Analysis

  • max time kernel
    146s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    25/01/2024, 18:40

General

  • Target

    753a72923bbbcde52682c31fcc134124.exe

  • Size

    786KB

  • MD5

    753a72923bbbcde52682c31fcc134124

  • SHA1

    7a7a4ef36dc84994c250b32d03d8398c5116e091

  • SHA256

    25a605a5eb395c355f464bdec7a391985069ce226ce75675e0df281ccb98c7d5

  • SHA512

    303ae0cc51e7d41321c0f44ebcd0f5d8284cd16e79f3529102628cb99e637cea6a0aa4d2bf17bc8491ef2d62ceb8cd87ae3b2b87a8e6e6fc3bd64e564160075d

  • SSDEEP

    24576:HFlyvPt1Jo8yszpsy9k6I5q55DUsdBPA:l4vPt1K8yksyeqBI

Malware Config

Extracted

Family

djvu

C2

http://astdg.top/nddddhsspen6/get.php

Attributes
  • extension

    .moqs

  • offline_id

    CatwRkqdYh2Jomn6DqwFoGgcSbDsle1xlE1NPtt1

  • payload_url

    http://securebiz.org/dl/build2.exe

  • ransomnote

    ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-N3p42CffoV Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0318ewgfDd

rsa_pubkey.plain

Signatures

  • Detected Djvu ransomware 15 IoCs
  • Djvu Ransomware

    Ransomware which is a variant of the STOP family.

  • Modifies file permissions 1 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe
    "C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1308
    • C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe
      "C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2848
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Users\Admin\AppData\Local\c836a456-77bf-4228-be4d-8ab3517ba2c4" /deny *S-1-1-0:(OI)(CI)(DE,DC)
        3⤵
        • Modifies file permissions
        PID:2808
      • C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe
        "C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe" --Admin IsNotAutoStart IsNotTask
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2780
        • C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe
          "C:\Users\Admin\AppData\Local\Temp\753a72923bbbcde52682c31fcc134124.exe" --Admin IsNotAutoStart IsNotTask
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:2092

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

          Filesize

          1KB

          MD5

          d00cc6d25614c515b6e2d64d90033d15

          SHA1

          449ca823652db2a579cbd6b06284ff061147f6ba

          SHA256

          ab0d18e7b28375f2cc703c9b7c899fb9ea9429783709f358a47e42fe850ed53d

          SHA512

          80e6454003cd85122a068c3353defe50ddb97ece70204ebd7c7172093df1ac506e4f023e4b991b4673407ed619d4932439675ba6893d0436ecc927d54f3c9f96

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

          Filesize

          724B

          MD5

          8202a1cd02e7d69597995cabbe881a12

          SHA1

          8858d9d934b7aa9330ee73de6c476acf19929ff6

          SHA256

          58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

          SHA512

          97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

          Filesize

          410B

          MD5

          678800a3e57bf8e58c6c0029c6eb59a4

          SHA1

          915c2153065cb020bca51bc728d2adb669edfd4f

          SHA256

          fb408821fe73f1922f999ed728af154b47259b5e2fdd8242ac12db54d23294f0

          SHA512

          19da85e00c19a27b88e9ba62af645d0c50a81ab542edbf11c74863ebdd39c9b75bb983967d3a412aa32df4b82206041260b5a867bfe77e498bd480d8d56ebea1

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          344B

          MD5

          904382f280cc9726bb2de9689bc102dc

          SHA1

          50f334269a02ac100a0f5bdc4026cbdece181208

          SHA256

          04414f5dd6ae8130ece8b6ef8db7c61fb1a9adace42965c922dc2eb479646c8d

          SHA512

          9bbd076b4792a2738504913e4d1f0a1915b975474e0e9726380222792618932c1bfdd494f09791a2569a2e493d748ff080292da175debe64b1eb67942f36f9c6

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

          Filesize

          392B

          MD5

          73a64388fdce3ed14d962171d115ecfc

          SHA1

          f6492dc95aac06984082b99862e26a23f2cea006

          SHA256

          4a601877f3aef0a40468c3ce5a84cac1f4f0afdf32c89d5530420bcc283c705a

          SHA512

          27d18ee1d139e04b43c92db20c6fef5d7a9fe7b602432472d7313e3367df48a987c1fddec9cd46eee30ce097968e83cf280fd0d4b5f3ab2f7736004bdd2a342e

        • C:\Users\Admin\AppData\Local\Temp\Cab780D.tmp

          Filesize

          64KB

          MD5

          d71dff97ca86ca16c3db8bdb5285fb35

          SHA1

          271c01246897497d069b81ed37af296cf6c1e498

          SHA256

          4a19255504acfbd49c4e1aed722c7e62b50b5742b860eedabc5f46160f8aefac

          SHA512

          1fed2a183296b563e35d803927e539d28169895f6ca5b522a1c714f222a2d3e578b1e167b19568b5ad4800b898f7ac041c7bd8f6bb02d1361b32cbdcfb0f682a

        • C:\Users\Admin\AppData\Local\c836a456-77bf-4228-be4d-8ab3517ba2c4\753a72923bbbcde52682c31fcc134124.exe

          Filesize

          786KB

          MD5

          753a72923bbbcde52682c31fcc134124

          SHA1

          7a7a4ef36dc84994c250b32d03d8398c5116e091

          SHA256

          25a605a5eb395c355f464bdec7a391985069ce226ce75675e0df281ccb98c7d5

          SHA512

          303ae0cc51e7d41321c0f44ebcd0f5d8284cd16e79f3529102628cb99e637cea6a0aa4d2bf17bc8491ef2d62ceb8cd87ae3b2b87a8e6e6fc3bd64e564160075d

        • memory/1308-0-0x0000000000220000-0x00000000002B1000-memory.dmp

          Filesize

          580KB

        • memory/1308-2-0x0000000000220000-0x00000000002B1000-memory.dmp

          Filesize

          580KB

        • memory/1308-4-0x0000000002180000-0x000000000229B000-memory.dmp

          Filesize

          1.1MB

        • memory/2092-35-0x0000000000400000-0x0000000000537000-memory.dmp

          Filesize

          1.2MB

        • memory/2092-56-0x0000000000400000-0x0000000000537000-memory.dmp

          Filesize

          1.2MB

        • memory/2092-58-0x0000000000400000-0x0000000000537000-memory.dmp

          Filesize

          1.2MB

        • memory/2092-57-0x0000000000400000-0x0000000000537000-memory.dmp

          Filesize

          1.2MB

        • memory/2092-55-0x0000000000400000-0x0000000000537000-memory.dmp

          Filesize

          1.2MB

        • memory/2092-34-0x0000000000400000-0x0000000000537000-memory.dmp

          Filesize

          1.2MB

        • memory/2092-53-0x0000000000400000-0x0000000000537000-memory.dmp

          Filesize

          1.2MB

        • memory/2092-50-0x0000000000400000-0x0000000000537000-memory.dmp

          Filesize

          1.2MB

        • memory/2092-48-0x0000000000400000-0x0000000000537000-memory.dmp

          Filesize

          1.2MB

        • memory/2092-49-0x0000000000400000-0x0000000000537000-memory.dmp

          Filesize

          1.2MB

        • memory/2780-28-0x00000000020C0000-0x0000000002151000-memory.dmp

          Filesize

          580KB

        • memory/2780-29-0x00000000020C0000-0x0000000002151000-memory.dmp

          Filesize

          580KB

        • memory/2848-5-0x0000000000400000-0x0000000000537000-memory.dmp

          Filesize

          1.2MB

        • memory/2848-1-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

          Filesize

          4KB

        • memory/2848-7-0x0000000000400000-0x0000000000537000-memory.dmp

          Filesize

          1.2MB

        • memory/2848-8-0x0000000000400000-0x0000000000537000-memory.dmp

          Filesize

          1.2MB

        • memory/2848-26-0x0000000000400000-0x0000000000537000-memory.dmp

          Filesize

          1.2MB