djvu | 65095394b8ee9ff4db8b8b7d88dfb1a3936450010fdd7266e9334e323b6c0da2

General

Target

liar.exe
Size

704KB
MD5

eeca05d25df9dd3ac6649d544af8b130
SHA1

02792783b0dcce6668431e6f00c82f25a9b5317a
SHA256

65095394b8ee9ff4db8b8b7d88dfb1a3936450010fdd7266e9334e323b6c0da2
SHA512

a7ffe32a4fbb976287d63ca143cd003fd2c5285bcb93f4e8270c16b582dc974e49ae1b33aa6197addfbb3e179b557071f1ef0e44c9cd8eb5fdab53d55ae04143
SSDEEP

12288:NmiX7brhCcIDkqBiBXrY0oZCMVzD/KAKExWfn52rFII74EbFOVwPBOu:wiXlCVDDfZvVHvKjf50IK1Rmw5f

Score

10^/10

djvu discovery persistence ransomware

Malware Config

Extracted

Family

djvu

C2

http://zexeq.com/test2/get.php

Attributes

extension
.goaq
offline_id
zMrgM3QgNJsLARd9vs9a31qnKMjRqxjLT6s9OQt1
payload_url
http://uaery.top/dl/build2.exe

http://zexeq.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-rayImYlyWe Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0656Usjf

rsa_pubkey.plain

Signatures

Detected Djvu ransomware 9 IoCs

resource	yara_rule
behavioral2/memory/4460-2-0x0000000002470000-0x000000000258B000-memory.dmp	family_djvu
behavioral2/memory/3516-3-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3516-4-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3516-5-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3516-6-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3516-21-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2880-28-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2880-27-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2880-25-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	liar.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2992	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\dd8281fc-427d-4638-b5a1-37811f1b1f56\\liar.exe\" --AutoStart"	liar.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	api.2ip.ua
5	api.2ip.ua

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4460 set thread context of 3516	4460	liar.exe	88
PID 4932 set thread context of 2880	4932	liar.exe	92

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1820	2880	WerFault.exe	92

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	liar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	liar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	liar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	liar.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3516	liar.exe
3516	liar.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 4460 wrote to memory of 3516	4460	liar.exe	88
PID 4460 wrote to memory of 3516	4460	liar.exe	88
PID 4460 wrote to memory of 3516	4460	liar.exe	88
PID 4460 wrote to memory of 3516	4460	liar.exe	88
PID 4460 wrote to memory of 3516	4460	liar.exe	88
PID 4460 wrote to memory of 3516	4460	liar.exe	88
PID 4460 wrote to memory of 3516	4460	liar.exe	88
PID 4460 wrote to memory of 3516	4460	liar.exe	88
PID 4460 wrote to memory of 3516	4460	liar.exe	88
PID 4460 wrote to memory of 3516	4460	liar.exe	88
PID 3516 wrote to memory of 2992	3516	liar.exe	89
PID 3516 wrote to memory of 2992	3516	liar.exe	89
PID 3516 wrote to memory of 2992	3516	liar.exe	89
PID 3516 wrote to memory of 4932	3516	liar.exe	90
PID 3516 wrote to memory of 4932	3516	liar.exe	90
PID 3516 wrote to memory of 4932	3516	liar.exe	90
PID 4932 wrote to memory of 2880	4932	liar.exe	92
PID 4932 wrote to memory of 2880	4932	liar.exe	92
PID 4932 wrote to memory of 2880	4932	liar.exe	92
PID 4932 wrote to memory of 2880	4932	liar.exe	92
PID 4932 wrote to memory of 2880	4932	liar.exe	92
PID 4932 wrote to memory of 2880	4932	liar.exe	92
PID 4932 wrote to memory of 2880	4932	liar.exe	92
PID 4932 wrote to memory of 2880	4932	liar.exe	92
PID 4932 wrote to memory of 2880	4932	liar.exe	92
PID 4932 wrote to memory of 2880	4932	liar.exe	92

C:\Users\Admin\AppData\Local\Temp\liar.exe
"C:\Users\Admin\AppData\Local\Temp\liar.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4460
- C:\Users\Admin\AppData\Local\Temp\liar.exe
  "C:\Users\Admin\AppData\Local\Temp\liar.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3516
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\dd8281fc-427d-4638-b5a1-37811f1b1f56" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:2992
- - C:\Users\Admin\AppData\Local\Temp\liar.exe
    "C:\Users\Admin\AppData\Local\Temp\liar.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4932
  - - C:\Users\Admin\AppData\Local\Temp\liar.exe
      "C:\Users\Admin\AppData\Local\Temp\liar.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      System Location Discovery: System Language Discovery
      PID:2880
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2880 -s 568
        5⤵
        Program crash
        
        PID:1820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2880 -ip 2880
1⤵
PID:1788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

File and Directory Permissions Modification

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\dd8281fc-427d-4638-b5a1-37811f1b1f56\liar.exe

Filesize
704KB

MD5
eeca05d25df9dd3ac6649d544af8b130

SHA1
02792783b0dcce6668431e6f00c82f25a9b5317a

SHA256
65095394b8ee9ff4db8b8b7d88dfb1a3936450010fdd7266e9334e323b6c0da2

SHA512
a7ffe32a4fbb976287d63ca143cd003fd2c5285bcb93f4e8270c16b582dc974e49ae1b33aa6197addfbb3e179b557071f1ef0e44c9cd8eb5fdab53d55ae04143

Download Submit
memory/2880-28-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2880-27-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2880-25-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3516-3-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3516-4-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3516-5-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3516-6-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3516-21-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4460-2-0x0000000002470000-0x000000000258B000-memory.dmp

Filesize
1.1MB

Download
memory/4460-1-0x0000000002270000-0x000000000230B000-memory.dmp

Filesize
620KB

Download
memory/4932-23-0x0000000000400000-0x00000000005F3000-memory.dmp

Filesize
1.9MB

Download
memory/4932-29-0x0000000000400000-0x00000000005F3000-memory.dmp

Filesize
1.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads