Analysis
-
max time kernel
86s -
max time network
131s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
26/01/2024, 08:54
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
file.exe
Resource
win10v2004-20231215-en
General
-
Target
file.exe
-
Size
749KB
-
MD5
87ba288f14fbf826d4cf061d9f8e72ed
-
SHA1
ec1f877e40b5e8917953e54eb51834a15335aa6e
-
SHA256
56529b359e4c4695a3e290752d61c59ad3327a16574da95ca69a214552241a63
-
SHA512
200457f3c9f1120c6c97df354d7e9898e0a3dfecb6fb771985f9e28adaab29841e03e37e1100b759ae7baf89072859082aa3ddc340a8501396426441f8391f95
-
SSDEEP
12288:lL++FQkxaH3tr2VBEMuw6mQVSql6SoP0bSJg5J8m5ubKrD4Akb5i2yj5+:U+FQkxI2E5oPI0Kp5ubKX4S+
Malware Config
Extracted
djvu
http://habrafa.com/test2/get.php
-
extension
.cdxx
-
offline_id
LBxKKiegnAy53rpqH3Pj2j46vwldiEt9kqHSuMt1
- payload_url
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-iVcrVFVRqu Price of private key and decrypt software is $1999. Discount 50% available if you contact us first 72 hours, that's price for you is $999. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0847ASdw
Signatures
-
Detected Djvu ransomware 9 IoCs
resource yara_rule behavioral2/memory/1320-0-0x0000000004A40000-0x0000000004B5B000-memory.dmp family_djvu behavioral2/memory/1068-1-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/1068-2-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/1068-3-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/1068-4-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/1068-15-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/4720-18-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/4720-19-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/4720-21-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu -
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation file.exe -
Modifies file permissions 1 TTPs 1 IoCs
pid Process 2392 icacls.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\f0a74db3-6da6-44d6-b434-19346e459dc6\\file.exe\" --AutoStart" file.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 2 api.2ip.ua 1 api.2ip.ua -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 1320 set thread context of 1068 1320 file.exe 83 PID 8 set thread context of 4720 8 file.exe 90 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 4356 4720 WerFault.exe 90 -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1068 file.exe 1068 file.exe -
Suspicious use of WriteProcessMemory 26 IoCs
description pid Process procid_target PID 1320 wrote to memory of 1068 1320 file.exe 83 PID 1320 wrote to memory of 1068 1320 file.exe 83 PID 1320 wrote to memory of 1068 1320 file.exe 83 PID 1320 wrote to memory of 1068 1320 file.exe 83 PID 1320 wrote to memory of 1068 1320 file.exe 83 PID 1320 wrote to memory of 1068 1320 file.exe 83 PID 1320 wrote to memory of 1068 1320 file.exe 83 PID 1320 wrote to memory of 1068 1320 file.exe 83 PID 1320 wrote to memory of 1068 1320 file.exe 83 PID 1320 wrote to memory of 1068 1320 file.exe 83 PID 1068 wrote to memory of 2392 1068 file.exe 87 PID 1068 wrote to memory of 2392 1068 file.exe 87 PID 1068 wrote to memory of 2392 1068 file.exe 87 PID 1068 wrote to memory of 8 1068 file.exe 88 PID 1068 wrote to memory of 8 1068 file.exe 88 PID 1068 wrote to memory of 8 1068 file.exe 88 PID 8 wrote to memory of 4720 8 file.exe 90 PID 8 wrote to memory of 4720 8 file.exe 90 PID 8 wrote to memory of 4720 8 file.exe 90 PID 8 wrote to memory of 4720 8 file.exe 90 PID 8 wrote to memory of 4720 8 file.exe 90 PID 8 wrote to memory of 4720 8 file.exe 90 PID 8 wrote to memory of 4720 8 file.exe 90 PID 8 wrote to memory of 4720 8 file.exe 90 PID 8 wrote to memory of 4720 8 file.exe 90 PID 8 wrote to memory of 4720 8 file.exe 90
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1320 -
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"2⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1068 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\f0a74db3-6da6-44d6-b434-19346e459dc6" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
PID:2392
-
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe" --Admin IsNotAutoStart IsNotTask3⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:8 -
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe" --Admin IsNotAutoStart IsNotTask4⤵PID:4720
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 5685⤵
- Program crash
PID:4356
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4720 -ip 47201⤵PID:4236
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
749KB
MD587ba288f14fbf826d4cf061d9f8e72ed
SHA1ec1f877e40b5e8917953e54eb51834a15335aa6e
SHA25656529b359e4c4695a3e290752d61c59ad3327a16574da95ca69a214552241a63
SHA512200457f3c9f1120c6c97df354d7e9898e0a3dfecb6fb771985f9e28adaab29841e03e37e1100b759ae7baf89072859082aa3ddc340a8501396426441f8391f95