Overview

overview

10

Static

static

3

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    13s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231130-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231130-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/12/2023, 17:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    778KB

  • MD5

    3d3158bde3e31d3b7b9c1e1e2398ddd5

  • SHA1

    f1d1ff15a739eb1fc5460c3dff7b2ad78ca53788

  • SHA256

    347c3b434e770b38ce06819cad853f93cb139fb4304e40a78933d92f56749d12

  • SHA512

    5b7016ac1d24913b28447980e51f0a7ebd9cd6fe370772409f402c04ea009384656913527a1c3e63c215bcda19b63080c636c3516cd21ee1f477479081e94a7d

  • SSDEEP

    12288:U/2nq6Bx5H+0g3zSKAPIOLTGEuSzbgQX6D3V6YzN4188r6McBg7bO0RtrEhXM:UGqmeXSKnKRsc7CKjrABg766ri

Score
10/10
djvudiscoverypersistenceransomware

Malware Config

Extracted

Family

djvu

C2

http://zexeq.com/test2/get.php

Attributes
  • extension

    .nbwr

  • offline_id

    csCsb6cUvy0iMa6NgGCGH0hSfXQlGjZVEmFVkgt1

  • payload_url

  • ransomnote

    ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-8dGJ2tqlOd Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0833ASdw

rsa_pubkey.plain

Signatures

  • Detected Djvu ransomware 11 IoCs
  • Djvu Ransomware

    Ransomware which is a variant of the STOP family.

    ransomwaredjvu
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4700
    • C:\Users\Admin\AppData\Local\Temp\file.exe
      "C:\Users\Admin\AppData\Local\Temp\file.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3172
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Users\Admin\AppData\Local\71fc2f58-93ba-43e0-8500-5fd99ed4bf29" /deny *S-1-1-0:(OI)(CI)(DE,DC)
        3⤵
        • Modifies file permissions
        PID:4672
      • C:\Users\Admin\AppData\Local\Temp\file.exe
        "C:\Users\Admin\AppData\Local\Temp\file.exe" --Admin IsNotAutoStart IsNotTask
        3⤵
          PID:4444
          • C:\Users\Admin\AppData\Local\Temp\file.exe
            "C:\Users\Admin\AppData\Local\Temp\file.exe" --Admin IsNotAutoStart IsNotTask
            4⤵
              PID:1704

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\71fc2f58-93ba-43e0-8500-5fd99ed4bf29\file.exe
        Filesize

        778KB

        MD5

        3d3158bde3e31d3b7b9c1e1e2398ddd5

        SHA1

        f1d1ff15a739eb1fc5460c3dff7b2ad78ca53788

        SHA256

        347c3b434e770b38ce06819cad853f93cb139fb4304e40a78933d92f56749d12

        SHA512

        5b7016ac1d24913b28447980e51f0a7ebd9cd6fe370772409f402c04ea009384656913527a1c3e63c215bcda19b63080c636c3516cd21ee1f477479081e94a7d

        Download Submit

      • memory/1704-30-0x0000000000400000-0x0000000000537000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/1704-20-0x0000000000400000-0x0000000000537000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/1704-31-0x0000000000400000-0x0000000000537000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/1704-15-0x0000000000400000-0x0000000000537000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/1704-28-0x0000000000400000-0x0000000000537000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/1704-33-0x0000000000400000-0x0000000000537000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/1704-32-0x0000000000400000-0x0000000000537000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/1704-17-0x0000000000400000-0x0000000000537000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/1704-22-0x0000000000400000-0x0000000000537000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/1704-16-0x0000000000400000-0x0000000000537000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/1704-19-0x0000000000400000-0x0000000000537000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/3172-6-0x0000000000400000-0x0000000000537000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/3172-5-0x0000000000400000-0x0000000000537000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/3172-4-0x0000000000400000-0x0000000000537000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/3172-10-0x0000000000400000-0x0000000000537000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/3172-3-0x0000000000400000-0x0000000000537000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/4444-13-0x00000000027B0000-0x0000000002844000-memory.dmp

        Filesize

        592KB

        Download

      • memory/4700-2-0x0000000002A60000-0x0000000002B7B000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/4700-1-0x00000000029C0000-0x0000000002A57000-memory.dmp

        Filesize

        604KB

        Download