djvu | 7a73364757e45002142e0cd2ae8a5541caf371027239afadae565e852f0bb026

General

Target

file.exe
Size

785KB
MD5

4ed704febaafefe33af1d3b4b994ec46
SHA1

488b034dbdda0197f0fa95ebfbb3eb9ff9652ecb
SHA256

7a73364757e45002142e0cd2ae8a5541caf371027239afadae565e852f0bb026
SHA512

120c180bfcd2072613bf6bfb285468b6e7c887fab3ad81b7fd5b2a98303cd4c7186cee931f22861a2e81f854622a93a4e64ed69f15dfaf4a8db8f781929b4f82
SSDEEP

12288:MNGs/DUwn7d56lXCxOI5BzH4aBvBCwLuSdP2mkI/8fRKg5cDrDI0:WJnx2XsBjX4wLv3khQgaDrDI0

Score

10^/10

djvu discovery persistence ransomware

Malware Config

Extracted

Family

djvu

C2

http://zexeq.com/test2/get.php

Attributes

extension
.gyza
offline_id
nN1rRlTxKTPo66pmJEAHwufZ2Dhz4MsNxIlOk6t1
payload_url
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-CDZ4hMgp2X Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0828ASdw

rsa_pubkey.plain

Signatures

Detected Djvu ransomware 9 IoCs

resource	yara_rule
behavioral2/memory/1756-2-0x0000000002720000-0x000000000283B000-memory.dmp	family_djvu
behavioral2/memory/2012-3-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2012-4-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2012-5-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2012-6-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2012-15-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2596-20-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2596-21-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2596-23-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	file.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3004	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\41d802c6-4751-4f3c-a8bb-a3ef91071569\\file.exe\" --AutoStart"	file.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	api.2ip.ua
15	api.2ip.ua

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1756 set thread context of 2012	1756	file.exe	86
PID 3716 set thread context of 2596	3716	file.exe	95

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4380	2596	WerFault.exe	95

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2012	file.exe
2012	file.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1756 wrote to memory of 2012	1756	file.exe	86
PID 1756 wrote to memory of 2012	1756	file.exe	86
PID 1756 wrote to memory of 2012	1756	file.exe	86
PID 1756 wrote to memory of 2012	1756	file.exe	86
PID 1756 wrote to memory of 2012	1756	file.exe	86
PID 1756 wrote to memory of 2012	1756	file.exe	86
PID 1756 wrote to memory of 2012	1756	file.exe	86
PID 1756 wrote to memory of 2012	1756	file.exe	86
PID 1756 wrote to memory of 2012	1756	file.exe	86
PID 1756 wrote to memory of 2012	1756	file.exe	86
PID 2012 wrote to memory of 3004	2012	file.exe	87
PID 2012 wrote to memory of 3004	2012	file.exe	87
PID 2012 wrote to memory of 3004	2012	file.exe	87
PID 2012 wrote to memory of 3716	2012	file.exe	91
PID 2012 wrote to memory of 3716	2012	file.exe	91
PID 2012 wrote to memory of 3716	2012	file.exe	91
PID 3716 wrote to memory of 2596	3716	file.exe	95
PID 3716 wrote to memory of 2596	3716	file.exe	95
PID 3716 wrote to memory of 2596	3716	file.exe	95
PID 3716 wrote to memory of 2596	3716	file.exe	95
PID 3716 wrote to memory of 2596	3716	file.exe	95
PID 3716 wrote to memory of 2596	3716	file.exe	95
PID 3716 wrote to memory of 2596	3716	file.exe	95
PID 3716 wrote to memory of 2596	3716	file.exe	95
PID 3716 wrote to memory of 2596	3716	file.exe	95
PID 3716 wrote to memory of 2596	3716	file.exe	95

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1756
- C:\Users\Admin\AppData\Local\Temp\file.exe
  "C:\Users\Admin\AppData\Local\Temp\file.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\41d802c6-4751-4f3c-a8bb-a3ef91071569" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:3004
- - C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3716
  - - C:\Users\Admin\AppData\Local\Temp\file.exe
      "C:\Users\Admin\AppData\Local\Temp\file.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      PID:2596
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2596 -s 568
        5⤵
        Program crash
        
        PID:4380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 2596 -ip 2596
1⤵
PID:4524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

File and Directory Permissions Modification

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\41d802c6-4751-4f3c-a8bb-a3ef91071569\file.exe

Filesize
785KB

MD5
4ed704febaafefe33af1d3b4b994ec46

SHA1
488b034dbdda0197f0fa95ebfbb3eb9ff9652ecb

SHA256
7a73364757e45002142e0cd2ae8a5541caf371027239afadae565e852f0bb026

SHA512
120c180bfcd2072613bf6bfb285468b6e7c887fab3ad81b7fd5b2a98303cd4c7186cee931f22861a2e81f854622a93a4e64ed69f15dfaf4a8db8f781929b4f82

Download Submit
memory/1756-1-0x0000000002590000-0x0000000002627000-memory.dmp

Filesize
604KB

Download
memory/1756-2-0x0000000002720000-0x000000000283B000-memory.dmp

Filesize
1.1MB

Download
memory/2012-3-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2012-4-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2012-5-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2012-6-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2012-15-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2596-20-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2596-21-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2596-23-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3716-18-0x00000000024D0000-0x0000000002568000-memory.dmp

Filesize
608KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads