General

  • Target

    5273a3a335099ecaaf00a55c769433689baa04533cffcce023b1d688a0a5676b

  • Size

    64KB

  • MD5

    9bdab778c8f250d0ba551c0be933105a

  • SHA1

    c7bbdba3909669ddeae51c2885e00bcca069014b

  • SHA256

    5273a3a335099ecaaf00a55c769433689baa04533cffcce023b1d688a0a5676b

  • SHA512

    dcf153b0133779ef718ee1439f3e8c0516fbea4190a79ea29c7d5b8996f15f097e241954401d36019ee11a73cc032792c5086c62eeb2d4f92e17e04869ed3daf

  • SSDEEP

    1536:DUI+1/8uuK3UWLr42XZqjJGEg7/Mff/0HrgXZqjJG1eq53GueCuWKbWZ1P2cp:DUzUWLr42XZqjJGEIk2rgXZqjJG1eq5V

Score
10/10

Malware Config

Extracted

Ransom Note
Embedded report: 09b4b7b46aaa241b8e31419b9.exe

General

  • Target

    09b4b7b46aaa241b8e31419b9.exe

  • Size

    695KB

  • Sample

    230705-qqgx3acf53

  • MD5

    9b728ef6f74c527002e752b3bc8259a4

  • SHA1

    ed2b4d35bf42d50c0cd8c93210493820ea5053df

  • SHA256

    09b4b7b46aaa241b8e31419b9d71e0b9b1c70991cb1dd544cfb55150ebcb7a72

  • SHA512

    6621a0ec0f856d2fd9d7f20ea51a092e4dc2342ff41611ee09b29c34c4adb1be8ba365a39cb47eeb5879c3139b2f99c91cfd05165468783756fe0128c94df2cf

  • SSDEEP

    12288:P7ZXw3vt0DYeb80htjwNHTqQQtLDHNN49bUpmfhe/B3eauyS3+xlD+NdDe0v:PtA3izTtjwwrtHj4NUQf8hYOboeo

Score
10/10

Tags: djvu, discovery, persistence, ransomware

Tasks

  • static1 (Static task): 1 signature, score 3/10

  • behavioral1 (Behavioral task): sample 09b4b7b46aaa241b8e31419b9.exe, resource win7-20230703-en, windows7-x64, 10 signatures, 150 seconds, score 10/10

  • behavioral2 (Behavioral task): sample 09b4b7b46aaa241b8e31419b9.exe, resource win10v2004-20230703-en, windows10-2004-x64, 13 signatures, 150 seconds, score 10/10

Malware Config

  • Family

    djvu

  • C2

    http://budf.top/ydtftysdtyftysdfsdpen3/get.php

  • Attributes

    extension: .mado
    offline_id: 8TaHEsq5r7cNJKbYdWseLEB2pW1FuZKoKjKg5tt1

  • payload_url

    http://budf.top/files/penelop/updatewin1.exe
    http://budf.top/files/penelop/updatewin2.exe
    http://budf.top/files/penelop/updatewin.exe
    http://budf.top/files/penelop/3.exe
    http://budf.top/files/penelop/4.exe
    http://budf.top/files/penelop/5.exe

  • ransomnote

    ATTENTION!
    Don't worry, you can return all your files!
    All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
    The only method of recovering files is to purchase decrypt tool and unique key for you.
    This software will decrypt all your encrypted files.
    What guarantees you have?
    You can send one of your encrypted file from your PC and we decrypt it for free.
    But we can decrypt only 1 file for free. File must not contain valuable information.
    You can get and look video overview decrypt tool: https://we.tl/t-PHJh5SU4jT
    Price of private key and decrypt software is $980.
    Discount 50% available if you contact us first 72 hours, that's price for you is $490.
    Please note that you'll never restore your data without payment.
    Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.
    To get this software you need write on our e-mail: [email protected]
    Reserve e-mail address to contact us: [email protected]
    Your personal ID: 0217OIWojlj48

  • rsa_pubkey.plain

Signatures

  • Detected Djvu ransomware

  • Djvu Ransomware (ransomware, djvu)

    Ransomware which is a variant of the STOP family.

  • Renames multiple (161) files with added filename extension (ransomware)

    This suggests ransomware activity of encrypting all the files on the system.

  • Modifies extensions of user files (ransomware)

    Ransomware generally changes the extension on encrypted files.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Modifies file permissions (discovery)

  • Adds Run key to start application (persistence)

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    Registry Run Keys / Startup Folder (T1060), 1 use

  • Defense Evasion

    File Permissions Modification (T1222), 1 use
    Modify Registry (T1112), 2 uses
    Install Root Certificate (T1130), 1 use

  • Discovery

    Query Registry (T1012), 1 use
    System Information Discovery (T1082), 2 uses

  • No techniques recorded for Initial Access, Execution, Privilege Escalation, Credential Access, Lateral Movement, Collection, Exfiltration, Command and Control, Impact
URLs

http://budf.top/ydtftysdtyftysdfsdpen3/get.php

http://budf.top/files/penelop/updatewin1.exe

http://budf.top/files/penelop/updatewin2.exe

http://budf.top/files/penelop/updatewin.exe

http://budf.top/files/penelop/3.exe

http://budf.top/files/penelop/4.exe

http://budf.top/files/penelop/5.exe

https://we.tl/t-PHJh5SU4jT

Signatures

Files

  • 5273a3a335099ecaaf00a55c769433689baa04533cffcce023b1d688a0a5676b.html