Analysis
-
max time kernel
145s -
max time network
144s -
platform
windows11-21h2_x64 -
resource
win11-20240221-en -
resource tags
-
submitted
02/04/2024, 19:01
General
-
Target
be7fdfefa6dac04e9183e54a76fdca06fb8bf501381ce0d0fe9a227f452a20fc.exe
-
Size
719KB
-
MD5
14d420d8a346ae5e59617598540e607d
-
SHA1
5f3667055fd5db1b7a26e349447c10de88fa697e
-
SHA256
be7fdfefa6dac04e9183e54a76fdca06fb8bf501381ce0d0fe9a227f452a20fc
-
SHA512
18ff9a47dd7a004531e59fb6d35b974a6a61e499fca3258b5d370d943f3dc81c8c85c9fb8ec120d87faadad1c9628c34d0fce6f20c00b843ef7a57bc38a010ed
-
SSDEEP
12288:d1Wu6AuFD1zL/5IBDHeFjaqpB9VuLIs08bYB14wwVwBQPKGx5HDW/r0w3QD:bWndLuh+RaqNV3sBqwVwBxGx5CD0w3Q
Malware Config
Extracted
djvu
http://sajdfue.com/raud/get.php
-
extension
.kaaa
-
offline_id
RYwGAer1qFhOx8AGvEwPaJsJ2FKa8ifjKW9FVet1
- payload_url
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://wetransfer.com/downloads/df01994dd8d37c2c33469922f8e7155a20240402134014/fd95b0 Price of private key and decrypt software is $1999. Discount 50% available if you contact us first 72 hours, that's price for you is $999. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0862PsawqS
Signatures
-
Detected Djvu ransomware 24 IoCs
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Renames multiple (155) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Executes dropped EXE 4 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious use of WriteProcessMemory 46 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\be7fdfefa6dac04e9183e54a76fdca06fb8bf501381ce0d0fe9a227f452a20fc.exe"C:\Users\Admin\AppData\Local\Temp\be7fdfefa6dac04e9183e54a76fdca06fb8bf501381ce0d0fe9a227f452a20fc.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\be7fdfefa6dac04e9183e54a76fdca06fb8bf501381ce0d0fe9a227f452a20fc.exe"C:\Users\Admin\AppData\Local\Temp\be7fdfefa6dac04e9183e54a76fdca06fb8bf501381ce0d0fe9a227f452a20fc.exe"2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\18610dce-6c9e-4eba-afee-7459096ff5cf" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
-
-
C:\Users\Admin\AppData\Local\Temp\be7fdfefa6dac04e9183e54a76fdca06fb8bf501381ce0d0fe9a227f452a20fc.exe"C:\Users\Admin\AppData\Local\Temp\be7fdfefa6dac04e9183e54a76fdca06fb8bf501381ce0d0fe9a227f452a20fc.exe" --Admin IsNotAutoStart IsNotTask3⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\be7fdfefa6dac04e9183e54a76fdca06fb8bf501381ce0d0fe9a227f452a20fc.exe"C:\Users\Admin\AppData\Local\Temp\be7fdfefa6dac04e9183e54a76fdca06fb8bf501381ce0d0fe9a227f452a20fc.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
C:\Users\Admin\AppData\Local\18610dce-6c9e-4eba-afee-7459096ff5cf\be7fdfefa6dac04e9183e54a76fdca06fb8bf501381ce0d0fe9a227f452a20fc.exeC:\Users\Admin\AppData\Local\18610dce-6c9e-4eba-afee-7459096ff5cf\be7fdfefa6dac04e9183e54a76fdca06fb8bf501381ce0d0fe9a227f452a20fc.exe --Task1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\18610dce-6c9e-4eba-afee-7459096ff5cf\be7fdfefa6dac04e9183e54a76fdca06fb8bf501381ce0d0fe9a227f452a20fc.exeC:\Users\Admin\AppData\Local\18610dce-6c9e-4eba-afee-7459096ff5cf\be7fdfefa6dac04e9183e54a76fdca06fb8bf501381ce0d0fe9a227f452a20fc.exe --Task2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\18610dce-6c9e-4eba-afee-7459096ff5cf\be7fdfefa6dac04e9183e54a76fdca06fb8bf501381ce0d0fe9a227f452a20fc.exeC:\Users\Admin\AppData\Local\18610dce-6c9e-4eba-afee-7459096ff5cf\be7fdfefa6dac04e9183e54a76fdca06fb8bf501381ce0d0fe9a227f452a20fc.exe --Task1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\18610dce-6c9e-4eba-afee-7459096ff5cf\be7fdfefa6dac04e9183e54a76fdca06fb8bf501381ce0d0fe9a227f452a20fc.exeC:\Users\Admin\AppData\Local\18610dce-6c9e-4eba-afee-7459096ff5cf\be7fdfefa6dac04e9183e54a76fdca06fb8bf501381ce0d0fe9a227f452a20fc.exe --Task2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD59b6db1ab38d6a6d2da6a243f6c535959
SHA15ad7f03d79e9f8da3027d634cdb987bd7ad83643
SHA256f8ab0227091978f14c8ef610aecaff032714787ebce7f213171116cadf14ba15
SHA5122718d224fbe706724bfe59a34cdfa6d657a3014a779a4c602419dc8d63cf1856608d3087d68d5ff6983c76a5633d2c35310278b49dc3f914166ff448a52c509b
-
Filesize
724B
MD58202a1cd02e7d69597995cabbe881a12
SHA18858d9d934b7aa9330ee73de6c476acf19929ff6
SHA25658f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA51297ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9
-
Filesize
410B
MD50141160eebef1d23b2d8ed88cd47f6db
SHA141bc8468130d529a8f0117c4a601bb08d0641828
SHA256f5ca162e23c36187254f7dfcbc16223323e67dbf5ad9cfc75a960c44fd5ced50
SHA512b400d4c66f4d982dd8a7c036c1f2167dcd89b97a15d7d0e33bae1f933d2ad57262a23c62008135421383de01aebb76617be1a0e8aa1ad66f8afeeef8e802e334
-
Filesize
392B
MD5c067615b24f9c5861cff7cc43ee09f7c
SHA14335aff80fb8bfab306984836210a6ba0d09c6e3
SHA2562d32e75fad96efed854a8cba69e35a04fc89bc38abcde8e45dbfa56f0cba5d19
SHA512349c31133dc677308a344019cb3be90ae1c4f5ab6d56ffe61764b16fcc5a736a06dfbfc23336d2fbd8cece9c54452d06886bdb749e10d74ad24305740069f5a9
-
Filesize
719KB
MD514d420d8a346ae5e59617598540e607d
SHA15f3667055fd5db1b7a26e349447c10de88fa697e
SHA256be7fdfefa6dac04e9183e54a76fdca06fb8bf501381ce0d0fe9a227f452a20fc
SHA51218ff9a47dd7a004531e59fb6d35b974a6a61e499fca3258b5d370d943f3dc81c8c85c9fb8ec120d87faadad1c9628c34d0fce6f20c00b843ef7a57bc38a010ed
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
620KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
640KB
-
Filesize
1.1MB
-
Filesize
636KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
644KB