djvu | 7086ce481a116a0ea426906f72355763fdb9ca158a230ed498a2302cceee36a4

General

Target

file.exe
Size

807KB
MD5

bfccab428f007b6e859dec945beefb36
SHA1

9ac7cc6f12ba8f6c1a5945f62a6eb55672db1cd8
SHA256

7086ce481a116a0ea426906f72355763fdb9ca158a230ed498a2302cceee36a4
SHA512

01b21e60596737868572ce24f80dac487d98513d03fc33504d686697df266e40f8c20245360d2e32705b632477bda568a1ab46d64c654178ca2f3b7de7fcdd58
SSDEEP

24576:Hk1WfgP+v7D52HfCS20OwYhsqhOVXDx9aVldLI0ozClw:Egm052/720OwYhsqEVXF9aV3/xlw

Score

10^/10

djvu discovery persistence ransomware

Malware Config

Extracted

Family

djvu

C2

http://fresherlights.com/test1/get.php

Attributes

extension
.tcvp
offline_id
JBPpFMvWlKMsKlJRmPJl5e09RSnYrRJya1oX8xt1
payload_url
http://uaery.top/dl/build2.exe

http://fresherlights.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-bpYXr2m3kI Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0604Jhyjd

rsa_pubkey.plain

Signatures

Detected Djvu ransomware 9 IoCs

Processes:

resource	yara_rule
behavioral2/memory/112-133-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2992-136-0x00000000021F0000-0x000000000230B000-memory.dmp	family_djvu
behavioral2/memory/112-134-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/112-137-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/112-138-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/112-143-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1692-146-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1692-147-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1692-148-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Downloads MZ/PE file
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

file.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation file.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

2384 icacls.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	file.exe

pid	process
2384	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

file.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\3c6b172f-bb1a-40da-8d6f-22419149c0ba\\file.exe\" --AutoStart"	file.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

28 api.2ip.ua
Suspicious use of SetThreadContext 2 IoCs

Processes:

file.exefile.exe

description pid process target process

PID 2992 set thread context of 112 2992 file.exe file.exe
PID 1100 set thread context of 1692 1100 file.exe file.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

file.exefile.exe

pid process

112 file.exe
112 file.exe
1692 file.exe
1692 file.exe

flow	ioc
28	api.2ip.ua

description	pid	process	target process
PID 2992 set thread context of 112	2992	file.exe	file.exe
PID 1100 set thread context of 1692	1100	file.exe	file.exe

pid	process
112	file.exe
112	file.exe
1692	file.exe
1692	file.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

file.exefile.exefile.exe

description	pid	process	target process
PID 2992 wrote to memory of 112	2992	file.exe	file.exe
PID 2992 wrote to memory of 112	2992	file.exe	file.exe
PID 2992 wrote to memory of 112	2992	file.exe	file.exe
PID 2992 wrote to memory of 112	2992	file.exe	file.exe
PID 2992 wrote to memory of 112	2992	file.exe	file.exe
PID 2992 wrote to memory of 112	2992	file.exe	file.exe
PID 2992 wrote to memory of 112	2992	file.exe	file.exe
PID 2992 wrote to memory of 112	2992	file.exe	file.exe
PID 2992 wrote to memory of 112	2992	file.exe	file.exe
PID 2992 wrote to memory of 112	2992	file.exe	file.exe
PID 112 wrote to memory of 2384	112	file.exe	icacls.exe
PID 112 wrote to memory of 2384	112	file.exe	icacls.exe
PID 112 wrote to memory of 2384	112	file.exe	icacls.exe
PID 112 wrote to memory of 1100	112	file.exe	file.exe
PID 112 wrote to memory of 1100	112	file.exe	file.exe
PID 112 wrote to memory of 1100	112	file.exe	file.exe
PID 1100 wrote to memory of 1692	1100	file.exe	file.exe
PID 1100 wrote to memory of 1692	1100	file.exe	file.exe
PID 1100 wrote to memory of 1692	1100	file.exe	file.exe
PID 1100 wrote to memory of 1692	1100	file.exe	file.exe
PID 1100 wrote to memory of 1692	1100	file.exe	file.exe
PID 1100 wrote to memory of 1692	1100	file.exe	file.exe
PID 1100 wrote to memory of 1692	1100	file.exe	file.exe
PID 1100 wrote to memory of 1692	1100	file.exe	file.exe
PID 1100 wrote to memory of 1692	1100	file.exe	file.exe
PID 1100 wrote to memory of 1692	1100	file.exe	file.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2992

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
2⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:112

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\3c6b172f-bb1a-40da-8d6f-22419149c0ba" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:2384

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1100

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1692

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\3c6b172f-bb1a-40da-8d6f-22419149c0ba\file.exe

Filesize
807KB

MD5
bfccab428f007b6e859dec945beefb36

SHA1
9ac7cc6f12ba8f6c1a5945f62a6eb55672db1cd8

SHA256
7086ce481a116a0ea426906f72355763fdb9ca158a230ed498a2302cceee36a4

SHA512
01b21e60596737868572ce24f80dac487d98513d03fc33504d686697df266e40f8c20245360d2e32705b632477bda568a1ab46d64c654178ca2f3b7de7fcdd58

Download Submit
memory/112-134-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/112-143-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/112-133-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/112-132-0x0000000000000000-mapping.dmp

Download
memory/112-137-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/112-138-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1100-141-0x0000000000000000-mapping.dmp

Download
memory/1100-142-0x000000000213D000-0x00000000021CF000-memory.dmp

Filesize
584KB

Download
memory/1692-144-0x0000000000000000-mapping.dmp

Download
memory/1692-146-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1692-147-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1692-148-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2384-139-0x0000000000000000-mapping.dmp

Download
memory/2992-135-0x000000000215A000-0x00000000021EC000-memory.dmp

Filesize
584KB

Download
memory/2992-136-0x00000000021F0000-0x000000000230B000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads