Overview

overview

10

Static

static

3

78E.tmp.exe

windows7-x64

10

Analysis

  • max time kernel
    27s
  • max time network
    108s
  • platform
    windows7_x64
  • resource
    win7-20240319-en
  • resource tags

    arch:x64arch:x86image:win7-20240319-enlocale:en-usos:windows7-x64system
  • submitted
    17/04/2024, 22:39

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    78E.tmp.exe

  • Size

    466KB

  • MD5

    246d6fa957bd9bd9bd444ba8a6c38457

  • SHA1

    fb90a2e9e3f3d4bf350a5c8d475c843f072bc1f5

  • SHA256

    9c17cc38feddc8aec42f4d7e84ff85260e0e5d955c38e42573a21c18836c7a59

  • SHA512

    95e3135f417fdfd91c8e57545c246c5a0f5efc40fe1e3ef745b8283c35b156d7814934be5983dd5532b7fb789a4032a3e1d619281d0e4e1b465b86f2a036e3bb

  • SSDEEP

    6144:agBl9KO2wSlnYlm8px3b3RY+F2q9QgW6jw5oJ48ph1nt2EuqAs00:aEKOZSlnbE3b3RiqW6jw5o6831/A

Score
10/10
djvudiscoverypersistenceransomware

Malware Config

Extracted

Family

djvu

C2

http://root.ug/Asjdhfiughdhhjbdfh45687husdfhipenelop8/Asdhuage7386/get.php

Attributes
  • extension

    .sarut

  • offline_id

    pQseAIqgTVhPujMMiqH1ILPNUg3soGVim0NAnkt1

  • payload_url

    http://pool.ug/tesptc/penelop/updatewin1.exe

    http://pool.ug/tesptc/penelop/updatewin2.exe

    http://pool.ug/tesptc/penelop/updatewin.exe

    http://pool.ug/tesptc/penelop/3.exe

    http://pool.ug/tesptc/penelop/4.exe

    http://pool.ug/tesptc/penelop/5.exe

  • ransomnote

    ATTENTION! Don't worry my friend, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-1aTCryfzhK Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Our Telegram account: @datarestore Your personal ID: 078AKsudu438fyasfs

rsa_pubkey.plain

Signatures

  • Detected Djvu ransomware 9 IoCs
  • Djvu Ransomware

    Ransomware which is a variant of the STOP family.

    ransomwaredjvu
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 30 IoCs
  • Suspicious use of FindShellTrayWindow 34 IoCs
  • Suspicious use of SendNotifyMessage 32 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\78E.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\78E.tmp.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    PID:1192
    • C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Users\Admin\AppData\Local\9ce9d5c2-0de5-4da3-a6eb-814beb75e57a" /deny *S-1-1-0:(OI)(CI)(DE,DC)
      2⤵
      • Modifies file permissions
      PID:1580
    • C:\Users\Admin\AppData\Local\Temp\78E.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\78E.tmp.exe" --Admin IsNotAutoStart IsNotTask
      2⤵
        PID:2336
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe"
      1⤵
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:3044
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6529758,0x7fef6529768,0x7fef6529778
        2⤵
          PID:2540
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1176 --field-trial-handle=1272,i,2771480762283650113,11494373980713344061,131072 /prefetch:2
          2⤵
            PID:2532
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1536 --field-trial-handle=1272,i,2771480762283650113,11494373980713344061,131072 /prefetch:8
            2⤵
              PID:2444
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1600 --field-trial-handle=1272,i,2771480762283650113,11494373980713344061,131072 /prefetch:8
              2⤵
                PID:2396
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2164 --field-trial-handle=1272,i,2771480762283650113,11494373980713344061,131072 /prefetch:1
                2⤵
                  PID:764
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2172 --field-trial-handle=1272,i,2771480762283650113,11494373980713344061,131072 /prefetch:1
                  2⤵
                    PID:528
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1576 --field-trial-handle=1272,i,2771480762283650113,11494373980713344061,131072 /prefetch:2
                    2⤵
                      PID:2752
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1300 --field-trial-handle=1272,i,2771480762283650113,11494373980713344061,131072 /prefetch:1
                      2⤵
                        PID:2596
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3232 --field-trial-handle=1272,i,2771480762283650113,11494373980713344061,131072 /prefetch:8
                        2⤵
                          PID:1644
                      • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
                        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
                        1⤵
                          PID:1712
                        • C:\Windows\system32\taskmgr.exe
                          "C:\Windows\system32\taskmgr.exe" /4
                          1⤵
                            PID:1908
                          • C:\Windows\system32\taskeng.exe
                            taskeng.exe {A12F23BD-DD4B-409D-B2D0-98A4151A0509} S-1-5-21-2610426812-2871295383-373749122-1000:UEITMFAB\Admin:Interactive:[1]
                            1⤵
                              PID:2568
                              • C:\Users\Admin\AppData\Local\9ce9d5c2-0de5-4da3-a6eb-814beb75e57a\78E.tmp.exe
                                C:\Users\Admin\AppData\Local\9ce9d5c2-0de5-4da3-a6eb-814beb75e57a\78E.tmp.exe --Task
                                2⤵
                                  PID:1880
                              • C:\Users\Admin\AppData\Local\Temp\78E.tmp.exe
                                "C:\Users\Admin\AppData\Local\Temp\78E.tmp.exe"
                                1⤵
                                  PID:2584

                                Network

                                      MITRE ATT&CK Enterprise v15

                                      Replay Monitor

                                      Loading Replay Monitor...

                                      Downloads

                                      • C:\Users\Admin\AppData\Local\9ce9d5c2-0de5-4da3-a6eb-814beb75e57a\78E.tmp.exe
                                        Filesize

                                        466KB

                                        MD5

                                        246d6fa957bd9bd9bd444ba8a6c38457

                                        SHA1

                                        fb90a2e9e3f3d4bf350a5c8d475c843f072bc1f5

                                        SHA256

                                        9c17cc38feddc8aec42f4d7e84ff85260e0e5d955c38e42573a21c18836c7a59

                                        SHA512

                                        95e3135f417fdfd91c8e57545c246c5a0f5efc40fe1e3ef745b8283c35b156d7814934be5983dd5532b7fb789a4032a3e1d619281d0e4e1b465b86f2a036e3bb

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\5361465a-3f89-4096-9bef-356c0f1f0b86.tmp
                                        Filesize

                                        264KB

                                        MD5

                                        2921a710159fcc80e1f4e933e9ae0462

                                        SHA1

                                        df68ce16f5bb76ff7f58eab16b33e309fa651fde

                                        SHA256

                                        15c92f09dab6b3902c6219b4047cdc2e7ba7b5d6281071a49c545a94832370b3

                                        SHA512

                                        a20f28cd8824f384ae633d2a9fc60f9beb8bb4134075cdf0bab87e19f3e2275bf3752bf70c804c29af6cf91371c13729a776e5b4debac62dc958be0b87443492

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
                                        Filesize

                                        264KB

                                        MD5

                                        f50f89a0a91564d0b8a211f8921aa7de

                                        SHA1

                                        112403a17dd69d5b9018b8cede023cb3b54eab7d

                                        SHA256

                                        b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

                                        SHA512

                                        bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                        Filesize

                                        4KB

                                        MD5

                                        4ac9e508777758aa1ee90bafa789d34b

                                        SHA1

                                        0b4efff98bbbfaed729191d631433c30c2eafeda

                                        SHA256

                                        6a910594a0d1f87d35f757ce5d7a04a6518b6988f7b8f5370a80242e2e062a34

                                        SHA512

                                        26ec484fc4e87cc484a2faeb4f8cc327883b635bcf670501bd978c9478f838e1263f1af3b613cd690046c74f8bd8c58a1d19adbbaf8ba8a6ee1a7e3ef215adea

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp
                                        Filesize

                                        16B

                                        MD5

                                        18e723571b00fb1694a3bad6c78e4054

                                        SHA1

                                        afcc0ef32d46fe59e0483f9a3c891d3034d12f32

                                        SHA256

                                        8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

                                        SHA512

                                        43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
                                        Filesize

                                        264KB

                                        MD5

                                        bc0df8f043c2e758ea4077cb115de29f

                                        SHA1

                                        6e75be38f7eeaf607e31d86ac71ba004fed190bc

                                        SHA256

                                        ffee54341debd0d89e0a24798ae5d1b6a09d26b9c092deee827b0dd7bb899d9a

                                        SHA512

                                        b5bfbe8d42e72028633c6255a281419b8269174bd157c48bdbfa35557c294d915fc190215e0a483466788fa0fd46d29e84e92e6a96a1733463b196dba7ffcb72

                                        Download Submit

                                      • memory/1192-2-0x0000000000400000-0x00000000004BC000-memory.dmp

                                        Filesize

                                        752KB

                                        Download

                                      • memory/1192-53-0x0000000000640000-0x0000000000740000-memory.dmp

                                        Filesize

                                        1024KB

                                        Download

                                      • memory/1192-54-0x0000000000400000-0x00000000004BC000-memory.dmp

                                        Filesize

                                        752KB

                                        Download

                                      • memory/1192-55-0x0000000000640000-0x0000000000740000-memory.dmp

                                        Filesize

                                        1024KB

                                        Download

                                      • memory/1192-1-0x0000000000640000-0x0000000000740000-memory.dmp

                                        Filesize

                                        1024KB

                                        Download

                                      • memory/1880-177-0x0000000000400000-0x00000000004BC000-memory.dmp

                                        Filesize

                                        752KB

                                        Download

                                      • memory/1880-168-0x0000000000250000-0x0000000000350000-memory.dmp

                                        Filesize

                                        1024KB

                                        Download

                                      • memory/1880-178-0x0000000000250000-0x0000000000350000-memory.dmp

                                        Filesize

                                        1024KB

                                        Download

                                      • memory/1880-169-0x0000000000400000-0x00000000004BC000-memory.dmp

                                        Filesize

                                        752KB

                                        Download

                                      • memory/1908-165-0x0000000140000000-0x00000001405E8000-memory.dmp

                                        Filesize

                                        5.9MB

                                        Download

                                      • memory/1908-176-0x0000000140000000-0x00000001405E8000-memory.dmp

                                        Filesize

                                        5.9MB

                                        Download

                                      • memory/1908-164-0x0000000140000000-0x00000001405E8000-memory.dmp

                                        Filesize

                                        5.9MB

                                        Download

                                      • memory/1908-184-0x0000000140000000-0x00000001405E8000-memory.dmp

                                        Filesize

                                        5.9MB

                                        Download

                                      • memory/1908-171-0x0000000002160000-0x0000000002170000-memory.dmp

                                        Filesize

                                        64KB

                                        Download

                                      • memory/1908-173-0x0000000140000000-0x00000001405E8000-memory.dmp

                                        Filesize

                                        5.9MB

                                        Download

                                      • memory/1908-174-0x0000000140000000-0x00000001405E8000-memory.dmp

                                        Filesize

                                        5.9MB

                                        Download

                                      • memory/1908-183-0x0000000140000000-0x00000001405E8000-memory.dmp

                                        Filesize

                                        5.9MB

                                        Download

                                      • memory/2336-62-0x0000000000550000-0x0000000000650000-memory.dmp

                                        Filesize

                                        1024KB

                                        Download

                                      • memory/2336-77-0x0000000000550000-0x0000000000650000-memory.dmp

                                        Filesize

                                        1024KB

                                        Download

                                      • memory/2336-82-0x0000000000400000-0x00000000004BC000-memory.dmp

                                        Filesize

                                        752KB

                                        Download

                                      • memory/2336-63-0x0000000000400000-0x00000000004BC000-memory.dmp

                                        Filesize

                                        752KB

                                        Download

                                      • memory/2584-180-0x0000000000570000-0x0000000000670000-memory.dmp

                                        Filesize

                                        1024KB

                                        Download

                                      • memory/2584-182-0x0000000000400000-0x00000000004BC000-memory.dmp

                                        Filesize

                                        752KB

                                        Download

                                      • memory/2584-187-0x0000000000400000-0x00000000004BC000-memory.dmp

                                        Filesize

                                        752KB

                                        Download

                                      • memory/2584-188-0x0000000000570000-0x0000000000670000-memory.dmp

                                        Filesize

                                        1024KB

                                        Download