Analysis
max time kernel: 294s
max time network: 152s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 15/01/2024, 05:00
Static task: static1
Behavioral task: behavioral1
  Sample: fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe
  Resource: win10-20231215-en
General
Target: fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe
Size: 832KB
MD5: 7e0c3507ccd7fa02823e5158f26b9fea
SHA1: 308ce97fd7585c6623346a5c5623c5b441f79b62
SHA256: fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581
SHA512: 80f90eb5451c0d79f13d7db44683bcb349b0daa604b8ee280833d84acd1f99e3b17dde3ff68617c48fe2032040bba2fefff0e3c69b540542fc9600da7d3f894c
SSDEEP: 12288:zBOvaA3lBcw8byxsNCESC58EFt7laSdyf6jiwGbF8lpKeAJMOib4MJ:QH36vAS53lh0yjitJ3eAJ/iMO
Malware Config
Extracted
Family: djvu
C2: http://zexeq.com/test1/get.php
extension: .cdwe
offline_id: dSwr1XNNi5cIitB5eDPbMANcusB1dWGDB8ToUnt1
payload_url: http://brusuax.com/dl/build2.exe
payload_url: http://zexeq.com/files/1/build3.exe
ransomnote: ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-e21iz7dS58 Price of private key and decrypt software is $1999. Discount 50% available if you contact us first 72 hours, that's price for you is $999. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0842ASdw
Signatures

Detected Djvu ransomware (14 IoCs)
  resource | yara_rule
  behavioral1/memory/1992-8-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
  behavioral1/memory/1992-7-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
  behavioral1/memory/1888-6-0x0000000001DA0000-0x0000000001EBB000-memory.dmp | family_djvu
  behavioral1/memory/1992-3-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
  behavioral1/memory/1992-26-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
  behavioral1/memory/2724-36-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
  behavioral1/memory/2724-35-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
  behavioral1/memory/2724-50-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
  behavioral1/memory/2724-49-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
  behavioral1/memory/2724-51-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
  behavioral1/memory/2724-57-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
  behavioral1/memory/2724-56-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
  behavioral1/memory/2724-54-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
  behavioral1/memory/2724-58-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
Djvu Ransomware
  Ransomware which is a variant of the STOP family.
Modifies file permissions (1 TTPs, 1 IoCs)
  pid | Process
  2676 | icacls.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\b54d97d1-676a-4426-92a6-fafb184e0c36\\fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe\" --AutoStart" | fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe
Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  3 | api.2ip.ua
  4 | api.2ip.ua
  9 | api.2ip.ua
Suspicious use of SetThreadContext (2 IoCs)
  description | pid | Process | procid_target
  PID 1888 set thread context of 1992 | 1888 | fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe | 19
  PID 2784 set thread context of 2724 | 2784 | fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe | 30
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | Process
  1992 | fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe
  1992 | fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe
  2724 | fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe
  2724 | fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe
Suspicious use of WriteProcessMemory (30 IoCs)
  description | pid | Process | procid_target
  PID 1888 wrote to memory of 1992 | 1888 | fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe | 19
  PID 1888 wrote to memory of 1992 | 1888 | fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe | 19
  PID 1888 wrote to memory of 1992 | 1888 | fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe | 19
  PID 1888 wrote to memory of 1992 | 1888 | fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe | 19
  PID 1888 wrote to memory of 1992 | 1888 | fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe | 19
  PID 1888 wrote to memory of 1992 | 1888 | fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe | 19
  PID 1888 wrote to memory of 1992 | 1888 | fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe | 19
  PID 1888 wrote to memory of 1992 | 1888 | fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe | 19
  PID 1888 wrote to memory of 1992 | 1888 | fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe | 19
  PID 1888 wrote to memory of 1992 | 1888 | fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe | 19
  PID 1888 wrote to memory of 1992 | 1888 | fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe | 19
  PID 1992 wrote to memory of 2676 | 1992 | fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe | 28
  PID 1992 wrote to memory of 2676 | 1992 | fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe | 28
  PID 1992 wrote to memory of 2676 | 1992 | fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe | 28
  PID 1992 wrote to memory of 2676 | 1992 | fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe | 28
  PID 1992 wrote to memory of 2784 | 1992 | fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe | 29
  PID 1992 wrote to memory of 2784 | 1992 | fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe | 29
  PID 1992 wrote to memory of 2784 | 1992 | fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe | 29
  PID 1992 wrote to memory of 2784 | 1992 | fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe | 29
  PID 2784 wrote to memory of 2724 | 2784 | fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe | 30
  PID 2784 wrote to memory of 2724 | 2784 | fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe | 30
  PID 2784 wrote to memory of 2724 | 2784 | fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe | 30
  PID 2784 wrote to memory of 2724 | 2784 | fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe | 30
  PID 2784 wrote to memory of 2724 | 2784 | fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe | 30
  PID 2784 wrote to memory of 2724 | 2784 | fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe | 30
  PID 2784 wrote to memory of 2724 | 2784 | fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe | 30
  PID 2784 wrote to memory of 2724 | 2784 | fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe | 30
  PID 2784 wrote to memory of 2724 | 2784 | fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe | 30
  PID 2784 wrote to memory of 2724 | 2784 | fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe | 30
  PID 2784 wrote to memory of 2724 | 2784 | fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe | 30
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe"
  PID: 1888
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Users\Admin\AppData\Local\Temp\fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe"
    PID: 1992
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\SysWOW64\icacls.exe
      Command line: icacls "C:\Users\Admin\AppData\Local\b54d97d1-676a-4426-92a6-fafb184e0c36" /deny *S-1-1-0:(OI)(CI)(DE,DC)
      PID: 2676
      - Modifies file permissions

    Level 3: C:\Users\Admin\AppData\Local\Temp\fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe" --Admin IsNotAutoStart IsNotTask
      PID: 2784
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      Level 4: C:\Users\Admin\AppData\Local\Temp\fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe" --Admin IsNotAutoStart IsNotTask
        PID: 2724
        - Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK Enterprise v15
Downloads