Overview

overview

10

Static

static

3

220127-wwjlqsgggl.exe

windows7-x64

10

220127-wwjlqsgggl.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    125s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-03-2024 03:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    220127-wwjlqsgggl.exe

  • Size

    737KB

  • MD5

    21af1ded26112901974640a7f8372340

  • SHA1

    c4a5642639b301fe79505eddbbbc4e8e327d189f

  • SHA256

    e13535e6a33373dbbe0a5215b917b57915090a534b3703732d03d65299736c31

  • SHA512

    ea6395db3a1dffd64e768007fbd6ab482650714b4c193d4cdc6a75476205309aabbd43f7f27b79cbff054f95bfd0960f306d2a4fae43f9846e0cadd1337ec868

  • SSDEEP

    12288:ELWySHpi6zCxuJQjz/RXWZkuAYLbGPgPRmgScOZ6uu+/em3WLP9aCI7M6R4GP461:EL4JiQ5Qj7RXWZkuAYnGwRnFO0uuoWL+

Score
10/10
djvumylobotbotnetdiscoverypersistenceransomware

Malware Config

Extracted

Family

djvu

C2

http://tzgl.org/fhsgtsspen6/get.php

Attributes
  • extension

    .yoqs

  • offline_id

    Gy1ekaHyw11ZDr43dKFxYo9wA3NxFYOUEc6Pwvt1

  • payload_url

    http://lencu.top/dl/build2.exe

    http://tzgl.org/files/1/build3.exe

  • ransomnote

    ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-veBR09KNyi Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0380UIhfSd

rsa_pubkey.plain

Extracted

Family

mylobot

C2

pqrqtaz.ru:9879

pickcas.ru:6464

quwkbin.ru:3496

rkbupij.ru:6653

pcqmayq.ru:3629

mmuliwe.ru:3541

stoizji.ru:5189

sfdfrhh.ru:3511

ynciazz.ru:4127

mkglhnw.ru:1946

njeeili.ru:9987

dldzeoo.ru:7525

tkbiqjq.ru:5145

uenosbl.ru:2935

faayshc.ru:9865

nttfazc.ru:6761

nfwsyog.ru:7172

uyfusxm.ru:7372

hxkclwx.ru:1294

zgoysam.ru:2338

Signatures

  • Detected Djvu ransomware 19 IoCs
  • Djvu Ransomware

    Ransomware which is a variant of the STOP family.

    ransomwaredjvu
  • Mylobot

    Botnet which first appeared in 2017 written in C++.

    botnetmylobot
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 2 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\220127-wwjlqsgggl.exe
    "C:\Users\Admin\AppData\Local\Temp\220127-wwjlqsgggl.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:224
    • C:\Users\Admin\AppData\Local\Temp\220127-wwjlqsgggl.exe
      "C:\Users\Admin\AppData\Local\Temp\220127-wwjlqsgggl.exe"
      2⤵
      • Checks computer location settings
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3876
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Users\Admin\AppData\Local\b8aec60a-c03a-415f-8b58-dca25fa811fb" /deny *S-1-1-0:(OI)(CI)(DE,DC)
        3⤵
        • Modifies file permissions
        PID:3860
      • C:\Users\Admin\AppData\Local\Temp\220127-wwjlqsgggl.exe
        "C:\Users\Admin\AppData\Local\Temp\220127-wwjlqsgggl.exe" --Admin IsNotAutoStart IsNotTask
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2680
        • C:\Users\Admin\AppData\Local\Temp\220127-wwjlqsgggl.exe
          "C:\Users\Admin\AppData\Local\Temp\220127-wwjlqsgggl.exe" --Admin IsNotAutoStart IsNotTask
          4⤵
          • Checks computer location settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2404
          • C:\Users\Admin\AppData\Local\6d72cb5b-2abb-47ba-a031-dce35fb83908\build3.exe
            "C:\Users\Admin\AppData\Local\6d72cb5b-2abb-47ba-a031-dce35fb83908\build3.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:4404
            • C:\Users\Admin\AppData\Local\6d72cb5b-2abb-47ba-a031-dce35fb83908\build3.exe
              "C:\Users\Admin\AppData\Local\6d72cb5b-2abb-47ba-a031-dce35fb83908\build3.exe"
              6⤵
              • Executes dropped EXE
              • Checks SCSI registry key(s)
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of WriteProcessMemory
              PID:3060
              • C:\Windows\SysWOW64\svchost.exe
                "C:\Windows\system32\svchost.exe"
                7⤵
                • Adds Run key to start application
                • Modifies registry class
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of WriteProcessMemory
                PID:4592

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
    Filesize

    1KB

    MD5

    dc83f7acaed8a3525bc9a91778a357af

    SHA1

    4c3e9df82f1c3d7ae06b7c8cb83c0d76245bfd1f

    SHA256

    bcba6e9a08beee95d60acea8c5b0646042759e4d125f2956ba3834fb84434970

    SHA512

    88c74e4c54f026c2501a69a925b39ac7833f3bed0d0f9b747b8d4546a9849fd51b971a5cbb540b44fa2ec8df163756040560ef3de75e43e24515427f4c8fb6f0

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
    Filesize

    724B

    MD5

    8202a1cd02e7d69597995cabbe881a12

    SHA1

    8858d9d934b7aa9330ee73de6c476acf19929ff6

    SHA256

    58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

    SHA512

    97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
    Filesize

    410B

    MD5

    03f0a016855d20f785ccf0c8056740fd

    SHA1

    6981f162632a27b72851c229c8f6ed4a6210f474

    SHA256

    040e3e8c56268e6dd48d9c66233ddb2b4b03c21d31aaf894f47864097ea9b723

    SHA512

    ea55b465282b4b0be72ecd6ba868162892d16d78e1ae61c7e9c56b08cee2938d91430a87eef5a2b093a4d4c5db4707231d9bf6b98ae020282206cb5fc4d6315f

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
    Filesize

    392B

    MD5

    7e2e41cc2805fd277b5cca80d4c2bb26

    SHA1

    21696267cadb6f43ec6323b88efb50e82d365221

    SHA256

    c6897d71f0fa86b0b5bbf7f0bee3ec1f3b2ac2d4088c085aeda4340f20a4f4ee

    SHA512

    685c62f0d713076c156bcb74e8de87a0ed8e02f18a9f31ea2f5b4bcbb664a8c4e76eb710941e15f1d92d9b6ef7e198c3e84bd4f59dd40a378ce12b7bc859aa45

    Download Submit

  • C:\Users\Admin\AppData\Local\6d72cb5b-2abb-47ba-a031-dce35fb83908\build3.exe
    Filesize

    576KB

    MD5

    2e085fcd5f16febf51893d9054b4e565

    SHA1

    a7af6e55904934b7813b1ca03278a6f00f6c9774

    SHA256

    2226caaeaeb0d4c3cbae31480531a200d8119c174bcccdf9fb20d8006abc4298

    SHA512

    7f633cd190286fa183d637572c0eab61a9498323d9f3716e9e0a59d28b7ab9cb83179c894409810b161f73c005d838eecb18d0cd672adaff628f83526cda8d09

    Download Submit

  • C:\Users\Admin\AppData\Local\b8aec60a-c03a-415f-8b58-dca25fa811fb\220127-wwjlqsgggl.exe
    Filesize

    737KB

    MD5

    21af1ded26112901974640a7f8372340

    SHA1

    c4a5642639b301fe79505eddbbbc4e8e327d189f

    SHA256

    e13535e6a33373dbbe0a5215b917b57915090a534b3703732d03d65299736c31

    SHA512

    ea6395db3a1dffd64e768007fbd6ab482650714b4c193d4cdc6a75476205309aabbd43f7f27b79cbff054f95bfd0960f306d2a4fae43f9846e0cadd1337ec868

    Download Submit

  • C:\Users\Admin\AppData\Local\bowsakkdestx.txt
    Filesize

    1KB

    MD5

    3c024fb74d85e0f79aad150ca997fed5

    SHA1

    3bf944aeea717a3e5a63b7df07f74e2d78d476a0

    SHA256

    8f36f0b4d8abc28b10daa36f4c285bc911f91f1346801372e26518b41ffa0b73

    SHA512

    ec42da9e198576e0962b3dd3cbc24c473bcdce8945ccaf8b45d23a05a3b2fbb7a229e35b1ffc958a3b4a46898170329d272359bfb288af7649e093e0160d639e

    Download Submit

  • memory/224-2-0x0000000002370000-0x000000000248B000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/224-1-0x00000000022C0000-0x0000000002354000-memory.dmp

    Filesize

    592KB

    Download

  • memory/2404-67-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2404-27-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2404-22-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2404-20-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2404-60-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2404-69-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2404-75-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2404-21-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2404-28-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2404-64-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2404-38-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2404-54-0x00000000031B0000-0x00000000031B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2404-70-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2404-71-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2680-18-0x00000000020C0000-0x0000000002152000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3060-46-0x0000000000400000-0x0000000000436000-memory.dmp

    Filesize

    216KB

    Download

  • memory/3060-45-0x0000000000400000-0x0000000000436000-memory.dmp

    Filesize

    216KB

    Download

  • memory/3060-44-0x0000000000400000-0x0000000000436000-memory.dmp

    Filesize

    216KB

    Download

  • memory/3060-42-0x0000000000400000-0x0000000000436000-memory.dmp

    Filesize

    216KB

    Download

  • memory/3060-53-0x0000000000400000-0x0000000000436000-memory.dmp

    Filesize

    216KB

    Download

  • memory/3876-15-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/3876-6-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/3876-5-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/3876-4-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/3876-3-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/4404-41-0x00000000001D0000-0x00000000001D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4592-56-0x00000000003C0000-0x00000000003F6000-memory.dmp

    Filesize

    216KB

    Download

  • memory/4592-51-0x00000000003C0000-0x00000000003F6000-memory.dmp

    Filesize

    216KB

    Download

  • memory/4592-52-0x00000000003C0000-0x00000000003F6000-memory.dmp

    Filesize

    216KB

    Download

  • memory/4592-50-0x00000000003C0000-0x00000000003F6000-memory.dmp

    Filesize

    216KB

    Download

  • memory/4592-49-0x00000000003C0000-0x00000000003F6000-memory.dmp

    Filesize

    216KB

    Download

  • memory/4592-48-0x00000000003C0000-0x00000000003F6000-memory.dmp

    Filesize

    216KB

    Download

  • memory/4592-47-0x00000000003C0000-0x00000000003F6000-memory.dmp

    Filesize

    216KB

    Download