djvu | 9867bc59049c32632cacd10590fee31e4b8abc6f569c47739f6cb312f93ccb28

Analysis

max time kernel
148s
max time network
153s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
08/03/2023, 10:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9867bc59049c32632cacd10590fee31e4b8abc6f569c47739f6cb312f93ccb28.exe
Size

700KB
MD5

2cfcb21bd5b1513337f74222240a83e9
SHA1

c64a12aab3c9192d1969762c4d97dfe6947bebfa
SHA256

9867bc59049c32632cacd10590fee31e4b8abc6f569c47739f6cb312f93ccb28
SHA512

690f5ae9b35ef81d8063038f044c6cb57077405c1415ca2440fe1aa6983dd068855073b651dbe081d867af6e538e281464a984af38b8dae7d35442a755d90a91
SSDEEP

12288:3xy5vxG1RBFc22IfHwOo6dz/0kvOhMFjy7bv/nE6nM1h53+zBn69Kv:3Q5kBFcjIfQ56uNCOnXnxcrud69A

Score

10^/10

djvu discovery persistence ransomware

Malware Config

Extracted

Family

djvu

http://zexeq.com/test2/get.php

Attributes

extension
.coaq
offline_id
fTU4hYOJ0niv7WAg9utRTzxXv2TcoEvGPJhzIot1
payload_url
http://uaery.top/dl/build2.exe

http://zexeq.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-hhA4nKfJBj Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0659JOsie

rsa_pubkey.plain

Signatures

Detected Djvu ransomware 17 IoCs

resource	yara_rule
behavioral1/memory/3988-118-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3988-119-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3232-120-0x0000000002390000-0x00000000024AB000-memory.dmp	family_djvu
behavioral1/memory/3988-121-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3988-122-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3988-133-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1564-137-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1564-138-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1564-139-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1564-144-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1564-145-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1564-146-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1564-151-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1564-153-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1564-154-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1564-155-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1564-168-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
1272	build3.exe
4208	mstsca.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4316	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\4053c06d-db39-48d6-9110-e022bf200c45\\9867bc59049c32632cacd10590fee31e4b8abc6f569c47739f6cb312f93ccb28.exe\" --AutoStart"	9867bc59049c32632cacd10590fee31e4b8abc6f569c47739f6cb312f93ccb28.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	api.2ip.ua
3	api.2ip.ua
14	api.2ip.ua

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3232 set thread context of 3988	3232	9867bc59049c32632cacd10590fee31e4b8abc6f569c47739f6cb312f93ccb28.exe	66
PID 4312 set thread context of 1564	4312	9867bc59049c32632cacd10590fee31e4b8abc6f569c47739f6cb312f93ccb28.exe	70

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1408	schtasks.exe
3960	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3988	9867bc59049c32632cacd10590fee31e4b8abc6f569c47739f6cb312f93ccb28.exe
3988	9867bc59049c32632cacd10590fee31e4b8abc6f569c47739f6cb312f93ccb28.exe
1564	9867bc59049c32632cacd10590fee31e4b8abc6f569c47739f6cb312f93ccb28.exe
1564	9867bc59049c32632cacd10590fee31e4b8abc6f569c47739f6cb312f93ccb28.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 3232 wrote to memory of 3988	3232	9867bc59049c32632cacd10590fee31e4b8abc6f569c47739f6cb312f93ccb28.exe	66
PID 3232 wrote to memory of 3988	3232	9867bc59049c32632cacd10590fee31e4b8abc6f569c47739f6cb312f93ccb28.exe	66
PID 3232 wrote to memory of 3988	3232	9867bc59049c32632cacd10590fee31e4b8abc6f569c47739f6cb312f93ccb28.exe	66
PID 3232 wrote to memory of 3988	3232	9867bc59049c32632cacd10590fee31e4b8abc6f569c47739f6cb312f93ccb28.exe	66
PID 3232 wrote to memory of 3988	3232	9867bc59049c32632cacd10590fee31e4b8abc6f569c47739f6cb312f93ccb28.exe	66
PID 3232 wrote to memory of 3988	3232	9867bc59049c32632cacd10590fee31e4b8abc6f569c47739f6cb312f93ccb28.exe	66
PID 3232 wrote to memory of 3988	3232	9867bc59049c32632cacd10590fee31e4b8abc6f569c47739f6cb312f93ccb28.exe	66
PID 3232 wrote to memory of 3988	3232	9867bc59049c32632cacd10590fee31e4b8abc6f569c47739f6cb312f93ccb28.exe	66
PID 3232 wrote to memory of 3988	3232	9867bc59049c32632cacd10590fee31e4b8abc6f569c47739f6cb312f93ccb28.exe	66
PID 3232 wrote to memory of 3988	3232	9867bc59049c32632cacd10590fee31e4b8abc6f569c47739f6cb312f93ccb28.exe	66
PID 3988 wrote to memory of 4316	3988	9867bc59049c32632cacd10590fee31e4b8abc6f569c47739f6cb312f93ccb28.exe	67
PID 3988 wrote to memory of 4316	3988	9867bc59049c32632cacd10590fee31e4b8abc6f569c47739f6cb312f93ccb28.exe	67
PID 3988 wrote to memory of 4316	3988	9867bc59049c32632cacd10590fee31e4b8abc6f569c47739f6cb312f93ccb28.exe	67
PID 3988 wrote to memory of 4312	3988	9867bc59049c32632cacd10590fee31e4b8abc6f569c47739f6cb312f93ccb28.exe	68
PID 3988 wrote to memory of 4312	3988	9867bc59049c32632cacd10590fee31e4b8abc6f569c47739f6cb312f93ccb28.exe	68
PID 3988 wrote to memory of 4312	3988	9867bc59049c32632cacd10590fee31e4b8abc6f569c47739f6cb312f93ccb28.exe	68
PID 4312 wrote to memory of 1564	4312	9867bc59049c32632cacd10590fee31e4b8abc6f569c47739f6cb312f93ccb28.exe	70
PID 4312 wrote to memory of 1564	4312	9867bc59049c32632cacd10590fee31e4b8abc6f569c47739f6cb312f93ccb28.exe	70
PID 4312 wrote to memory of 1564	4312	9867bc59049c32632cacd10590fee31e4b8abc6f569c47739f6cb312f93ccb28.exe	70
PID 4312 wrote to memory of 1564	4312	9867bc59049c32632cacd10590fee31e4b8abc6f569c47739f6cb312f93ccb28.exe	70
PID 4312 wrote to memory of 1564	4312	9867bc59049c32632cacd10590fee31e4b8abc6f569c47739f6cb312f93ccb28.exe	70
PID 4312 wrote to memory of 1564	4312	9867bc59049c32632cacd10590fee31e4b8abc6f569c47739f6cb312f93ccb28.exe	70
PID 4312 wrote to memory of 1564	4312	9867bc59049c32632cacd10590fee31e4b8abc6f569c47739f6cb312f93ccb28.exe	70
PID 4312 wrote to memory of 1564	4312	9867bc59049c32632cacd10590fee31e4b8abc6f569c47739f6cb312f93ccb28.exe	70
PID 4312 wrote to memory of 1564	4312	9867bc59049c32632cacd10590fee31e4b8abc6f569c47739f6cb312f93ccb28.exe	70
PID 4312 wrote to memory of 1564	4312	9867bc59049c32632cacd10590fee31e4b8abc6f569c47739f6cb312f93ccb28.exe	70
PID 1564 wrote to memory of 1272	1564	9867bc59049c32632cacd10590fee31e4b8abc6f569c47739f6cb312f93ccb28.exe	71
PID 1564 wrote to memory of 1272	1564	9867bc59049c32632cacd10590fee31e4b8abc6f569c47739f6cb312f93ccb28.exe	71
PID 1564 wrote to memory of 1272	1564	9867bc59049c32632cacd10590fee31e4b8abc6f569c47739f6cb312f93ccb28.exe	71
PID 1272 wrote to memory of 1408	1272	build3.exe	72
PID 1272 wrote to memory of 1408	1272	build3.exe	72
PID 1272 wrote to memory of 1408	1272	build3.exe	72
PID 4208 wrote to memory of 3960	4208	mstsca.exe	75
PID 4208 wrote to memory of 3960	4208	mstsca.exe	75
PID 4208 wrote to memory of 3960	4208	mstsca.exe	75

C:\Users\Admin\AppData\Local\Temp\9867bc59049c32632cacd10590fee31e4b8abc6f569c47739f6cb312f93ccb28.exe
"C:\Users\Admin\AppData\Local\Temp\9867bc59049c32632cacd10590fee31e4b8abc6f569c47739f6cb312f93ccb28.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3232
- C:\Users\Admin\AppData\Local\Temp\9867bc59049c32632cacd10590fee31e4b8abc6f569c47739f6cb312f93ccb28.exe
  "C:\Users\Admin\AppData\Local\Temp\9867bc59049c32632cacd10590fee31e4b8abc6f569c47739f6cb312f93ccb28.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3988
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\4053c06d-db39-48d6-9110-e022bf200c45" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:4316
- - C:\Users\Admin\AppData\Local\Temp\9867bc59049c32632cacd10590fee31e4b8abc6f569c47739f6cb312f93ccb28.exe
    "C:\Users\Admin\AppData\Local\Temp\9867bc59049c32632cacd10590fee31e4b8abc6f569c47739f6cb312f93ccb28.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4312
  - - C:\Users\Admin\AppData\Local\Temp\9867bc59049c32632cacd10590fee31e4b8abc6f569c47739f6cb312f93ccb28.exe
      "C:\Users\Admin\AppData\Local\Temp\9867bc59049c32632cacd10590fee31e4b8abc6f569c47739f6cb312f93ccb28.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1564
    - - C:\Users\Admin\AppData\Local\323f5a23-8c98-4000-8020-256297490cc9\build3.exe
        
        "C:\Users\Admin\AppData\Local\323f5a23-8c98-4000-8020-256297490cc9\build3.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1272
      - C:\Windows\SysWOW64\schtasks.exe
        
        /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:1408

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4208
- C:\Windows\SysWOW64\schtasks.exe
  /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
  2⤵
  - Creates scheduled task(s)
  PID:3960

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
2KB

MD5
5ebbd3148318b887eccd6d81bd608ec7

SHA1
ac423bb92c9d74450c668b8c69926774f2ae147b

SHA256
ed62e08399e483e87941ea69f03fec9ea48186b14c9d1fd54f238a97935dade5

SHA512
5c6e1c4df548d66ca68f0d169361c7d53ed104e916db2d2c6fd41de929b8bdc9cdb5f635657cda94e710c4c7ef44d457b5e3c13c6c20a758d1537bbdb1fadef8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
bf56fe61b0bda7a5625f77c70820d98a

SHA1
bc52c58737644c029bc68177da93f885e2efb505

SHA256
5e2a6b3fee5aee875bbb5e5bc8236de647c6a77ff4d024881c878dcaa5c4cf1e

SHA512
74e6db364d6f0718d1f8874532e58f6271c5988825223752226508e20b656e67a64b10a76167eb7749d156a58322212c4db8e83895779b5815f41256a8274649

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
488B

MD5
15e3516826f02b0ff3b8cd7b4c2bce8f

SHA1
43e77d9a1fa534ad696fdd5bf2b22ae54a325c37

SHA256
82ef996d8cdddd2155d30d81aa65c1764316e5585157506f4f8f0d1c10cab7f2

SHA512
a756b93d92a862bb276df50e30c2761002219cf777767c7b3814eb0d9520acb6abbee17dbb2c3fca0756d223559456f10216f5dc4e7464d5b3631eb27951bc26

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
6b4ca6bb857f873407954864e803e0c8

SHA1
bba1ced518d2113304b6227975bf94bf3198080a

SHA256
1b9a5bdf1c878cbc94d905839bced6af0c9c77a426c8a692cc78e7dd1c995425

SHA512
0a822292130877dd6ef4ad5ed6ab73a0bb55ba0067e063614c680a12ba9eebf8385f6a8255d24f9fa87710e59e083b4d46053889d56b40261dce32f80a91e49d

Download Submit
C:\Users\Admin\AppData\Local\323f5a23-8c98-4000-8020-256297490cc9\build3.exe

Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Local\323f5a23-8c98-4000-8020-256297490cc9\build3.exe

Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Local\4053c06d-db39-48d6-9110-e022bf200c45\9867bc59049c32632cacd10590fee31e4b8abc6f569c47739f6cb312f93ccb28.exe

Filesize
700KB

MD5
2cfcb21bd5b1513337f74222240a83e9

SHA1
c64a12aab3c9192d1969762c4d97dfe6947bebfa

SHA256
9867bc59049c32632cacd10590fee31e4b8abc6f569c47739f6cb312f93ccb28

SHA512
690f5ae9b35ef81d8063038f044c6cb57077405c1415ca2440fe1aa6983dd068855073b651dbe081d867af6e538e281464a984af38b8dae7d35442a755d90a91

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
memory/1564-153-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1564-154-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1564-138-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1564-137-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1564-144-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1564-145-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1564-146-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1564-151-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1564-168-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1564-139-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1564-155-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3232-120-0x0000000002390000-0x00000000024AB000-memory.dmp

Filesize
1.1MB

Download
memory/3988-133-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3988-122-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3988-121-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3988-118-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3988-119-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download