Analysis

  • max time kernel: 147s
  • max time network: 132s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240709-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 25-07-2024 15:34

General

  • Target: 0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe
  • Size: 792KB
  • MD5: 4e8dcbde14041ca343eea4ab3f0966c6
  • SHA1: ed696645eca467d84ea2fd5c7d03517f3762da93
  • SHA256: 0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db
  • SHA512: fd31800fa8139f4cda7977b4bf4c298359e39d606f5db480063546765f9b4a1e3280abce985cb58fe8ae783479e0f006350e52e4bd6b8160a19ec2b3cb4f31bc
  • SSDEEP: 24576:tocYLYjvFiJMEjiXyDxdY3l5bnZ/GZyN:2c5vsnjiXHbbZOwN

Malware Config

Extracted

  • Family: djvu
  • C2: http://fuyt.org/test1/get.php

Attributes

  • extension: .kkia
  • offline_id: dYUDKE4rrBmSPsf8srHMsyP40jle9uyxDDCfdxt1
  • payload_url:
    http://zerit.top/dl/build2.exe
    http://fuyt.org/files/1/build3.exe
  • ransomnote:
    ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-NdDG3HIUZp Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0425Jsfkjn
  • rsa_pubkey.plain

Signatures

  • Detected Djvu ransomware (16 IoCs)
  • Djvu Ransomware: ransomware which is a variant of the STOP family.
  • ASPack v2.12-2.42 (1 IoC): detects executables packed with ASPack v2.12-2.42.
  • Checks computer location settings (2 TTPs, 3 IoCs): looks up the country code configured in the registry, likely a geofence.
  • Executes dropped EXE (2 IoCs)
  • Modifies file permissions (1 TTP, 1 IoC)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Looks up external IP address via web service (3 IoCs): uses a legitimate IP lookup service to find the infected system's external IP.
  • Suspicious use of SetThreadContext (2 IoCs)
  • Drops file in Program Files directory (64 IoCs)
  • Enumerates physical storage devices (1 TTP): attempts to interact with connected storage/optical drive(s).
  • System Location Discovery: System Language Discovery (1 TTP, 9 IoCs): attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  • Suspicious behavior: EnumeratesProcesses (4 IoCs)
  • Suspicious use of WriteProcessMemory (38 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe
    "C:\Users\Admin\AppData\Local\Temp\0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:384
    • C:\Users\Admin\AppData\Local\Temp\GTpwsO.exe
      C:\Users\Admin\AppData\Local\Temp\GTpwsO.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4760
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\126764c9.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3476
    • C:\Users\Admin\AppData\Local\Temp\0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe
      "C:\Users\Admin\AppData\Local\Temp\0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe"
      2⤵
      • Checks computer location settings
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4640
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Users\Admin\AppData\Local\0197d4f0-99cd-4f58-99b7-75b2de68df15" /deny *S-1-1-0:(OI)(CI)(DE,DC)
        3⤵
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        PID:748
      • C:\Users\Admin\AppData\Local\Temp\0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe
        "C:\Users\Admin\AppData\Local\Temp\0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe" --Admin IsNotAutoStart IsNotTask
        3⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1288
        • C:\Users\Admin\AppData\Local\Temp\GTpwsO.exe
          C:\Users\Admin\AppData\Local\Temp\GTpwsO.exe
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1020
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\62760151.bat" "
            5⤵
            • System Location Discovery: System Language Discovery
            PID:5040
        • C:\Users\Admin\AppData\Local\Temp\0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe
          "C:\Users\Admin\AppData\Local\Temp\0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe" --Admin IsNotAutoStart IsNotTask
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:3088

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12
    Filesize: 1KB

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8
    Filesize: 436B

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12
    Filesize: 174B

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8
    Filesize: 170B

  • C:\Users\Admin\AppData\Local\0197d4f0-99cd-4f58-99b7-75b2de68df15\0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe
    Filesize: 792KB (same hashes as the submitted sample)

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\5G8JI3LV\k2[1].rar
    Filesize: 4B

  • C:\Users\Admin\AppData\Local\Temp\126764c9.bat
    Filesize: 187B

  • C:\Users\Admin\AppData\Local\Temp\297902C4.exe
    Filesize: 4B

  • C:\Users\Admin\AppData\Local\Temp\62760151.bat
    Filesize: 187B

  • C:\Users\Admin\AppData\Local\Temp\GTpwsO.exe
    Filesize: 15KB

  • memory/384-50-0x00000000023E0000-0x00000000024FB000-memory.dmp (1.1MB)
  • memory/384-0-0x0000000000400000-0x000000000050B000-memory.dmp (1.0MB)
  • memory/384-54-0x0000000000400000-0x000000000050B000-memory.dmp (1.0MB)
  • memory/384-49-0x0000000002340000-0x00000000023DA000-memory.dmp (616KB)
  • memory/1020-71-0x0000000000400000-0x0000000000409000-memory.dmp (36KB)
  • memory/1020-76-0x0000000000400000-0x0000000000409000-memory.dmp (36KB)
  • memory/1288-68-0x0000000000400000-0x000000000050B000-memory.dmp (1.0MB)
  • memory/1288-82-0x0000000000400000-0x000000000050B000-memory.dmp (1.0MB)
  • memory/3088-100-0x0000000000400000-0x0000000000537000-memory.dmp (1.2MB)
  • memory/3088-103-0x0000000000400000-0x0000000000537000-memory.dmp (1.2MB)
  • memory/3088-105-0x0000000000400000-0x0000000000537000-memory.dmp (1.2MB)
  • memory/3088-81-0x0000000000400000-0x0000000000537000-memory.dmp (1.2MB)
  • memory/3088-104-0x0000000000400000-0x0000000000537000-memory.dmp (1.2MB)
  • memory/3088-102-0x0000000000400000-0x0000000000537000-memory.dmp (1.2MB)
  • memory/3088-97-0x0000000000400000-0x0000000000537000-memory.dmp (1.2MB)
  • memory/3088-89-0x0000000000400000-0x0000000000537000-memory.dmp (1.2MB)
  • memory/3088-87-0x0000000000400000-0x0000000000537000-memory.dmp (1.2MB)
  • memory/3088-88-0x0000000000400000-0x0000000000537000-memory.dmp (1.2MB)
  • memory/4640-67-0x0000000000400000-0x0000000000537000-memory.dmp (1.2MB)
  • memory/4640-52-0x0000000000400000-0x0000000000537000-memory.dmp (1.2MB)
  • memory/4640-51-0x0000000000400000-0x0000000000537000-memory.dmp (1.2MB)
  • memory/4640-53-0x0000000000400000-0x0000000000537000-memory.dmp (1.2MB)
  • memory/4640-55-0x0000000000400000-0x0000000000537000-memory.dmp (1.2MB)
  • memory/4760-5-0x0000000000650000-0x0000000000659000-memory.dmp (36KB)
  • memory/4760-46-0x0000000000650000-0x0000000000659000-memory.dmp (36KB)