Analysis
-
max time kernel
141s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
26/01/2024, 08:55
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
file.exe
Resource
win10v2004-20231222-en
General
-
Target
file.exe
-
Size
749KB
-
MD5
87ba288f14fbf826d4cf061d9f8e72ed
-
SHA1
ec1f877e40b5e8917953e54eb51834a15335aa6e
-
SHA256
56529b359e4c4695a3e290752d61c59ad3327a16574da95ca69a214552241a63
-
SHA512
200457f3c9f1120c6c97df354d7e9898e0a3dfecb6fb771985f9e28adaab29841e03e37e1100b759ae7baf89072859082aa3ddc340a8501396426441f8391f95
-
SSDEEP
12288:lL++FQkxaH3tr2VBEMuw6mQVSql6SoP0bSJg5J8m5ubKrD4Akb5i2yj5+:U+FQkxI2E5oPI0Kp5ubKX4S+
Malware Config
Extracted
djvu
http://habrafa.com/test2/get.php
-
extension
.cdxx
-
offline_id
LBxKKiegnAy53rpqH3Pj2j46vwldiEt9kqHSuMt1
- payload_url
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-iVcrVFVRqu Price of private key and decrypt software is $1999. Discount 50% available if you contact us first 72 hours, that's price for you is $999. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0847ASdw
Signatures
-
Detected Djvu ransomware 12 IoCs
resource yara_rule behavioral1/memory/1944-1-0x0000000002EA0000-0x0000000002FBB000-memory.dmp family_djvu behavioral1/memory/1976-3-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/1976-5-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/1976-6-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/1976-24-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/2836-31-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/2836-44-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/2836-46-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/2836-50-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/2836-52-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/2836-53-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/2836-54-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu -
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Modifies file permissions 1 TTPs 1 IoCs
pid Process 2656 icacls.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\3816547c-c290-4ce9-95dd-2ab46e2022fa\\file.exe\" --AutoStart" file.exe -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 3 api.2ip.ua 4 api.2ip.ua 9 api.2ip.ua -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 1944 set thread context of 1976 1944 file.exe 28 PID 2564 set thread context of 2836 2564 file.exe 30 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 1976 file.exe 2836 file.exe 2836 file.exe -
Suspicious use of WriteProcessMemory 30 IoCs
description pid Process procid_target PID 1944 wrote to memory of 1976 1944 file.exe 28 PID 1944 wrote to memory of 1976 1944 file.exe 28 PID 1944 wrote to memory of 1976 1944 file.exe 28 PID 1944 wrote to memory of 1976 1944 file.exe 28 PID 1944 wrote to memory of 1976 1944 file.exe 28 PID 1944 wrote to memory of 1976 1944 file.exe 28 PID 1944 wrote to memory of 1976 1944 file.exe 28 PID 1944 wrote to memory of 1976 1944 file.exe 28 PID 1944 wrote to memory of 1976 1944 file.exe 28 PID 1944 wrote to memory of 1976 1944 file.exe 28 PID 1944 wrote to memory of 1976 1944 file.exe 28 PID 1976 wrote to memory of 2656 1976 file.exe 29 PID 1976 wrote to memory of 2656 1976 file.exe 29 PID 1976 wrote to memory of 2656 1976 file.exe 29 PID 1976 wrote to memory of 2656 1976 file.exe 29 PID 1976 wrote to memory of 2564 1976 file.exe 31 PID 1976 wrote to memory of 2564 1976 file.exe 31 PID 1976 wrote to memory of 2564 1976 file.exe 31 PID 1976 wrote to memory of 2564 1976 file.exe 31 PID 2564 wrote to memory of 2836 2564 file.exe 30 PID 2564 wrote to memory of 2836 2564 file.exe 30 PID 2564 wrote to memory of 2836 2564 file.exe 30 PID 2564 wrote to memory of 2836 2564 file.exe 30 PID 2564 wrote to memory of 2836 2564 file.exe 30 PID 2564 wrote to memory of 2836 2564 file.exe 30 PID 2564 wrote to memory of 2836 2564 file.exe 30 PID 2564 wrote to memory of 2836 2564 file.exe 30 PID 2564 wrote to memory of 2836 2564 file.exe 30 PID 2564 wrote to memory of 2836 2564 file.exe 30 PID 2564 wrote to memory of 2836 2564 file.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1944 -
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1976 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\3816547c-c290-4ce9-95dd-2ab46e2022fa" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
PID:2656
-
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe" --Admin IsNotAutoStart IsNotTask3⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2564
-
-
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe" --Admin IsNotAutoStart IsNotTask1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2836
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize1KB
MD573ce21ff1fb2989f6350ace9274ae9b5
SHA17db6c387eb8351f3e8e361d10224711c3477821e
SHA256d7005273bab949c42fcc73eac7820c4c5f08df1e9095020cdb0e17fc9e282d50
SHA512a43767a55a559a8bf51d5dcb9bc378167f63e15f571b6be35903048570d036fed2a3f6a37c91f469ee9808d245cdd875b9dad38556e6bf97258a82c7071aeab3
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize724B
MD58202a1cd02e7d69597995cabbe881a12
SHA18858d9d934b7aa9330ee73de6c476acf19929ff6
SHA25658f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA51297ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize410B
MD58b71b08458d4711bd5095522149daed6
SHA147b0b9b28758dcc0cd6ec17c09dd8b0cf02c237b
SHA256398458a1b47587cb2acd1438c57ceda8e91ed410f2849d98b4b60cbd2bc7b185
SHA5128a8b338a84aed77cdf7876c50903ae2ac85bc8999a6b4b02b20735801ee1bebd3ed7c93697ed99ee125890c5471428aaaceab5a8b8d71031972bd95d9ecb9355
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD55249dcb223df551f0d103538cfb37cca
SHA15b5c121f010edd7eaf55c0d4cbc7d6fc037663f4
SHA2563a6409f74a6311a0769e5622d99f86547891891e896f9a4c5e904a735e813081
SHA5128078210aadcd1120c89aa325a252a45cdab745f2eda0fd91ce8a9efd22fd2aaac516bcd2d6adbaa9fd91b9471be2c0f5206020d0f94c1113dde93290fb5a8b6b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize392B
MD55de30e07670c0137b0477210ff768420
SHA148bc11a4c001d99ce3e07fee74115a93bcca4306
SHA25604620098d25c2750e61a34791766c41fa1261cfeffa80e5654ebaac1d80ce2e4
SHA512ba6d5ebe023415ebea5d3b7389a39b9d648f52a2d64ab8f8257858c27ab570a35aedb0fe25d1f1ee5c9319319413b2b73fdc0b53672c9a992e0f5df6c856c018
-
Filesize
749KB
MD587ba288f14fbf826d4cf061d9f8e72ed
SHA1ec1f877e40b5e8917953e54eb51834a15335aa6e
SHA25656529b359e4c4695a3e290752d61c59ad3327a16574da95ca69a214552241a63
SHA512200457f3c9f1120c6c97df354d7e9898e0a3dfecb6fb771985f9e28adaab29841e03e37e1100b759ae7baf89072859082aa3ddc340a8501396426441f8391f95
-
Filesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d