Analysis
-
max time kernel
147s -
max time network
150s -
platform
windows11-21h2_x64 -
resource
win11-20240412-en -
resource tags
arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system -
submitted
17/04/2024, 10:40
Static task
static1
Behavioral task
behavioral1
Sample
294ad75f41aedb3c48eaf9d6358fa780920d5270a9d45151ceda767b7ee9600b.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral2
Sample
294ad75f41aedb3c48eaf9d6358fa780920d5270a9d45151ceda767b7ee9600b.exe
Resource
win11-20240412-en
General
-
Target
294ad75f41aedb3c48eaf9d6358fa780920d5270a9d45151ceda767b7ee9600b.exe
-
Size
804KB
-
MD5
f1cfe760eb1c2a1b4c59558871649106
-
SHA1
e073e09713891f07988b3f1292df22e41753c412
-
SHA256
294ad75f41aedb3c48eaf9d6358fa780920d5270a9d45151ceda767b7ee9600b
-
SHA512
7821f46cdf3b514365ea195051d3788cfd8e95c493528b5073a4eae2c5bbe37c79b1d30db99eab95f4331a3590fad7529926acf1f711fc3cf724d01a40ac9f9a
-
SSDEEP
12288:dVB9zimo85giLd/aCLQpbZjI5bMyyGb6hew00iQTI1kxOk1T39gyneL9:dTGod6wMyVb6Qw0EI1Fk3oh
Malware Config
Extracted
djvu
http://sajdfue.com/test2/get.php
-
extension
.uazq
-
offline_id
Jx0i3k2ogR5cKxX1evmz0Ex7TUxOUlnbh2dvnIt1
-
payload_url
http://sdfjhuz.com/dl/build2.exe
http://sajdfue.com/files/1/build3.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://wetransfer.com/downloads/df01994dd8d37c2c33469922f8e7155a20240402134014/fd95b0 Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0860PsawqS
Signatures
-
Detected Djvu ransomware 17 IoCs
resource yara_rule behavioral2/memory/3736-2-0x0000000004BA0000-0x0000000004CBB000-memory.dmp family_djvu behavioral2/memory/3516-3-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/3516-4-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/3516-5-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/3516-6-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/3516-17-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/2916-22-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/2916-23-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/2916-24-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/2916-29-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/2916-30-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/2916-31-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/2916-34-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/2916-36-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/2916-37-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/2916-38-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/2916-39-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu -
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Modifies file permissions 1 TTPs 1 IoCs
pid Process 2712 icacls.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2718508534-2116753757-2794822388-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\f6b6724e-3ec8-4032-a4e1-56c925fac715\\294ad75f41aedb3c48eaf9d6358fa780920d5270a9d45151ceda767b7ee9600b.exe\" --AutoStart" 294ad75f41aedb3c48eaf9d6358fa780920d5270a9d45151ceda767b7ee9600b.exe -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 1 api.2ip.ua 2 api.2ip.ua 7 api.2ip.ua -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 3736 set thread context of 3516 3736 294ad75f41aedb3c48eaf9d6358fa780920d5270a9d45151ceda767b7ee9600b.exe 80 PID 1168 set thread context of 2916 1168 294ad75f41aedb3c48eaf9d6358fa780920d5270a9d45151ceda767b7ee9600b.exe 85 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 3516 294ad75f41aedb3c48eaf9d6358fa780920d5270a9d45151ceda767b7ee9600b.exe 3516 294ad75f41aedb3c48eaf9d6358fa780920d5270a9d45151ceda767b7ee9600b.exe 2916 294ad75f41aedb3c48eaf9d6358fa780920d5270a9d45151ceda767b7ee9600b.exe 2916 294ad75f41aedb3c48eaf9d6358fa780920d5270a9d45151ceda767b7ee9600b.exe -
Suspicious use of WriteProcessMemory 26 IoCs
description pid Process procid_target PID 3736 wrote to memory of 3516 3736 294ad75f41aedb3c48eaf9d6358fa780920d5270a9d45151ceda767b7ee9600b.exe 80 PID 3736 wrote to memory of 3516 3736 294ad75f41aedb3c48eaf9d6358fa780920d5270a9d45151ceda767b7ee9600b.exe 80 PID 3736 wrote to memory of 3516 3736 294ad75f41aedb3c48eaf9d6358fa780920d5270a9d45151ceda767b7ee9600b.exe 80 PID 3736 wrote to memory of 3516 3736 294ad75f41aedb3c48eaf9d6358fa780920d5270a9d45151ceda767b7ee9600b.exe 80 PID 3736 wrote to memory of 3516 3736 294ad75f41aedb3c48eaf9d6358fa780920d5270a9d45151ceda767b7ee9600b.exe 80 PID 3736 wrote to memory of 3516 3736 294ad75f41aedb3c48eaf9d6358fa780920d5270a9d45151ceda767b7ee9600b.exe 80 PID 3736 wrote to memory of 3516 3736 294ad75f41aedb3c48eaf9d6358fa780920d5270a9d45151ceda767b7ee9600b.exe 80 PID 3736 wrote to memory of 3516 3736 294ad75f41aedb3c48eaf9d6358fa780920d5270a9d45151ceda767b7ee9600b.exe 80 PID 3736 wrote to memory of 3516 3736 294ad75f41aedb3c48eaf9d6358fa780920d5270a9d45151ceda767b7ee9600b.exe 80 PID 3736 wrote to memory of 3516 3736 294ad75f41aedb3c48eaf9d6358fa780920d5270a9d45151ceda767b7ee9600b.exe 80 PID 3516 wrote to memory of 2712 3516 294ad75f41aedb3c48eaf9d6358fa780920d5270a9d45151ceda767b7ee9600b.exe 81 PID 3516 wrote to memory of 2712 3516 294ad75f41aedb3c48eaf9d6358fa780920d5270a9d45151ceda767b7ee9600b.exe 81 PID 3516 wrote to memory of 2712 3516 294ad75f41aedb3c48eaf9d6358fa780920d5270a9d45151ceda767b7ee9600b.exe 81 PID 3516 wrote to memory of 1168 3516 294ad75f41aedb3c48eaf9d6358fa780920d5270a9d45151ceda767b7ee9600b.exe 82 PID 3516 wrote to memory of 1168 3516 294ad75f41aedb3c48eaf9d6358fa780920d5270a9d45151ceda767b7ee9600b.exe 82 PID 3516 wrote to memory of 1168 3516 294ad75f41aedb3c48eaf9d6358fa780920d5270a9d45151ceda767b7ee9600b.exe 82 PID 1168 wrote to memory of 2916 1168 294ad75f41aedb3c48eaf9d6358fa780920d5270a9d45151ceda767b7ee9600b.exe 85 PID 1168 wrote to memory of 2916 1168 294ad75f41aedb3c48eaf9d6358fa780920d5270a9d45151ceda767b7ee9600b.exe 85 PID 1168 wrote to memory of 2916 1168 294ad75f41aedb3c48eaf9d6358fa780920d5270a9d45151ceda767b7ee9600b.exe 85 PID 1168 wrote to memory of 2916 1168 294ad75f41aedb3c48eaf9d6358fa780920d5270a9d45151ceda767b7ee9600b.exe 85 PID 1168 wrote to memory of 2916 1168 294ad75f41aedb3c48eaf9d6358fa780920d5270a9d45151ceda767b7ee9600b.exe 85 PID 1168 wrote to memory of 2916 1168 294ad75f41aedb3c48eaf9d6358fa780920d5270a9d45151ceda767b7ee9600b.exe 85 PID 1168 wrote to memory of 2916 1168 294ad75f41aedb3c48eaf9d6358fa780920d5270a9d45151ceda767b7ee9600b.exe 85 PID 1168 wrote to memory of 2916 1168 294ad75f41aedb3c48eaf9d6358fa780920d5270a9d45151ceda767b7ee9600b.exe 85 PID 1168 wrote to memory of 2916 1168 294ad75f41aedb3c48eaf9d6358fa780920d5270a9d45151ceda767b7ee9600b.exe 85 PID 1168 wrote to memory of 2916 1168 294ad75f41aedb3c48eaf9d6358fa780920d5270a9d45151ceda767b7ee9600b.exe 85
Processes
-
C:\Users\Admin\AppData\Local\Temp\294ad75f41aedb3c48eaf9d6358fa780920d5270a9d45151ceda767b7ee9600b.exe"C:\Users\Admin\AppData\Local\Temp\294ad75f41aedb3c48eaf9d6358fa780920d5270a9d45151ceda767b7ee9600b.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3736 -
C:\Users\Admin\AppData\Local\Temp\294ad75f41aedb3c48eaf9d6358fa780920d5270a9d45151ceda767b7ee9600b.exe"C:\Users\Admin\AppData\Local\Temp\294ad75f41aedb3c48eaf9d6358fa780920d5270a9d45151ceda767b7ee9600b.exe"2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3516 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\f6b6724e-3ec8-4032-a4e1-56c925fac715" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
PID:2712
-
-
C:\Users\Admin\AppData\Local\Temp\294ad75f41aedb3c48eaf9d6358fa780920d5270a9d45151ceda767b7ee9600b.exe"C:\Users\Admin\AppData\Local\Temp\294ad75f41aedb3c48eaf9d6358fa780920d5270a9d45151ceda767b7ee9600b.exe" --Admin IsNotAutoStart IsNotTask3⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1168 -
C:\Users\Admin\AppData\Local\Temp\294ad75f41aedb3c48eaf9d6358fa780920d5270a9d45151ceda767b7ee9600b.exe"C:\Users\Admin\AppData\Local\Temp\294ad75f41aedb3c48eaf9d6358fa780920d5270a9d45151ceda767b7ee9600b.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2916
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize1KB
MD584cc91708c444c30647ef07922bac2f1
SHA197fec2794e5f14b4a9e54366d723d781161d7fb9
SHA2563e95b831913d3d7205a09c98cc185943fd810f6e2582607a54fa1e9cc30731aa
SHA512cc75685d2259bd362c076ce4941e9ce19d129801a9337e5d44f91de332d67f64f921d1a5870bf9ab5375ad2bc95a98398d7de91a8b72887767532e5933b3a175
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize724B
MD58202a1cd02e7d69597995cabbe881a12
SHA18858d9d934b7aa9330ee73de6c476acf19929ff6
SHA25658f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA51297ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize410B
MD50d93e70033faed62502680b3dc19d84a
SHA10f725c499bf535cc682ed0ae3bc07235b5e00c5b
SHA25619e7cca4d7247d0e6af96eb651e53e535f737e44da7f911e878eb298aeddf403
SHA512c0ca4d61b29a05629371e1186607b4f2e917391a45866ab73d7400d7867baae77e8edaac4452ca3f0963be5d8ddc46840ec8334e602b974c59b3c5b08a7987cf
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize392B
MD53b588eca3af3a6762c981a74ca2a9d99
SHA1984fe9c1a0162c106c8c91189026a69a1fbb1bdc
SHA2566d92c9541d66892527ae8e1d75718c3bc972b542fe24b22e149516c082622eac
SHA5129f1e6a127526aa3e578e44d567daf6be23c64817950d5c73f278768baaffc4b90f1090af61f8140f55565eac7512a749b25f6b455063986a655dc6486cec6140
-
C:\Users\Admin\AppData\Local\f6b6724e-3ec8-4032-a4e1-56c925fac715\294ad75f41aedb3c48eaf9d6358fa780920d5270a9d45151ceda767b7ee9600b.exe
Filesize804KB
MD5f1cfe760eb1c2a1b4c59558871649106
SHA1e073e09713891f07988b3f1292df22e41753c412
SHA256294ad75f41aedb3c48eaf9d6358fa780920d5270a9d45151ceda767b7ee9600b
SHA5127821f46cdf3b514365ea195051d3788cfd8e95c493528b5073a4eae2c5bbe37c79b1d30db99eab95f4331a3590fad7529926acf1f711fc3cf724d01a40ac9f9a