djvu | b5fb821bb2025921e31a173fed31654d07703dca8066fd115ec3093c94ebe205

General

Target

b5fb821bb2025921e31a173fed31654d07703dca8066fd115ec3093c94ebe205.exe
Size

664KB
MD5

40c98ab2e03214236874f51fc6571454
SHA1

96c06cd603aeb2cc27f67fbd9f733944c34e869b
SHA256

b5fb821bb2025921e31a173fed31654d07703dca8066fd115ec3093c94ebe205
SHA512

144226e5e097433ce416344423f7581d5b8527493a59bd59919bdc07be21357882b20344b2d1181ce2d98a00f1dd05ea1538a589a328eb57130608ea6a8db60d
SSDEEP

12288:8phAA02Mm1cCJ+Isp/vYn9pM+SmgmdfljPVloxqCD/eVZI2bLZ:8p+AHfFQpnSbSyfl8z/eVZf

Score

10^/10

djvu discovery persistence ransomware

Malware Config

Extracted

Family

djvu

C2

http://fresherlights.com/test1/get.php

Attributes

extension
.uyro
offline_id
HtkmULXEgJoZa495hFUJlvKCD0OwnxklbkoITjt1
payload_url
http://uaery.top/dl/build2.exe
http://fresherlights.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-5UcwRdS3ED Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@fishmail.top Reserve e-mail address to contact us: datarestorehelp@airmail.cc Your personal ID: 0609djfsieE

rsa_pubkey.plain

Signatures

Detected Djvu ransomware 10 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2428-133-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2428-134-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4752-136-0x0000000002220000-0x000000000233B000-memory.dmp	family_djvu
behavioral1/memory/2428-137-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2428-138-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2428-142-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3588-146-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3588-147-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3588-153-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3588-154-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b5fb821bb2025921e31a173fed31654d07703dca8066fd115ec3093c94ebe205.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	b5fb821bb2025921e31a173fed31654d07703dca8066fd115ec3093c94ebe205.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

1704 icacls.exe

pid	process
1704	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

b5fb821bb2025921e31a173fed31654d07703dca8066fd115ec3093c94ebe205.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\49d20917-665c-43d1-9bf5-987258f69f8d\\b5fb821bb2025921e31a173fed31654d07703dca8066fd115ec3093c94ebe205.exe\" --AutoStart"	b5fb821bb2025921e31a173fed31654d07703dca8066fd115ec3093c94ebe205.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

47 api.2ip.ua
49 api.2ip.ua
75 api.2ip.ua

flow	ioc
47	api.2ip.ua
49	api.2ip.ua
75	api.2ip.ua

Suspicious use of SetThreadContext 2 IoCs

Processes:

b5fb821bb2025921e31a173fed31654d07703dca8066fd115ec3093c94ebe205.exeb5fb821bb2025921e31a173fed31654d07703dca8066fd115ec3093c94ebe205.exe

description	pid	process	target process
PID 4752 set thread context of 2428	4752	b5fb821bb2025921e31a173fed31654d07703dca8066fd115ec3093c94ebe205.exe	b5fb821bb2025921e31a173fed31654d07703dca8066fd115ec3093c94ebe205.exe
PID 748 set thread context of 3588	748	b5fb821bb2025921e31a173fed31654d07703dca8066fd115ec3093c94ebe205.exe	b5fb821bb2025921e31a173fed31654d07703dca8066fd115ec3093c94ebe205.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

b5fb821bb2025921e31a173fed31654d07703dca8066fd115ec3093c94ebe205.exeb5fb821bb2025921e31a173fed31654d07703dca8066fd115ec3093c94ebe205.exe

pid	process
2428	b5fb821bb2025921e31a173fed31654d07703dca8066fd115ec3093c94ebe205.exe
2428	b5fb821bb2025921e31a173fed31654d07703dca8066fd115ec3093c94ebe205.exe
3588	b5fb821bb2025921e31a173fed31654d07703dca8066fd115ec3093c94ebe205.exe
3588	b5fb821bb2025921e31a173fed31654d07703dca8066fd115ec3093c94ebe205.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

b5fb821bb2025921e31a173fed31654d07703dca8066fd115ec3093c94ebe205.exeb5fb821bb2025921e31a173fed31654d07703dca8066fd115ec3093c94ebe205.exeb5fb821bb2025921e31a173fed31654d07703dca8066fd115ec3093c94ebe205.exe

C:\Users\Admin\AppData\Local\Temp\b5fb821bb2025921e31a173fed31654d07703dca8066fd115ec3093c94ebe205.exe
"C:\Users\Admin\AppData\Local\Temp\b5fb821bb2025921e31a173fed31654d07703dca8066fd115ec3093c94ebe205.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4752

C:\Users\Admin\AppData\Local\Temp\b5fb821bb2025921e31a173fed31654d07703dca8066fd115ec3093c94ebe205.exe
"C:\Users\Admin\AppData\Local\Temp\b5fb821bb2025921e31a173fed31654d07703dca8066fd115ec3093c94ebe205.exe"
2⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2428

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\49d20917-665c-43d1-9bf5-987258f69f8d" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:1704

C:\Users\Admin\AppData\Local\Temp\b5fb821bb2025921e31a173fed31654d07703dca8066fd115ec3093c94ebe205.exe
"C:\Users\Admin\AppData\Local\Temp\b5fb821bb2025921e31a173fed31654d07703dca8066fd115ec3093c94ebe205.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:748

C:\Users\Admin\AppData\Local\Temp\b5fb821bb2025921e31a173fed31654d07703dca8066fd115ec3093c94ebe205.exe
"C:\Users\Admin\AppData\Local\Temp\b5fb821bb2025921e31a173fed31654d07703dca8066fd115ec3093c94ebe205.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:3588

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize
2KB

MD5
76e7d5bf61b2e80d159f88aa9798ce91

SHA1
32a46de50c9c02b068e39cf49b78c7e2d5ace20d

SHA256
280fd6ae3ad21323199759814c4dd82329eb8f9847ed1fa2be145e83b4c88bf3

SHA512
5efd8c64ac40ae006d2ce4509eb9e5f1448fb1156e914d303e8bc4dcfe1d94c57c7eae216b362877e7b644876656cc9e5c4cebfc905bab3f8b09cb1a051d69c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
1KB

MD5
916c512d221c683beeea9d5cb311b0b0

SHA1
bf0db4b1c4566275b629efb095b6ff8857b5748e

SHA256
64a36c1637d0a111152002a2c0385b0df9dd81b616b3f2073fbbe3f2975aa4d8

SHA512
af32cffea722438e9b17b08062dc2e209edc5417418964ead0b392bd502e1a647a8456b2ee2ea59faf69f93d0c6ea6f15949b6c30924db7da65b91cb18e8dc6c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize
488B

MD5
889ab22a7760a78fab2c271eca7bfd46

SHA1
ae78c17528b8412af88029fdbaa9b09a884942e1

SHA256
ea1d253f827dbfb0bf192fd5ea8ed32c0f71d7aa8988803119324efea8db4e6e

SHA512
a1fa11d57ec6ae8e756424dc54fb6ca01e4d70b0f4ee8d0903ae80dc8df27fcba6be4ef97dfec001882be3256cf9c5a310fc22923b248367c4789960e988e9f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
482B

MD5
1fcc662d4fe5554d1d8da44c7ab5bf3f

SHA1
1ea03e111a18ac83baa5dfa17087da5ff3ec32e1

SHA256
b8e4e45571f60b359a5cba5bbb785a19078db41255a8ffcfd475ad632cc404aa

SHA512
05c7b51517d08f3cb010591523e398b8b9cca935698f182e326c6979df29c48764caddee6bb0ffcd84488390a975445691fef599f8000d5a2db9faa4f1a9ee1c

Download Submit
C:\Users\Admin\AppData\Local\49d20917-665c-43d1-9bf5-987258f69f8d\b5fb821bb2025921e31a173fed31654d07703dca8066fd115ec3093c94ebe205.exe
Filesize
664KB

MD5
40c98ab2e03214236874f51fc6571454

SHA1
96c06cd603aeb2cc27f67fbd9f733944c34e869b

SHA256
b5fb821bb2025921e31a173fed31654d07703dca8066fd115ec3093c94ebe205

SHA512
144226e5e097433ce416344423f7581d5b8527493a59bd59919bdc07be21357882b20344b2d1181ce2d98a00f1dd05ea1538a589a328eb57130608ea6a8db60d

Download Submit
memory/748-145-0x0000000002195000-0x0000000002226000-memory.dmp

Filesize
580KB

Download
memory/748-141-0x0000000000000000-mapping.dmp

Download
memory/1704-139-0x0000000000000000-mapping.dmp

Download
memory/2428-137-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2428-138-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2428-142-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2428-132-0x0000000000000000-mapping.dmp

Download
memory/2428-134-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2428-133-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3588-143-0x0000000000000000-mapping.dmp

Download
memory/3588-146-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3588-147-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3588-153-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3588-154-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4752-136-0x0000000002220000-0x000000000233B000-memory.dmp

Filesize
1.1MB

Download
memory/4752-135-0x0000000002125000-0x00000000021B6000-memory.dmp

Filesize
580KB

Download

description	pid	process	target process
PID 4752 wrote to memory of 2428	4752	b5fb821bb2025921e31a173fed31654d07703dca8066fd115ec3093c94ebe205.exe	b5fb821bb2025921e31a173fed31654d07703dca8066fd115ec3093c94ebe205.exe
PID 4752 wrote to memory of 2428	4752	b5fb821bb2025921e31a173fed31654d07703dca8066fd115ec3093c94ebe205.exe	b5fb821bb2025921e31a173fed31654d07703dca8066fd115ec3093c94ebe205.exe
PID 4752 wrote to memory of 2428	4752	b5fb821bb2025921e31a173fed31654d07703dca8066fd115ec3093c94ebe205.exe	b5fb821bb2025921e31a173fed31654d07703dca8066fd115ec3093c94ebe205.exe
PID 4752 wrote to memory of 2428	4752	b5fb821bb2025921e31a173fed31654d07703dca8066fd115ec3093c94ebe205.exe	b5fb821bb2025921e31a173fed31654d07703dca8066fd115ec3093c94ebe205.exe
PID 4752 wrote to memory of 2428	4752	b5fb821bb2025921e31a173fed31654d07703dca8066fd115ec3093c94ebe205.exe	b5fb821bb2025921e31a173fed31654d07703dca8066fd115ec3093c94ebe205.exe
PID 4752 wrote to memory of 2428	4752	b5fb821bb2025921e31a173fed31654d07703dca8066fd115ec3093c94ebe205.exe	b5fb821bb2025921e31a173fed31654d07703dca8066fd115ec3093c94ebe205.exe
PID 4752 wrote to memory of 2428	4752	b5fb821bb2025921e31a173fed31654d07703dca8066fd115ec3093c94ebe205.exe	b5fb821bb2025921e31a173fed31654d07703dca8066fd115ec3093c94ebe205.exe
PID 4752 wrote to memory of 2428	4752	b5fb821bb2025921e31a173fed31654d07703dca8066fd115ec3093c94ebe205.exe	b5fb821bb2025921e31a173fed31654d07703dca8066fd115ec3093c94ebe205.exe
PID 4752 wrote to memory of 2428	4752	b5fb821bb2025921e31a173fed31654d07703dca8066fd115ec3093c94ebe205.exe	b5fb821bb2025921e31a173fed31654d07703dca8066fd115ec3093c94ebe205.exe
PID 4752 wrote to memory of 2428	4752	b5fb821bb2025921e31a173fed31654d07703dca8066fd115ec3093c94ebe205.exe	b5fb821bb2025921e31a173fed31654d07703dca8066fd115ec3093c94ebe205.exe
PID 2428 wrote to memory of 1704	2428	b5fb821bb2025921e31a173fed31654d07703dca8066fd115ec3093c94ebe205.exe	icacls.exe
PID 2428 wrote to memory of 1704	2428	b5fb821bb2025921e31a173fed31654d07703dca8066fd115ec3093c94ebe205.exe	icacls.exe
PID 2428 wrote to memory of 1704	2428	b5fb821bb2025921e31a173fed31654d07703dca8066fd115ec3093c94ebe205.exe	icacls.exe
PID 2428 wrote to memory of 748	2428	b5fb821bb2025921e31a173fed31654d07703dca8066fd115ec3093c94ebe205.exe	b5fb821bb2025921e31a173fed31654d07703dca8066fd115ec3093c94ebe205.exe
PID 2428 wrote to memory of 748	2428	b5fb821bb2025921e31a173fed31654d07703dca8066fd115ec3093c94ebe205.exe	b5fb821bb2025921e31a173fed31654d07703dca8066fd115ec3093c94ebe205.exe
PID 2428 wrote to memory of 748	2428	b5fb821bb2025921e31a173fed31654d07703dca8066fd115ec3093c94ebe205.exe	b5fb821bb2025921e31a173fed31654d07703dca8066fd115ec3093c94ebe205.exe
PID 748 wrote to memory of 3588	748	b5fb821bb2025921e31a173fed31654d07703dca8066fd115ec3093c94ebe205.exe	b5fb821bb2025921e31a173fed31654d07703dca8066fd115ec3093c94ebe205.exe
PID 748 wrote to memory of 3588	748	b5fb821bb2025921e31a173fed31654d07703dca8066fd115ec3093c94ebe205.exe	b5fb821bb2025921e31a173fed31654d07703dca8066fd115ec3093c94ebe205.exe
PID 748 wrote to memory of 3588	748	b5fb821bb2025921e31a173fed31654d07703dca8066fd115ec3093c94ebe205.exe	b5fb821bb2025921e31a173fed31654d07703dca8066fd115ec3093c94ebe205.exe
PID 748 wrote to memory of 3588	748	b5fb821bb2025921e31a173fed31654d07703dca8066fd115ec3093c94ebe205.exe	b5fb821bb2025921e31a173fed31654d07703dca8066fd115ec3093c94ebe205.exe
PID 748 wrote to memory of 3588	748	b5fb821bb2025921e31a173fed31654d07703dca8066fd115ec3093c94ebe205.exe	b5fb821bb2025921e31a173fed31654d07703dca8066fd115ec3093c94ebe205.exe
PID 748 wrote to memory of 3588	748	b5fb821bb2025921e31a173fed31654d07703dca8066fd115ec3093c94ebe205.exe	b5fb821bb2025921e31a173fed31654d07703dca8066fd115ec3093c94ebe205.exe
PID 748 wrote to memory of 3588	748	b5fb821bb2025921e31a173fed31654d07703dca8066fd115ec3093c94ebe205.exe	b5fb821bb2025921e31a173fed31654d07703dca8066fd115ec3093c94ebe205.exe
PID 748 wrote to memory of 3588	748	b5fb821bb2025921e31a173fed31654d07703dca8066fd115ec3093c94ebe205.exe	b5fb821bb2025921e31a173fed31654d07703dca8066fd115ec3093c94ebe205.exe
PID 748 wrote to memory of 3588	748	b5fb821bb2025921e31a173fed31654d07703dca8066fd115ec3093c94ebe205.exe	b5fb821bb2025921e31a173fed31654d07703dca8066fd115ec3093c94ebe205.exe
PID 748 wrote to memory of 3588	748	b5fb821bb2025921e31a173fed31654d07703dca8066fd115ec3093c94ebe205.exe	b5fb821bb2025921e31a173fed31654d07703dca8066fd115ec3093c94ebe205.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads