Analysis
max time kernel: 137s
max time network: 167s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 19-06-2022 21:17
Static task: static1
Behavioral task: behavioral1
  Sample: 34745abeba30e12a9dee88bcb7c3c9b119f8c21451a2d8ab2aec298c76b35616.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 34745abeba30e12a9dee88bcb7c3c9b119f8c21451a2d8ab2aec298c76b35616.exe
  Resource: win10v2004-20220414-en
General
Target: 34745abeba30e12a9dee88bcb7c3c9b119f8c21451a2d8ab2aec298c76b35616.exe
Size: 717KB
MD5: 690f4210136edf1fdffc5df710f49fc5
SHA1: 2dc9707fab0c03ee122665c791717461b84c0edf
SHA256: 34745abeba30e12a9dee88bcb7c3c9b119f8c21451a2d8ab2aec298c76b35616
SHA512: bfe9a8d68d710e63ad7249c49b4e24bba64d3b8be1e615cd3e5fdbf3ea2a36e7eb92028bb50746ba69507b8d333d39efbbc648f754f83fa919df2a6fcad6866c
Malware Config
Extracted: djvu
  http://ring1.ug/As73yhsyU34578hxxx/SDf565g/get.php
  extension: .coot
  offline_id: MRQ5kb5Z12tWuP3e25YoRt4PRDrJd2yuI3coott1
  payload_url:
    http://ring1.ug/files/cost/updatewin1.exe
    http://ring1.ug/files/cost/updatewin2.exe
    http://ring1.ug/files/cost/updatewin.exe
    http://ring1.ug/files/cost/3.exe
    http://ring1.ug/files/cost/4.exe
    http://ring1.ug/files/cost/5.exe
  ransomnote: ATTENTION! Don't worry, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-IbdGyCKhdr Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: salesrestoresoftware@firemail.cc Reserve e-mail address to contact us: salesrestoresoftware@gmail.com Your personal ID: 0175Asd374y5iuhld
Signatures
-
Detected Djvu ransomware 6 IoCs
Processes:
  resource                                                                       yara_rule
  behavioral2/memory/4060-131-0x0000000006D40000-0x0000000006E5A000-memory.dmp    family_djvu
  behavioral2/memory/4060-132-0x0000000000400000-0x0000000004F0C000-memory.dmp    family_djvu
  behavioral2/memory/5000-137-0x0000000006CD0000-0x0000000006DEA000-memory.dmp    family_djvu
  behavioral2/memory/5000-142-0x0000000000400000-0x0000000004F0C000-memory.dmp    family_djvu
  behavioral2/memory/4060-144-0x0000000000400000-0x0000000004F0C000-memory.dmp    family_djvu
  behavioral2/memory/5000-145-0x0000000000400000-0x0000000004F0C000-memory.dmp    family_djvu
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 34745abeba30e12a9dee88bcb7c3c9b119f8c21451a2d8ab2aec298c76b35616.exe
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation
  process: 34745abeba30e12a9dee88bcb7c3c9b119f8c21451a2d8ab2aec298c76b35616.exe
-
Modifies file permissions 1 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes: 34745abeba30e12a9dee88bcb7c3c9b119f8c21451a2d8ab2aec298c76b35616.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\e8b2a52f-3bf0-4470-aadf-7e7dfe528d14\\34745abeba30e12a9dee88bcb7c3c9b119f8c21451a2d8ab2aec298c76b35616.exe\" --AutoStart"
  process: 34745abeba30e12a9dee88bcb7c3c9b119f8c21451a2d8ab2aec298c76b35616.exe
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow    ioc
  14      api.2ip.ua
  15      api.2ip.ua
  33      api.2ip.ua
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes: WerFault.exe
  pid     pid_target    process         target process
  4412    4060          WerFault.exe    34745abeba30e12a9dee88bcb7c3c9b119f8c21451a2d8ab2aec298c76b35616.exe
-
Modifies system certificate store
Processes: 34745abeba30e12a9dee88bcb7c3c9b119f8c21451a2d8ab2aec298c76b35616.exe
  description: Key created
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349
  process: 34745abeba30e12a9dee88bcb7c3c9b119f8c21451a2d8ab2aec298c76b35616.exe
  description: Set value (data)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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
  process: 34745abeba30e12a9dee88bcb7c3c9b119f8c21451a2d8ab2aec298c76b35616.exe
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes: 34745abeba30e12a9dee88bcb7c3c9b119f8c21451a2d8ab2aec298c76b35616.exe, 34745abeba30e12a9dee88bcb7c3c9b119f8c21451a2d8ab2aec298c76b35616.exe
  pid     process
  4060    34745abeba30e12a9dee88bcb7c3c9b119f8c21451a2d8ab2aec298c76b35616.exe
  4060    34745abeba30e12a9dee88bcb7c3c9b119f8c21451a2d8ab2aec298c76b35616.exe
  5000    34745abeba30e12a9dee88bcb7c3c9b119f8c21451a2d8ab2aec298c76b35616.exe
  5000    34745abeba30e12a9dee88bcb7c3c9b119f8c21451a2d8ab2aec298c76b35616.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes: 34745abeba30e12a9dee88bcb7c3c9b119f8c21451a2d8ab2aec298c76b35616.exe
  description                          pid     process                                                                   target process
  PID 4060 wrote to memory of 1428     4060    34745abeba30e12a9dee88bcb7c3c9b119f8c21451a2d8ab2aec298c76b35616.exe    icacls.exe
  PID 4060 wrote to memory of 1428     4060    34745abeba30e12a9dee88bcb7c3c9b119f8c21451a2d8ab2aec298c76b35616.exe    icacls.exe
  PID 4060 wrote to memory of 1428     4060    34745abeba30e12a9dee88bcb7c3c9b119f8c21451a2d8ab2aec298c76b35616.exe    icacls.exe
  PID 4060 wrote to memory of 5000     4060    34745abeba30e12a9dee88bcb7c3c9b119f8c21451a2d8ab2aec298c76b35616.exe    34745abeba30e12a9dee88bcb7c3c9b119f8c21451a2d8ab2aec298c76b35616.exe
  PID 4060 wrote to memory of 5000     4060    34745abeba30e12a9dee88bcb7c3c9b119f8c21451a2d8ab2aec298c76b35616.exe    34745abeba30e12a9dee88bcb7c3c9b119f8c21451a2d8ab2aec298c76b35616.exe
  PID 4060 wrote to memory of 5000     4060    34745abeba30e12a9dee88bcb7c3c9b119f8c21451a2d8ab2aec298c76b35616.exe    34745abeba30e12a9dee88bcb7c3c9b119f8c21451a2d8ab2aec298c76b35616.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\34745abeba30e12a9dee88bcb7c3c9b119f8c21451a2d8ab2aec298c76b35616.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\34745abeba30e12a9dee88bcb7c3c9b119f8c21451a2d8ab2aec298c76b35616.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\SysWOW64\icacls.exe (child)
    Command line: icacls "C:\Users\Admin\AppData\Local\e8b2a52f-3bf0-4470-aadf-7e7dfe528d14" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    - Modifies file permissions
  -
  C:\Users\Admin\AppData\Local\Temp\34745abeba30e12a9dee88bcb7c3c9b119f8c21451a2d8ab2aec298c76b35616.exe (child)
    Command line: "C:\Users\Admin\AppData\Local\Temp\34745abeba30e12a9dee88bcb7c3c9b119f8c21451a2d8ab2aec298c76b35616.exe" --Admin IsNotAutoStart IsNotTask
    - Suspicious behavior: EnumeratesProcesses
  -
  C:\Windows\SysWOW64\WerFault.exe (child)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 2140
    - Program crash
-
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4060 -ip 4060
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3538626A1FCCCA43C7E18F220BDD9B02
  Filesize: 978B
  MD5: fd3c0ed2f903b82cee8366ae5210a574
  SHA1: 04d9fb84e566fbf5eca379c7951747829aada0d3
  SHA256: 0e69ae7cf7b20c41107208d239d24da5868525ae23c9add3a82c4b1811d7674c
  SHA512: 3c1e0ca39bedb33114b1910fe4972de4ef08edee13adf24361e362d540b30382ff7836c085ca2936e78d3a351a6523fed9e75face0c2456d4efc884c81018bdf
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
  Filesize: 471B
  MD5: ea4b6ff54ad5a61da518bb85641eddbd
  SHA1: e940a49ce73a178c951fadf5fb3ee0ed18cc8d0a
  SHA256: 9af94c096f9fafbe3f4107a74cf79c0e2b9c0435fe7025a26717add3e593e01f
  SHA512: f7fd53ece3d03caa928674c1a23c9d66af9a2122d2f7502dd921e08efa85398fe3b29aaca54ff490ab17803ba45d4fa7236c62cc67fb589637cf7d3a1e871168
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3538626A1FCCCA43C7E18F220BDD9B02
  Filesize: 274B
  MD5: 7ffc5e271c62417b2e80e08d1050a166
  SHA1: ccab57771c0755707d8b9432ec7ddf80efa5df4c
  SHA256: 3ce6ddf08e92f44ca7412a476787a260216f8211a7af0b32a58232c1217d7ad9
  SHA512: ad6c0b5d17ff7e5b9880a194d0a5704bc069bc3ecd4966132d70931b0e0c8112fe9a2a9e353c19c18eb6b1d11ee38ecd235239b14a23bdc2b0b67e79fafab1b9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
  Filesize: 396B
  MD5: aa912c1daf3e5ce65f8358359f98b51b
  SHA1: f03caa37eed1bcccf46b28e6223105d9110bca50
  SHA256: 0ada1741577e5d1fa00e482c1ffb491c2443771344672b64425703a6b6fb7a28
  SHA512: 00853f2f0fb93ba762b0fcef358e393ac3906f0d28b85185ab28f0cd2c6aa99972dcf5268aefdffe1afe296853f9a781ddf993b7ec8ffe2eb998d28d6c729c89
-
C:\Users\Admin\AppData\Local\e8b2a52f-3bf0-4470-aadf-7e7dfe528d14\34745abeba30e12a9dee88bcb7c3c9b119f8c21451a2d8ab2aec298c76b35616.exe
  Filesize: 717KB
  MD5: 690f4210136edf1fdffc5df710f49fc5
  SHA1: 2dc9707fab0c03ee122665c791717461b84c0edf
  SHA256: 34745abeba30e12a9dee88bcb7c3c9b119f8c21451a2d8ab2aec298c76b35616
  SHA512: bfe9a8d68d710e63ad7249c49b4e24bba64d3b8be1e615cd3e5fdbf3ea2a36e7eb92028bb50746ba69507b8d333d39efbbc648f754f83fa919df2a6fcad6866c
-
memory/1428-133-0x0000000000000000-mapping.dmp
-
memory/4060-130-0x0000000006CA9000-0x0000000006D3A000-memory.dmp
  Filesize: 580KB
-
memory/4060-132-0x0000000000400000-0x0000000004F0C000-memory.dmp
  Filesize: 75.0MB
-
memory/4060-131-0x0000000006D40000-0x0000000006E5A000-memory.dmp
  Filesize: 1.1MB
-
memory/4060-143-0x0000000006CA9000-0x0000000006D3A000-memory.dmp
  Filesize: 580KB
-
memory/4060-144-0x0000000000400000-0x0000000004F0C000-memory.dmp
  Filesize: 75.0MB
-
memory/5000-135-0x0000000000000000-mapping.dmp
-
memory/5000-136-0x0000000006BCC000-0x0000000006C5D000-memory.dmp
  Filesize: 580KB
-
memory/5000-137-0x0000000006CD0000-0x0000000006DEA000-memory.dmp
  Filesize: 1.1MB
-
memory/5000-142-0x0000000000400000-0x0000000004F0C000-memory.dmp
  Filesize: 75.0MB
-
memory/5000-145-0x0000000000400000-0x0000000004F0C000-memory.dmp
  Filesize: 75.0MB