Analysis
-
max time kernel
148s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
09-05-2024 01:47
General
-
Target
994c5358406c1383ecd084dc860a5d01ec6cad18afa0fa200bbefb339031390b.exe
-
Size
761KB
-
MD5
cbc0fb83669b4e7e03caa5c74f06be9a
-
SHA1
72dfbdd5cdb7b3d4a856bfc5a57c437ff354cfbf
-
SHA256
994c5358406c1383ecd084dc860a5d01ec6cad18afa0fa200bbefb339031390b
-
SHA512
50aaad65599e7208e03fb41208f7c0c7e59b3320eafcf584c480f7bc3df819b72b1460006697050cf6ccd705c72e0349b5d11377782c6180a15f2961a3a857ee
-
SSDEEP
12288:jriKZ0glHC70fdkwte/TMM0GKBlaHRUwQEvjAQ1UAXOhPlsOMzGY3X:jrBZ0gE70dtughGWoRXjAachSOMzt
Malware Config
Extracted
djvu
http://cajgtus.com/test1/get.php
-
extension
.qepi
-
offline_id
jgILOjDrBgyzY4JmT3B2jDSyBmDPBruKk8bKs6t1
-
payload_url
http://sdfjhuz.com/dl/build2.exe
http://cajgtus.com/files/1/build3.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://wetransfer.com/downloads/665ddae3fc3cd10bbaaa4350408b196920240504141005/4cae7e Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0867PsawqS
Signatures
-
Detected Djvu ransomware 13 IoCs
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Modifies file permissions 1 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of WriteProcessMemory 30 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\994c5358406c1383ecd084dc860a5d01ec6cad18afa0fa200bbefb339031390b.exe"C:\Users\Admin\AppData\Local\Temp\994c5358406c1383ecd084dc860a5d01ec6cad18afa0fa200bbefb339031390b.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\994c5358406c1383ecd084dc860a5d01ec6cad18afa0fa200bbefb339031390b.exe"C:\Users\Admin\AppData\Local\Temp\994c5358406c1383ecd084dc860a5d01ec6cad18afa0fa200bbefb339031390b.exe"2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\5ffece36-c2ec-4f06-88a0-513c1cb1c1d7" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
-
-
C:\Users\Admin\AppData\Local\Temp\994c5358406c1383ecd084dc860a5d01ec6cad18afa0fa200bbefb339031390b.exe"C:\Users\Admin\AppData\Local\Temp\994c5358406c1383ecd084dc860a5d01ec6cad18afa0fa200bbefb339031390b.exe" --Admin IsNotAutoStart IsNotTask3⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\994c5358406c1383ecd084dc860a5d01ec6cad18afa0fa200bbefb339031390b.exe"C:\Users\Admin\AppData\Local\Temp\994c5358406c1383ecd084dc860a5d01ec6cad18afa0fa200bbefb339031390b.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5980db886f2cbf3110b71813f1c55cca9
SHA1a574aa7b6f0ae88191d135161b0329202957aba3
SHA256ca3b546e0b8ceb8c92416dc5081dbe1f5ea28c80fc867078c966c981138b7cf6
SHA51252a238e4ae4351b9a8074032a909fdf7b86da856f6fb430eec3fa58b6745a83a57d9a3e1c91f718ea102c131fb34230ebcb9ae8e32d86f84e75168975329abca
-
Filesize
724B
MD58202a1cd02e7d69597995cabbe881a12
SHA18858d9d934b7aa9330ee73de6c476acf19929ff6
SHA25658f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA51297ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9
-
Filesize
410B
MD5905011c219f2e47e89d7b5aeac544e56
SHA18c8daafeb124115d535e2168ef859944921ba08a
SHA2567ac3af74f0086deda7fa5ce7497237b54c2db3494b07033a8786cee421eb2565
SHA5122bfbc26db6bd2fd2d5e8da0bc94b2ed89698ef207cf7d4b5bc678478318857b3b6288ee341adf51467b526485ee46a4a6bc25eedf455f7bce6194dd6afbf8f5e
-
Filesize
344B
MD549022d02e79cf17c70ec2d1d5d459d62
SHA1e6c40678def06a589d28e6a97c47b809167ca5e3
SHA256deef1f4773641c41bc0ad8d419b2364b9b69da3623ffc895e9c3af836a5e9f44
SHA512eb71093bd4b4dc65e4bdf90ba9f1b465c9cf230837ba69f6b74e5ffa43fe4355d530eaef21bd7a8e6311a070cc62b253e0eb3d8bcf8b079ea11df3cfe18f6486
-
Filesize
392B
MD52a4a89bfe257637560575429658f1d9a
SHA1173fd0aee8f18c7a596dc8da4f512d848de6dd67
SHA2566711e4fb1348e5c3756c6de2b08a2fae7e6882e278eeab1915eab3d229b9717f
SHA512a0b30f01a869b08c438b097b2bdaf625f71f790e9208db10155601bfce6bfb4bf64e583df2d26449114a1ddb9f9207fb7322b73d367a15e503ab0ee0b828b57c
-
Filesize
761KB
MD5cbc0fb83669b4e7e03caa5c74f06be9a
SHA172dfbdd5cdb7b3d4a856bfc5a57c437ff354cfbf
SHA256994c5358406c1383ecd084dc860a5d01ec6cad18afa0fa200bbefb339031390b
SHA51250aaad65599e7208e03fb41208f7c0c7e59b3320eafcf584c480f7bc3df819b72b1460006697050cf6ccd705c72e0349b5d11377782c6180a15f2961a3a857ee
-
Filesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
Filesize
584KB
-
Filesize
584KB
-
Filesize
1.1MB
-
Filesize
584KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
4KB
-
Filesize
1.2MB