Overview

overview

10

Static

static

3

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20231020-en
  • resource tags

    arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
  • submitted
    23/11/2023, 14:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    785KB

  • MD5

    4ed704febaafefe33af1d3b4b994ec46

  • SHA1

    488b034dbdda0197f0fa95ebfbb3eb9ff9652ecb

  • SHA256

    7a73364757e45002142e0cd2ae8a5541caf371027239afadae565e852f0bb026

  • SHA512

    120c180bfcd2072613bf6bfb285468b6e7c887fab3ad81b7fd5b2a98303cd4c7186cee931f22861a2e81f854622a93a4e64ed69f15dfaf4a8db8f781929b4f82

  • SSDEEP

    12288:MNGs/DUwn7d56lXCxOI5BzH4aBvBCwLuSdP2mkI/8fRKg5cDrDI0:WJnx2XsBjX4wLv3khQgaDrDI0

Score
10/10
djvudiscoverypersistenceransomware

Malware Config

Extracted

Family

djvu

C2

http://zexeq.com/test2/get.php

Attributes
  • extension

    .gyza

  • offline_id

    nN1rRlTxKTPo66pmJEAHwufZ2Dhz4MsNxIlOk6t1

  • payload_url

  • ransomnote

    ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-CDZ4hMgp2X Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0828ASdw

rsa_pubkey.plain

Signatures

  • Detected Djvu ransomware 14 IoCs
  • Djvu Ransomware

    Ransomware which is a variant of the STOP family.

    ransomwaredjvu
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2968
    • C:\Users\Admin\AppData\Local\Temp\file.exe
      "C:\Users\Admin\AppData\Local\Temp\file.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2192
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Users\Admin\AppData\Local\dcec5419-edc5-46b2-8f2a-0909620862d0" /deny *S-1-1-0:(OI)(CI)(DE,DC)
        3⤵
        • Modifies file permissions
        PID:2780
      • C:\Users\Admin\AppData\Local\Temp\file.exe
        "C:\Users\Admin\AppData\Local\Temp\file.exe" --Admin IsNotAutoStart IsNotTask
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2872
        • C:\Users\Admin\AppData\Local\Temp\file.exe
          "C:\Users\Admin\AppData\Local\Temp\file.exe" --Admin IsNotAutoStart IsNotTask
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:2528

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
    Filesize

    1KB

    MD5

    36728e1925c0a1928fa3ea5c40325e29

    SHA1

    f0543c10ff3acda3ce66173b568192d2a1ffa5dd

    SHA256

    489f417a4d7b3ca1858467653ad369ca66fd2b5ba54838d6d9f588bfb693e4b9

    SHA512

    dcc673c754bdfc8377af1d90131318682d05267c62b5a4d9ca0dcc8f8b21ce2666967f88e3027f46ada012bbc671372d97527c813e6dcd5f242322d5ed036a0a

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
    Filesize

    724B

    MD5

    8202a1cd02e7d69597995cabbe881a12

    SHA1

    8858d9d934b7aa9330ee73de6c476acf19929ff6

    SHA256

    58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

    SHA512

    97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
    Filesize

    410B

    MD5

    79c7775490431d4107d08a1ce4352cbe

    SHA1

    c8a4eef239bcbaa838cea1986d941ba9492295cb

    SHA256

    93b5b962ee7f98f6354fc72e04d7fb35246826529d33d83385b80b05d87dc94e

    SHA512

    44dfc9c980809513d9f136cb325dd38bb012066ca3594896c0baf55c06efd645b8794edf9afde451b16393c3ca3af84521aeba305d1f8f84e1cff882b454df5e

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    e1468bcc5f3d327c689ad2c368be340b

    SHA1

    a258d8356496e9883fd9d5937c9e9df15bfb37d0

    SHA256

    4bb42e5b6b1173b0bfdc68c0841dc41f56c096740eb93984b560bd5fb49974aa

    SHA512

    7861bdf8cb0b0f071cb56501824a29a43e72618355bd5725d0300a41d24a3f4d631139d12db8a8abc6221c52858761740c3d7dfe5a39a85d0475001fd7375d06

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
    Filesize

    392B

    MD5

    c8b96c1cd5d6d883e40ed5151f649669

    SHA1

    e8877a1b9bb5f3b0ecbeb5cc79e486c09d6b0dfe

    SHA256

    b3c6d37d342e537f431eea6657d46da7eddfcd490fa383f8908edd9a091d4ffd

    SHA512

    879d4ef4943e1367378a7e021ea944815460c6f52441f03b47199c63eb2e49cdb5440480f45f4017d98ac2daaa8b2ad9dadf28e441fb8ea4977f08cc179b2116

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Cab80E3.tmp
    Filesize

    61KB

    MD5

    f3441b8572aae8801c04f3060b550443

    SHA1

    4ef0a35436125d6821831ef36c28ffaf196cda15

    SHA256

    6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

    SHA512

    5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

    Download Submit

  • C:\Users\Admin\AppData\Local\dcec5419-edc5-46b2-8f2a-0909620862d0\file.exe
    Filesize

    785KB

    MD5

    4ed704febaafefe33af1d3b4b994ec46

    SHA1

    488b034dbdda0197f0fa95ebfbb3eb9ff9652ecb

    SHA256

    7a73364757e45002142e0cd2ae8a5541caf371027239afadae565e852f0bb026

    SHA512

    120c180bfcd2072613bf6bfb285468b6e7c887fab3ad81b7fd5b2a98303cd4c7186cee931f22861a2e81f854622a93a4e64ed69f15dfaf4a8db8f781929b4f82

    Download Submit

  • memory/2192-8-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2192-26-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2192-5-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2192-2-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2192-7-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2528-35-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2528-56-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2528-34-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2528-59-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2528-58-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2528-57-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2528-54-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2528-50-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2528-48-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2872-28-0x0000000000220000-0x00000000002B2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/2872-29-0x0000000000220000-0x00000000002B2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/2968-1-0x00000000002D0000-0x0000000000362000-memory.dmp

    Filesize

    584KB

    Download

  • memory/2968-0-0x00000000002D0000-0x0000000000362000-memory.dmp

    Filesize

    584KB

    Download

  • memory/2968-3-0x00000000009F0000-0x0000000000B0B000-memory.dmp

    Filesize

    1.1MB

    Download