General
Target: d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27
Size: 670KB
Sample: 230130-q6j3csaf45
MD5: d4119bd2e05d30c83481f9f2f8fa45d8
SHA1: ca9417ec27fd4b4fd94697642c3a0f5ab0e81934
SHA256: d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27
SHA512: 22fad9880248c2a55a906bca74b6b264795a3be4bc4b9a0f7df053e43c83963ddf91e2cf3da3f97c54acb3bafa388ade890e8a4d227e6d87e7b6971195a3a8ab
SSDEEP: 12288:FmNW9Bh+YibooLU/lvuyhQtMicow49EARpPw+8+mn0JyS+4rrPU00I2lz:sWfh9ibGuyhLib395RpPJmn0JN+Mr0Im
Static task: static1
Behavioral task: behavioral1
Sample: d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe
Resource: win10v2004-20221111-en
Malware Config
Extracted: C:\_readme.txt (djvu)
  support@freshmail.top
  datarestorehelp@airmail.cc
  https://we.tl/t-uZxWxoKbU5
Extracted: djvu
  http://drampik.com/test1/get.php
  extension: .mzqw
  offline_id: ex4uvTKsM2vEkIcr3MjXi2C6v27h1mS682iUXGt1
  payload_url: http://uaery.top/dl/build2.exe
  payload_url: http://drampik.com/files/1/build3.exe
  ransomnote: ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-uZxWxoKbU5 Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@freshmail.top Reserve e-mail address to contact us: datarestorehelp@airmail.cc Your personal ID: 0635JOsie
Extracted: vidar
  2.2
  19
  https://t.me/litlebey
  https://steamcommunity.com/profiles/76561199472399815
  profile_id: 19
Extracted: vidar
  2.2
  15
  https://t.me/litlebey
  https://steamcommunity.com/profiles/76561199472399815
  profile_id: 15
Targets
- Detected Djvu ransomware
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Modifies file permissions
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext