Resubmissions
06/11/2023, 12:32  231106-pqk42sba4s  10
06/11/2023, 12:23  231106-pksxpsce94  10
03/11/2023, 20:59  231103-zsp6wscd45  10

Analysis
max time kernel: 144s
max time network: 128s
platform: windows7_x64
resource: win7-20231020-en
resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
submitted: 03/11/2023, 20:59
Static task: static1
Behavioral task: behavioral1
  Sample: file.exe
  Resource: win7-20231020-en
Behavioral task: behavioral2
  Sample: file.exe
  Resource: win10v2004-20231023-en
General
Target: file.exe
Size: 758KB
MD5: 147f66a4ab5d877e9cd347e9c16fcd72
SHA1: 37e9024c5d64d51d01a1b1c9b3f1b5758693cedb
SHA256: a706c1d0d748f3847de78ea63f7b3b6a6336f5750c84241e6b7fd0d45cd43765
SHA512: 20ccb69ce1ced51fec5b87abfaa7418321700e28c2e8f23251564276662ba000479ea6d387f66e45325bae79fec078f5664b3ba925f90f1041213a097c783357
SSDEEP: 12288:uA8auX4Zp7MC2bkWKvkfsIvkjAvh1rJyjvQe4XcIVvfdquBAsbDG:uZXcV7kkkfsI2qXF8vQe4XcILAs+
Malware Config
Extracted: djvu
http://zexeq.com/test2/get.php
extension: .yzqe
offline_id: x2zqmFxw8ydx3wkiEeNayQ64Eyg2U5MS31sTegt1
payload_url:
ransomnote:
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://go.wetransfer.com/t-Z4jZBpJ1EK Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0819ASdw
Signatures

Detected Djvu ransomware (14 IoCs)
resource  yara_rule
behavioral1/memory/1320-2-0x00000000021D0000-0x00000000022EB000-memory.dmp  family_djvu
behavioral1/memory/2044-5-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
behavioral1/memory/2044-8-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
behavioral1/memory/2044-9-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
behavioral1/memory/2044-27-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
behavioral1/memory/2044-28-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
behavioral1/memory/2744-36-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
behavioral1/memory/2744-37-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
behavioral1/memory/2744-50-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
behavioral1/memory/2744-52-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
behavioral1/memory/2744-56-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
behavioral1/memory/2744-58-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
behavioral1/memory/2744-59-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
behavioral1/memory/2744-60-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
Djvu Ransomware
Ransomware which is a variant of the STOP family.

Modifies file permissions (1 TTPs, 1 IoCs)
pid   Process
2792  icacls.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
description      ioc                                                                                                  Process
Set value (str)  \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\db40e033-005b-4bbd-b160-02c3b71a5cc7\\file.exe\" --AutoStart"  file.exe

Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
4     api.2ip.ua
9     api.2ip.ua
3     api.2ip.ua

Suspicious use of SetThreadContext (2 IoCs)
description                              pid   Process   procid_target
PID 1320 set thread context of 2044      1320  file.exe  28
PID 2608 set thread context of 2744      2608  file.exe  32

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid   Process
2044  file.exe
2744  file.exe

Suspicious use of WriteProcessMemory (30 IoCs)
description                          pid   Process   procid_target  occurrences
PID 1320 wrote to memory of 2044     1320  file.exe  28             11
PID 2044 wrote to memory of 2792     2044  file.exe  29             4
PID 2044 wrote to memory of 2608     2044  file.exe  31             4
PID 2608 wrote to memory of 2744     2608  file.exe  32             11
Processes

1. C:\Users\Admin\AppData\Local\Temp\file.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
   PID: 1320
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\file.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
      PID: 2044
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\icacls.exe
         command line: icacls "C:\Users\Admin\AppData\Local\db40e033-005b-4bbd-b160-02c3b71a5cc7" /deny *S-1-1-0:(OI)(CI)(DE,DC)
         PID: 2792
         - Modifies file permissions

      3. C:\Users\Admin\AppData\Local\Temp\file.exe
         command line: "C:\Users\Admin\AppData\Local\Temp\file.exe" --Admin IsNotAutoStart IsNotTask
         PID: 2608
         - Suspicious use of SetThreadContext
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Local\Temp\file.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\file.exe" --Admin IsNotAutoStart IsNotTask
            PID: 2744
            - Suspicious behavior: EnumeratesProcesses

Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
  Filesize: 1KB
  MD5: dd8bf8a07618fb07de0b2f7d3df6140b
  SHA1: 32391f29b30d7c027da06edbdfbdff1b04ad06bc
  SHA256: 82c6497bce5ea5ee9e0a2752965d97d2cf9796baaaca0bb07e9753208e3df4a7
  SHA512: cf494852e76ecb5813b0ad5b6c303e5a3f5a2a686457dd0abeed2f766269ceff17f91220f4cb5413922d4089a40cf7762ad20195a8b9c48639f803317c0b7be2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
  Filesize: 724B
  MD5: 8202a1cd02e7d69597995cabbe881a12
  SHA1: 8858d9d934b7aa9330ee73de6c476acf19929ff6
  SHA256: 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
  SHA512: 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
  Filesize: 410B
  MD5: 1224b2ce5383e190781888c01523e0f7
  SHA1: e24a7173623c784c581f5dfecae25b9eddd54fb0
  SHA256: cb4d8add3fe42e214e449e3d37b4868342673dc76c41101f090445d6a71150ea
  SHA512: d81823174a858d3ab96466f13fce04c01e5b42035ca91a6d071d8424e8f2c8f74fe142aa9aaf07536fdc28b70a0f1fefe9c29013f1269c80bbf1d8c6c2d19e04

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: e8660966ddac91891f529e19760a5068
  SHA1: babdfa6c3c3626ed183eac09615a836e0d2dbaf7
  SHA256: 13aaa4a540e74c2c668e141479b70235b4d99f3f9d639f655b886d3f1e99feb7
  SHA512: f4c907864889bbee15c251ba0d847ead782f64eb0aaf1debcdb0e16996e8cb59f83b1acdfa0809f19ccb04060a8af26e12beca2f0a0e3bd5e8b0b7343f367e2e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
  Filesize: 392B
  MD5: 1d1fa4dde61692ce0f1c62bc79244aaa
  SHA1: 8a60613aa909481fe82c53d58f7ba53679fdf816
  SHA256: af76afa3d7e25337368df0e0ca507b733986b4bd888bb768b09958e5667106f3
  SHA512: 10f32e171e6b8d1e881d081cba7f3c369444e98a10f32bc179080b37095c8204cbed8cd064f5e38d7d8b06b42bc393fab73d89972665b7084d4eecdbd095fe8f

(no path recorded)
  Filesize: 61KB
  MD5: f3441b8572aae8801c04f3060b550443
  SHA1: 4ef0a35436125d6821831ef36c28ffaf196cda15
  SHA256: 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
  SHA512: 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

(no path recorded)
  Filesize: 758KB
  MD5: 147f66a4ab5d877e9cd347e9c16fcd72
  SHA1: 37e9024c5d64d51d01a1b1c9b3f1b5758693cedb
  SHA256: a706c1d0d748f3847de78ea63f7b3b6a6336f5750c84241e6b7fd0d45cd43765
  SHA512: 20ccb69ce1ced51fec5b87abfaa7418321700e28c2e8f23251564276662ba000479ea6d387f66e45325bae79fec078f5664b3ba925f90f1041213a097c783357