Overview

overview

10

Static

static

08b6c38e79...b3.exe

windows7_x64

10

08b6c38e79...b3.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    85s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    30-05-2022 21:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    08b6c38e79c9ac0ce7a7fafaaae1334c41d70b860ff2c8eb6b2742c58cdb06b3.exe

  • Size

    755KB

  • MD5

    959b266cad13ba35aee35d8d4b723ed4

  • SHA1

    026d092515263021e450372713937d0c4f352e2f

  • SHA256

    08b6c38e79c9ac0ce7a7fafaaae1334c41d70b860ff2c8eb6b2742c58cdb06b3

  • SHA512

    d261068c3e26d8471a187b2c9e00dc2d447a0d7d70e917cd6dbaeaac668f05e6246a2da85ff2bd69e39ccf07d7e66abde118201cb27ce3f037dc0b74c00d4383

Score
10/10
djvudiscoverypersistenceransomware

Malware Config

Extracted

Family

djvu

C2

http://ring1.ug/As73yhsyU34578hxxx/SDf565g/get.php

Attributes
  • extension

    .coot

  • offline_id

    MRQ5kb5Z12tWuP3e25YoRt4PRDrJd2yuI3coott1

  • payload_url

    http://ring1.ug/files/cost/updatewin1.exe

    http://ring1.ug/files/cost/updatewin2.exe

    http://ring1.ug/files/cost/updatewin.exe

    http://ring1.ug/files/cost/3.exe

    http://ring1.ug/files/cost/4.exe

    http://ring1.ug/files/cost/5.exe

  • ransomnote

    ATTENTION! Don't worry, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-IbdGyCKhdr Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: salesrestoresoftware@firemail.cc Reserve e-mail address to contact us: salesrestoresoftware@gmail.com Your personal ID: 0175Asd374y5iuhld

rsa_pubkey.plain

Signatures

  • Detected Djvu ransomware 5 IoCs
  • Djvu Ransomware

    Ransomware which is a variant of the STOP family.

    ransomwaredjvu
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies system certificate store 2 TTPs 5 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\08b6c38e79c9ac0ce7a7fafaaae1334c41d70b860ff2c8eb6b2742c58cdb06b3.exe
    "C:\Users\Admin\AppData\Local\Temp\08b6c38e79c9ac0ce7a7fafaaae1334c41d70b860ff2c8eb6b2742c58cdb06b3.exe"
    1⤵
    • Adds Run key to start application
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1992
    • C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Users\Admin\AppData\Local\dfc1a548-77aa-45ce-b71c-cde4b4e6b7b0" /deny *S-1-1-0:(OI)(CI)(DE,DC)
      2⤵
      • Modifies file permissions
      PID:572
    • C:\Users\Admin\AppData\Local\Temp\08b6c38e79c9ac0ce7a7fafaaae1334c41d70b860ff2c8eb6b2742c58cdb06b3.exe
      "C:\Users\Admin\AppData\Local\Temp\08b6c38e79c9ac0ce7a7fafaaae1334c41d70b860ff2c8eb6b2742c58cdb06b3.exe" --Admin IsNotAutoStart IsNotTask
      2⤵
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      PID:1068

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

File Permissions Modification

1
T1222

Modify Registry

2
T1112

Install Root Certificate

1
T1130

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
    Filesize

    727B

    MD5

    78077c9c0f44735ebc285343f6cddb03

    SHA1

    f16447f2ade323433685e824ee10fe6f251497cc

    SHA256

    cb322181548b26c639ccae02c2e6c35b82943e6f0655f2726a1415c688f030b1

    SHA512

    707b3ea73dfa939ce4e1b8c94c77b03a94541b228a28c36df953b6e495df940b346c350959747363a1a32760f0c53180e0e90f628c4f4bf09e53c19ba8e35460

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize

    60KB

    MD5

    308336e7f515478969b24c13ded11ede

    SHA1

    8fb0cf42b77dbbef224a1e5fc38abc2486320775

    SHA256

    889b832323726a9f10ad03f85562048fdcfe20c9ff6f9d37412cf477b4e92ff9

    SHA512

    61ad97228cd6c3909ef3ac5e4940199971f293bdd0d5eb7916e60469573a44b6287c0fa1e0b6c1389df35eb6c9a7d2a61fdb318d4a886a3821ef5a9dab3ac24f

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
    Filesize

    471B

    MD5

    c68c131be481d00a6e7680b8abede43c

    SHA1

    6fe949c56d2746a93915c862cc84d526d004bf7f

    SHA256

    5ca8816929c5b74f39fa15656ca061f31bef42eb5bc9964bf7ccbbf441a34e5f

    SHA512

    f9d8ee9d070f352e4d9e32a161353546459dfa3836676eca21f5894db009a05b467e461280c7120464c721c821c4675ed9f41427bfe83d4f0f4d85bb172c55ea

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
    Filesize

    402B

    MD5

    ebf6d2b53304af71b33b7c5e0d00827e

    SHA1

    53fe8aee9875204a45da314c74a716876a5076da

    SHA256

    9d8c703f96241d5a0f3bc6fbadfb8fdf6abc2faa9b4c39c1fbb25d091f178e82

    SHA512

    76213feeab3a573ad8bd3b45e3b3e963d519321984a30543b0bc60e8d66a626b65fcc297779b882407c651b89e3b9c1c507d8142a5991041f510a1850456b204

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    304B

    MD5

    0c0bb6d5e1e16ae85b0155cfd52490f3

    SHA1

    c2ab7a56b8fe43922b47732db88810b1a2f4cdbb

    SHA256

    076c13e30815d7e91c69fc9964c2fd19ac7d18c0ecc39dfd87616260fb5ba32e

    SHA512

    3f87c6bdb27b1a4c067ab408ca5829b02358fff8a616c681f6ed12035ed9181c36be11fd05b7f86fbde24c826feba6bb0e5aa9ec03b3e4a54acff781e15a7321

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
    Filesize

    396B

    MD5

    523d2a8a1f22c8d42d2e5f94c913d439

    SHA1

    5d6719da2f8c831f766cdea271ea47e75fc43391

    SHA256

    707f74b5dcad9f812c1911fd15913018a0600b6a18c82113606bd7d798b7a57f

    SHA512

    6e9d2060aed6c60ca9a6ff92975dfe539cc6edf1170bc8f330ddc1741f0e344c2ac5fac7e1787eeb8e7f4e2dcd3b6ceec54acb4e50fa1a62ae08a6906b0c0a78

    Download Submit
  • C:\Users\Admin\AppData\Local\dfc1a548-77aa-45ce-b71c-cde4b4e6b7b0\08b6c38e79c9ac0ce7a7fafaaae1334c41d70b860ff2c8eb6b2742c58cdb06b3.exe
    Filesize

    755KB

    MD5

    959b266cad13ba35aee35d8d4b723ed4

    SHA1

    026d092515263021e450372713937d0c4f352e2f

    SHA256

    08b6c38e79c9ac0ce7a7fafaaae1334c41d70b860ff2c8eb6b2742c58cdb06b3

    SHA512

    d261068c3e26d8471a187b2c9e00dc2d447a0d7d70e917cd6dbaeaac668f05e6246a2da85ff2bd69e39ccf07d7e66abde118201cb27ce3f037dc0b74c00d4383

    Download Submit
  • memory/572-59-0x0000000000000000-mapping.dmp
    Download
  • memory/1068-63-0x00000000002A0000-0x0000000000331000-memory.dmp
    Filesize

    580KB

    Download
  • memory/1068-65-0x00000000002A0000-0x0000000000331000-memory.dmp
    Filesize

    580KB

    Download
  • memory/1068-61-0x0000000000000000-mapping.dmp
    Download
  • memory/1068-72-0x0000000000400000-0x00000000058A5000-memory.dmp
    Filesize

    84.6MB

    Download
  • memory/1068-73-0x0000000000400000-0x00000000058A5000-memory.dmp
    Filesize

    84.6MB

    Download
  • memory/1992-62-0x0000000000400000-0x00000000058A5000-memory.dmp
    Filesize

    84.6MB

    Download
  • memory/1992-54-0x00000000058B0000-0x0000000005941000-memory.dmp
    Filesize

    580KB

    Download
  • memory/1992-58-0x0000000000400000-0x00000000058A5000-memory.dmp
    Filesize

    84.6MB

    Download
  • memory/1992-57-0x0000000005AB0000-0x0000000005BCA000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1992-56-0x00000000058B0000-0x0000000005941000-memory.dmp
    Filesize

    580KB

    Download
  • memory/1992-55-0x0000000074E91000-0x0000000074E93000-memory.dmp
    Filesize

    8KB

    Download