Analysis

  • max time kernel
    149s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    26/01/2024, 09:49

General

  • Target

    770875a906b4931c20fc1abf90bd3728.exe

  • Size

    758KB

  • MD5

    770875a906b4931c20fc1abf90bd3728

  • SHA1

    ee3a2a7399459c55de025b9a20a1aef3e770cb83

  • SHA256

    187329e42948ef198658234eed2b95a769decf507415a6e4acc1a1eb4429e1db

  • SHA512

    4aad8881caa4d33bc018291d22d9cf7993f5eeade1e6fc7f19995e2dbfa4af4fe9e585a5a18d382fc07798a53c0aa3a8ca8e87b7443bf01548adee92266fd974

  • SSDEEP

    12288:ONr496jPTGSg8D+R6u0UbwvrI7TsDFHM0noXUzVFuAWE5yWzuyJpypD9ARwoOc:OFu6jPTGSLPvM7YRsliFuPiKD925

Malware Config

Extracted

Family

djvu

C2

http://astdg.top/fhsgtsspen6/get.php

Attributes
  • extension

    .nooa

  • offline_id

    PLtnD1U6oAmgxgJ2nJik1mY9SwUQg07CiN0zSet1

  • payload_url

    http://securebiz.org/dl/build2.exe

    http://astdg.top/files/1/build3.exe

  • ransomnote

    ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-CnI3tI6Ktv Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0322gDrgo

  • rsa_pubkey.plain

Signatures

  • Detected Djvu ransomware (15 IoCs)
  • Djvu Ransomware

    Ransomware which is a variant of the STOP family.

  • Modifies file permissions (1 TTP, 1 IoC)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Looks up external IP address via web service (3 IoCs)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext (2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies system certificate store (2 TTPs, 5 IoCs)
  • Suspicious behavior: EnumeratesProcesses (3 IoCs)
  • Suspicious use of WriteProcessMemory (30 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\770875a906b4931c20fc1abf90bd3728.exe
    "C:\Users\Admin\AppData\Local\Temp\770875a906b4931c20fc1abf90bd3728.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1388
    • C:\Users\Admin\AppData\Local\Temp\770875a906b4931c20fc1abf90bd3728.exe
      "C:\Users\Admin\AppData\Local\Temp\770875a906b4931c20fc1abf90bd3728.exe"
      2⤵
      • Adds Run key to start application
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2876
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Users\Admin\AppData\Local\129974e8-c8ae-4ffd-8fce-216f904b6674" /deny *S-1-1-0:(OI)(CI)(DE,DC)
        3⤵
        • Modifies file permissions
        PID:2624
      • C:\Users\Admin\AppData\Local\Temp\770875a906b4931c20fc1abf90bd3728.exe
        "C:\Users\Admin\AppData\Local\Temp\770875a906b4931c20fc1abf90bd3728.exe" --Admin IsNotAutoStart IsNotTask
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2732
        • C:\Users\Admin\AppData\Local\Temp\770875a906b4931c20fc1abf90bd3728.exe
          "C:\Users\Admin\AppData\Local\Temp\770875a906b4931c20fc1abf90bd3728.exe" --Admin IsNotAutoStart IsNotTask
          4⤵
          • Modifies system certificate store
          • Suspicious behavior: EnumeratesProcesses
          PID:2480

Network

Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

          Filesize

          1KB

          MD5

          73ce21ff1fb2989f6350ace9274ae9b5

          SHA1

          7db6c387eb8351f3e8e361d10224711c3477821e

          SHA256

          d7005273bab949c42fcc73eac7820c4c5f08df1e9095020cdb0e17fc9e282d50

          SHA512

          a43767a55a559a8bf51d5dcb9bc378167f63e15f571b6be35903048570d036fed2a3f6a37c91f469ee9808d245cdd875b9dad38556e6bf97258a82c7071aeab3

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

          Filesize

          65KB

          MD5

          ac05d27423a85adc1622c714f2cb6184

          SHA1

          b0fe2b1abddb97837ea0195be70ab2ff14d43198

          SHA256

          c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

          SHA512

          6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

          Filesize

          11KB

          MD5

          c69fff85040487e6f2b7a4fc215e7383

          SHA1

          3d0261812a3981c80aee74cfe2025aa02980c77b

          SHA256

          4ae2ba25a3ef3dfb2721f959f1336a64569b109d2b7958f013706985cd3373f6

          SHA512

          02b60d3ff203a090bad852e92283b38ed959f5c4d397e1a3f2a4100b44217c745572f7104827fdb80a64da97a3222901a500a1a99d026ec959fca65669c44f45

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

          Filesize

          724B

          MD5

          8202a1cd02e7d69597995cabbe881a12

          SHA1

          8858d9d934b7aa9330ee73de6c476acf19929ff6

          SHA256

          58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

          SHA512

          97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

          Filesize

          1KB

          MD5

          a266bb7dcc38a562631361bbf61dd11b

          SHA1

          3b1efd3a66ea28b16697394703a72ca340a05bd5

          SHA256

          df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

          SHA512

          0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

          Filesize

          410B

          MD5

          afc45000db2195c40325a4796a79eeed

          SHA1

          bf220910902d40e7cc7e8c185953ec0b2d785695

          SHA256

          6075ccc8c61124e65f6813e13660da7a891b720a91e2e64e9eab418ad841a4be

          SHA512

          439236c65919cfd9fafb2815ac3c9bccab067197158830aea67329009c78ee548ff9b6bbf6daca1a29b3464a356ff67ee781bbe90ce9bc956157601ef1900eee

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          344B

          MD5

          1db6a422fca811a50950953a4d058157

          SHA1

          867e1ad5d6a6916b89f0d44f130bc6328fd1eaf1

          SHA256

          cd9c36956f374c20d61f38d3cc26917ccf9a7175c90c636cf4a4d7ab0706d1a0

          SHA512

          55ad8e0b9f181379111675ac96daa63007eeb74022d9417f27d553da1bf822a9ef5a9016ef95c969ee2292432bf9a455f8154521be76c12255247cfc5b2a3ddf

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

          Filesize

          392B

          MD5

          e6d736a9701f89e36e8d045854b5585f

          SHA1

          9d6bff35f14772b6360ac9a7cd7ea23143351e16

          SHA256

          2cb0f8ac96bf3ade23d22b643eb2a0112cf638d88d74f511439ad5509986e5e3

          SHA512

          4153deeacb3daafd39183abbaaed81f7a70029cf007fc3abd64e63219d0d48734667e884a21f728044d1acb894c360d0b00fb24d260acecc4acf17d315ee30d3

        • C:\Users\Admin\AppData\Local\129974e8-c8ae-4ffd-8fce-216f904b6674\770875a906b4931c20fc1abf90bd3728.exe

          Filesize

          592KB

          MD5

          bdc68d4cda77cd67a4c9c4b344500141

          SHA1

          348924210479b5e2f2b391611a5437d35b7cd55d

          SHA256

          7104117bfd16b1e6bd9f61af2f36f74e8f49b14ad019d20983ab70a0b7bb8d25

          SHA512

          c55688b39178a918d0bb9843f946b5c16372fca12b2ddbfb0992479916e4a5704b9d52a3dfb7274635a9dc6fab74ff658cfbf8bc361e7742f0fea4818dc2aea2

        • C:\Users\Admin\AppData\Local\Temp\Tar2B94.tmp

          Filesize

          25KB

          MD5

          61f643c153b42808c5c992e59e34cfd9

          SHA1

          b71c9a2791d9abfd4ebc7a8c7bb6cf6f8580e832

          SHA256

          e3e19feaddaa1db409f03df3b913790eb8ad06afb906e7d1f5860e43d3d59902

          SHA512

          62ea2c5a5a7490968c60d602c7e1eaf49cff7051f1009e980fd9dbf60bcd76f507a553d1f5298cd21dfa3728a0098e8969904eaf67f4c9a6feabe6ca72c3d774

        • memory/1388-2-0x00000000002D0000-0x0000000000361000-memory.dmp

          Filesize

          580KB

        • memory/1388-0-0x00000000002D0000-0x0000000000361000-memory.dmp

          Filesize

          580KB

        • memory/1388-4-0x0000000004600000-0x000000000471B000-memory.dmp

          Filesize

          1.1MB

        • memory/2480-78-0x0000000000400000-0x0000000000537000-memory.dmp

          Filesize

          1.2MB

        • memory/2480-54-0x0000000000400000-0x0000000000537000-memory.dmp

          Filesize

          1.2MB

        • memory/2480-80-0x0000000000400000-0x0000000000537000-memory.dmp

          Filesize

          1.2MB

        • memory/2480-79-0x0000000000400000-0x0000000000537000-memory.dmp

          Filesize

          1.2MB

        • memory/2480-75-0x0000000000400000-0x0000000000537000-memory.dmp

          Filesize

          1.2MB

        • memory/2480-77-0x0000000000400000-0x0000000000537000-memory.dmp

          Filesize

          1.2MB

        • memory/2480-53-0x0000000000400000-0x0000000000537000-memory.dmp

          Filesize

          1.2MB

        • memory/2480-71-0x0000000000400000-0x0000000000537000-memory.dmp

          Filesize

          1.2MB

        • memory/2480-70-0x0000000000400000-0x0000000000537000-memory.dmp

          Filesize

          1.2MB

        • memory/2480-72-0x0000000000400000-0x0000000000537000-memory.dmp

          Filesize

          1.2MB

        • memory/2732-45-0x0000000000300000-0x0000000000391000-memory.dmp

          Filesize

          580KB

        • memory/2732-47-0x0000000000300000-0x0000000000391000-memory.dmp

          Filesize

          580KB

        • memory/2732-52-0x0000000000300000-0x0000000000391000-memory.dmp

          Filesize

          580KB

        • memory/2876-44-0x0000000000400000-0x0000000000537000-memory.dmp

          Filesize

          1.2MB

        • memory/2876-7-0x0000000000400000-0x0000000000537000-memory.dmp

          Filesize

          1.2MB

        • memory/2876-1-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

          Filesize

          4KB

        • memory/2876-5-0x0000000000400000-0x0000000000537000-memory.dmp

          Filesize

          1.2MB

        • memory/2876-8-0x0000000000400000-0x0000000000537000-memory.dmp

          Filesize

          1.2MB