222a2f5a18b1.exe 841c411cb975d201002933442dfd995194f098254d7d6762128d222a2f5a18b1.exe PID 396 wrote to memory of 816 396 841c411cb975d201002933442dfd995194f098254d7d6762128d222a2f5a18b1.exe 841c411cb975d201002933442dfd995194f098254d7d6762128d222a2f5a18b1.exe PID 396 wrote to memory of 816 396 841c411cb975d201002933442dfd995194f098254d7d6762128d222a2f5a18b1.exe 841c411cb975d201002933442dfd995194f098254d7d6762128d222a2f5a18b1.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\841c411cb975d201002933442dfd995194f098254d7d6762128d222a2f5a18b1.exe"C:\Users\Admin\AppData\Local\Temp\841c411cb975d201002933442dfd995194f098254d7d6762128d222a2f5a18b1.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\00dffbd3-ad2f-4d79-a625-9c6d0b6f3746" /deny *S-1-1-0:(OI)(CI)(DE,DC)2⤵
- Modifies file permissions
-
C:\Users\Admin\AppData\Local\Temp\841c411cb975d201002933442dfd995194f098254d7d6762128d222a2f5a18b1.exe"C:\Users\Admin\AppData\Local\Temp\841c411cb975d201002933442dfd995194f098254d7d6762128d222a2f5a18b1.exe" --Admin IsNotAutoStart IsNotTask2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 396 -s 15762⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 396 -ip 3961⤵
-
C:\Users\Admin\AppData\Local\00dffbd3-ad2f-4d79-a625-9c6d0b6f3746\841c411cb975d201002933442dfd995194f098254d7d6762128d222a2f5a18b1.exeC:\Users\Admin\AppData\Local\00dffbd3-ad2f-4d79-a625-9c6d0b6f3746\841c411cb975d201002933442dfd995194f098254d7d6762128d222a2f5a18b1.exe --Task1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 11002⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2440 -ip 24401⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850DFilesize
727B
MD593995ad095112907cfc088998c161574
SHA1518c7127e11809bb74ff0f68ea7e86ea5aebc798
SHA256fd16d238bcac3441688e7ca940c27bb02df8f0bf43b26d8e551414a18748c1cc
SHA512c2a3153c65f0acbc821bf663b38591821402d9a00680e2e22f410bf1735752194c08b96f77b7e6712082584a8b6605f7ab9552ad2f6c193fbd13c90bb60436e9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711EFilesize
471B
MD5c04f441d0220712231531a90823834db
SHA168dd18f1e0c51f1fdc4621394091a2dad08e4a08
SHA256055641d3987ae98e2dd627d3214ea8084ae773a3df9592191b86977c752a29e7
SHA5123156cf79585a45d919d4b27da4fe860f06e3206961fe1d20347ad74ef17de81c47857f35acd5cda3fae5ade28ab9747529ea3e8e79ca80aaf98e1f0e852bed53
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850DFilesize
402B
MD5877fc4cf2908fbbb9f46e43fc8d2bd27
SHA1ceecaf421462af1b10aad924a0ec7467b8397637
SHA256114abebdd927514e63ea965f15a582a0e686e110026f9d87e490ffddb01374a1
SHA51217c860aa0127c88921dab90d3ac9fe03902a637713c528477cd87bb00101d18d889fa8341eebb7ced4214f8a57d1ed2c12ba9aa23ae4dff932b921a658b99a92
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711EFilesize
396B
MD53dbeecefd13489cf10f122f65e127058
SHA13ce58ed6fa0fa0d8949b713c7c08e02e78a25b59
SHA2562479317669858455af1b2ac1369e8d80d194a3279cd2dd82b0489549f1f6242a
SHA5121735a8d33017277913af1466bb79fcc01edf08f4c718087fdc55b2d3ea7029a3c006b7717f7cf95ac5724bed826ea4cdf812b3f5a065d4ac3e77eea4bc5b3815
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711EFilesize
396B
MD5060e73f46c2f4b0badbcd62d644e9f1e
SHA1a9c9718829fe6509e5dc1d223b2f291d9fff2180
SHA25676a88357bd748dd4f8e07a42368293ab5857a40399e6507f8b74744355a33fb8
SHA51244d1bd76d005d8e42488721947debeb4d803acf5e9dccd7a29bce0225f379d2c3de8d0329fb5406ace0d7bcf5d89404b4447e47c9588b6155f5c94cf3871b14b
-
C:\Users\Admin\AppData\Local\00dffbd3-ad2f-4d79-a625-9c6d0b6f3746\841c411cb975d201002933442dfd995194f098254d7d6762128d222a2f5a18b1.exeFilesize
759KB
MD5617b2beb7fd1f162b3a552a2906b5b1b
SHA1c542b59788570f5334d4ea9b3c85661ee01f0fd3
SHA256841c411cb975d201002933442dfd995194f098254d7d6762128d222a2f5a18b1
SHA512c17cd4c6b05a38b69cffb655a7cb6c27a38f33ed95e43985beb89c7a7ff99a3903f146fd1e4f6398ce5dbf5cffd96a47606c8a6919b5b6f23c30e6c0b90532c0
-
C:\Users\Admin\AppData\Local\00dffbd3-ad2f-4d79-a625-9c6d0b6f3746\841c411cb975d201002933442dfd995194f098254d7d6762128d222a2f5a18b1.exeFilesize
759KB
MD5617b2beb7fd1f162b3a552a2906b5b1b
SHA1c542b59788570f5334d4ea9b3c85661ee01f0fd3
SHA256841c411cb975d201002933442dfd995194f098254d7d6762128d222a2f5a18b1
SHA512c17cd4c6b05a38b69cffb655a7cb6c27a38f33ed95e43985beb89c7a7ff99a3903f146fd1e4f6398ce5dbf5cffd96a47606c8a6919b5b6f23c30e6c0b90532c0
-
memory/396-130-0x0000000000B84000-0x0000000000C15000-memory.dmpFilesize
580KB
-
memory/396-132-0x0000000000400000-0x0000000000A12000-memory.dmpFilesize
6.1MB
-
memory/396-131-0x0000000000C20000-0x0000000000D3A000-memory.dmpFilesize
1.1MB
-
memory/816-135-0x0000000000000000-mapping.dmp
-
memory/816-140-0x0000000000B2E000-0x0000000000BBF000-memory.dmpFilesize
580KB
-
memory/816-141-0x0000000000400000-0x0000000000A12000-memory.dmpFilesize
6.1MB
-
memory/2440-143-0x0000000000C00000-0x0000000000C91000-memory.dmpFilesize
580KB
-
memory/2440-145-0x0000000000400000-0x0000000000A12000-memory.dmpFilesize
6.1MB
-
memory/4720-133-0x0000000000000000-mapping.dmp