Analysis

max time kernel: 146s
max time network: 120s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 25/01/2024, 18:40
Static task: static1

Behavioral task: behavioral1
  Sample: 753a72923bbbcde52682c31fcc134124.exe
  Resource: win7-20231215-en

Behavioral task: behavioral2
  Sample: 753a72923bbbcde52682c31fcc134124.exe
  Resource: win10v2004-20231222-en
General

Target: 753a72923bbbcde52682c31fcc134124.exe
Size: 786KB
MD5: 753a72923bbbcde52682c31fcc134124
SHA1: 7a7a4ef36dc84994c250b32d03d8398c5116e091
SHA256: 25a605a5eb395c355f464bdec7a391985069ce226ce75675e0df281ccb98c7d5
SHA512: 303ae0cc51e7d41321c0f44ebcd0f5d8284cd16e79f3529102628cb99e637cea6a0aa4d2bf17bc8491ef2d62ceb8cd87ae3b2b87a8e6e6fc3bd64e564160075d
SSDEEP: 24576:HFlyvPt1Jo8yszpsy9k6I5q55DUsdBPA:l4vPt1K8yksyeqBI
Malware Config

Extracted: djvu
  http://astdg.top/nddddhsspen6/get.php
  extension: .moqs
  offline_id: CatwRkqdYh2Jomn6DqwFoGgcSbDsle1xlE1NPtt1
  payload_url: http://securebiz.org/dl/build2.exe
  ransomnote:
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-N3p42CffoV Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0318ewgfDd
Signatures

Detected Djvu ransomware (15 IoCs)
  resource | yara_rule
  behavioral1/memory/2848-5-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
  behavioral1/memory/1308-4-0x0000000002180000-0x000000000229B000-memory.dmp | family_djvu
  behavioral1/memory/2848-7-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
  behavioral1/memory/2848-8-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
  behavioral1/memory/2848-26-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
  behavioral1/memory/2092-34-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
  behavioral1/memory/2092-35-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
  behavioral1/memory/2092-49-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
  behavioral1/memory/2092-48-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
  behavioral1/memory/2092-50-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
  behavioral1/memory/2092-53-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
  behavioral1/memory/2092-56-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
  behavioral1/memory/2092-55-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
  behavioral1/memory/2092-57-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
  behavioral1/memory/2092-58-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu

Djvu Ransomware
  Ransomware which is a variant of the STOP family.
Modifies file permissions (1 TTPs, 1 IoCs)
  pid | Process
  2808 | icacls.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\c836a456-77bf-4228-be4d-8ab3517ba2c4\\753a72923bbbcde52682c31fcc134124.exe\" --AutoStart" | 753a72923bbbcde52682c31fcc134124.exe
Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  3 | api.2ip.ua
  4 | api.2ip.ua
  9 | api.2ip.ua
Suspicious use of SetThreadContext (2 IoCs)
  description | pid | Process | procid_target
  PID 1308 set thread context of 2848 | 1308 | 753a72923bbbcde52682c31fcc134124.exe | 28
  PID 2780 set thread context of 2092 | 2780 | 753a72923bbbcde52682c31fcc134124.exe | 31

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  2848 | 753a72923bbbcde52682c31fcc134124.exe
  2092 | 753a72923bbbcde52682c31fcc134124.exe

Suspicious use of WriteProcessMemory (30 IoCs)
  description | pid | Process | procid_target
  PID 1308 wrote to memory of 2848 | 1308 | 753a72923bbbcde52682c31fcc134124.exe | 28 (11 identical entries)
  PID 2848 wrote to memory of 2808 | 2848 | 753a72923bbbcde52682c31fcc134124.exe | 29 (4 identical entries)
  PID 2848 wrote to memory of 2780 | 2848 | 753a72923bbbcde52682c31fcc134124.exe | 30 (4 identical entries)
  PID 2780 wrote to memory of 2092 | 2780 | 753a72923bbbcde52682c31fcc134124.exe | 31 (11 identical entries)
Processes (process tree; indentation shows parent/child relationship)

C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe (PID 1308)
  Command line: "C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe (PID 2848)
    Command line: "C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe"
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\icacls.exe (PID 2808)
      Command line: icacls "C:\Users\Admin\AppData\Local\c836a456-77bf-4228-be4d-8ab3517ba2c4" /deny *S-1-1-0:(OI)(CI)(DE,DC)
      - Modifies file permissions

    C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe (PID 2780)
      Command line: "C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe" --Admin IsNotAutoStart IsNotTask
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe (PID 2092)
        Command line: "C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe" --Admin IsNotAutoStart IsNotTask
        - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
  Filesize: 1KB
  MD5: d00cc6d25614c515b6e2d64d90033d15
  SHA1: 449ca823652db2a579cbd6b06284ff061147f6ba
  SHA256: ab0d18e7b28375f2cc703c9b7c899fb9ea9429783709f358a47e42fe850ed53d
  SHA512: 80e6454003cd85122a068c3353defe50ddb97ece70204ebd7c7172093df1ac506e4f023e4b991b4673407ed619d4932439675ba6893d0436ecc927d54f3c9f96

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
  Filesize: 724B
  MD5: 8202a1cd02e7d69597995cabbe881a12
  SHA1: 8858d9d934b7aa9330ee73de6c476acf19929ff6
  SHA256: 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
  SHA512: 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
  Filesize: 410B
  MD5: 678800a3e57bf8e58c6c0029c6eb59a4
  SHA1: 915c2153065cb020bca51bc728d2adb669edfd4f
  SHA256: fb408821fe73f1922f999ed728af154b47259b5e2fdd8242ac12db54d23294f0
  SHA512: 19da85e00c19a27b88e9ba62af645d0c50a81ab542edbf11c74863ebdd39c9b75bb983967d3a412aa32df4b82206041260b5a867bfe77e498bd480d8d56ebea1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 904382f280cc9726bb2de9689bc102dc
  SHA1: 50f334269a02ac100a0f5bdc4026cbdece181208
  SHA256: 04414f5dd6ae8130ece8b6ef8db7c61fb1a9adace42965c922dc2eb479646c8d
  SHA512: 9bbd076b4792a2738504913e4d1f0a1915b975474e0e9726380222792618932c1bfdd494f09791a2569a2e493d748ff080292da175debe64b1eb67942f36f9c6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
  Filesize: 392B
  MD5: 73a64388fdce3ed14d962171d115ecfc
  SHA1: f6492dc95aac06984082b99862e26a23f2cea006
  SHA256: 4a601877f3aef0a40468c3ce5a84cac1f4f0afdf32c89d5530420bcc283c705a
  SHA512: 27d18ee1d139e04b43c92db20c6fef5d7a9fe7b602432472d7313e3367df48a987c1fddec9cd46eee30ce097968e83cf280fd0d4b5f3ab2f7736004bdd2a342e

  Filesize: 64KB
  MD5: d71dff97ca86ca16c3db8bdb5285fb35
  SHA1: 271c01246897497d069b81ed37af296cf6c1e498
  SHA256: 4a19255504acfbd49c4e1aed722c7e62b50b5742b860eedabc5f46160f8aefac
  SHA512: 1fed2a183296b563e35d803927e539d28169895f6ca5b522a1c714f222a2d3e578b1e167b19568b5ad4800b898f7ac041c7bd8f6bb02d1361b32cbdcfb0f682a

C:\Users\Admin\AppData\Local\c836a456-77bf-4228-be4d-8ab3517ba2c4\753a72923bbbcde52682c31fcc134124.exe
  Filesize: 786KB
  MD5: 753a72923bbbcde52682c31fcc134124
  SHA1: 7a7a4ef36dc84994c250b32d03d8398c5116e091
  SHA256: 25a605a5eb395c355f464bdec7a391985069ce226ce75675e0df281ccb98c7d5
  SHA512: 303ae0cc51e7d41321c0f44ebcd0f5d8284cd16e79f3529102628cb99e637cea6a0aa4d2bf17bc8491ef2d62ceb8cd87ae3b2b87a8e6e6fc3bd64e564160075d