Overview

overview

10

Static

static

3

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-08-2024 09:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    729KB

  • MD5

    d7528cd33b73718b5949277420681f90

  • SHA1

    61d97f8da20ff2995890ce5f2c8a2c9e6e51c078

  • SHA256

    3b8d07693e296aee36e7607c71503d981396a21b367e169146afdd052cdcf4d1

  • SHA512

    b3dab709e19a2a8bad92b259ea1739ad55564f6fe31e9f4e502b6280ae6c70cdf5a0f1fda208887da4bbcf9213986e2038abe6a09dc2940998df08d82e87d474

  • SSDEEP

    12288:koywWrwlTyC9yR+xBP4wMpAuhjH8/Hl19KKjNgzqE0CM6EpJMwk:PlTX9Xj4w+hbM1/g2kM

Score
10/10
djvudiscoverypersistenceransomware

Malware Config

Extracted

Family

djvu

C2

http://cajgtus.com/test1/get.php

Attributes
  • extension

    .watz

  • offline_id

    Lc3VTezPWbMhuVAQFzJUdeA68PwI7UDpc5aKHYt1

  • payload_url

  • ransomnote

    ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://wetransfer.com/downloads/abe121434ad837dd5bdd03878a14485820240531135509/34284d Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0874PsawqS

rsa_pubkey.plain

Signatures

  • Detected Djvu ransomware 17 IoCs
  • Djvu Ransomware

    Ransomware which is a variant of the STOP family.

    ransomwaredjvu
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4168
    • C:\Users\Admin\AppData\Local\Temp\file.exe
      "C:\Users\Admin\AppData\Local\Temp\file.exe"
      2⤵
      • Checks computer location settings
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:932
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Users\Admin\AppData\Local\f70f890c-c25c-4eaf-b2d2-b4dd0931ff39" /deny *S-1-1-0:(OI)(CI)(DE,DC)
        3⤵
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        PID:3008
      • C:\Users\Admin\AppData\Local\Temp\file.exe
        "C:\Users\Admin\AppData\Local\Temp\file.exe" --Admin IsNotAutoStart IsNotTask
        3⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4592
        • C:\Users\Admin\AppData\Local\Temp\file.exe
          "C:\Users\Admin\AppData\Local\Temp\file.exe" --Admin IsNotAutoStart IsNotTask
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:3584

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12
    Filesize

    1KB

    MD5

    7fb5fa1534dcf77f2125b2403b30a0ee

    SHA1

    365d96812a69ac0a4611ea4b70a3f306576cc3ea

    SHA256

    33a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f

    SHA512

    a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8
    Filesize

    436B

    MD5

    971c514f84bba0785f80aa1c23edfd79

    SHA1

    732acea710a87530c6b08ecdf32a110d254a54c8

    SHA256

    f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

    SHA512

    43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12
    Filesize

    174B

    MD5

    9df454429b04b130bfa1b74f6565c8e4

    SHA1

    0d3ab58db37c483d6f0825e6a0f7acc1f09b9f61

    SHA256

    86966bb95740e3088920de8318e4a7d397e40649d1cbb0d14eea189a22e0960d

    SHA512

    5a0e939b090f4e4e8e4b39db2728ce172ee25cf6109e3dbc22b63e9d07ca25b612242edb8968dc38fb83742453bf025ed0d527a8930dc6773b8d82f888bff64e

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8
    Filesize

    170B

    MD5

    e46c94a2a04b40ce158ab0fd2aaed80e

    SHA1

    3bfbba3ea07f70447ff7849ad6fa2ff3f825f588

    SHA256

    d7bbed451793dc7374de96451e221a60de5f3e4b3dd0cabfa0c26dbe7141b711

    SHA512

    8fa86c62f9ca10bde05c6c3af9a29e17502712e0efde892e45fbd4beac60db0126ac3a84385b48345fb5edeb1886c81e957e23f0811fd8f6f59ef8a9e7344286

    Download Submit

  • C:\Users\Admin\AppData\Local\f70f890c-c25c-4eaf-b2d2-b4dd0931ff39\file.exe
    Filesize

    729KB

    MD5

    d7528cd33b73718b5949277420681f90

    SHA1

    61d97f8da20ff2995890ce5f2c8a2c9e6e51c078

    SHA256

    3b8d07693e296aee36e7607c71503d981396a21b367e169146afdd052cdcf4d1

    SHA512

    b3dab709e19a2a8bad92b259ea1739ad55564f6fe31e9f4e502b6280ae6c70cdf5a0f1fda208887da4bbcf9213986e2038abe6a09dc2940998df08d82e87d474

    Download Submit

  • memory/932-3-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/932-4-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/932-5-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/932-6-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/932-17-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/3584-22-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/3584-29-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/3584-40-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/3584-39-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/3584-21-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/3584-38-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/3584-37-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/3584-24-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/3584-30-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/3584-31-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/3584-35-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/4168-2-0x0000000002240000-0x000000000235B000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/4168-1-0x00000000021A0000-0x0000000002237000-memory.dmp

    Filesize

    604KB

    Download

  • memory/4592-19-0x0000000000400000-0x00000000004CA000-memory.dmp

    Filesize

    808KB

    Download

  • memory/4592-23-0x0000000000400000-0x00000000004CA000-memory.dmp

    Filesize

    808KB

    Download