djvu | 428fdf094c58f6dd9eda7f6efafaddcb43b482940bdca405db4b62e3a65c3c95

General

Target

runner.exe
Size

790KB
MD5

afc84a8b4609d2df281fb3490e109bbd
SHA1

60e14e134728ddb00e519ce1097ee3abdee95459
SHA256

428fdf094c58f6dd9eda7f6efafaddcb43b482940bdca405db4b62e3a65c3c95
SHA512

11c43645a8f7bd215dd5bcc76286aec7a309d030c83f33ab9903f734535fc376b01f545d05966a7e02c0e9ba4e962c573ad7c2320e03b2aa5adcbacf4136918a
SSDEEP

12288:2pV8ixHDVaVHqfEqpCet/A/k3i5trFvXUbmYTZ5qXxPezdE2vZ5d66gp9/:QmMKHqvt/A/kS/r9XitTZ4XtyZc

Score

10^/10

djvu discovery persistence ransomware

Malware Config

Extracted

Family

djvu

C2

http://fresherlights.com/lancer/get.php

Attributes

extension
.bozq
offline_id
oHp5e4SJxdFtxfvKYmeX06F4C5cn0EcsF5Ak9Wt1
payload_url
http://uaery.top/dl/build2.exe

http://fresherlights.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-dyi5UcwIT9 Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0597Jhyjd

rsa_pubkey.plain

Signatures

Detected Djvu ransomware 13 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2428-2-0x00000000044F0000-0x000000000460B000-memory.dmp	family_djvu
behavioral1/memory/2828-5-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2828-9-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2828-8-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2828-22-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2100-27-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2100-44-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2100-45-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2100-46-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2100-49-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2100-51-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2100-52-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2100-53-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

2636 icacls.exe

pid	process
2636	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

runner.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\e587d6ae-2484-4ce5-bf8c-e1235f93c866\\runner.exe\" --AutoStart"	runner.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 api.2ip.ua
4 api.2ip.ua
11 api.2ip.ua

flow	ioc
3	api.2ip.ua
4	api.2ip.ua
11	api.2ip.ua

Suspicious use of SetThreadContext 2 IoCs

Processes:

runner.exerunner.exe

description	pid	process	target process
PID 2428 set thread context of 2828	2428	runner.exe	runner.exe
PID 2668 set thread context of 2100	2668	runner.exe	runner.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

runner.exerunner.exeicacls.exerunner.exerunner.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	runner.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	runner.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	runner.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	runner.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

runner.exerunner.exe

pid process

2828 runner.exe
2828 runner.exe
2100 runner.exe
2100 runner.exe

pid	process
2828	runner.exe
2828	runner.exe
2100	runner.exe
2100	runner.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

runner.exerunner.exerunner.exe

description	pid	process	target process
PID 2428 wrote to memory of 2828	2428	runner.exe	runner.exe
PID 2428 wrote to memory of 2828	2428	runner.exe	runner.exe
PID 2428 wrote to memory of 2828	2428	runner.exe	runner.exe
PID 2428 wrote to memory of 2828	2428	runner.exe	runner.exe
PID 2428 wrote to memory of 2828	2428	runner.exe	runner.exe
PID 2428 wrote to memory of 2828	2428	runner.exe	runner.exe
PID 2428 wrote to memory of 2828	2428	runner.exe	runner.exe
PID 2428 wrote to memory of 2828	2428	runner.exe	runner.exe
PID 2428 wrote to memory of 2828	2428	runner.exe	runner.exe
PID 2428 wrote to memory of 2828	2428	runner.exe	runner.exe
PID 2428 wrote to memory of 2828	2428	runner.exe	runner.exe
PID 2828 wrote to memory of 2636	2828	runner.exe	icacls.exe
PID 2828 wrote to memory of 2636	2828	runner.exe	icacls.exe
PID 2828 wrote to memory of 2636	2828	runner.exe	icacls.exe
PID 2828 wrote to memory of 2636	2828	runner.exe	icacls.exe
PID 2828 wrote to memory of 2668	2828	runner.exe	runner.exe
PID 2828 wrote to memory of 2668	2828	runner.exe	runner.exe
PID 2828 wrote to memory of 2668	2828	runner.exe	runner.exe
PID 2828 wrote to memory of 2668	2828	runner.exe	runner.exe
PID 2668 wrote to memory of 2100	2668	runner.exe	runner.exe
PID 2668 wrote to memory of 2100	2668	runner.exe	runner.exe
PID 2668 wrote to memory of 2100	2668	runner.exe	runner.exe
PID 2668 wrote to memory of 2100	2668	runner.exe	runner.exe
PID 2668 wrote to memory of 2100	2668	runner.exe	runner.exe
PID 2668 wrote to memory of 2100	2668	runner.exe	runner.exe
PID 2668 wrote to memory of 2100	2668	runner.exe	runner.exe
PID 2668 wrote to memory of 2100	2668	runner.exe	runner.exe
PID 2668 wrote to memory of 2100	2668	runner.exe	runner.exe
PID 2668 wrote to memory of 2100	2668	runner.exe	runner.exe
PID 2668 wrote to memory of 2100	2668	runner.exe	runner.exe

C:\Users\Admin\AppData\Local\Temp\runner.exe
"C:\Users\Admin\AppData\Local\Temp\runner.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Users\Admin\AppData\Local\Temp\runner.exe
  "C:\Users\Admin\AppData\Local\Temp\runner.exe"
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\e587d6ae-2484-4ce5-bf8c-e1235f93c866" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:2636
- - C:\Users\Admin\AppData\Local\Temp\runner.exe
    "C:\Users\Admin\AppData\Local\Temp\runner.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - C:\Users\Admin\AppData\Local\Temp\runner.exe
      "C:\Users\Admin\AppData\Local\Temp\runner.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

File and Directory Permissions Modification

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
72b9143c906a9fda0cf1bc3663ba453d

SHA1
401e271d56eecfb348019523acd9b395567db261

SHA256
3b6de7eaf323ce30e1350a24033cedd64905f64748350aea99b1a2e7d4def633

SHA512
8262b5879d3892164438d0ea03b5385f016526dd7714c158f1a6da50e652d5318844c1017d63c58b77fd62d748fef9cf6f49373f875710b65d7fcd9adb5ceca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabCE38.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\e587d6ae-2484-4ce5-bf8c-e1235f93c866\runner.exe

Filesize
790KB

MD5
afc84a8b4609d2df281fb3490e109bbd

SHA1
60e14e134728ddb00e519ce1097ee3abdee95459

SHA256
428fdf094c58f6dd9eda7f6efafaddcb43b482940bdca405db4b62e3a65c3c95

SHA512
11c43645a8f7bd215dd5bcc76286aec7a309d030c83f33ab9903f734535fc376b01f545d05966a7e02c0e9ba4e962c573ad7c2320e03b2aa5adcbacf4136918a

Download Submit
memory/2100-46-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2100-53-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2100-52-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2100-51-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2100-49-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2100-45-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2100-27-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2100-44-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2428-7-0x0000000000250000-0x00000000002E2000-memory.dmp

Filesize
584KB

Download
memory/2428-0-0x0000000000250000-0x00000000002E2000-memory.dmp

Filesize
584KB

Download
memory/2428-2-0x00000000044F0000-0x000000000460B000-memory.dmp

Filesize
1.1MB

Download
memory/2428-1-0x0000000000250000-0x00000000002E2000-memory.dmp

Filesize
584KB

Download
memory/2668-24-0x0000000004460000-0x00000000044F2000-memory.dmp

Filesize
584KB

Download
memory/2828-22-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2828-8-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2828-9-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2828-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2828-5-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads