Overview

overview

10

Static

static

34745abeba...16.exe

windows7_x64

10

34745abeba...16.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    92s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    19-06-2022 21:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    34745abeba30e12a9dee88bcb7c3c9b119f8c21451a2d8ab2aec298c76b35616.exe

  • Size

    717KB

  • MD5

    690f4210136edf1fdffc5df710f49fc5

  • SHA1

    2dc9707fab0c03ee122665c791717461b84c0edf

  • SHA256

    34745abeba30e12a9dee88bcb7c3c9b119f8c21451a2d8ab2aec298c76b35616

  • SHA512

    bfe9a8d68d710e63ad7249c49b4e24bba64d3b8be1e615cd3e5fdbf3ea2a36e7eb92028bb50746ba69507b8d333d39efbbc648f754f83fa919df2a6fcad6866c

Score
10/10
djvudiscoverypersistenceransomware

Malware Config

Extracted

Family

djvu

C2

http://ring1.ug/As73yhsyU34578hxxx/SDf565g/get.php

Attributes
  • extension

    .coot

  • offline_id

    MRQ5kb5Z12tWuP3e25YoRt4PRDrJd2yuI3coott1

  • payload_url

    http://ring1.ug/files/cost/updatewin1.exe

    http://ring1.ug/files/cost/updatewin2.exe

    http://ring1.ug/files/cost/updatewin.exe

    http://ring1.ug/files/cost/3.exe

    http://ring1.ug/files/cost/4.exe

    http://ring1.ug/files/cost/5.exe

  • ransomnote

    ATTENTION! Don't worry, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-IbdGyCKhdr Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: salesrestoresoftware@firemail.cc Reserve e-mail address to contact us: salesrestoresoftware@gmail.com Your personal ID: 0175Asd374y5iuhld

rsa_pubkey.plain

Signatures

  • Detected Djvu ransomware 6 IoCs
  • Djvu Ransomware

    Ransomware which is a variant of the STOP family.

    ransomwaredjvu
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies system certificate store 2 TTPs 5 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\34745abeba30e12a9dee88bcb7c3c9b119f8c21451a2d8ab2aec298c76b35616.exe
    "C:\Users\Admin\AppData\Local\Temp\34745abeba30e12a9dee88bcb7c3c9b119f8c21451a2d8ab2aec298c76b35616.exe"
    1⤵
    • Adds Run key to start application
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1704
    • C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Users\Admin\AppData\Local\bcacf2dd-3513-4016-9649-11e3be21bd41" /deny *S-1-1-0:(OI)(CI)(DE,DC)
      2⤵
      • Modifies file permissions
      PID:1784
    • C:\Users\Admin\AppData\Local\Temp\34745abeba30e12a9dee88bcb7c3c9b119f8c21451a2d8ab2aec298c76b35616.exe
      "C:\Users\Admin\AppData\Local\Temp\34745abeba30e12a9dee88bcb7c3c9b119f8c21451a2d8ab2aec298c76b35616.exe" --Admin IsNotAutoStart IsNotTask
      2⤵
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      PID:428

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

File Permissions Modification

1
T1222

Modify Registry

2
T1112

Install Root Certificate

1
T1130

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
    Filesize

    727B

    MD5

    235c65f2ce463eb47a4ca165438636f8

    SHA1

    bc61b7bbf2fca53b75bc26f37be92a39892bcf3a

    SHA256

    095ced30e9c931b9ca1607c737938439e996e58c92975fcfc136fd685d9d9598

    SHA512

    32af8a6bb45cecba9c05f775655b6d938ed762a2ea91137f3f457b2592c0f4b99b8ea59f3b9ba62081e0414b440f37c6d05db0de6d2cb7345dcfb92749425fb5

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize

    60KB

    MD5

    308336e7f515478969b24c13ded11ede

    SHA1

    8fb0cf42b77dbbef224a1e5fc38abc2486320775

    SHA256

    889b832323726a9f10ad03f85562048fdcfe20c9ff6f9d37412cf477b4e92ff9

    SHA512

    61ad97228cd6c3909ef3ac5e4940199971f293bdd0d5eb7916e60469573a44b6287c0fa1e0b6c1389df35eb6c9a7d2a61fdb318d4a886a3821ef5a9dab3ac24f

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
    Filesize

    471B

    MD5

    ea4b6ff54ad5a61da518bb85641eddbd

    SHA1

    e940a49ce73a178c951fadf5fb3ee0ed18cc8d0a

    SHA256

    9af94c096f9fafbe3f4107a74cf79c0e2b9c0435fe7025a26717add3e593e01f

    SHA512

    f7fd53ece3d03caa928674c1a23c9d66af9a2122d2f7502dd921e08efa85398fe3b29aaca54ff490ab17803ba45d4fa7236c62cc67fb589637cf7d3a1e871168

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
    Filesize

    402B

    MD5

    b85f5db5b49560a4520ff079f95ddd04

    SHA1

    6c3611fae975d621841aef28e5d30c02add5aa74

    SHA256

    f319d18c849bb3da3670b4e7f3de1f9a01c5fa087b66b38394baecd362994459

    SHA512

    df5158ab13ee7ab72203c3c893b7337fc92ceb0884d7ac1552163ee0d1dcc00f74cb210adcbaf4f11870f328d9947932a3454b9e457c87da13876ad83c1696f1

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    0e117709198c2bb8e7205acc62aab761

    SHA1

    271b62c05eb243915ee26396b2e935af1838a593

    SHA256

    f11e352d60cf2ed03370af9a5c3fd1d3a372d8259175f918afb089f3b82f3fe4

    SHA512

    f45f5b3b234a0e8ce0953c08487cb9599bccaf040065bb759589a32072d87e4a42b674bde2a9d4e746e3a93532c3fb8f45a3cddb6aee8da552d5748de2715365

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
    Filesize

    396B

    MD5

    f7712174da998110bb1c669d5aad049e

    SHA1

    b5beb7c0ae4e4f8a154700e1eac177e495b331b6

    SHA256

    84a85158d66a3efbd199dca651f74619105c9cfdf1a92cd39604ef3b4bf04672

    SHA512

    d4fdfc53a6ff6d929ebb0cf846a791228a80ef6e5989998c8a3334695c17b849288f4098482eee5ecaa10219e8e05987cf4d2bf1a04fe5b2392d37ae4018d3b2

    Download Submit
  • C:\Users\Admin\AppData\Local\bcacf2dd-3513-4016-9649-11e3be21bd41\34745abeba30e12a9dee88bcb7c3c9b119f8c21451a2d8ab2aec298c76b35616.exe
    Filesize

    717KB

    MD5

    690f4210136edf1fdffc5df710f49fc5

    SHA1

    2dc9707fab0c03ee122665c791717461b84c0edf

    SHA256

    34745abeba30e12a9dee88bcb7c3c9b119f8c21451a2d8ab2aec298c76b35616

    SHA512

    bfe9a8d68d710e63ad7249c49b4e24bba64d3b8be1e615cd3e5fdbf3ea2a36e7eb92028bb50746ba69507b8d333d39efbbc648f754f83fa919df2a6fcad6866c

    Download Submit
  • memory/428-64-0x0000000004F10000-0x0000000004FA1000-memory.dmp
    Filesize

    580KB

    Download
  • memory/428-62-0x0000000000000000-mapping.dmp
    Download
  • memory/428-72-0x0000000004F10000-0x0000000004FA1000-memory.dmp
    Filesize

    580KB

    Download
  • memory/428-73-0x0000000000400000-0x0000000004F0C000-memory.dmp
    Filesize

    75.0MB

    Download
  • memory/428-74-0x0000000000400000-0x0000000004F0C000-memory.dmp
    Filesize

    75.0MB

    Download
  • memory/1704-63-0x0000000000400000-0x0000000004F0C000-memory.dmp
    Filesize

    75.0MB

    Download
  • memory/1704-54-0x0000000000220000-0x00000000002B1000-memory.dmp
    Filesize

    580KB

    Download
  • memory/1704-61-0x0000000000400000-0x0000000004F0C000-memory.dmp
    Filesize

    75.0MB

    Download
  • memory/1704-58-0x0000000000400000-0x0000000004F0C000-memory.dmp
    Filesize

    75.0MB

    Download
  • memory/1704-57-0x0000000006850000-0x000000000696A000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1704-56-0x0000000000220000-0x00000000002B1000-memory.dmp
    Filesize

    580KB

    Download
  • memory/1704-55-0x0000000076241000-0x0000000076243000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1784-59-0x0000000000000000-mapping.dmp
    Download