djvu | c041c2a6e4803095086cc704bb84f9c7b377c6c4720bc45f76fc93fb53beb1fd

Analysis

max time kernel
148s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
07-06-2023 01:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

750KB
MD5

03483bad9b960538fe39ff5aab1a907a
SHA1

444d08535d4d700a4259f27a056275d5b0a4610d
SHA256

c041c2a6e4803095086cc704bb84f9c7b377c6c4720bc45f76fc93fb53beb1fd
SHA512

91474555982ac716f407367b5f91e3544a1a877c1f436c1fbeeb24e1fbb5d822588b9d2da767d0179a180313469051cb8cd8169c9df44a0645084cffdc6a2774
SSDEEP

12288:T5fbu5mbzSITzDOR3TgKOl1XHcaeS+lQS4qEuqLMUmLjpLfP+b0:T5fdnSWOXcHBeS+W/qEdMUmRL3+

Score

10^/10

djvu discovery persistence ransomware

Malware Config

Extracted

Family

djvu

http://zexeq.com/test1/get.php

Attributes

extension
.nerz
offline_id
0vTA6MA1m5nzrdffOCJC7YmAa4Lp6YNN8lOJ4mt1
payload_url
http://colisumy.com/dl/build2.exe
http://zexeq.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-vc50LyB2yb Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@freshmail.top Reserve e-mail address to contact us: datarestorehelp@airmail.cc Your personal ID: 0722JOsie

rsa_pubkey.plain

Signatures

Detected Djvu ransomware 17 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1292-134-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1292-135-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1292-137-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3676-136-0x0000000004A60000-0x0000000004B7B000-memory.dmp	family_djvu
behavioral2/memory/1292-138-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1292-149-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3944-153-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3944-154-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3944-155-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3944-162-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3944-163-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3944-167-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3944-169-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3944-170-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3944-171-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3944-172-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3944-183-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

file.exefile.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	file.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	file.exe

Executes dropped EXE 2 IoCs

Processes:

build3.exemstsca.exe

pid process

4232 build3.exe
1672 mstsca.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

1528 icacls.exe

pid	process
4232	build3.exe
1672	mstsca.exe

pid	process
1528	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

file.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\a7ff7e6b-6178-49f9-b2a7-b64f342ca114\\file.exe\" --AutoStart"	file.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

9 api.2ip.ua
10 api.2ip.ua
25 api.2ip.ua
Suspicious use of SetThreadContext 2 IoCs

Processes:

file.exefile.exe

description pid process target process

PID 3676 set thread context of 1292 3676 file.exe file.exe
PID 4328 set thread context of 3944 4328 file.exe file.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4980 schtasks.exe
1712 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

file.exefile.exe

pid process

1292 file.exe
1292 file.exe
3944 file.exe
3944 file.exe

flow	ioc
9	api.2ip.ua
10	api.2ip.ua
25	api.2ip.ua

description	pid	process	target process
PID 3676 set thread context of 1292	3676	file.exe	file.exe
PID 4328 set thread context of 3944	4328	file.exe	file.exe

pid	process
4980	schtasks.exe
1712	schtasks.exe

pid	process
1292	file.exe
1292	file.exe
3944	file.exe
3944	file.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

file.exefile.exefile.exefile.exebuild3.exemstsca.exe

description	pid	process	target process
PID 3676 wrote to memory of 1292	3676	file.exe	file.exe
PID 3676 wrote to memory of 1292	3676	file.exe	file.exe
PID 3676 wrote to memory of 1292	3676	file.exe	file.exe
PID 3676 wrote to memory of 1292	3676	file.exe	file.exe
PID 3676 wrote to memory of 1292	3676	file.exe	file.exe
PID 3676 wrote to memory of 1292	3676	file.exe	file.exe
PID 3676 wrote to memory of 1292	3676	file.exe	file.exe
PID 3676 wrote to memory of 1292	3676	file.exe	file.exe
PID 3676 wrote to memory of 1292	3676	file.exe	file.exe
PID 3676 wrote to memory of 1292	3676	file.exe	file.exe
PID 1292 wrote to memory of 1528	1292	file.exe	icacls.exe
PID 1292 wrote to memory of 1528	1292	file.exe	icacls.exe
PID 1292 wrote to memory of 1528	1292	file.exe	icacls.exe
PID 1292 wrote to memory of 4328	1292	file.exe	file.exe
PID 1292 wrote to memory of 4328	1292	file.exe	file.exe
PID 1292 wrote to memory of 4328	1292	file.exe	file.exe
PID 4328 wrote to memory of 3944	4328	file.exe	file.exe
PID 4328 wrote to memory of 3944	4328	file.exe	file.exe
PID 4328 wrote to memory of 3944	4328	file.exe	file.exe
PID 4328 wrote to memory of 3944	4328	file.exe	file.exe
PID 4328 wrote to memory of 3944	4328	file.exe	file.exe
PID 4328 wrote to memory of 3944	4328	file.exe	file.exe
PID 4328 wrote to memory of 3944	4328	file.exe	file.exe
PID 4328 wrote to memory of 3944	4328	file.exe	file.exe
PID 4328 wrote to memory of 3944	4328	file.exe	file.exe
PID 4328 wrote to memory of 3944	4328	file.exe	file.exe
PID 3944 wrote to memory of 4232	3944	file.exe	build3.exe
PID 3944 wrote to memory of 4232	3944	file.exe	build3.exe
PID 3944 wrote to memory of 4232	3944	file.exe	build3.exe
PID 4232 wrote to memory of 4980	4232	build3.exe	schtasks.exe
PID 4232 wrote to memory of 4980	4232	build3.exe	schtasks.exe
PID 4232 wrote to memory of 4980	4232	build3.exe	schtasks.exe
PID 1672 wrote to memory of 1712	1672	mstsca.exe	schtasks.exe
PID 1672 wrote to memory of 1712	1672	mstsca.exe	schtasks.exe
PID 1672 wrote to memory of 1712	1672	mstsca.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3676

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
2⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1292

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\a7ff7e6b-6178-49f9-b2a7-b64f342ca114" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:1528

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4328

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3944

C:\Users\Admin\AppData\Local\8287ace7-842f-4e8c-b03a-9d87edf5087b\build3.exe
"C:\Users\Admin\AppData\Local\8287ace7-842f-4e8c-b03a-9d87edf5087b\build3.exe"
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4232

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
6⤵
- Creates scheduled task(s)
PID:4980

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1672

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
2⤵
- Creates scheduled task(s)
PID:1712

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize
2KB

MD5
72cce08db064d193dd1c8db96e30a0e7

SHA1
a76ef6bbfb2cadde26e7d713e9a71a8818d68991

SHA256
e904584bfbd2b92b1b9063f660abbe337c58e623ca78df5107f036d272d66c38

SHA512
e1d719a6a5d446c2b3348930cfcea61f85cff76adc38948dfb144aa7f95eac5453d7787706bca70ce75de931724cff7e6e146f9b662e34eb36d948995fbca1f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
1KB

MD5
e5ef4e3f5fd7934cb9c76b42b58ea45c

SHA1
c76f9fad9a12335d281771454f657036efc5881a

SHA256
3b247db7937565d22f6455fb744771e14de3380d133192e00a8f5fadf6492bdb

SHA512
1f18d5a9aead87cf00682a6fccdfc2896d29a92f808491fb0c1a97a86941734d9c6f1dee6786a9151eba488916d84c220c6ae78a93c1246301de73c2d034373f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize
488B

MD5
8e6928897c2535c71b929f89345cb11e

SHA1
8b289b5a4c7fa12a84fa8f76aae322601d21acb6

SHA256
bcd9b954f1eba7d72176bce55fd4986457830d6f4afe0186767714004ba5e902

SHA512
1a7cf222ea186178ed23cfc99e301b3ecc9e0591132071dfd8aaa7f1d01991b48115d64ab964d0825e03d43d5cfc971e30b6a32c6b6f1cc688f7648ddc420123

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
482B

MD5
4dc2043a2f50f62a60b4a9001e86fca9

SHA1
baf05e9627dbe1b15760b7f9d8236a66317018a5

SHA256
dfca2a52c375727c5ded0b613060ea8ef0597f283f11769b374563ead3bdca76

SHA512
5daa16aa793bc4e3eaf6af96d7753d5afde079c34f84f389c5bbc18f993aedd59db5df8981aa48d51d918fc6a91ec85d4d8210376d4fd4b55a3591273208ecba

Download Submit
C:\Users\Admin\AppData\Local\8287ace7-842f-4e8c-b03a-9d87edf5087b\build3.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Local\8287ace7-842f-4e8c-b03a-9d87edf5087b\build3.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Local\8287ace7-842f-4e8c-b03a-9d87edf5087b\build3.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Local\a7ff7e6b-6178-49f9-b2a7-b64f342ca114\file.exe
Filesize
750KB

MD5
03483bad9b960538fe39ff5aab1a907a

SHA1
444d08535d4d700a4259f27a056275d5b0a4610d

SHA256
c041c2a6e4803095086cc704bb84f9c7b377c6c4720bc45f76fc93fb53beb1fd

SHA512
91474555982ac716f407367b5f91e3544a1a877c1f436c1fbeeb24e1fbb5d822588b9d2da767d0179a180313469051cb8cd8169c9df44a0645084cffdc6a2774

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
memory/1292-149-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1292-134-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1292-135-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1292-137-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1292-138-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3676-136-0x0000000004A60000-0x0000000004B7B000-memory.dmp

Filesize
1.1MB

Download
memory/3944-163-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3944-169-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3944-170-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3944-171-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3944-172-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3944-167-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3944-183-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3944-155-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3944-162-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3944-153-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3944-154-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download