Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

cryptolaemus

windows10-2004-x64

10

cryptolaemus

windows11-21h2-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    128s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240508-en
  • resource tags

    arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    11/05/2024, 21:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    11787248543667fdcd0be279b136dcea5485b1bdffde066975921a268a1e675c.exe

  • Size

    744KB

  • MD5

    b8aebc100a274c95d2c92c50f721d12e

  • SHA1

    c5d43041dd429e8af06dc3c6302cca915ff77cc0

  • SHA256

    11787248543667fdcd0be279b136dcea5485b1bdffde066975921a268a1e675c

  • SHA512

    f746f6606befa5b5c510d99f4815e2dc26b45701ee32eea14f4498542216f112000d2e35a8ac1a727cffa21abd91f7c49be0b9d5b654a8f5311096e7ba386d50

  • SSDEEP

    12288:5VPXOr5lH8F6Ls1bAJW5axYRy9bC9ooXo6Xiak3OUiPMkdUv+:HPSKbJ5axYYgN7il+UZaUv+

Score
10/10
djvudiscoverypersistenceransomware

Malware Config

Extracted

Family

djvu

C2

http://cajgtus.com/test2/get.php

Attributes
  • extension

    .qehu

  • offline_id

    jgILOjDrBgyzY4JmT3B2jDSyBmDPBruKk8bKs6t1

  • payload_url

    http://sdfjhuz.com/dl/build2.exe

    http://cajgtus.com/files/1/build3.exe

  • ransomnote

    ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://wetransfer.com/downloads/665ddae3fc3cd10bbaaa4350408b196920240504141005/4cae7e Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0868PsawqS

rsa_pubkey.plain

Signatures

  • Detected Djvu ransomware 17 IoCs
  • Djvu Ransomware

    Ransomware which is a variant of the STOP family.

    ransomwaredjvu
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\11787248543667fdcd0be279b136dcea5485b1bdffde066975921a268a1e675c.exe
    "C:\Users\Admin\AppData\Local\Temp\11787248543667fdcd0be279b136dcea5485b1bdffde066975921a268a1e675c.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2216
    • C:\Users\Admin\AppData\Local\Temp\11787248543667fdcd0be279b136dcea5485b1bdffde066975921a268a1e675c.exe
      "C:\Users\Admin\AppData\Local\Temp\11787248543667fdcd0be279b136dcea5485b1bdffde066975921a268a1e675c.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4416
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Users\Admin\AppData\Local\4d861f04-f43d-4f15-9f9d-96134352efdd" /deny *S-1-1-0:(OI)(CI)(DE,DC)
        3⤵
        • Modifies file permissions
        PID:2416
      • C:\Users\Admin\AppData\Local\Temp\11787248543667fdcd0be279b136dcea5485b1bdffde066975921a268a1e675c.exe
        "C:\Users\Admin\AppData\Local\Temp\11787248543667fdcd0be279b136dcea5485b1bdffde066975921a268a1e675c.exe" --Admin IsNotAutoStart IsNotTask
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:3084
        • C:\Users\Admin\AppData\Local\Temp\11787248543667fdcd0be279b136dcea5485b1bdffde066975921a268a1e675c.exe
          "C:\Users\Admin\AppData\Local\Temp\11787248543667fdcd0be279b136dcea5485b1bdffde066975921a268a1e675c.exe" --Admin IsNotAutoStart IsNotTask
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:4984

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
    Filesize

    1KB

    MD5

    844a93e096b7ac8f56f9286642d59fed

    SHA1

    6bf7e649df885f4338d9b84864c4fb2c6d06d2ed

    SHA256

    5a344dea279de4e33fd977f55d63b9518cac5ad62e2e5cd09a81f56ced29eddb

    SHA512

    eea9f130fdbb0b0ad23e0fcfc25c14be2827cb641f1d1a6aa2097a1e8b9b81e8e3ebc5633f8fccac60039d361da971f1c5e1085371ca23bc0c3c125bdddd60df

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
    Filesize

    724B

    MD5

    8202a1cd02e7d69597995cabbe881a12

    SHA1

    8858d9d934b7aa9330ee73de6c476acf19929ff6

    SHA256

    58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

    SHA512

    97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
    Filesize

    410B

    MD5

    807bcea43f38ca582bfa0a0042940dad

    SHA1

    8089dc240a46cf8be244b9b715bfd77739f867ec

    SHA256

    63c41dd28cca6ede44ff34a7decdfce8e0ac2a3556ac5017f1eb9b500ec71b49

    SHA512

    d4225a1be27edd1636e61e27481f399b97cd56c308160368ec159e6724fa63a266246798d61d6979f81c006ab1b5a9e4d6fbebe69a6c528836f4afe6e578a4f1

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
    Filesize

    392B

    MD5

    bb6aaf856cd4b841f05bda2242fde626

    SHA1

    09df7c0ddb8e962307c18d1f2101d2b36b5189a6

    SHA256

    f6cc71f758059393b167af51979ba040482f11c1bc9fe76a111d286054aa3308

    SHA512

    8f6a7572a7d1e0d4aad02fb3ed3cdcb760a493fbe35a45270d48a94170ba778bc81cacce8c9ac7ddc653fb4e0fe63dfa68d9552f4669c7930ddb798aa01caab9

    Download Submit

  • C:\Users\Admin\AppData\Local\4d861f04-f43d-4f15-9f9d-96134352efdd\11787248543667fdcd0be279b136dcea5485b1bdffde066975921a268a1e675c.exe
    Filesize

    744KB

    MD5

    b8aebc100a274c95d2c92c50f721d12e

    SHA1

    c5d43041dd429e8af06dc3c6302cca915ff77cc0

    SHA256

    11787248543667fdcd0be279b136dcea5485b1bdffde066975921a268a1e675c

    SHA512

    f746f6606befa5b5c510d99f4815e2dc26b45701ee32eea14f4498542216f112000d2e35a8ac1a727cffa21abd91f7c49be0b9d5b654a8f5311096e7ba386d50

    Download Submit

  • memory/2216-1-0x0000000002580000-0x000000000261A000-memory.dmp

    Filesize

    616KB

    Download

  • memory/2216-2-0x0000000002620000-0x000000000273B000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/3084-24-0x0000000000400000-0x0000000000812000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/3084-27-0x0000000000400000-0x0000000000812000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/4416-3-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/4416-5-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/4416-4-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/4416-21-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/4416-6-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/4984-35-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/4984-28-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/4984-25-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/4984-36-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/4984-26-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/4984-37-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/4984-40-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/4984-43-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/4984-42-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/4984-44-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/4984-45-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

    Download