djvu | 3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e

General

Target

file.exe
Size

686KB
MD5

c2767cbb246f2981a0274905cac01ac6
SHA1

0efd7f110e2c371fcbc8ca9d5684fb5f02b368c7
SHA256

3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e
SHA512

a0ce55a505f9ed294ab8e5fb1943ae031fc05fce1aec2003c54b4517ee17a3b350af592aba1cfb29741febdb63d8f1e6b9f420ab4155e650752217e1eee3b650
SSDEEP

12288:OSvOgTvqHJ2CHnp7ktz58uV/EsKPRydkpjvlamfDB7AyMkkOaTKXjxFrhNk1ZL:OSfKJj+z581XRyijvla1/oVFrh6Z

Score

10^/10

djvu discovery persistence ransomware

Malware Config

Extracted

Family

djvu

C2

http://zexeq.com/test2/get.php

Attributes

extension
.ppvw
offline_id
phJtdHo970vyx7vwlYG00OakDR75RuJz7NXDArt1
payload_url
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-eyUsqpKbFl Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0816JOsie

rsa_pubkey.plain

Signatures

Detected Djvu ransomware 9 IoCs

resource	yara_rule
behavioral2/memory/4424-2-0x0000000002700000-0x000000000281B000-memory.dmp	family_djvu
behavioral2/memory/1436-3-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1436-4-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1436-5-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1436-6-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1436-15-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4976-20-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4976-21-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4976-23-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	file.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
660	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\e8313bc4-f3fc-4b28-8e0d-fe576fb38bf1\\file.exe\" --AutoStart"	file.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
29	api.2ip.ua
28	api.2ip.ua

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4424 set thread context of 1436	4424	file.exe	92
PID 4252 set thread context of 4976	4252	file.exe	96

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2364	4976	WerFault.exe	96

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1436	file.exe
1436	file.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 4424 wrote to memory of 1436	4424	file.exe	92
PID 4424 wrote to memory of 1436	4424	file.exe	92
PID 4424 wrote to memory of 1436	4424	file.exe	92
PID 4424 wrote to memory of 1436	4424	file.exe	92
PID 4424 wrote to memory of 1436	4424	file.exe	92
PID 4424 wrote to memory of 1436	4424	file.exe	92
PID 4424 wrote to memory of 1436	4424	file.exe	92
PID 4424 wrote to memory of 1436	4424	file.exe	92
PID 4424 wrote to memory of 1436	4424	file.exe	92
PID 4424 wrote to memory of 1436	4424	file.exe	92
PID 1436 wrote to memory of 660	1436	file.exe	93
PID 1436 wrote to memory of 660	1436	file.exe	93
PID 1436 wrote to memory of 660	1436	file.exe	93
PID 1436 wrote to memory of 4252	1436	file.exe	94
PID 1436 wrote to memory of 4252	1436	file.exe	94
PID 1436 wrote to memory of 4252	1436	file.exe	94
PID 4252 wrote to memory of 4976	4252	file.exe	96
PID 4252 wrote to memory of 4976	4252	file.exe	96
PID 4252 wrote to memory of 4976	4252	file.exe	96
PID 4252 wrote to memory of 4976	4252	file.exe	96
PID 4252 wrote to memory of 4976	4252	file.exe	96
PID 4252 wrote to memory of 4976	4252	file.exe	96
PID 4252 wrote to memory of 4976	4252	file.exe	96
PID 4252 wrote to memory of 4976	4252	file.exe	96
PID 4252 wrote to memory of 4976	4252	file.exe	96
PID 4252 wrote to memory of 4976	4252	file.exe	96

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4424
- C:\Users\Admin\AppData\Local\Temp\file.exe
  "C:\Users\Admin\AppData\Local\Temp\file.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1436
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\e8313bc4-f3fc-4b28-8e0d-fe576fb38bf1" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:660
- - C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4252
  - - C:\Users\Admin\AppData\Local\Temp\file.exe
      "C:\Users\Admin\AppData\Local\Temp\file.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      PID:4976
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 568
        5⤵
        Program crash
        
        PID:2364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4976 -ip 4976
1⤵
PID:4656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

File and Directory Permissions Modification

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\e8313bc4-f3fc-4b28-8e0d-fe576fb38bf1\file.exe

Filesize
686KB

MD5
c2767cbb246f2981a0274905cac01ac6

SHA1
0efd7f110e2c371fcbc8ca9d5684fb5f02b368c7

SHA256
3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e

SHA512
a0ce55a505f9ed294ab8e5fb1943ae031fc05fce1aec2003c54b4517ee17a3b350af592aba1cfb29741febdb63d8f1e6b9f420ab4155e650752217e1eee3b650

Download Submit
memory/1436-3-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1436-4-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1436-5-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1436-6-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1436-15-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4252-18-0x00000000023A0000-0x000000000243E000-memory.dmp

Filesize
632KB

Download
memory/4424-1-0x0000000002600000-0x0000000002699000-memory.dmp

Filesize
612KB

Download
memory/4424-2-0x0000000002700000-0x000000000281B000-memory.dmp

Filesize
1.1MB

Download
memory/4976-20-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4976-21-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4976-23-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads