djvu | 1fcf99e0b22fe58b75d1772c030886b43e0411ccd6e8fe5a2c1139327080aec3

Analysis

max time kernel
295s
max time network
167s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/05/2024, 22:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1fcf99e0b22fe58b75d1772c030886b43e0411ccd6e8fe5a2c1139327080aec3.exe
Size

807KB
MD5

723aa64d603ccfb48104924995501a2a
SHA1

f9ecef27ab4601756647985070d5546e04ec0761
SHA256

1fcf99e0b22fe58b75d1772c030886b43e0411ccd6e8fe5a2c1139327080aec3
SHA512

b1a0e4f526c0652307dfd645639e06b173ecc3c4131fbf1aa13a518ad232851d97febfacb0820abd4f5f97ebc3b4e1a37ec5525371ac83692c73c1b53330c457
SSDEEP

12288:oKzU2/9reIPrj1AUWEvVInb+ZS6krXoKWoBPRottaUtLtJxheBEUHlMEZDnnKikm:zFXJHe+46ixZP28UFtleBEUHfDKikm

Score

10^/10

djvu discovery persistence ransomware

Malware Config

Extracted

Family

djvu

http://cajgtus.com/test2/get.php

Attributes

extension
.qehu
offline_id
jgILOjDrBgyzY4JmT3B2jDSyBmDPBruKk8bKs6t1
payload_url
http://sdfjhuz.com/dl/build2.exe

http://cajgtus.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://wetransfer.com/downloads/665ddae3fc3cd10bbaaa4350408b196920240504141005/4cae7e Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0868PsawqS

rsa_pubkey.plain

Signatures

Detected Djvu ransomware 13 IoCs

resource	yara_rule
behavioral1/memory/988-3-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/988-6-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2140-5-0x0000000003420000-0x000000000353B000-memory.dmp	family_djvu
behavioral1/memory/988-8-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/988-28-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2660-32-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2660-45-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2660-46-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2660-47-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2660-53-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2660-51-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2660-54-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2660-55-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
900	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\b1e31178-260a-4364-b387-6cd76abe15af\\1fcf99e0b22fe58b75d1772c030886b43e0411ccd6e8fe5a2c1139327080aec3.exe\" --AutoStart"	1fcf99e0b22fe58b75d1772c030886b43e0411ccd6e8fe5a2c1139327080aec3.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	api.2ip.ua
5	api.2ip.ua
9	api.2ip.ua

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2140 set thread context of 988	2140	1fcf99e0b22fe58b75d1772c030886b43e0411ccd6e8fe5a2c1139327080aec3.exe	30
PID 2888 set thread context of 2660	2888	1fcf99e0b22fe58b75d1772c030886b43e0411ccd6e8fe5a2c1139327080aec3.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
988	1fcf99e0b22fe58b75d1772c030886b43e0411ccd6e8fe5a2c1139327080aec3.exe
988	1fcf99e0b22fe58b75d1772c030886b43e0411ccd6e8fe5a2c1139327080aec3.exe
2660	1fcf99e0b22fe58b75d1772c030886b43e0411ccd6e8fe5a2c1139327080aec3.exe
2660	1fcf99e0b22fe58b75d1772c030886b43e0411ccd6e8fe5a2c1139327080aec3.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 988	2140	1fcf99e0b22fe58b75d1772c030886b43e0411ccd6e8fe5a2c1139327080aec3.exe	30
PID 2140 wrote to memory of 988	2140	1fcf99e0b22fe58b75d1772c030886b43e0411ccd6e8fe5a2c1139327080aec3.exe	30
PID 2140 wrote to memory of 988	2140	1fcf99e0b22fe58b75d1772c030886b43e0411ccd6e8fe5a2c1139327080aec3.exe	30
PID 2140 wrote to memory of 988	2140	1fcf99e0b22fe58b75d1772c030886b43e0411ccd6e8fe5a2c1139327080aec3.exe	30
PID 2140 wrote to memory of 988	2140	1fcf99e0b22fe58b75d1772c030886b43e0411ccd6e8fe5a2c1139327080aec3.exe	30
PID 2140 wrote to memory of 988	2140	1fcf99e0b22fe58b75d1772c030886b43e0411ccd6e8fe5a2c1139327080aec3.exe	30
PID 2140 wrote to memory of 988	2140	1fcf99e0b22fe58b75d1772c030886b43e0411ccd6e8fe5a2c1139327080aec3.exe	30
PID 2140 wrote to memory of 988	2140	1fcf99e0b22fe58b75d1772c030886b43e0411ccd6e8fe5a2c1139327080aec3.exe	30
PID 2140 wrote to memory of 988	2140	1fcf99e0b22fe58b75d1772c030886b43e0411ccd6e8fe5a2c1139327080aec3.exe	30
PID 2140 wrote to memory of 988	2140	1fcf99e0b22fe58b75d1772c030886b43e0411ccd6e8fe5a2c1139327080aec3.exe	30
PID 2140 wrote to memory of 988	2140	1fcf99e0b22fe58b75d1772c030886b43e0411ccd6e8fe5a2c1139327080aec3.exe	30
PID 988 wrote to memory of 900	988	1fcf99e0b22fe58b75d1772c030886b43e0411ccd6e8fe5a2c1139327080aec3.exe	32
PID 988 wrote to memory of 900	988	1fcf99e0b22fe58b75d1772c030886b43e0411ccd6e8fe5a2c1139327080aec3.exe	32
PID 988 wrote to memory of 900	988	1fcf99e0b22fe58b75d1772c030886b43e0411ccd6e8fe5a2c1139327080aec3.exe	32
PID 988 wrote to memory of 900	988	1fcf99e0b22fe58b75d1772c030886b43e0411ccd6e8fe5a2c1139327080aec3.exe	32
PID 988 wrote to memory of 2888	988	1fcf99e0b22fe58b75d1772c030886b43e0411ccd6e8fe5a2c1139327080aec3.exe	33
PID 988 wrote to memory of 2888	988	1fcf99e0b22fe58b75d1772c030886b43e0411ccd6e8fe5a2c1139327080aec3.exe	33
PID 988 wrote to memory of 2888	988	1fcf99e0b22fe58b75d1772c030886b43e0411ccd6e8fe5a2c1139327080aec3.exe	33
PID 988 wrote to memory of 2888	988	1fcf99e0b22fe58b75d1772c030886b43e0411ccd6e8fe5a2c1139327080aec3.exe	33
PID 2888 wrote to memory of 2660	2888	1fcf99e0b22fe58b75d1772c030886b43e0411ccd6e8fe5a2c1139327080aec3.exe	34
PID 2888 wrote to memory of 2660	2888	1fcf99e0b22fe58b75d1772c030886b43e0411ccd6e8fe5a2c1139327080aec3.exe	34
PID 2888 wrote to memory of 2660	2888	1fcf99e0b22fe58b75d1772c030886b43e0411ccd6e8fe5a2c1139327080aec3.exe	34
PID 2888 wrote to memory of 2660	2888	1fcf99e0b22fe58b75d1772c030886b43e0411ccd6e8fe5a2c1139327080aec3.exe	34
PID 2888 wrote to memory of 2660	2888	1fcf99e0b22fe58b75d1772c030886b43e0411ccd6e8fe5a2c1139327080aec3.exe	34
PID 2888 wrote to memory of 2660	2888	1fcf99e0b22fe58b75d1772c030886b43e0411ccd6e8fe5a2c1139327080aec3.exe	34
PID 2888 wrote to memory of 2660	2888	1fcf99e0b22fe58b75d1772c030886b43e0411ccd6e8fe5a2c1139327080aec3.exe	34
PID 2888 wrote to memory of 2660	2888	1fcf99e0b22fe58b75d1772c030886b43e0411ccd6e8fe5a2c1139327080aec3.exe	34
PID 2888 wrote to memory of 2660	2888	1fcf99e0b22fe58b75d1772c030886b43e0411ccd6e8fe5a2c1139327080aec3.exe	34
PID 2888 wrote to memory of 2660	2888	1fcf99e0b22fe58b75d1772c030886b43e0411ccd6e8fe5a2c1139327080aec3.exe	34
PID 2888 wrote to memory of 2660	2888	1fcf99e0b22fe58b75d1772c030886b43e0411ccd6e8fe5a2c1139327080aec3.exe	34

C:\Users\Admin\AppData\Local\Temp\1fcf99e0b22fe58b75d1772c030886b43e0411ccd6e8fe5a2c1139327080aec3.exe
"C:\Users\Admin\AppData\Local\Temp\1fcf99e0b22fe58b75d1772c030886b43e0411ccd6e8fe5a2c1139327080aec3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Users\Admin\AppData\Local\Temp\1fcf99e0b22fe58b75d1772c030886b43e0411ccd6e8fe5a2c1139327080aec3.exe
  "C:\Users\Admin\AppData\Local\Temp\1fcf99e0b22fe58b75d1772c030886b43e0411ccd6e8fe5a2c1139327080aec3.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:988
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\b1e31178-260a-4364-b387-6cd76abe15af" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:900
- - C:\Users\Admin\AppData\Local\Temp\1fcf99e0b22fe58b75d1772c030886b43e0411ccd6e8fe5a2c1139327080aec3.exe
    "C:\Users\Admin\AppData\Local\Temp\1fcf99e0b22fe58b75d1772c030886b43e0411ccd6e8fe5a2c1139327080aec3.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2888
  - - C:\Users\Admin\AppData\Local\Temp\1fcf99e0b22fe58b75d1772c030886b43e0411ccd6e8fe5a2c1139327080aec3.exe
      "C:\Users\Admin\AppData\Local\Temp\1fcf99e0b22fe58b75d1772c030886b43e0411ccd6e8fe5a2c1139327080aec3.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
5857aff0ea0365561d0f06769a04101c

SHA1
0ac570f0ec93618c5849baf94c0a167e4a706a95

SHA256
b50c616b5c29bd9611ed360a238b6b6c421d0fe3b85df331e4951aefab526b2e

SHA512
1863b40407893a4a26beaa7ae4add199676c15b633d59afb4dfd2906328b29497fdddcb0ff01b9ba77ac59c5c55511fa669b0ffd6e02bcfa2d2cc53df62390be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
915faa62fffb0b699d030877b84b8be6

SHA1
078c086636b0052ca07913fadaa459e04885b3db

SHA256
f4463d35c34acba65ba3a19b10d35454fa3d4d13b69314c320a61656fea36353

SHA512
7d3cbafc9610e7c2b98b0b7e5899704d931566ddb672afac017b53cbe0ea3b9f0ef3bafe383ac36ac81abed4b8725e70513f20f9fd1d83424ae203d056dde3cc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
004f1926f1d4895cbdd0176c273c8165

SHA1
9c1afa92e9a6d99fcd49be808f7fe84a860ba090

SHA256
01f2f87da6191e87d1b2631a63241f96ec49902dd71a0d19da7cf13096f32110

SHA512
f85ea4ec3e4f1220dd38fb749f2c61e7828523f79d7a86295f17ac466e8fad4d872b487d3a547b706c4c78d93fa7af3ff6aa423a2b9d86f8360f4e297e11fae3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
14318332a6766cf87dedfc9d65b5c897

SHA1
f7407301c4f6807532ed71a51444bd55803c8f71

SHA256
f55d33b216d88657bfa650b3edf44441ba4d2c8a12e5bb4de1d7509d056866d0

SHA512
b526c2016e1a3c5cb9b20d9af5f8318ab33e8752e236f1aff57f95cfe45dba8e0818831c86a69320d9211b5d90961465407671d92191d1a3e960c3ba5a339879

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9E0.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\b1e31178-260a-4364-b387-6cd76abe15af\1fcf99e0b22fe58b75d1772c030886b43e0411ccd6e8fe5a2c1139327080aec3.exe

Filesize
807KB

MD5
723aa64d603ccfb48104924995501a2a

SHA1
f9ecef27ab4601756647985070d5546e04ec0761

SHA256
1fcf99e0b22fe58b75d1772c030886b43e0411ccd6e8fe5a2c1139327080aec3

SHA512
b1a0e4f526c0652307dfd645639e06b173ecc3c4131fbf1aa13a518ad232851d97febfacb0820abd4f5f97ebc3b4e1a37ec5525371ac83692c73c1b53330c457

Download Submit
memory/988-1-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/988-3-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/988-6-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/988-8-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/988-28-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2140-7-0x0000000000400000-0x0000000001A94000-memory.dmp

Filesize
22.6MB

Download
memory/2140-0-0x0000000001AA0000-0x0000000001B32000-memory.dmp

Filesize
584KB

Download
memory/2140-5-0x0000000003420000-0x000000000353B000-memory.dmp

Filesize
1.1MB

Download
memory/2140-49-0x0000000000400000-0x0000000001A94000-memory.dmp

Filesize
22.6MB

Download
memory/2660-32-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2660-45-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2660-46-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2660-47-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2660-53-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2660-51-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2660-54-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2660-55-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2888-29-0x0000000000220000-0x00000000002B2000-memory.dmp

Filesize
584KB

Download