djvu | 0c2a775a23136ad1d8203337eaaa4f1735291bbb52ca9cadbfff3c38aef503b1

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
13/09/2022, 08:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0c2a775a23136ad1d8203337eaaa4f1735291bbb52ca9cadbfff3c38aef503b1.exe
Size

785KB
MD5

25ed15fcc47baf5aacf482884d304f0d
SHA1

71520f3b8681165de02889df82d118f7fb8160f2
SHA256

0c2a775a23136ad1d8203337eaaa4f1735291bbb52ca9cadbfff3c38aef503b1
SHA512

74109fdcf701b9b782488aa3b5c11e8385472e51bb71ae114f6bce36c8f5c04c581a1f9fe55843ffe6ade062999ae7215e5edc23757b00b8fd6d82f174e0edf8
SSDEEP

24576:T1q0Ql12Tp3tvshlTJfZ5rcTXLB2FzP4mOTryip:9puRJfZ4cFBCDp

Score

10^/10

djvu discovery persistence ransomware

Malware Config

Extracted

Family

djvu

http://acacaca.org/test3/get.php

Attributes

extension
.eemv
offline_id
5IVlpkccZlJz0AZ5atgGWVKe9CGAnXjohDf40mt1
payload_url
http://rgyui.top/dl/build2.exe

http://acacaca.org/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-0e5rCKsYCc Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0560Jhyjd

rsa_pubkey.plain

Signatures

Detected Djvu ransomware 10 IoCs

resource	yara_rule
behavioral1/memory/1704-133-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1704-134-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3404-137-0x0000000000BD0000-0x0000000000CEB000-memory.dmp	family_djvu
behavioral1/memory/1704-136-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1704-140-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1704-142-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3404-143-0x0000000000BD0000-0x0000000000CEB000-memory.dmp	family_djvu
behavioral1/memory/4944-147-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4944-148-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4944-154-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
1792	build2.exe
4456	build3.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	0c2a775a23136ad1d8203337eaaa4f1735291bbb52ca9cadbfff3c38aef503b1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	0c2a775a23136ad1d8203337eaaa4f1735291bbb52ca9cadbfff3c38aef503b1.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3444	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\1c7974d8-0243-4d6e-99a8-ee5934aa6db9\\0c2a775a23136ad1d8203337eaaa4f1735291bbb52ca9cadbfff3c38aef503b1.exe\" --AutoStart"	0c2a775a23136ad1d8203337eaaa4f1735291bbb52ca9cadbfff3c38aef503b1.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
59	api.2ip.ua
52	api.2ip.ua
53	api.2ip.ua

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3404 set thread context of 1704	3404	0c2a775a23136ad1d8203337eaaa4f1735291bbb52ca9cadbfff3c38aef503b1.exe	98
PID 3468 set thread context of 4944	3468	0c2a775a23136ad1d8203337eaaa4f1735291bbb52ca9cadbfff3c38aef503b1.exe	103

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1704	0c2a775a23136ad1d8203337eaaa4f1735291bbb52ca9cadbfff3c38aef503b1.exe
1704	0c2a775a23136ad1d8203337eaaa4f1735291bbb52ca9cadbfff3c38aef503b1.exe
4944	0c2a775a23136ad1d8203337eaaa4f1735291bbb52ca9cadbfff3c38aef503b1.exe
4944	0c2a775a23136ad1d8203337eaaa4f1735291bbb52ca9cadbfff3c38aef503b1.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 3404 wrote to memory of 1704	3404	0c2a775a23136ad1d8203337eaaa4f1735291bbb52ca9cadbfff3c38aef503b1.exe	98
PID 3404 wrote to memory of 1704	3404	0c2a775a23136ad1d8203337eaaa4f1735291bbb52ca9cadbfff3c38aef503b1.exe	98
PID 3404 wrote to memory of 1704	3404	0c2a775a23136ad1d8203337eaaa4f1735291bbb52ca9cadbfff3c38aef503b1.exe	98
PID 3404 wrote to memory of 1704	3404	0c2a775a23136ad1d8203337eaaa4f1735291bbb52ca9cadbfff3c38aef503b1.exe	98
PID 3404 wrote to memory of 1704	3404	0c2a775a23136ad1d8203337eaaa4f1735291bbb52ca9cadbfff3c38aef503b1.exe	98
PID 3404 wrote to memory of 1704	3404	0c2a775a23136ad1d8203337eaaa4f1735291bbb52ca9cadbfff3c38aef503b1.exe	98
PID 3404 wrote to memory of 1704	3404	0c2a775a23136ad1d8203337eaaa4f1735291bbb52ca9cadbfff3c38aef503b1.exe	98
PID 3404 wrote to memory of 1704	3404	0c2a775a23136ad1d8203337eaaa4f1735291bbb52ca9cadbfff3c38aef503b1.exe	98
PID 3404 wrote to memory of 1704	3404	0c2a775a23136ad1d8203337eaaa4f1735291bbb52ca9cadbfff3c38aef503b1.exe	98
PID 3404 wrote to memory of 1704	3404	0c2a775a23136ad1d8203337eaaa4f1735291bbb52ca9cadbfff3c38aef503b1.exe	98
PID 1704 wrote to memory of 3444	1704	0c2a775a23136ad1d8203337eaaa4f1735291bbb52ca9cadbfff3c38aef503b1.exe	99
PID 1704 wrote to memory of 3444	1704	0c2a775a23136ad1d8203337eaaa4f1735291bbb52ca9cadbfff3c38aef503b1.exe	99
PID 1704 wrote to memory of 3444	1704	0c2a775a23136ad1d8203337eaaa4f1735291bbb52ca9cadbfff3c38aef503b1.exe	99
PID 1704 wrote to memory of 3468	1704	0c2a775a23136ad1d8203337eaaa4f1735291bbb52ca9cadbfff3c38aef503b1.exe	101
PID 1704 wrote to memory of 3468	1704	0c2a775a23136ad1d8203337eaaa4f1735291bbb52ca9cadbfff3c38aef503b1.exe	101
PID 1704 wrote to memory of 3468	1704	0c2a775a23136ad1d8203337eaaa4f1735291bbb52ca9cadbfff3c38aef503b1.exe	101
PID 3468 wrote to memory of 4944	3468	0c2a775a23136ad1d8203337eaaa4f1735291bbb52ca9cadbfff3c38aef503b1.exe	103
PID 3468 wrote to memory of 4944	3468	0c2a775a23136ad1d8203337eaaa4f1735291bbb52ca9cadbfff3c38aef503b1.exe	103
PID 3468 wrote to memory of 4944	3468	0c2a775a23136ad1d8203337eaaa4f1735291bbb52ca9cadbfff3c38aef503b1.exe	103
PID 3468 wrote to memory of 4944	3468	0c2a775a23136ad1d8203337eaaa4f1735291bbb52ca9cadbfff3c38aef503b1.exe	103
PID 3468 wrote to memory of 4944	3468	0c2a775a23136ad1d8203337eaaa4f1735291bbb52ca9cadbfff3c38aef503b1.exe	103
PID 3468 wrote to memory of 4944	3468	0c2a775a23136ad1d8203337eaaa4f1735291bbb52ca9cadbfff3c38aef503b1.exe	103
PID 3468 wrote to memory of 4944	3468	0c2a775a23136ad1d8203337eaaa4f1735291bbb52ca9cadbfff3c38aef503b1.exe	103
PID 3468 wrote to memory of 4944	3468	0c2a775a23136ad1d8203337eaaa4f1735291bbb52ca9cadbfff3c38aef503b1.exe	103
PID 3468 wrote to memory of 4944	3468	0c2a775a23136ad1d8203337eaaa4f1735291bbb52ca9cadbfff3c38aef503b1.exe	103
PID 3468 wrote to memory of 4944	3468	0c2a775a23136ad1d8203337eaaa4f1735291bbb52ca9cadbfff3c38aef503b1.exe	103
PID 4944 wrote to memory of 1792	4944	0c2a775a23136ad1d8203337eaaa4f1735291bbb52ca9cadbfff3c38aef503b1.exe	104
PID 4944 wrote to memory of 1792	4944	0c2a775a23136ad1d8203337eaaa4f1735291bbb52ca9cadbfff3c38aef503b1.exe	104
PID 4944 wrote to memory of 1792	4944	0c2a775a23136ad1d8203337eaaa4f1735291bbb52ca9cadbfff3c38aef503b1.exe	104
PID 4944 wrote to memory of 4456	4944	0c2a775a23136ad1d8203337eaaa4f1735291bbb52ca9cadbfff3c38aef503b1.exe	105
PID 4944 wrote to memory of 4456	4944	0c2a775a23136ad1d8203337eaaa4f1735291bbb52ca9cadbfff3c38aef503b1.exe	105
PID 4944 wrote to memory of 4456	4944	0c2a775a23136ad1d8203337eaaa4f1735291bbb52ca9cadbfff3c38aef503b1.exe	105

C:\Users\Admin\AppData\Local\Temp\0c2a775a23136ad1d8203337eaaa4f1735291bbb52ca9cadbfff3c38aef503b1.exe
"C:\Users\Admin\AppData\Local\Temp\0c2a775a23136ad1d8203337eaaa4f1735291bbb52ca9cadbfff3c38aef503b1.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3404
- C:\Users\Admin\AppData\Local\Temp\0c2a775a23136ad1d8203337eaaa4f1735291bbb52ca9cadbfff3c38aef503b1.exe
  "C:\Users\Admin\AppData\Local\Temp\0c2a775a23136ad1d8203337eaaa4f1735291bbb52ca9cadbfff3c38aef503b1.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1704
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\1c7974d8-0243-4d6e-99a8-ee5934aa6db9" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:3444
- - C:\Users\Admin\AppData\Local\Temp\0c2a775a23136ad1d8203337eaaa4f1735291bbb52ca9cadbfff3c38aef503b1.exe
    "C:\Users\Admin\AppData\Local\Temp\0c2a775a23136ad1d8203337eaaa4f1735291bbb52ca9cadbfff3c38aef503b1.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3468
  - - C:\Users\Admin\AppData\Local\Temp\0c2a775a23136ad1d8203337eaaa4f1735291bbb52ca9cadbfff3c38aef503b1.exe
      "C:\Users\Admin\AppData\Local\Temp\0c2a775a23136ad1d8203337eaaa4f1735291bbb52ca9cadbfff3c38aef503b1.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4944
    - - C:\Users\Admin\AppData\Local\c0a9131a-83fa-4cfb-ba43-750e8502f58b\build2.exe
        
        "C:\Users\Admin\AppData\Local\c0a9131a-83fa-4cfb-ba43-750e8502f58b\build2.exe"
        5⤵
        Executes dropped EXE
        
        PID:1792
    - - C:\Users\Admin\AppData\Local\c0a9131a-83fa-4cfb-ba43-750e8502f58b\build3.exe
        
        "C:\Users\Admin\AppData\Local\c0a9131a-83fa-4cfb-ba43-750e8502f58b\build3.exe"
        5⤵
        Executes dropped EXE
        
        PID:4456

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
2KB

MD5
910603594425299d07a9bf561ef588c6

SHA1
59ed14f0d20edc91d8a6567fe1bb1ec7e96c8831

SHA256
a7dfa311595fe59da0adf05ee1ff0fea64551b6b5217bd7fe4eafd2fc8c6bc47

SHA512
784c28c4f0f4f849f22e32fb61c7ead9941689f65febce67b13b20af39c241e5c05ac54a0afa5a95d69a346ad2edd5bfc646cdb4d3977fbc1944f546b8eb0f81

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
f191076258311b1fe5066e03e7b13dbf

SHA1
2ac063d314cbdf6e79a3e24fa8e86b1ae508082e

SHA256
925f02dbd174d57f92ad195bde3d98bd352c63a06371c647186be61c1b14634d

SHA512
a0193b57481ff0338a86659bd9268b3f9886439ff91df0757fccbe1e87cc25428b8ecc9da49504ec1d23472615449c37610b8e0c4f0750eb1d386394a5c48ed1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
488B

MD5
fee907594618ddcd4dc96e09caa529a9

SHA1
8eb87cdc400354e248151efa21e2132ff78dbf09

SHA256
b1eaf7538dd86e5aa8be96a28683069f910a97a91fc3b6b87866d2a7052c482a

SHA512
09212f372fbf622e1e38478891ad5458bc629f8507bad7352febec13ac9b698499c6c9249ae89484110d138b8d5d26f0e96e3f455bc2e07587c72f8b26bf62ed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
becde3fc37a8297541ad6feee369769c

SHA1
51ff2b45fe8bddea7fd201699bdb982bae031b27

SHA256
66f38937350fb784132c5f652b85dbcce1ec9ba541414059033925bb33442e7e

SHA512
2c9a79f4bfd90a09e39ab216628fa364d96be2f83eb5e8afe70755506e705a3fad0cf893119146ae9acad3a9b7d111717b39be56faf4a266249ead6fcf62ca7e

Download Submit
C:\Users\Admin\AppData\Local\1c7974d8-0243-4d6e-99a8-ee5934aa6db9\0c2a775a23136ad1d8203337eaaa4f1735291bbb52ca9cadbfff3c38aef503b1.exe

Filesize
785KB

MD5
25ed15fcc47baf5aacf482884d304f0d

SHA1
71520f3b8681165de02889df82d118f7fb8160f2

SHA256
0c2a775a23136ad1d8203337eaaa4f1735291bbb52ca9cadbfff3c38aef503b1

SHA512
74109fdcf701b9b782488aa3b5c11e8385472e51bb71ae114f6bce36c8f5c04c581a1f9fe55843ffe6ade062999ae7215e5edc23757b00b8fd6d82f174e0edf8

Download Submit
C:\Users\Admin\AppData\Local\c0a9131a-83fa-4cfb-ba43-750e8502f58b\build2.exe

Filesize
376KB

MD5
8b01bb02b7aeb097ba96dc7628575ca0

SHA1
11046fb024f695b1dc7a3a0be9167cb4e85548c6

SHA256
7abb4b2423a93fa4b7a2cd19bcc854cc96d2e9ed20c13b86c39f49fe7cb80e4a

SHA512
64cd772d4e319255e32909577ac137966cd47bd295aa3a61a76e52d651d80d313a3cfee7ea88d703bb293931a91558161184de2b76f8e5d9a2358a065c5c5f35

Download Submit
C:\Users\Admin\AppData\Local\c0a9131a-83fa-4cfb-ba43-750e8502f58b\build2.exe

Filesize
376KB

MD5
8b01bb02b7aeb097ba96dc7628575ca0

SHA1
11046fb024f695b1dc7a3a0be9167cb4e85548c6

SHA256
7abb4b2423a93fa4b7a2cd19bcc854cc96d2e9ed20c13b86c39f49fe7cb80e4a

SHA512
64cd772d4e319255e32909577ac137966cd47bd295aa3a61a76e52d651d80d313a3cfee7ea88d703bb293931a91558161184de2b76f8e5d9a2358a065c5c5f35

Download Submit
C:\Users\Admin\AppData\Local\c0a9131a-83fa-4cfb-ba43-750e8502f58b\build3.exe

Filesize
299KB

MD5
41b883a061c95e9b9cb17d4ca50de770

SHA1
1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad

SHA256
fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408

SHA512
cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

Download Submit
C:\Users\Admin\AppData\Local\c0a9131a-83fa-4cfb-ba43-750e8502f58b\build3.exe

Filesize
299KB

MD5
41b883a061c95e9b9cb17d4ca50de770

SHA1
1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad

SHA256
fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408

SHA512
cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

Download Submit
memory/1704-140-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1704-142-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1704-136-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1704-134-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1704-133-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3404-143-0x0000000000BD0000-0x0000000000CEB000-memory.dmp

Filesize
1.1MB

Download
memory/3404-137-0x0000000000BD0000-0x0000000000CEB000-memory.dmp

Filesize
1.1MB

Download
memory/3404-135-0x0000000000A00000-0x0000000000A91000-memory.dmp

Filesize
580KB

Download
memory/3468-146-0x00000000008F0000-0x0000000000981000-memory.dmp

Filesize
580KB

Download
memory/4944-154-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4944-148-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4944-147-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download