Analysis
-
max time kernel
148s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
-
submitted
25-04-2024 01:09
General
-
Target
200690de2b973c6f7a702d5129dea09aec57d548cab07e19f012e5a8e0c6ae64.exe
-
Size
780KB
-
MD5
4b2fb93459b4e03686148d0a1d3c1f00
-
SHA1
b16c9e43f7389ba51e1423f676cc61d9ec9d4354
-
SHA256
200690de2b973c6f7a702d5129dea09aec57d548cab07e19f012e5a8e0c6ae64
-
SHA512
31caad1014245fb375ecaefa11bdacdbf8e661acedf3411f75310e4e8dcf8f9ce8ec11ec17719677fe77afbb3036de07811c4309dbd9251c04edff017947e224
-
SSDEEP
12288:5O9ISzaeV1oie7CIXYEEsB7HBDGsqQuXpLyQVbDDzQBlFz+0Zdqbmw3q2MFC:5O7aezoB7/o5sBM/vRD8lFzzdeFtMFC
Malware Config
Extracted
djvu
http://cajgtus.com/test2/get.php
-
extension
.bgzq
-
offline_id
Z6iwSvCoAt8T8K2ROxecuXHPNHv7eDyWrc8Ks7t1
-
payload_url
http://sdfjhuz.com/dl/build2.exe
http://cajgtus.com/files/1/build3.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://wetransfer.com/downloads/54cdfd152fe98eedb628a1f4ddb7076420240421150208/403a27 Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0864PsawqS
Signatures
-
Detected Djvu ransomware 14 IoCs
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Modifies file permissions 1 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies system certificate store 2 TTPs 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of WriteProcessMemory 30 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\200690de2b973c6f7a702d5129dea09aec57d548cab07e19f012e5a8e0c6ae64.exe"C:\Users\Admin\AppData\Local\Temp\200690de2b973c6f7a702d5129dea09aec57d548cab07e19f012e5a8e0c6ae64.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\200690de2b973c6f7a702d5129dea09aec57d548cab07e19f012e5a8e0c6ae64.exe"C:\Users\Admin\AppData\Local\Temp\200690de2b973c6f7a702d5129dea09aec57d548cab07e19f012e5a8e0c6ae64.exe"2⤵
- Adds Run key to start application
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\b37effd2-bbe4-4252-8100-6947d0086bdb" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
-
C:\Users\Admin\AppData\Local\Temp\200690de2b973c6f7a702d5129dea09aec57d548cab07e19f012e5a8e0c6ae64.exe"C:\Users\Admin\AppData\Local\Temp\200690de2b973c6f7a702d5129dea09aec57d548cab07e19f012e5a8e0c6ae64.exe" --Admin IsNotAutoStart IsNotTask3⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\200690de2b973c6f7a702d5129dea09aec57d548cab07e19f012e5a8e0c6ae64.exe"C:\Users\Admin\AppData\Local\Temp\200690de2b973c6f7a702d5129dea09aec57d548cab07e19f012e5a8e0c6ae64.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5f8ed6292d6d2f9514668acec50849d17
SHA1482745d97c48b32fd986e488d169ac4eb7edd737
SHA256a7760866eaf849b079815652f9dce9eb9ec7c599199bc65c7030ca9e2ed91c26
SHA512ebc265c4a27c4a1d14ef783b28f3cb0de9ca4f28795078c3d80bf2ec6574c4e8f3f3c7c68197b1ea6f037cb88268cfab99817660f442696167120bc6275cad4f
-
Filesize
68KB
MD529f65ba8e88c063813cc50a4ea544e93
SHA105a7040d5c127e68c25d81cc51271ffb8bef3568
SHA2561ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
Filesize
724B
MD58202a1cd02e7d69597995cabbe881a12
SHA18858d9d934b7aa9330ee73de6c476acf19929ff6
SHA25658f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA51297ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9
-
Filesize
1KB
MD5a266bb7dcc38a562631361bbf61dd11b
SHA13b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA5120da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc
-
Filesize
410B
MD564bad4c5424d0121ef1b57df45227b77
SHA11c60778cbae6fe4e548ca95f8b1bfecf070b4e4a
SHA2567ed6cf1aec5aa65853b60bc04e651786a45778d5b69ef44afa67aedfa99f4c7b
SHA512225cf3c922625d318c5ff18b3cb17a752ef371688bf03339cf7f37ab4fa4f214e19bd3894b31036885f548b7ddbac24e7401d5b98ffc1d90c1d4fc301ffff5e3
-
Filesize
344B
MD54dbc66d3a3c456901168caf582a1fae0
SHA129812d53f1378e2fff98364c363b9975dea96524
SHA2563d8c41e6df7a6c82e92e83757e46a220f64e503a46e4ac5614fe35cfbc8af5dd
SHA5129561398bcbbf26f12481b3bbbd2f201b4c53fa22fa0471300694b27f73962eee363e2c4554c36a2f037ceec7865305a3b46056bf0a5d61cf3950813272d3b59a
-
Filesize
392B
MD59d6cc7eec56fe375c61d62790ae91e8e
SHA19d308b722c2c267a1fe83fb8b217e4fead6708a6
SHA256df9a2f6a2020dbe80021447882b69c1ab023575c42ed572f93c1b136a4d1066d
SHA5123a10467e9aad227d3ed722ffa71610febbba994c0aa40f879cf33dbcaf7f6fbbf420f3cebeff901e7967fb29c9123b481813bdf82282387dd8133cf32eda5dbe
-
Filesize
242B
MD53b42de49876e2940f152673f248b24f2
SHA11ba34029eba393362256f6659c13c915a49a1ce1
SHA256169d6434598d1f73e35acfa2704fccf7318985cf2a9b503e895ad1eb49e5f3ce
SHA51213fdcef81fae72da2895fee59cfedad0c098141ce44b47fd813fcf720a5922bc6ac7e7457cc90c9102655e043cabbcc70f03d575faa86bc942abca3bbd5cc313
-
Filesize
177KB
MD5435a9ac180383f9fa094131b173a2f7b
SHA176944ea657a9db94f9a4bef38f88c46ed4166983
SHA25667dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA5121a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
-
Filesize
780KB
MD54b2fb93459b4e03686148d0a1d3c1f00
SHA1b16c9e43f7389ba51e1423f676cc61d9ec9d4354
SHA256200690de2b973c6f7a702d5129dea09aec57d548cab07e19f012e5a8e0c6ae64
SHA51231caad1014245fb375ecaefa11bdacdbf8e661acedf3411f75310e4e8dcf8f9ce8ec11ec17719677fe77afbb3036de07811c4309dbd9251c04edff017947e224
-
Filesize
584KB
-
Filesize
584KB
-
Filesize
1.1MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
4KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
584KB
-
Filesize
584KB