Analysis

  • max time kernel
    137s
  • max time network
    167s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    19-06-2022 21:17

General

  • Target

    34745abeba30e12a9dee88bcb7c3c9b119f8c21451a2d8ab2aec298c76b35616.exe

  • Size

    717KB

  • MD5

    690f4210136edf1fdffc5df710f49fc5

  • SHA1

    2dc9707fab0c03ee122665c791717461b84c0edf

  • SHA256

    34745abeba30e12a9dee88bcb7c3c9b119f8c21451a2d8ab2aec298c76b35616

  • SHA512

    bfe9a8d68d710e63ad7249c49b4e24bba64d3b8be1e615cd3e5fdbf3ea2a36e7eb92028bb50746ba69507b8d333d39efbbc648f754f83fa919df2a6fcad6866c

Malware Config

Extracted

Family

djvu

C2

http://ring1.ug/As73yhsyU34578hxxx/SDf565g/get.php

Attributes
  • extension

    .coot

  • offline_id

    MRQ5kb5Z12tWuP3e25YoRt4PRDrJd2yuI3coott1

  • payload_url

    http://ring1.ug/files/cost/updatewin1.exe

    http://ring1.ug/files/cost/updatewin2.exe

    http://ring1.ug/files/cost/updatewin.exe

    http://ring1.ug/files/cost/3.exe

    http://ring1.ug/files/cost/4.exe

    http://ring1.ug/files/cost/5.exe

  • ransomnote

    ATTENTION! Don't worry, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-IbdGyCKhdr Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: salesrestoresoftware@firemail.cc Reserve e-mail address to contact us: salesrestoresoftware@gmail.com Your personal ID: 0175Asd374y5iuhld

  • rsa_pubkey.plain

Signatures

  • Detected Djvu ransomware 6 IoCs
  • Djvu Ransomware

    Ransomware which is a variant of the STOP family.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Modifies file permissions 1 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\34745abeba30e12a9dee88bcb7c3c9b119f8c21451a2d8ab2aec298c76b35616.exe
    "C:\Users\Admin\AppData\Local\Temp\34745abeba30e12a9dee88bcb7c3c9b119f8c21451a2d8ab2aec298c76b35616.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4060
    • C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Users\Admin\AppData\Local\e8b2a52f-3bf0-4470-aadf-7e7dfe528d14" /deny *S-1-1-0:(OI)(CI)(DE,DC)
      2⤵
      • Modifies file permissions
      PID:1428
    • C:\Users\Admin\AppData\Local\Temp\34745abeba30e12a9dee88bcb7c3c9b119f8c21451a2d8ab2aec298c76b35616.exe
      "C:\Users\Admin\AppData\Local\Temp\34745abeba30e12a9dee88bcb7c3c9b119f8c21451a2d8ab2aec298c76b35616.exe" --Admin IsNotAutoStart IsNotTask
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:5000
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 2140
      2⤵
      • Program crash
      PID:4412
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4060 -ip 4060
    1⤵
      PID:216

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    • Registry Run Keys / Startup Folder (T1060): 1
  • Defense Evasion
    • File Permissions Modification (T1222): 1
    • Modify Registry (T1112): 2
    • Install Root Certificate (T1130): 1
  • Discovery
    • Query Registry (T1012): 1
    • System Information Discovery (T1082): 2

Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3538626A1FCCCA43C7E18F220BDD9B02
      Filesize

      978B

      MD5

      fd3c0ed2f903b82cee8366ae5210a574

      SHA1

      04d9fb84e566fbf5eca379c7951747829aada0d3

      SHA256

      0e69ae7cf7b20c41107208d239d24da5868525ae23c9add3a82c4b1811d7674c

      SHA512

      3c1e0ca39bedb33114b1910fe4972de4ef08edee13adf24361e362d540b30382ff7836c085ca2936e78d3a351a6523fed9e75face0c2456d4efc884c81018bdf

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
      Filesize

      471B

      MD5

      ea4b6ff54ad5a61da518bb85641eddbd

      SHA1

      e940a49ce73a178c951fadf5fb3ee0ed18cc8d0a

      SHA256

      9af94c096f9fafbe3f4107a74cf79c0e2b9c0435fe7025a26717add3e593e01f

      SHA512

      f7fd53ece3d03caa928674c1a23c9d66af9a2122d2f7502dd921e08efa85398fe3b29aaca54ff490ab17803ba45d4fa7236c62cc67fb589637cf7d3a1e871168

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3538626A1FCCCA43C7E18F220BDD9B02
      Filesize

      274B

      MD5

      7ffc5e271c62417b2e80e08d1050a166

      SHA1

      ccab57771c0755707d8b9432ec7ddf80efa5df4c

      SHA256

      3ce6ddf08e92f44ca7412a476787a260216f8211a7af0b32a58232c1217d7ad9

      SHA512

      ad6c0b5d17ff7e5b9880a194d0a5704bc069bc3ecd4966132d70931b0e0c8112fe9a2a9e353c19c18eb6b1d11ee38ecd235239b14a23bdc2b0b67e79fafab1b9

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
      Filesize

      396B

      MD5

      aa912c1daf3e5ce65f8358359f98b51b

      SHA1

      f03caa37eed1bcccf46b28e6223105d9110bca50

      SHA256

      0ada1741577e5d1fa00e482c1ffb491c2443771344672b64425703a6b6fb7a28

      SHA512

      00853f2f0fb93ba762b0fcef358e393ac3906f0d28b85185ab28f0cd2c6aa99972dcf5268aefdffe1afe296853f9a781ddf993b7ec8ffe2eb998d28d6c729c89

    • C:\Users\Admin\AppData\Local\e8b2a52f-3bf0-4470-aadf-7e7dfe528d14\34745abeba30e12a9dee88bcb7c3c9b119f8c21451a2d8ab2aec298c76b35616.exe
      Filesize

      717KB

      MD5

      690f4210136edf1fdffc5df710f49fc5

      SHA1

      2dc9707fab0c03ee122665c791717461b84c0edf

      SHA256

      34745abeba30e12a9dee88bcb7c3c9b119f8c21451a2d8ab2aec298c76b35616

      SHA512

      bfe9a8d68d710e63ad7249c49b4e24bba64d3b8be1e615cd3e5fdbf3ea2a36e7eb92028bb50746ba69507b8d333d39efbbc648f754f83fa919df2a6fcad6866c

    • memory/1428-133-0x0000000000000000-mapping.dmp
    • memory/4060-130-0x0000000006CA9000-0x0000000006D3A000-memory.dmp
      Filesize

      580KB

    • memory/4060-132-0x0000000000400000-0x0000000004F0C000-memory.dmp
      Filesize

      75.0MB

    • memory/4060-131-0x0000000006D40000-0x0000000006E5A000-memory.dmp
      Filesize

      1.1MB

    • memory/4060-143-0x0000000006CA9000-0x0000000006D3A000-memory.dmp
      Filesize

      580KB

    • memory/4060-144-0x0000000000400000-0x0000000004F0C000-memory.dmp
      Filesize

      75.0MB

    • memory/5000-135-0x0000000000000000-mapping.dmp
    • memory/5000-136-0x0000000006BCC000-0x0000000006C5D000-memory.dmp
      Filesize

      580KB

    • memory/5000-137-0x0000000006CD0000-0x0000000006DEA000-memory.dmp
      Filesize

      1.1MB

    • memory/5000-142-0x0000000000400000-0x0000000004F0C000-memory.dmp
      Filesize

      75.0MB

    • memory/5000-145-0x0000000000400000-0x0000000004F0C000-memory.dmp
      Filesize

      75.0MB