Analysis
- max time kernel: 152s
- max time network: 172s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 01-07-2022 03:56

Static task: static1
Behavioral task: behavioral1
  Sample: 7b3eb4e7cad673ac4e9d3894466a15dedd45621d116e0222209b3ab98b6677c3.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 7b3eb4e7cad673ac4e9d3894466a15dedd45621d116e0222209b3ab98b6677c3.exe
  Resource: win10v2004-20220414-en
General
- Target: 7b3eb4e7cad673ac4e9d3894466a15dedd45621d116e0222209b3ab98b6677c3.exe
- Size: 740KB
- MD5: 5aad3088c1ccdb8ce85b137074fa9bd6
- SHA1: b964df4fe2ae3ab72e54a8e5e362ea8d15305270
- SHA256: 7b3eb4e7cad673ac4e9d3894466a15dedd45621d116e0222209b3ab98b6677c3
- SHA512: 26f8cc1b776ccd43073f72f3cd1466744a4437d851234b950ecd84d3c48595584ccb2ccad2e6f086e652e1d54b4735465b70cbdd659a0ca48ae76008b25eb0b1
Malware Config
Extracted
- family: djvu
- c2: http://ring1.ug/As73yhsyU34578hxxx/SDf565g/get.php
- extension: .meka
- offline_id: iToA4bsB4p1U6eP9sYfwett26TIoVaIjXvmekat1
- payload_url:
  http://ring1.ug/files/cost/updatewin1.exe
  http://ring1.ug/files/cost/updatewin2.exe
  http://ring1.ug/files/cost/updatewin.exe
  http://ring1.ug/files/cost/3.exe
  http://ring1.ug/files/cost/4.exe
  http://ring1.ug/files/cost/5.exe
- ransomnote:
  ATTENTION! Don't worry, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-h159DSA7cz Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: salesrestoresoftware@firemail.cc Reserve e-mail address to contact us: salesrestoresoftware@gmail.com Your personal ID: 0178Asd374y5iuhld
Signatures
-
Detected Djvu ransomware (6 IoCs)
Processes (yara rule family_djvu matched in these memory dumps):
- behavioral2/memory/3488-131-0x0000000001290000-0x00000000013AA000-memory.dmp
- behavioral2/memory/3488-132-0x0000000000400000-0x0000000000C56000-memory.dmp
- behavioral2/memory/3488-133-0x0000000001290000-0x00000000013AA000-memory.dmp
- behavioral2/memory/1968-142-0x0000000000400000-0x0000000000C56000-memory.dmp
- behavioral2/memory/1968-143-0x0000000000400000-0x0000000000C56000-memory.dmp
- behavioral2/memory/3488-144-0x0000000000400000-0x0000000000C56000-memory.dmp
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
Processes:
- 7b3eb4e7cad673ac4e9d3894466a15dedd45621d116e0222209b3ab98b6677c3.exe: Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation
Modifies file permissions (1 TTP, 1 IoC)
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
- 7b3eb4e7cad673ac4e9d3894466a15dedd45621d116e0222209b3ab98b6677c3.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\88d9e43b-38e9-4284-b019-467547e83545\\7b3eb4e7cad673ac4e9d3894466a15dedd45621d116e0222209b3ab98b6677c3.exe\" --AutoStart"
Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Network flows:
- flow 6: api.2ip.ua
- flow 7: api.2ip.ua
- flow 28: api.2ip.ua
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash (1 IoC)
Processes:
- WerFault.exe (pid 4416) handled the crash of pid 3488 (7b3eb4e7cad673ac4e9d3894466a15dedd45621d116e0222209b3ab98b6677c3.exe)
Modifies system certificate store
Processes:
- 7b3eb4e7cad673ac4e9d3894466a15dedd45621d116e0222209b3ab98b6677c3.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349
- 7b3eb4e7cad673ac4e9d3894466a15dedd45621d116e0222209b3ab98b6677c3.exe: Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob data elided)
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
- pid 3488: 7b3eb4e7cad673ac4e9d3894466a15dedd45621d116e0222209b3ab98b6677c3.exe (2 hits)
- pid 1968: 7b3eb4e7cad673ac4e9d3894466a15dedd45621d116e0222209b3ab98b6677c3.exe (2 hits)
Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
- PID 3488 (7b3eb4e7cad673ac4e9d3894466a15dedd45621d116e0222209b3ab98b6677c3.exe) wrote to memory of PID 4584 (icacls.exe): 3 hits
- PID 3488 (7b3eb4e7cad673ac4e9d3894466a15dedd45621d116e0222209b3ab98b6677c3.exe) wrote to memory of PID 1968 (7b3eb4e7cad673ac4e9d3894466a15dedd45621d116e0222209b3ab98b6677c3.exe): 3 hits
Processes (indentation shows the parent/child tree)
- C:\Users\Admin\AppData\Local\Temp\7b3eb4e7cad673ac4e9d3894466a15dedd45621d116e0222209b3ab98b6677c3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7b3eb4e7cad673ac4e9d3894466a15dedd45621d116e0222209b3ab98b6677c3.exe"
  Signatures: Checks computer location settings; Adds Run key to start application; Modifies system certificate store; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls "C:\Users\Admin\AppData\Local\88d9e43b-38e9-4284-b019-467547e83545" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    Signatures: Modifies file permissions
  - C:\Users\Admin\AppData\Local\Temp\7b3eb4e7cad673ac4e9d3894466a15dedd45621d116e0222209b3ab98b6677c3.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\7b3eb4e7cad673ac4e9d3894466a15dedd45621d116e0222209b3ab98b6677c3.exe" --Admin IsNotAutoStart IsNotTask
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3488 -s 1956
    Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3488 -ip 3488
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3538626A1FCCCA43C7E18F220BDD9B02
  Filesize: 978B
  MD5: 53f5b8be760bdfa4cbecd3d6492723f2
  SHA1: ae68ecd6b74d6f7b6e6496c039b997481fd16a81
  SHA256: 5e388e290b9db7db1470d39f56ce369d6928a57a16ea7efe25c9038c895ebd31
  SHA512: 6d0f4082520d0571092452d1c892b189c092dacf7377f79314ca8e7b54ae9726b3e878fa436795e9b60ae816d5c5943ce8855ba7e0044901862da8356a629f50
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
  Filesize: 471B
  MD5: b315b3f5f97226f5dd9e59adbdac03e4
  SHA1: e7f513b703598517413b702f6a7e5db0f479e31a
  SHA256: 16b96325c2dbd241387842c4d464d1098827cbd97abd940647e7893a12243fea
  SHA512: 5650e2c7e80debdd930c016c674390e2fa5c6d7bbdade707785708f4dddecf5a0650bb0c2a52e1015f3c32e510901a70da9fc0e99898b97a6ed945bdb31e1c3b
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3538626A1FCCCA43C7E18F220BDD9B02
  Filesize: 274B
  MD5: 7e1489d58ae123ab87ce1aa58580f24c
  SHA1: 443dada8cf876107fed1ac606a338f5dced185a2
  SHA256: 2719bf9bc73fa7115e706e7d9680fe8a3d4e4ec621ccd78a4a85ccde554bd267
  SHA512: 8f355dc37d85ae100dbad476369b0ee499bc9686a2db18c00f9e9f43869067e6b9ddd2df34f502b8d703e4ff92d4cd5b081a39a3eeb76eb6d60072479b4aca14
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
  Filesize: 396B
  MD5: 440d21f8e0b2f2ec6afa53e926eeb7d7
  SHA1: e55ddef032acc163b7622d9a945960150228353a
  SHA256: 06e50f0491edfdb8121a25bfd4e47033b4f92f16b6053fd3f660b6832a82176e
  SHA512: 08e5f352cde5f3629449e4280759601d41a5efed07f99ce6346aca9a768611f779e8611e8f07624f5779928048157f7e2f466b00fe9998a4acc5588424bde783
- C:\Users\Admin\AppData\Local\88d9e43b-38e9-4284-b019-467547e83545\7b3eb4e7cad673ac4e9d3894466a15dedd45621d116e0222209b3ab98b6677c3.exe (copy of the original sample; hashes match the target)
  Filesize: 740KB
  MD5: 5aad3088c1ccdb8ce85b137074fa9bd6
  SHA1: b964df4fe2ae3ab72e54a8e5e362ea8d15305270
  SHA256: 7b3eb4e7cad673ac4e9d3894466a15dedd45621d116e0222209b3ab98b6677c3
  SHA512: 26f8cc1b776ccd43073f72f3cd1466744a4437d851234b950ecd84d3c48595584ccb2ccad2e6f086e652e1d54b4735465b70cbdd659a0ca48ae76008b25eb0b1

Memory dumps
- memory/1968-136-0x0000000000000000-mapping.dmp
- memory/1968-141-0x0000000000D8F000-0x0000000000E20000-memory.dmp (580KB)
- memory/1968-142-0x0000000000400000-0x0000000000C56000-memory.dmp (8.3MB)
- memory/1968-143-0x0000000000400000-0x0000000000C56000-memory.dmp (8.3MB)
- memory/3488-130-0x000000000113B000-0x00000000011CC000-memory.dmp (580KB)
- memory/3488-133-0x0000000001290000-0x00000000013AA000-memory.dmp (1.1MB)
- memory/3488-132-0x0000000000400000-0x0000000000C56000-memory.dmp (8.3MB)
- memory/3488-131-0x0000000001290000-0x00000000013AA000-memory.dmp (1.1MB)
- memory/3488-144-0x0000000000400000-0x0000000000C56000-memory.dmp (8.3MB)
- memory/4584-134-0x0000000000000000-mapping.dmp