Analysis
-
max time kernel
203s -
max time network
200s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
28/01/2024, 05:26
Static task
static1
Behavioral task
behavioral1
Sample
build.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
build.exe
Resource
win10v2004-20231215-en
General
-
Target
build.exe
-
Size
673KB
-
MD5
d1aa460d429d1a3a7354252293cb487f
-
SHA1
99f429ea0e47ddd7cf2956b5d88f78c0633a3fbf
-
SHA256
98ac763be5d695eff229e1ef2ac3cec8298e0023885fdd69fb15ac8da7adcbf7
-
SHA512
dfb81e8d389437859b752ce1f170eb22a9acc528e38ccc166e81d0f981c44aabb49b12d6930d97245aa78b758898e41eaa3eb7a6c56d2b08f931434a2d7e0e5a
-
SSDEEP
12288:PKAYVJp24o4W5COcenZchPtvMat4NitS04TTd/sTfpYonp6opFtlE:HYf2TDsOdchlku46/qTAfpYongopP
Malware Config
Extracted
djvu
http://habrafa.com/test2/get.php
-
extension
.cdxx
-
offline_id
LBxKKiegnAy53rpqH3Pj2j46vwldiEt9kqHSuMt1
- payload_url
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-iVcrVFVRqu Price of private key and decrypt software is $1999. Discount 50% available if you contact us first 72 hours, that's price for you is $999. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0847ASdw
Signatures
-
Detected Djvu ransomware 16 IoCs
resource yara_rule behavioral2/memory/1416-2-0x00000000048C0000-0x00000000049DB000-memory.dmp family_djvu behavioral2/memory/2360-3-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/2360-4-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/2360-5-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/2360-6-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/2360-18-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/1956-22-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/1956-23-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/1956-24-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/1956-29-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/1956-31-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/1956-35-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/1956-37-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/1956-38-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/1956-39-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/1956-41-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu -
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation build.exe -
Modifies file permissions 1 TTPs 1 IoCs
pid Process 2384 icacls.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\74277d27-d64e-4c36-b71b-9c16c9baa79f\\build.exe\" --AutoStart" build.exe -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 18 api.2ip.ua 7 api.2ip.ua 8 api.2ip.ua -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 1416 set thread context of 2360 1416 build.exe 42 PID 3524 set thread context of 1956 3524 build.exe 92 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 2360 build.exe 2360 build.exe 1956 build.exe 1956 build.exe -
Suspicious use of WriteProcessMemory 26 IoCs
description pid Process procid_target PID 1416 wrote to memory of 2360 1416 build.exe 42 PID 1416 wrote to memory of 2360 1416 build.exe 42 PID 1416 wrote to memory of 2360 1416 build.exe 42 PID 1416 wrote to memory of 2360 1416 build.exe 42 PID 1416 wrote to memory of 2360 1416 build.exe 42 PID 1416 wrote to memory of 2360 1416 build.exe 42 PID 1416 wrote to memory of 2360 1416 build.exe 42 PID 1416 wrote to memory of 2360 1416 build.exe 42 PID 1416 wrote to memory of 2360 1416 build.exe 42 PID 1416 wrote to memory of 2360 1416 build.exe 42 PID 2360 wrote to memory of 2384 2360 build.exe 89 PID 2360 wrote to memory of 2384 2360 build.exe 89 PID 2360 wrote to memory of 2384 2360 build.exe 89 PID 2360 wrote to memory of 3524 2360 build.exe 90 PID 2360 wrote to memory of 3524 2360 build.exe 90 PID 2360 wrote to memory of 3524 2360 build.exe 90 PID 3524 wrote to memory of 1956 3524 build.exe 92 PID 3524 wrote to memory of 1956 3524 build.exe 92 PID 3524 wrote to memory of 1956 3524 build.exe 92 PID 3524 wrote to memory of 1956 3524 build.exe 92 PID 3524 wrote to memory of 1956 3524 build.exe 92 PID 3524 wrote to memory of 1956 3524 build.exe 92 PID 3524 wrote to memory of 1956 3524 build.exe 92 PID 3524 wrote to memory of 1956 3524 build.exe 92 PID 3524 wrote to memory of 1956 3524 build.exe 92 PID 3524 wrote to memory of 1956 3524 build.exe 92
Processes
-
C:\Users\Admin\AppData\Local\Temp\build.exe"C:\Users\Admin\AppData\Local\Temp\build.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1416 -
C:\Users\Admin\AppData\Local\Temp\build.exe"C:\Users\Admin\AppData\Local\Temp\build.exe"2⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2360 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\74277d27-d64e-4c36-b71b-9c16c9baa79f" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
PID:2384
-
-
C:\Users\Admin\AppData\Local\Temp\build.exe"C:\Users\Admin\AppData\Local\Temp\build.exe" --Admin IsNotAutoStart IsNotTask3⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3524 -
C:\Users\Admin\AppData\Local\Temp\build.exe"C:\Users\Admin\AppData\Local\Temp\build.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1956
-
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:1800
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize1KB
MD5b40baee421e93a6145908f67787a291a
SHA1311874de97781222e06810a295e2f78a67b84f81
SHA25625d9d82b04a8a02ccdf9e5980ff2749edcae335faf854d05e24a4a42b35bfa17
SHA51277ceb1d112977f51b89484cbf29c7e299b9e44ba8e8f3daba20cfc71782b2cb1de99c58aaeae4f9741cb13a7389743863927cec42036666e3acf980be2cfd935
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize724B
MD58202a1cd02e7d69597995cabbe881a12
SHA18858d9d934b7aa9330ee73de6c476acf19929ff6
SHA25658f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA51297ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize410B
MD52b8b20b766bda4518d07dd3ca498416f
SHA17cbedabc5d3ad8102e5504326cc2196f915cf9b0
SHA25635316d7e7398169d0f4ede19a56fc4845f241738db8b55ae46effd0a99fb656b
SHA51247103ff597531cbd4d397182a9dc44cdeafc1d5c0fbd235bc3d2561b0304f93f56878b638c2c1fe2eb8b42e03e65413924594b81cf314ddbeda53e6c4c73ff11
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize392B
MD5054ce26a0444218528010818664ff8be
SHA162de3e0f1f134b9d553f4fc778e45e2ef557fb80
SHA256975d598cebf03cf9684e30380019f18ef1996e46329b20857f52a719fb0b1df8
SHA5121d1f298bbfe779f099930382ced65fe4bd814c7091bad668d0f93be8b8ac52de8b36f312416ed1e3b095553f22c0fb3f4d0ffa60013b75f7012cf4b4775b9425
-
Filesize
673KB
MD5d1aa460d429d1a3a7354252293cb487f
SHA199f429ea0e47ddd7cf2956b5d88f78c0633a3fbf
SHA25698ac763be5d695eff229e1ef2ac3cec8298e0023885fdd69fb15ac8da7adcbf7
SHA512dfb81e8d389437859b752ce1f170eb22a9acc528e38ccc166e81d0f981c44aabb49b12d6930d97245aa78b758898e41eaa3eb7a6c56d2b08f931434a2d7e0e5a