djvu | a706c1d0d748f3847de78ea63f7b3b6a6336f5750c84241e6b7fd0d45cd43765

Resubmissions

06/11/2023, 12:32

231106-pqk42sba4s 10

06/11/2023, 12:23

231106-pksxpsce94 10

03/11/2023, 20:59

231103-zsp6wscd45 10

Analysis

max time kernel
144s
max time network
128s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
03/11/2023, 20:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

758KB
MD5

147f66a4ab5d877e9cd347e9c16fcd72
SHA1

37e9024c5d64d51d01a1b1c9b3f1b5758693cedb
SHA256

a706c1d0d748f3847de78ea63f7b3b6a6336f5750c84241e6b7fd0d45cd43765
SHA512

20ccb69ce1ced51fec5b87abfaa7418321700e28c2e8f23251564276662ba000479ea6d387f66e45325bae79fec078f5664b3ba925f90f1041213a097c783357
SSDEEP

12288:uA8auX4Zp7MC2bkWKvkfsIvkjAvh1rJyjvQe4XcIVvfdquBAsbDG:uZXcV7kkkfsI2qXF8vQe4XcILAs+

Score

10^/10

djvu discovery persistence ransomware

Malware Config

Extracted

Family

djvu

http://zexeq.com/test2/get.php

Attributes

extension
.yzqe
offline_id
x2zqmFxw8ydx3wkiEeNayQ64Eyg2U5MS31sTegt1
payload_url
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://go.wetransfer.com/t-Z4jZBpJ1EK Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0819ASdw

rsa_pubkey.plain

Signatures

Detected Djvu ransomware 14 IoCs

resource	yara_rule
behavioral1/memory/1320-2-0x00000000021D0000-0x00000000022EB000-memory.dmp	family_djvu
behavioral1/memory/2044-5-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2044-8-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2044-9-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2044-27-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2044-28-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2744-36-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2744-37-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2744-50-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2744-52-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2744-56-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2744-58-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2744-59-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2744-60-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2792	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\db40e033-005b-4bbd-b160-02c3b71a5cc7\\file.exe\" --AutoStart"	file.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	api.2ip.ua
9	api.2ip.ua
3	api.2ip.ua

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1320 set thread context of 2044	1320	file.exe	28
PID 2608 set thread context of 2744	2608	file.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2044	file.exe
2744	file.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1320 wrote to memory of 2044	1320	file.exe	28
PID 1320 wrote to memory of 2044	1320	file.exe	28
PID 1320 wrote to memory of 2044	1320	file.exe	28
PID 1320 wrote to memory of 2044	1320	file.exe	28
PID 1320 wrote to memory of 2044	1320	file.exe	28
PID 1320 wrote to memory of 2044	1320	file.exe	28
PID 1320 wrote to memory of 2044	1320	file.exe	28
PID 1320 wrote to memory of 2044	1320	file.exe	28
PID 1320 wrote to memory of 2044	1320	file.exe	28
PID 1320 wrote to memory of 2044	1320	file.exe	28
PID 1320 wrote to memory of 2044	1320	file.exe	28
PID 2044 wrote to memory of 2792	2044	file.exe	29
PID 2044 wrote to memory of 2792	2044	file.exe	29
PID 2044 wrote to memory of 2792	2044	file.exe	29
PID 2044 wrote to memory of 2792	2044	file.exe	29
PID 2044 wrote to memory of 2608	2044	file.exe	31
PID 2044 wrote to memory of 2608	2044	file.exe	31
PID 2044 wrote to memory of 2608	2044	file.exe	31
PID 2044 wrote to memory of 2608	2044	file.exe	31
PID 2608 wrote to memory of 2744	2608	file.exe	32
PID 2608 wrote to memory of 2744	2608	file.exe	32
PID 2608 wrote to memory of 2744	2608	file.exe	32
PID 2608 wrote to memory of 2744	2608	file.exe	32
PID 2608 wrote to memory of 2744	2608	file.exe	32
PID 2608 wrote to memory of 2744	2608	file.exe	32
PID 2608 wrote to memory of 2744	2608	file.exe	32
PID 2608 wrote to memory of 2744	2608	file.exe	32
PID 2608 wrote to memory of 2744	2608	file.exe	32
PID 2608 wrote to memory of 2744	2608	file.exe	32
PID 2608 wrote to memory of 2744	2608	file.exe	32

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1320
- C:\Users\Admin\AppData\Local\Temp\file.exe
  "C:\Users\Admin\AppData\Local\Temp\file.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\db40e033-005b-4bbd-b160-02c3b71a5cc7" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:2792
- - C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2608
  - - C:\Users\Admin\AppData\Local\Temp\file.exe
      "C:\Users\Admin\AppData\Local\Temp\file.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
dd8bf8a07618fb07de0b2f7d3df6140b

SHA1
32391f29b30d7c027da06edbdfbdff1b04ad06bc

SHA256
82c6497bce5ea5ee9e0a2752965d97d2cf9796baaaca0bb07e9753208e3df4a7

SHA512
cf494852e76ecb5813b0ad5b6c303e5a3f5a2a686457dd0abeed2f766269ceff17f91220f4cb5413922d4089a40cf7762ad20195a8b9c48639f803317c0b7be2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
1224b2ce5383e190781888c01523e0f7

SHA1
e24a7173623c784c581f5dfecae25b9eddd54fb0

SHA256
cb4d8add3fe42e214e449e3d37b4868342673dc76c41101f090445d6a71150ea

SHA512
d81823174a858d3ab96466f13fce04c01e5b42035ca91a6d071d8424e8f2c8f74fe142aa9aaf07536fdc28b70a0f1fefe9c29013f1269c80bbf1d8c6c2d19e04

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e8660966ddac91891f529e19760a5068

SHA1
babdfa6c3c3626ed183eac09615a836e0d2dbaf7

SHA256
13aaa4a540e74c2c668e141479b70235b4d99f3f9d639f655b886d3f1e99feb7

SHA512
f4c907864889bbee15c251ba0d847ead782f64eb0aaf1debcdb0e16996e8cb59f83b1acdfa0809f19ccb04060a8af26e12beca2f0a0e3bd5e8b0b7343f367e2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
1d1fa4dde61692ce0f1c62bc79244aaa

SHA1
8a60613aa909481fe82c53d58f7ba53679fdf816

SHA256
af76afa3d7e25337368df0e0ca507b733986b4bd888bb768b09958e5667106f3

SHA512
10f32e171e6b8d1e881d081cba7f3c369444e98a10f32bc179080b37095c8204cbed8cd064f5e38d7d8b06b42bc393fab73d89972665b7084d4eecdbd095fe8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA5B1.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\db40e033-005b-4bbd-b160-02c3b71a5cc7\file.exe

Filesize
758KB

MD5
147f66a4ab5d877e9cd347e9c16fcd72

SHA1
37e9024c5d64d51d01a1b1c9b3f1b5758693cedb

SHA256
a706c1d0d748f3847de78ea63f7b3b6a6336f5750c84241e6b7fd0d45cd43765

SHA512
20ccb69ce1ced51fec5b87abfaa7418321700e28c2e8f23251564276662ba000479ea6d387f66e45325bae79fec078f5664b3ba925f90f1041213a097c783357

Download Submit
memory/1320-1-0x0000000000850000-0x00000000008E2000-memory.dmp

Filesize
584KB

Download
memory/1320-2-0x00000000021D0000-0x00000000022EB000-memory.dmp

Filesize
1.1MB

Download
memory/1320-7-0x0000000000850000-0x00000000008E2000-memory.dmp

Filesize
584KB

Download
memory/1320-0-0x0000000000850000-0x00000000008E2000-memory.dmp

Filesize
584KB

Download
memory/2044-8-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2044-27-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2044-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2044-5-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2044-9-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2044-28-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2608-30-0x00000000008C0000-0x0000000000952000-memory.dmp

Filesize
584KB

Download
memory/2608-31-0x00000000008C0000-0x0000000000952000-memory.dmp

Filesize
584KB

Download
memory/2744-37-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2744-36-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2744-50-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2744-52-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2744-56-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2744-58-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2744-59-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2744-60-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download