djvu | a571b2b859fd9733b05819f410957ea9e64393e1423ea971c1c7da329fb1797a

General

Target

a571b2b859fd9733b05819f410957ea9e64393e1423ea971c1c7da329fb1797a.exe
Size

777KB
MD5

20f2afd8da63e9a7c46c6ac70abfe9bc
SHA1

0a95131b75f6554950010efd7443b080495b5369
SHA256

a571b2b859fd9733b05819f410957ea9e64393e1423ea971c1c7da329fb1797a
SHA512

5f6caebdcefd378b320261e0750d157b4efd42b723dd0fc4fe13fb7987d1a1eed2721992ef717a380ff7dacb711a30f3f88ce4062ad9de10de7bd708c799eb28
SSDEEP

24576:ouXXgnnnWiA41Kw9kYWHXle6+jhqFlc9vKFQ/fdtT:ouEbN1YnHX9+NqU3/fLT

Score

10^/10

djvu discovery persistence ransomware

Malware Config

Extracted

Family

djvu

C2

http://acacaca.org/test1/get.php

Attributes

extension
.mmpu
offline_id
yd6oYv6aBN90yFzTWdZ34sXSXtXiauzOLXZyWht1
payload_url
http://rgyui.top/dl/build2.exe

http://acacaca.org/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-xuPJqoyzQE Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0554Jhyjd

rsa_pubkey.plain

Signatures

Detected Djvu ransomware 9 IoCs

resource	yara_rule
behavioral1/memory/2148-133-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2148-134-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3932-136-0x0000000000AD0000-0x0000000000BEB000-memory.dmp	family_djvu
behavioral1/memory/2148-137-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2148-140-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2148-142-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4704-145-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4704-147-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4704-153-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	a571b2b859fd9733b05819f410957ea9e64393e1423ea971c1c7da329fb1797a.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3588	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\9e4a3527-6bfd-4bdb-b910-49b1a73d0070\\a571b2b859fd9733b05819f410957ea9e64393e1423ea971c1c7da329fb1797a.exe\" --AutoStart"	a571b2b859fd9733b05819f410957ea9e64393e1423ea971c1c7da329fb1797a.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
32	api.2ip.ua
33	api.2ip.ua
38	api.2ip.ua

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3932 set thread context of 2148	3932	a571b2b859fd9733b05819f410957ea9e64393e1423ea971c1c7da329fb1797a.exe	88
PID 1496 set thread context of 4704	1496	a571b2b859fd9733b05819f410957ea9e64393e1423ea971c1c7da329fb1797a.exe	92

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2148	a571b2b859fd9733b05819f410957ea9e64393e1423ea971c1c7da329fb1797a.exe
2148	a571b2b859fd9733b05819f410957ea9e64393e1423ea971c1c7da329fb1797a.exe
4704	a571b2b859fd9733b05819f410957ea9e64393e1423ea971c1c7da329fb1797a.exe
4704	a571b2b859fd9733b05819f410957ea9e64393e1423ea971c1c7da329fb1797a.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 3932 wrote to memory of 2148	3932	a571b2b859fd9733b05819f410957ea9e64393e1423ea971c1c7da329fb1797a.exe	88
PID 3932 wrote to memory of 2148	3932	a571b2b859fd9733b05819f410957ea9e64393e1423ea971c1c7da329fb1797a.exe	88
PID 3932 wrote to memory of 2148	3932	a571b2b859fd9733b05819f410957ea9e64393e1423ea971c1c7da329fb1797a.exe	88
PID 3932 wrote to memory of 2148	3932	a571b2b859fd9733b05819f410957ea9e64393e1423ea971c1c7da329fb1797a.exe	88
PID 3932 wrote to memory of 2148	3932	a571b2b859fd9733b05819f410957ea9e64393e1423ea971c1c7da329fb1797a.exe	88
PID 3932 wrote to memory of 2148	3932	a571b2b859fd9733b05819f410957ea9e64393e1423ea971c1c7da329fb1797a.exe	88
PID 3932 wrote to memory of 2148	3932	a571b2b859fd9733b05819f410957ea9e64393e1423ea971c1c7da329fb1797a.exe	88
PID 3932 wrote to memory of 2148	3932	a571b2b859fd9733b05819f410957ea9e64393e1423ea971c1c7da329fb1797a.exe	88
PID 3932 wrote to memory of 2148	3932	a571b2b859fd9733b05819f410957ea9e64393e1423ea971c1c7da329fb1797a.exe	88
PID 3932 wrote to memory of 2148	3932	a571b2b859fd9733b05819f410957ea9e64393e1423ea971c1c7da329fb1797a.exe	88
PID 2148 wrote to memory of 3588	2148	a571b2b859fd9733b05819f410957ea9e64393e1423ea971c1c7da329fb1797a.exe	89
PID 2148 wrote to memory of 3588	2148	a571b2b859fd9733b05819f410957ea9e64393e1423ea971c1c7da329fb1797a.exe	89
PID 2148 wrote to memory of 3588	2148	a571b2b859fd9733b05819f410957ea9e64393e1423ea971c1c7da329fb1797a.exe	89
PID 2148 wrote to memory of 1496	2148	a571b2b859fd9733b05819f410957ea9e64393e1423ea971c1c7da329fb1797a.exe	90
PID 2148 wrote to memory of 1496	2148	a571b2b859fd9733b05819f410957ea9e64393e1423ea971c1c7da329fb1797a.exe	90
PID 2148 wrote to memory of 1496	2148	a571b2b859fd9733b05819f410957ea9e64393e1423ea971c1c7da329fb1797a.exe	90
PID 1496 wrote to memory of 4704	1496	a571b2b859fd9733b05819f410957ea9e64393e1423ea971c1c7da329fb1797a.exe	92
PID 1496 wrote to memory of 4704	1496	a571b2b859fd9733b05819f410957ea9e64393e1423ea971c1c7da329fb1797a.exe	92
PID 1496 wrote to memory of 4704	1496	a571b2b859fd9733b05819f410957ea9e64393e1423ea971c1c7da329fb1797a.exe	92
PID 1496 wrote to memory of 4704	1496	a571b2b859fd9733b05819f410957ea9e64393e1423ea971c1c7da329fb1797a.exe	92
PID 1496 wrote to memory of 4704	1496	a571b2b859fd9733b05819f410957ea9e64393e1423ea971c1c7da329fb1797a.exe	92
PID 1496 wrote to memory of 4704	1496	a571b2b859fd9733b05819f410957ea9e64393e1423ea971c1c7da329fb1797a.exe	92
PID 1496 wrote to memory of 4704	1496	a571b2b859fd9733b05819f410957ea9e64393e1423ea971c1c7da329fb1797a.exe	92
PID 1496 wrote to memory of 4704	1496	a571b2b859fd9733b05819f410957ea9e64393e1423ea971c1c7da329fb1797a.exe	92
PID 1496 wrote to memory of 4704	1496	a571b2b859fd9733b05819f410957ea9e64393e1423ea971c1c7da329fb1797a.exe	92
PID 1496 wrote to memory of 4704	1496	a571b2b859fd9733b05819f410957ea9e64393e1423ea971c1c7da329fb1797a.exe	92

C:\Users\Admin\AppData\Local\Temp\a571b2b859fd9733b05819f410957ea9e64393e1423ea971c1c7da329fb1797a.exe
"C:\Users\Admin\AppData\Local\Temp\a571b2b859fd9733b05819f410957ea9e64393e1423ea971c1c7da329fb1797a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3932
- C:\Users\Admin\AppData\Local\Temp\a571b2b859fd9733b05819f410957ea9e64393e1423ea971c1c7da329fb1797a.exe
  "C:\Users\Admin\AppData\Local\Temp\a571b2b859fd9733b05819f410957ea9e64393e1423ea971c1c7da329fb1797a.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\9e4a3527-6bfd-4bdb-b910-49b1a73d0070" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:3588
- - C:\Users\Admin\AppData\Local\Temp\a571b2b859fd9733b05819f410957ea9e64393e1423ea971c1c7da329fb1797a.exe
    "C:\Users\Admin\AppData\Local\Temp\a571b2b859fd9733b05819f410957ea9e64393e1423ea971c1c7da329fb1797a.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1496
  - - C:\Users\Admin\AppData\Local\Temp\a571b2b859fd9733b05819f410957ea9e64393e1423ea971c1c7da329fb1797a.exe
      "C:\Users\Admin\AppData\Local\Temp\a571b2b859fd9733b05819f410957ea9e64393e1423ea971c1c7da329fb1797a.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4704

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
2KB

MD5
9cd19ed49787d5bf969ac81a2dbf7ce9

SHA1
4ff7b3372f9778f210014bdd7989d6f9442caa37

SHA256
5e317a2565c34c5d13efedd5a58537a9f255df17457a567e5fcc061962475b22

SHA512
589a98c719b6f67e875cc05438d4801d8025e8661bc30d51351df864314f0f4e5f35aa27422954a43eddd9ca04903043b46a47335311586f709e8eeae87cf7b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
7c27ffae0cbd6d55b86f387667635294

SHA1
6df10a537a970852086711da85ae84f7355bff72

SHA256
b6a9400010fea1af51104c2b48fdd4383d8b7a81bd62a22c188db3cdb7413503

SHA512
140752fd448ed5cd01c5463d67b7dd2c5c111fd4256d3686b792bc0ff788bed49fdfe901402fdb080b9a6c0789725dda6256280120fadc5aca1f127a552e13d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
488B

MD5
3b42d0c5ae1827fc0345b08a2941b727

SHA1
7c722355285918e5c67e9f6705ffcd922c5920fe

SHA256
a495a729047a31254e7869f10f963327a009e9905ddb1780a1746d6c8dae57d3

SHA512
7eab4c2641cc4996731ec6cf65454f790c192a5e46df9ea1c46cd223bbbf0dbea2412abe5e952208ab836c60b56f9b3df56b894b09f9585b8ba4a4054bea3511

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
6c9b64bc966dfe7725273ae6644572f9

SHA1
fce1f9c3e7f5a2b31f02d90c83f4ed8e8ceddbff

SHA256
e291a0be5aaf882589b8b763faaf449ac580369ca07f644d3273430b9a6d4daf

SHA512
174b2cc7636cc304dcbc708e809107c3a82d8e45b79cd1b6265627c466a77a647bc2c89e44474be10ddf0bb95842546942ce032b5fde72973bd6c33241c2d3f8

Download Submit
C:\Users\Admin\AppData\Local\9e4a3527-6bfd-4bdb-b910-49b1a73d0070\a571b2b859fd9733b05819f410957ea9e64393e1423ea971c1c7da329fb1797a.exe

Filesize
777KB

MD5
20f2afd8da63e9a7c46c6ac70abfe9bc

SHA1
0a95131b75f6554950010efd7443b080495b5369

SHA256
a571b2b859fd9733b05819f410957ea9e64393e1423ea971c1c7da329fb1797a

SHA512
5f6caebdcefd378b320261e0750d157b4efd42b723dd0fc4fe13fb7987d1a1eed2721992ef717a380ff7dacb711a30f3f88ce4062ad9de10de7bd708c799eb28

Download Submit
memory/1496-146-0x0000000002392000-0x0000000002423000-memory.dmp

Filesize
580KB

Download
memory/2148-137-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2148-140-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2148-142-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2148-134-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2148-133-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3932-136-0x0000000000AD0000-0x0000000000BEB000-memory.dmp

Filesize
1.1MB

Download
memory/3932-135-0x000000000260F000-0x00000000026A0000-memory.dmp

Filesize
580KB

Download
memory/4704-145-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4704-147-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4704-153-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing