djvu | 56529b359e4c4695a3e290752d61c59ad3327a16574da95ca69a214552241a63

Analysis

max time kernel
141s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/01/2024, 08:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

749KB
MD5

87ba288f14fbf826d4cf061d9f8e72ed
SHA1

ec1f877e40b5e8917953e54eb51834a15335aa6e
SHA256

56529b359e4c4695a3e290752d61c59ad3327a16574da95ca69a214552241a63
SHA512

200457f3c9f1120c6c97df354d7e9898e0a3dfecb6fb771985f9e28adaab29841e03e37e1100b759ae7baf89072859082aa3ddc340a8501396426441f8391f95
SSDEEP

12288:lL++FQkxaH3tr2VBEMuw6mQVSql6SoP0bSJg5J8m5ubKrD4Akb5i2yj5+:U+FQkxI2E5oPI0Kp5ubKX4S+

Score

10^/10

djvu discovery persistence ransomware

Malware Config

Extracted

Family

djvu

http://habrafa.com/test2/get.php

Attributes

extension
.cdxx
offline_id
LBxKKiegnAy53rpqH3Pj2j46vwldiEt9kqHSuMt1
payload_url
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-iVcrVFVRqu Price of private key and decrypt software is $1999. Discount 50% available if you contact us first 72 hours, that's price for you is $999. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0847ASdw

rsa_pubkey.plain

Signatures

Detected Djvu ransomware 12 IoCs

resource	yara_rule
behavioral1/memory/1944-1-0x0000000002EA0000-0x0000000002FBB000-memory.dmp	family_djvu
behavioral1/memory/1976-3-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1976-5-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1976-6-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1976-24-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2836-31-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2836-44-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2836-46-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2836-50-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2836-52-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2836-53-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2836-54-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2656	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\3816547c-c290-4ce9-95dd-2ab46e2022fa\\file.exe\" --AutoStart"	file.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	api.2ip.ua
4	api.2ip.ua
9	api.2ip.ua

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1944 set thread context of 1976	1944	file.exe	28
PID 2564 set thread context of 2836	2564	file.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1976	file.exe
2836	file.exe
2836	file.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1944 wrote to memory of 1976	1944	file.exe	28
PID 1944 wrote to memory of 1976	1944	file.exe	28
PID 1944 wrote to memory of 1976	1944	file.exe	28
PID 1944 wrote to memory of 1976	1944	file.exe	28
PID 1944 wrote to memory of 1976	1944	file.exe	28
PID 1944 wrote to memory of 1976	1944	file.exe	28
PID 1944 wrote to memory of 1976	1944	file.exe	28
PID 1944 wrote to memory of 1976	1944	file.exe	28
PID 1944 wrote to memory of 1976	1944	file.exe	28
PID 1944 wrote to memory of 1976	1944	file.exe	28
PID 1944 wrote to memory of 1976	1944	file.exe	28
PID 1976 wrote to memory of 2656	1976	file.exe	29
PID 1976 wrote to memory of 2656	1976	file.exe	29
PID 1976 wrote to memory of 2656	1976	file.exe	29
PID 1976 wrote to memory of 2656	1976	file.exe	29
PID 1976 wrote to memory of 2564	1976	file.exe	31
PID 1976 wrote to memory of 2564	1976	file.exe	31
PID 1976 wrote to memory of 2564	1976	file.exe	31
PID 1976 wrote to memory of 2564	1976	file.exe	31
PID 2564 wrote to memory of 2836	2564	file.exe	30
PID 2564 wrote to memory of 2836	2564	file.exe	30
PID 2564 wrote to memory of 2836	2564	file.exe	30
PID 2564 wrote to memory of 2836	2564	file.exe	30
PID 2564 wrote to memory of 2836	2564	file.exe	30
PID 2564 wrote to memory of 2836	2564	file.exe	30
PID 2564 wrote to memory of 2836	2564	file.exe	30
PID 2564 wrote to memory of 2836	2564	file.exe	30
PID 2564 wrote to memory of 2836	2564	file.exe	30
PID 2564 wrote to memory of 2836	2564	file.exe	30
PID 2564 wrote to memory of 2836	2564	file.exe	30

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1944
- C:\Users\Admin\AppData\Local\Temp\file.exe
  "C:\Users\Admin\AppData\Local\Temp\file.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\3816547c-c290-4ce9-95dd-2ab46e2022fa" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:2656
- - C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2564

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe" --Admin IsNotAutoStart IsNotTask
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
73ce21ff1fb2989f6350ace9274ae9b5

SHA1
7db6c387eb8351f3e8e361d10224711c3477821e

SHA256
d7005273bab949c42fcc73eac7820c4c5f08df1e9095020cdb0e17fc9e282d50

SHA512
a43767a55a559a8bf51d5dcb9bc378167f63e15f571b6be35903048570d036fed2a3f6a37c91f469ee9808d245cdd875b9dad38556e6bf97258a82c7071aeab3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
8b71b08458d4711bd5095522149daed6

SHA1
47b0b9b28758dcc0cd6ec17c09dd8b0cf02c237b

SHA256
398458a1b47587cb2acd1438c57ceda8e91ed410f2849d98b4b60cbd2bc7b185

SHA512
8a8b338a84aed77cdf7876c50903ae2ac85bc8999a6b4b02b20735801ee1bebd3ed7c93697ed99ee125890c5471428aaaceab5a8b8d71031972bd95d9ecb9355

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5249dcb223df551f0d103538cfb37cca

SHA1
5b5c121f010edd7eaf55c0d4cbc7d6fc037663f4

SHA256
3a6409f74a6311a0769e5622d99f86547891891e896f9a4c5e904a735e813081

SHA512
8078210aadcd1120c89aa325a252a45cdab745f2eda0fd91ce8a9efd22fd2aaac516bcd2d6adbaa9fd91b9471be2c0f5206020d0f94c1113dde93290fb5a8b6b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
5de30e07670c0137b0477210ff768420

SHA1
48bc11a4c001d99ce3e07fee74115a93bcca4306

SHA256
04620098d25c2750e61a34791766c41fa1261cfeffa80e5654ebaac1d80ce2e4

SHA512
ba6d5ebe023415ebea5d3b7389a39b9d648f52a2d64ab8f8257858c27ab570a35aedb0fe25d1f1ee5c9319319413b2b73fdc0b53672c9a992e0f5df6c856c018

Download Submit
C:\Users\Admin\AppData\Local\3816547c-c290-4ce9-95dd-2ab46e2022fa\file.exe

Filesize
749KB

MD5
87ba288f14fbf826d4cf061d9f8e72ed

SHA1
ec1f877e40b5e8917953e54eb51834a15335aa6e

SHA256
56529b359e4c4695a3e290752d61c59ad3327a16574da95ca69a214552241a63

SHA512
200457f3c9f1120c6c97df354d7e9898e0a3dfecb6fb771985f9e28adaab29841e03e37e1100b759ae7baf89072859082aa3ddc340a8501396426441f8391f95

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab24FE.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
memory/1944-1-0x0000000002EA0000-0x0000000002FBB000-memory.dmp

Filesize
1.1MB

Download
memory/1976-6-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1976-24-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1976-5-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1976-3-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1976-0-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2836-31-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2836-44-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2836-46-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2836-50-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2836-52-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2836-53-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2836-54-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download