Overview

overview

10

Static

static

3

02b137b6b2...0N.exe

windows7-x64

10

02b137b6b2...0N.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    02b137b6b241a10dcb0b2fdbe5c1f090N.exe

  • Size

    887KB

  • Sample

    240829-k2zdlawanj

  • MD5

    02b137b6b241a10dcb0b2fdbe5c1f090

  • SHA1

    9a3642a88fbfb5dad28002fc59be862e67563acc

  • SHA256

    82f0e9dfd4877c39903738a842045001359c431b114ca5cfa4e488a5c0257e06

  • SHA512

    db143182e4df7bcc266f437191122f97aaeb451258dd0f8f17f3b9c51312098872faedeb8b1ae7c19f890ce54da71fc78e4225b77bd06d49965bcfcf5267408c

  • SSDEEP

    12288:1G8ua3cRXmsmcU90p2aFZWI3ltIuEnnPJPYCGE1E2SIvhxfu0QnBYF7sFDF9R/:SaMkLBNanWKGuMRYDEO2SITQnBYZ+/

Score
10/10
djvudiscoverypersistenceransomware

Malware Config

Extracted

Family

djvu

C2

http://astdg.top/nddddhsspen6/get.php

Attributes
  • extension

    .piiq

  • offline_id

    7ucZviScWxXXYEE1znZMXmqHoguKJq5lmLcV78t1

  • payload_url

    http://astdg.top/files/penelop/updatewin1.exe

    http://astdg.top/files/penelop/updatewin2.exe

    http://astdg.top/files/penelop/updatewin.exe

    http://astdg.top/files/penelop/3.exe

    http://astdg.top/files/penelop/4.exe

    http://astdg.top/files/penelop/5.exe

  • ransomnote

    ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-J9GjESeoLZ Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0308ewgfDd

rsa_pubkey.plain

Targets

    • Target

      02b137b6b241a10dcb0b2fdbe5c1f090N.exe

    • Size

      887KB

    • MD5

      02b137b6b241a10dcb0b2fdbe5c1f090

    • SHA1

      9a3642a88fbfb5dad28002fc59be862e67563acc

    • SHA256

      82f0e9dfd4877c39903738a842045001359c431b114ca5cfa4e488a5c0257e06

    • SHA512

      db143182e4df7bcc266f437191122f97aaeb451258dd0f8f17f3b9c51312098872faedeb8b1ae7c19f890ce54da71fc78e4225b77bd06d49965bcfcf5267408c

    • SSDEEP

      12288:1G8ua3cRXmsmcU90p2aFZWI3ltIuEnnPJPYCGE1E2SIvhxfu0QnBYF7sFDF9R/:SaMkLBNanWKGuMRYDEO2SITQnBYZ+/

    Score
    10/10
    djvudiscoverypersistenceransomware

    • Detected Djvu ransomware

    • Djvu Ransomware

      Ransomware which is a variant of the STOP family.

      ransomwaredjvu

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Modifies file permissions

      discovery

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks