Overview

overview

10

Static

static

b7ea7d444d...dc.exe

windows7-x64

10

b7ea7d444d...dc.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    64s
  • max time network
    113s
  • platform
    windows7_x64
  • resource
    win7-20220718-en
  • resource tags

    arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
  • submitted
    05-08-2022 12:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b7ea7d444d1ed5677537a96796a496dc.exe

  • Size

    738KB

  • MD5

    b7ea7d444d1ed5677537a96796a496dc

  • SHA1

    738054720787a8f80e3a4f1bd92f08b3084190aa

  • SHA256

    0336cc8aff0e4974ede9e8901abeb10f836d50619cef1cb59aa41b447cea1ca5

  • SHA512

    6bfacd6fd078715661afc9e3657c625d8b941bfeeaf323ff798c7c7fb78c64f813c96c4a1cffeda08c2f820e8e315f0cc14944087a11d1502c4aeafaf068b2f0

Score
10/10
djvudiscoverypersistenceransomwarespywarestealer

Malware Config

Extracted

Family

djvu

C2

http://acacaca.org/test2/get.php

Attributes
  • extension

    .vvyu

  • offline_id

    rE5LpDv2ftYRXAo7bC18EpzfRMTHSGjgfyIMfZt1

  • payload_url

    http://rgyui.top/dl/build2.exe

    http://acacaca.org/files/1/build3.exe

  • ransomnote

    ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-QsoSRIeAK6 Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@bestyourmail.ch Reserve e-mail address to contact us: datarestorehelp@airmail.cc Your personal ID: 0531Jhyjd

rsa_pubkey.plain

Signatures

  • Detected Djvu ransomware 9 IoCs
  • Djvu Ransomware

    Ransomware which is a variant of the STOP family.

    ransomwaredjvu
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses 2FA software files, possible credential harvesting 2 TTPs
    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies system certificate store 2 TTPs 9 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b7ea7d444d1ed5677537a96796a496dc.exe
    "C:\Users\Admin\AppData\Local\Temp\b7ea7d444d1ed5677537a96796a496dc.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1412
    • C:\Users\Admin\AppData\Local\Temp\b7ea7d444d1ed5677537a96796a496dc.exe
      "C:\Users\Admin\AppData\Local\Temp\b7ea7d444d1ed5677537a96796a496dc.exe"
      2⤵
      • Adds Run key to start application
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1612
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Users\Admin\AppData\Local\701caa9c-76e4-43c5-a903-f0dbb5adccd6" /deny *S-1-1-0:(OI)(CI)(DE,DC)
        3⤵
        • Modifies file permissions
        PID:1776
      • C:\Users\Admin\AppData\Local\Temp\b7ea7d444d1ed5677537a96796a496dc.exe
        "C:\Users\Admin\AppData\Local\Temp\b7ea7d444d1ed5677537a96796a496dc.exe" --Admin IsNotAutoStart IsNotTask
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:560
        • C:\Users\Admin\AppData\Local\Temp\b7ea7d444d1ed5677537a96796a496dc.exe
          "C:\Users\Admin\AppData\Local\Temp\b7ea7d444d1ed5677537a96796a496dc.exe" --Admin IsNotAutoStart IsNotTask
          4⤵
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1588
          • C:\Users\Admin\AppData\Local\6ab63295-935f-4453-af5c-80fe4fa41420\build2.exe
            "C:\Users\Admin\AppData\Local\6ab63295-935f-4453-af5c-80fe4fa41420\build2.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:1088
            • C:\Users\Admin\AppData\Local\6ab63295-935f-4453-af5c-80fe4fa41420\build2.exe
              "C:\Users\Admin\AppData\Local\6ab63295-935f-4453-af5c-80fe4fa41420\build2.exe"
              6⤵
              • Executes dropped EXE
              • Checks processor information in registry
              • Modifies system certificate store
              • Suspicious behavior: EnumeratesProcesses
              PID:816

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

File Permissions Modification

1
T1222

Modify Registry

2
T1112

Install Root Certificate

1
T1130

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

3
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    340B

    MD5

    7cbc8d4d8ade607862b2102dfe7a5973

    SHA1

    6178fd07651d1a78db85a24594b0935a2479c73d

    SHA256

    76c10e1c2eb7cfedb803dba464f93f435d52c1bfe4f210e01c299c1709ceebaf

    SHA512

    a5ac20dcc16a41e18475ed497a7971126781c4ef5fd6464456cc9701abb20ffebc24a5d6f311cc8bc92de88bef9c230c8648f24dd1d307d519a05aa1c8e2e82a

    Download Submit
  • C:\Users\Admin\AppData\Local\6ab63295-935f-4453-af5c-80fe4fa41420\build2.exe
    Filesize

    438KB

    MD5

    2f3d0323ba962334ef87ed098ad02289

    SHA1

    5b4c70e331af83eaf384f45a01e322b094353375

    SHA256

    12a51367c5c85ff3c1dc73743cface2e01accecf2879a36adbddf566d52987b3

    SHA512

    1e33ace1068f614bfac35aa67733c2806328b586be273a611409df87be03c5edc9e312ab213004c8fab71453ef5e34e474d9273c4a97d95d135c18f440674ad3

    Download Submit
  • C:\Users\Admin\AppData\Local\6ab63295-935f-4453-af5c-80fe4fa41420\build2.exe
    Filesize

    438KB

    MD5

    2f3d0323ba962334ef87ed098ad02289

    SHA1

    5b4c70e331af83eaf384f45a01e322b094353375

    SHA256

    12a51367c5c85ff3c1dc73743cface2e01accecf2879a36adbddf566d52987b3

    SHA512

    1e33ace1068f614bfac35aa67733c2806328b586be273a611409df87be03c5edc9e312ab213004c8fab71453ef5e34e474d9273c4a97d95d135c18f440674ad3

    Download Submit
  • C:\Users\Admin\AppData\Local\6ab63295-935f-4453-af5c-80fe4fa41420\build2.exe
    Filesize

    438KB

    MD5

    2f3d0323ba962334ef87ed098ad02289

    SHA1

    5b4c70e331af83eaf384f45a01e322b094353375

    SHA256

    12a51367c5c85ff3c1dc73743cface2e01accecf2879a36adbddf566d52987b3

    SHA512

    1e33ace1068f614bfac35aa67733c2806328b586be273a611409df87be03c5edc9e312ab213004c8fab71453ef5e34e474d9273c4a97d95d135c18f440674ad3

    Download Submit
  • C:\Users\Admin\AppData\Local\701caa9c-76e4-43c5-a903-f0dbb5adccd6\b7ea7d444d1ed5677537a96796a496dc.exe
    Filesize

    738KB

    MD5

    b7ea7d444d1ed5677537a96796a496dc

    SHA1

    738054720787a8f80e3a4f1bd92f08b3084190aa

    SHA256

    0336cc8aff0e4974ede9e8901abeb10f836d50619cef1cb59aa41b447cea1ca5

    SHA512

    6bfacd6fd078715661afc9e3657c625d8b941bfeeaf323ff798c7c7fb78c64f813c96c4a1cffeda08c2f820e8e315f0cc14944087a11d1502c4aeafaf068b2f0

    Download Submit
  • \Users\Admin\AppData\Local\6ab63295-935f-4453-af5c-80fe4fa41420\build2.exe
    Filesize

    438KB

    MD5

    2f3d0323ba962334ef87ed098ad02289

    SHA1

    5b4c70e331af83eaf384f45a01e322b094353375

    SHA256

    12a51367c5c85ff3c1dc73743cface2e01accecf2879a36adbddf566d52987b3

    SHA512

    1e33ace1068f614bfac35aa67733c2806328b586be273a611409df87be03c5edc9e312ab213004c8fab71453ef5e34e474d9273c4a97d95d135c18f440674ad3

    Download Submit
  • \Users\Admin\AppData\Local\6ab63295-935f-4453-af5c-80fe4fa41420\build2.exe
    Filesize

    438KB

    MD5

    2f3d0323ba962334ef87ed098ad02289

    SHA1

    5b4c70e331af83eaf384f45a01e322b094353375

    SHA256

    12a51367c5c85ff3c1dc73743cface2e01accecf2879a36adbddf566d52987b3

    SHA512

    1e33ace1068f614bfac35aa67733c2806328b586be273a611409df87be03c5edc9e312ab213004c8fab71453ef5e34e474d9273c4a97d95d135c18f440674ad3

    Download Submit
  • memory/560-65-0x0000000000000000-mapping.dmp
    Download
  • memory/560-67-0x0000000000320000-0x00000000003B2000-memory.dmp
    Filesize

    584KB

    Download
  • memory/560-71-0x0000000000320000-0x00000000003B2000-memory.dmp
    Filesize

    584KB

    Download
  • memory/816-90-0x0000000060900000-0x0000000060992000-memory.dmp
    Filesize

    584KB

    Download
  • memory/816-86-0x0000000000400000-0x0000000000459000-memory.dmp
    Filesize

    356KB

    Download
  • memory/816-80-0x0000000000400000-0x0000000000459000-memory.dmp
    Filesize

    356KB

    Download
  • memory/816-109-0x0000000000400000-0x0000000000459000-memory.dmp
    Filesize

    356KB

    Download
  • memory/816-81-0x000000000041FE8C-mapping.dmp
    Download
  • memory/816-89-0x0000000000400000-0x0000000000459000-memory.dmp
    Filesize

    356KB

    Download
  • memory/1088-84-0x00000000005BB000-0x00000000005E4000-memory.dmp
    Filesize

    164KB

    Download
  • memory/1088-77-0x0000000000000000-mapping.dmp
    Download
  • memory/1088-85-0x0000000000220000-0x0000000000266000-memory.dmp
    Filesize

    280KB

    Download
  • memory/1412-59-0x0000000003F20000-0x000000000403B000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1412-54-0x0000000002540000-0x00000000025D2000-memory.dmp
    Filesize

    584KB

    Download
  • memory/1412-58-0x0000000002540000-0x00000000025D2000-memory.dmp
    Filesize

    584KB

    Download
  • memory/1588-74-0x0000000000400000-0x0000000000537000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/1588-73-0x0000000000400000-0x0000000000537000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/1588-69-0x0000000000424141-mapping.dmp
    Download
  • memory/1612-66-0x0000000000400000-0x0000000000537000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/1612-62-0x0000000000400000-0x0000000000537000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/1612-61-0x0000000000400000-0x0000000000537000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/1612-60-0x0000000076291000-0x0000000076293000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1612-56-0x0000000000424141-mapping.dmp
    Download
  • memory/1612-55-0x0000000000400000-0x0000000000537000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/1776-63-0x0000000000000000-mapping.dmp
    Download