Analysis

  • max time kernel
    152s
  • max time network
    172s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    01-07-2022 03:56

General

  • Target
    7b3eb4e7cad673ac4e9d3894466a15dedd45621d116e0222209b3ab98b6677c3.exe
  • Size
    740KB
  • MD5
    5aad3088c1ccdb8ce85b137074fa9bd6
  • SHA1
    b964df4fe2ae3ab72e54a8e5e362ea8d15305270
  • SHA256
    7b3eb4e7cad673ac4e9d3894466a15dedd45621d116e0222209b3ab98b6677c3
  • SHA512
    26f8cc1b776ccd43073f72f3cd1466744a4437d851234b950ecd84d3c48595584ccb2ccad2e6f086e652e1d54b4735465b70cbdd659a0ca48ae76008b25eb0b1

Malware Config

Extracted

  • Family
    djvu
  • C2
    http://ring1.ug/As73yhsyU34578hxxx/SDf565g/get.php
  • Attributes
    • extension
      .meka
    • offline_id
      iToA4bsB4p1U6eP9sYfwett26TIoVaIjXvmekat1
    • payload_url
      http://ring1.ug/files/cost/updatewin1.exe
      http://ring1.ug/files/cost/updatewin2.exe
      http://ring1.ug/files/cost/updatewin.exe
      http://ring1.ug/files/cost/3.exe
      http://ring1.ug/files/cost/4.exe
      http://ring1.ug/files/cost/5.exe
    • ransomnote
      ATTENTION! Don't worry, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-h159DSA7cz Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: salesrestoresoftware@firemail.cc Reserve e-mail address to contact us: salesrestoresoftware@gmail.com Your personal ID: 0178Asd374y5iuhld
    • rsa_pubkey.plain

Signatures

  • Detected Djvu ransomware 6 IoCs
  • Djvu Ransomware

    Ransomware which is a variant of the STOP family.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Modifies file permissions 1 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7b3eb4e7cad673ac4e9d3894466a15dedd45621d116e0222209b3ab98b6677c3.exe
    "C:\Users\Admin\AppData\Local\Temp\7b3eb4e7cad673ac4e9d3894466a15dedd45621d116e0222209b3ab98b6677c3.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3488
    • C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Users\Admin\AppData\Local\88d9e43b-38e9-4284-b019-467547e83545" /deny *S-1-1-0:(OI)(CI)(DE,DC)
      2⤵
      • Modifies file permissions
      PID:4584
    • C:\Users\Admin\AppData\Local\Temp\7b3eb4e7cad673ac4e9d3894466a15dedd45621d116e0222209b3ab98b6677c3.exe
      "C:\Users\Admin\AppData\Local\Temp\7b3eb4e7cad673ac4e9d3894466a15dedd45621d116e0222209b3ab98b6677c3.exe" --Admin IsNotAutoStart IsNotTask
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1968
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3488 -s 1956
      2⤵
      • Program crash
      PID:4416
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3488 -ip 3488
    1⤵
    PID:1888

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    • Registry Run Keys / Startup Folder (T1060): 1
  • Defense Evasion
    • File Permissions Modification (T1222): 1
    • Modify Registry (T1112): 2
    • Install Root Certificate (T1130): 1
  • Discovery
    • Query Registry (T1012): 1
    • System Information Discovery (T1082): 2


Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3538626A1FCCCA43C7E18F220BDD9B02
    Filesize
      978B
    MD5
      53f5b8be760bdfa4cbecd3d6492723f2
    SHA1
      ae68ecd6b74d6f7b6e6496c039b997481fd16a81
    SHA256
      5e388e290b9db7db1470d39f56ce369d6928a57a16ea7efe25c9038c895ebd31
    SHA512
      6d0f4082520d0571092452d1c892b189c092dacf7377f79314ca8e7b54ae9726b3e878fa436795e9b60ae816d5c5943ce8855ba7e0044901862da8356a629f50

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
    Filesize
      471B
    MD5
      b315b3f5f97226f5dd9e59adbdac03e4
    SHA1
      e7f513b703598517413b702f6a7e5db0f479e31a
    SHA256
      16b96325c2dbd241387842c4d464d1098827cbd97abd940647e7893a12243fea
    SHA512
      5650e2c7e80debdd930c016c674390e2fa5c6d7bbdade707785708f4dddecf5a0650bb0c2a52e1015f3c32e510901a70da9fc0e99898b97a6ed945bdb31e1c3b

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3538626A1FCCCA43C7E18F220BDD9B02
    Filesize
      274B
    MD5
      7e1489d58ae123ab87ce1aa58580f24c
    SHA1
      443dada8cf876107fed1ac606a338f5dced185a2
    SHA256
      2719bf9bc73fa7115e706e7d9680fe8a3d4e4ec621ccd78a4a85ccde554bd267
    SHA512
      8f355dc37d85ae100dbad476369b0ee499bc9686a2db18c00f9e9f43869067e6b9ddd2df34f502b8d703e4ff92d4cd5b081a39a3eeb76eb6d60072479b4aca14

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
    Filesize
      396B
    MD5
      440d21f8e0b2f2ec6afa53e926eeb7d7
    SHA1
      e55ddef032acc163b7622d9a945960150228353a
    SHA256
      06e50f0491edfdb8121a25bfd4e47033b4f92f16b6053fd3f660b6832a82176e
    SHA512
      08e5f352cde5f3629449e4280759601d41a5efed07f99ce6346aca9a768611f779e8611e8f07624f5779928048157f7e2f466b00fe9998a4acc5588424bde783

  • C:\Users\Admin\AppData\Local\88d9e43b-38e9-4284-b019-467547e83545\7b3eb4e7cad673ac4e9d3894466a15dedd45621d116e0222209b3ab98b6677c3.exe
    Filesize
      740KB
    MD5
      5aad3088c1ccdb8ce85b137074fa9bd6
    SHA1
      b964df4fe2ae3ab72e54a8e5e362ea8d15305270
    SHA256
      7b3eb4e7cad673ac4e9d3894466a15dedd45621d116e0222209b3ab98b6677c3
    SHA512
      26f8cc1b776ccd43073f72f3cd1466744a4437d851234b950ecd84d3c48595584ccb2ccad2e6f086e652e1d54b4735465b70cbdd659a0ca48ae76008b25eb0b1

  • memory/1968-136-0x0000000000000000-mapping.dmp
  • memory/1968-141-0x0000000000D8F000-0x0000000000E20000-memory.dmp
    Filesize
      580KB
  • memory/1968-142-0x0000000000400000-0x0000000000C56000-memory.dmp
    Filesize
      8.3MB
  • memory/1968-143-0x0000000000400000-0x0000000000C56000-memory.dmp
    Filesize
      8.3MB
  • memory/3488-130-0x000000000113B000-0x00000000011CC000-memory.dmp
    Filesize
      580KB
  • memory/3488-133-0x0000000001290000-0x00000000013AA000-memory.dmp
    Filesize
      1.1MB
  • memory/3488-132-0x0000000000400000-0x0000000000C56000-memory.dmp
    Filesize
      8.3MB
  • memory/3488-131-0x0000000001290000-0x00000000013AA000-memory.dmp
    Filesize
      1.1MB
  • memory/3488-144-0x0000000000400000-0x0000000000C56000-memory.dmp
    Filesize
      8.3MB
  • memory/4584-134-0x0000000000000000-mapping.dmp