Analysis
-
max time kernel
167s -
max time network
177s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
15-03-2024 02:29
General
-
Target
ca4120301ffc74c815e99aba3ad78655.exe
-
Size
838KB
-
MD5
ca4120301ffc74c815e99aba3ad78655
-
SHA1
fb5f9b45d563d86028259a4a5df45d2d1a991ef7
-
SHA256
45733f732df30c20bdc95a802a30d1c1653661fbe6442c229f4a39cc0465ada4
-
SHA512
281962ebe1e95a9001d6241cfda4b529b3d4204679ba7bc0ca3dcaf36074cd3e2d8e1d9225cb109f03fd0caed10f68592e2aa638c6db7d40bd1d319355751290
-
SSDEEP
12288:nQVHXDy9U1nKUglcTNLL2pgVHEbksRWDST5FZFWbbLnQjXg7RDD1XpSUa2+Isbya:QZzy9+hLLnrifZg8jXCDmUlob9z
Malware Config
Extracted
djvu
http://astdg.top/fhsgtsspen6/get.php
-
extension
.reqg
-
offline_id
ioYmb0jtMMtue7xjmkS3WQWGWLR8FTQhb2giQtt1
-
payload_url
http://securebiz.org/dl/build2.exe
http://astdg.top/files/1/build3.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-jTbSQT8ApY Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0324gDrgo
Extracted
mylobot
pqrqtaz.ru:9879
pickcas.ru:6464
quwkbin.ru:3496
rkbupij.ru:6653
pcqmayq.ru:3629
mmuliwe.ru:3541
stoizji.ru:5189
sfdfrhh.ru:3511
ynciazz.ru:4127
mkglhnw.ru:1946
njeeili.ru:9987
dldzeoo.ru:7525
tkbiqjq.ru:5145
uenosbl.ru:2935
faayshc.ru:9865
nttfazc.ru:6761
nfwsyog.ru:7172
uyfusxm.ru:7372
hxkclwx.ru:1294
zgoysam.ru:2338
Signatures
-
Detected Djvu ransomware 17 IoCs
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Mylobot
Botnet which first appeared in 2017 written in C++.
-
Downloads MZ/PE file
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 1 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 13 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ca4120301ffc74c815e99aba3ad78655.exe"C:\Users\Admin\AppData\Local\Temp\ca4120301ffc74c815e99aba3ad78655.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ca4120301ffc74c815e99aba3ad78655.exe"C:\Users\Admin\AppData\Local\Temp\ca4120301ffc74c815e99aba3ad78655.exe"2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\ae87344c-fb73-4a5f-bf0a-0cc1e5b1cf9c" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
-
-
C:\Users\Admin\AppData\Local\Temp\ca4120301ffc74c815e99aba3ad78655.exe"C:\Users\Admin\AppData\Local\Temp\ca4120301ffc74c815e99aba3ad78655.exe" --Admin IsNotAutoStart IsNotTask3⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ca4120301ffc74c815e99aba3ad78655.exe"C:\Users\Admin\AppData\Local\Temp\ca4120301ffc74c815e99aba3ad78655.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\8898f086-c364-4859-86ef-8fb5479d9602\build2.exe"C:\Users\Admin\AppData\Local\8898f086-c364-4859-86ef-8fb5479d9602\build2.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\8898f086-c364-4859-86ef-8fb5479d9602\build2.exe"C:\Users\Admin\AppData\Local\8898f086-c364-4859-86ef-8fb5479d9602\build2.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exe"C:\Windows\system32\svchost.exe"7⤵
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
-
-
-
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {C754BA8C-42A4-4863-8122-DC25C392F40F} S-1-5-21-406356229-2805545415-1236085040-1000:IKJSPGIM\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\ae87344c-fb73-4a5f-bf0a-0cc1e5b1cf9c\ca4120301ffc74c815e99aba3ad78655.exeC:\Users\Admin\AppData\Local\ae87344c-fb73-4a5f-bf0a-0cc1e5b1cf9c\ca4120301ffc74c815e99aba3ad78655.exe --Task2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\ae87344c-fb73-4a5f-bf0a-0cc1e5b1cf9c\ca4120301ffc74c815e99aba3ad78655.exeC:\Users\Admin\AppData\Local\ae87344c-fb73-4a5f-bf0a-0cc1e5b1cf9c\ca4120301ffc74c815e99aba3ad78655.exe --Task3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5d67fa48cf6cf5f1818b732ea24db1d6e
SHA144858909775b98c384307149a53b231f084427f6
SHA2561dd5acc0e95a7e0a6eea0ce7e4ab2665c928db84a241f4006a06791343b84d27
SHA512c89132c4ac4a3e34e37ba33d98347af7c6a0394eceafb043cfd99e5d41d68575287cc537831a3f42924c975f7716aa0c531c6f619fac2df1c17daca658b926a6
-
Filesize
724B
MD58202a1cd02e7d69597995cabbe881a12
SHA18858d9d934b7aa9330ee73de6c476acf19929ff6
SHA25658f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA51297ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9
-
Filesize
410B
MD5c01e72d7de6492f609b574f1f9bb4bb1
SHA1015d22cb04aba746895b50c686cdcf7966fb8b1a
SHA2561cbd530e463405fb545e184eabecbb4e6a8346c40c368fb384c7d8a772e49dd0
SHA512bd94312bd17719957b97bb7a6296d137234270328deaf6c3a3b28fcd5972e267095a1ad195be6f13b3d188de6b1f548a75ab32b50f6f54b34a5d1cea1f6d01b1
-
Filesize
344B
MD55c82fe598a5934078512235b20fefbee
SHA132a037648e8110b012b93c494c6efb50a9ec593f
SHA2566f2fc36eb01a4fe7972ab5076297da8c5277efa7e490645c7ece5ba94bd504b0
SHA5129c42d31825a5d208263f640b8ed5d0997b32541e3ad6310cf4b8c51d4b14c1f380793cdaa8a64401b287240d8240efbb5e2246ac54b8a74af9ef3c32bf281d69
-
Filesize
392B
MD5a0ee836fca7ac5bf5c7451da4f0a8994
SHA1937f13152a0770ec3c9cfc21e912224f846e7cfa
SHA2567c5ecbad4e7a744cbf8b654205b4aec382b5a916953e9bdf41e87123ec5ea6f3
SHA5128b980600e10e67dfe5240ae78b1edb229c4cd522d4607626c70e4e069b0408c33ce0354381a24d6a42443a13a3c7d329bde351cc9974f04926dce50b89e8ae95
-
Filesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
Filesize
171KB
MD59c0c641c06238516f27941aa1166d427
SHA164cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA2564276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06
-
Filesize
838KB
MD5ca4120301ffc74c815e99aba3ad78655
SHA1fb5f9b45d563d86028259a4a5df45d2d1a991ef7
SHA25645733f732df30c20bdc95a802a30d1c1653661fbe6442c229f4a39cc0465ada4
SHA512281962ebe1e95a9001d6241cfda4b529b3d4204679ba7bc0ca3dcaf36074cd3e2d8e1d9225cb109f03fd0caed10f68592e2aa638c6db7d40bd1d319355751290
-
Filesize
576KB
MD52e085fcd5f16febf51893d9054b4e565
SHA1a7af6e55904934b7813b1ca03278a6f00f6c9774
SHA2562226caaeaeb0d4c3cbae31480531a200d8119c174bcccdf9fb20d8006abc4298
SHA5127f633cd190286fa183d637572c0eab61a9498323d9f3716e9e0a59d28b7ab9cb83179c894409810b161f73c005d838eecb18d0cd672adaff628f83526cda8d09
-
Filesize
216KB
-
Filesize
216KB
-
Filesize
216KB
-
Filesize
216KB
-
Filesize
216KB
-
Filesize
216KB
-
Filesize
4KB
-
Filesize
216KB
-
Filesize
216KB
-
Filesize
216KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
216KB
-
Filesize
216KB
-
Filesize
576KB
-
Filesize
216KB
-
Filesize
216KB
-
Filesize
216KB
-
Filesize
216KB
-
Filesize
216KB
-
Filesize
4KB
-
Filesize
584KB
-
Filesize
584KB
-
Filesize
584KB
-
Filesize
1.1MB
-
Filesize
584KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
584KB
-
Filesize
584KB
-
Filesize
1.2MB
-
Filesize
4KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB