Overview

overview

10

Static

static

3

winprofile

windows7-x64

10

winprofile

windows10-1703-x64

10

Analysis

  • max time kernel
    293s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    30-05-2024 23:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f1068bf1348c18992c05859a866a75203ed9da51f418541ea2405a23136a579f.exe

  • Size

    785KB

  • MD5

    0d4d8f1fbf7ef6cc30dfc1b267b0cd2c

  • SHA1

    5e4c154733ec0964ac050b32ec54bfffa7def0fc

  • SHA256

    f1068bf1348c18992c05859a866a75203ed9da51f418541ea2405a23136a579f

  • SHA512

    19f181995db6ca50a7f89f63fcc3ed6836c5b6de7fcd50db2f24fd6a098042b85b3c71264fa480c8b49e100468604cf3976453274e41d0e80db33c3d9e253c12

  • SSDEEP

    12288:3/2PQ0JBxk/q//UmITXZZ2HcHJK3oFziEcybA6deZ3V5M:3/o/GqnlIzwIJKAzcyk6k5V6

Score
10/10
djvudiscoverypersistenceransomware

Malware Config

Extracted

Family

djvu

C2

http://cajgtus.com/test1/get.php

Attributes
  • extension

    .vepi

  • offline_id

    EGfa5svnSGFJka7LZBQoqff0QtO1IpTauoDvGvt1

  • payload_url

    http://sdfjhuz.com/dl/build2.exe

    http://cajgtus.com/files/1/build3.exe

  • ransomnote

    ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://wetransfer.com/downloads/33b490a613f49fa190924f199d2c079e20240512191214/caaf73 Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0871PsawqS

rsa_pubkey.plain

Signatures

  • Detected Djvu ransomware 13 IoCs
  • Djvu Ransomware

    Ransomware which is a variant of the STOP family.

    ransomwaredjvu
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies system certificate store 2 TTPs 5 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f1068bf1348c18992c05859a866a75203ed9da51f418541ea2405a23136a579f.exe
    "C:\Users\Admin\AppData\Local\Temp\f1068bf1348c18992c05859a866a75203ed9da51f418541ea2405a23136a579f.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2320
    • C:\Users\Admin\AppData\Local\Temp\f1068bf1348c18992c05859a866a75203ed9da51f418541ea2405a23136a579f.exe
      "C:\Users\Admin\AppData\Local\Temp\f1068bf1348c18992c05859a866a75203ed9da51f418541ea2405a23136a579f.exe"
      2⤵
      • Adds Run key to start application
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2880
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Users\Admin\AppData\Local\5b5393f5-7948-41b7-8ad9-401e38036ed5" /deny *S-1-1-0:(OI)(CI)(DE,DC)
        3⤵
        • Modifies file permissions
        PID:2536
      • C:\Users\Admin\AppData\Local\Temp\f1068bf1348c18992c05859a866a75203ed9da51f418541ea2405a23136a579f.exe
        "C:\Users\Admin\AppData\Local\Temp\f1068bf1348c18992c05859a866a75203ed9da51f418541ea2405a23136a579f.exe" --Admin IsNotAutoStart IsNotTask
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2520
        • C:\Users\Admin\AppData\Local\Temp\f1068bf1348c18992c05859a866a75203ed9da51f418541ea2405a23136a579f.exe
          "C:\Users\Admin\AppData\Local\Temp\f1068bf1348c18992c05859a866a75203ed9da51f418541ea2405a23136a579f.exe" --Admin IsNotAutoStart IsNotTask
          4⤵
          • Modifies system certificate store
          • Suspicious behavior: EnumeratesProcesses
          PID:2712

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

File and Directory Permissions Modification

1
T1222

Modify Registry

2
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
    Filesize

    1KB

    MD5

    03c0f8ee77d876972cda274ac80f5e52

    SHA1

    a42ee63d82fae2390b4a3ee55dcaea356bc4e0d3

    SHA256

    d10478a42647f37ccbe419912d8ce3d35ccb84b5e83d8fce98d0b9baad81ccfe

    SHA512

    9d4c9deb0185c342cb20c17503e459a460313fd599a58e3a0e34c5e202bd4e44cf67f96275291eee922c55407404e71822bd5ae9924808544c3461e4e0080faa

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
    Filesize

    724B

    MD5

    8202a1cd02e7d69597995cabbe881a12

    SHA1

    8858d9d934b7aa9330ee73de6c476acf19929ff6

    SHA256

    58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

    SHA512

    97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
    Filesize

    1KB

    MD5

    a266bb7dcc38a562631361bbf61dd11b

    SHA1

    3b1efd3a66ea28b16697394703a72ca340a05bd5

    SHA256

    df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

    SHA512

    0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
    Filesize

    410B

    MD5

    80e49a74c391d7fab20ac4f705c04de6

    SHA1

    c0a4d094e6f4a991e43efd58987af74debe4b5bc

    SHA256

    aea7fe68d1333d46575467ac779d9f41006c490eaf6c86d4e9f8d2c23e9698f0

    SHA512

    87cdc0ecdbd143127319b3c0ff3a2e1aa1991961c14158ba7b14ce4ef3cf603857764d9a288a35584565becbe1709b3151411618150c336a6a9638076def7d9d

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    3f18e96e3372cd3a9e9ea99d73b58592

    SHA1

    cb89bb11475d7c7112cbbdcacfaeccc424db3209

    SHA256

    a9b60bc801bbe3a74e6eaf9e05b03beb62bcc792239c498f28b65678acf2c378

    SHA512

    b103e43024815c3fd9253834be3f0168d1ae78a315af3768c0e00edcccefadea6c16ac995014a127cec86d15aaec54862643b6b98105ee24a0cde2c7ed9bcab5

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
    Filesize

    392B

    MD5

    a8edc466a3d6ef2ebb012fbadddc2687

    SHA1

    541472e6b75a73ad1cb86b6adc4c42e7357e6d3b

    SHA256

    ab60fb913125f7a94f75b0eeebcdf438ca4f04d99ee413f8d02380e2f8a6b9de

    SHA512

    5792a382287b8e1e5adf5add307517ac8010be47a85a67357a9039efa59b90c89dd91a18281fc5f86782a72b3f7078f41c54836338bcba476d4c5b120a59a2ee

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
    Filesize

    242B

    MD5

    57aa930077a398d8140ce3fc77c2e6ac

    SHA1

    bc16c8d4f92ed737e44d1a69b05a6f658cfbec8a

    SHA256

    917147a3500b55905419a0fdde5ffd885b80e00037aa0060f68ad6b1f23fd1b1

    SHA512

    17b94630cad02f7d3935ef7f3ff2460ee6bacf662cd92de7a88d8ce62ad847716694845e8b6460d7c21be8c8ade8df6ee8a1a949ba3e942939b93eb9946503ee

    Download Submit
  • C:\Users\Admin\AppData\Local\5b5393f5-7948-41b7-8ad9-401e38036ed5\f1068bf1348c18992c05859a866a75203ed9da51f418541ea2405a23136a579f.exe
    Filesize

    785KB

    MD5

    0d4d8f1fbf7ef6cc30dfc1b267b0cd2c

    SHA1

    5e4c154733ec0964ac050b32ec54bfffa7def0fc

    SHA256

    f1068bf1348c18992c05859a866a75203ed9da51f418541ea2405a23136a579f

    SHA512

    19f181995db6ca50a7f89f63fcc3ed6836c5b6de7fcd50db2f24fd6a098042b85b3c71264fa480c8b49e100468604cf3976453274e41d0e80db33c3d9e253c12

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Tar201F.tmp
    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    Download Submit
  • memory/2320-68-0x0000000000400000-0x0000000002D22000-memory.dmp
    Filesize

    41.1MB

    Download
  • memory/2320-5-0x0000000004600000-0x000000000471B000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/2320-0-0x00000000002E0000-0x0000000000371000-memory.dmp
    Filesize

    580KB

    Download
  • memory/2520-45-0x0000000000320000-0x00000000003B1000-memory.dmp
    Filesize

    580KB

    Download
  • memory/2712-64-0x0000000000400000-0x0000000000537000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/2712-65-0x0000000000400000-0x0000000000537000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/2712-48-0x0000000000400000-0x0000000000537000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/2712-66-0x0000000000400000-0x0000000000537000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/2712-73-0x0000000000400000-0x0000000000537000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/2712-70-0x0000000000400000-0x0000000000537000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/2712-72-0x0000000000400000-0x0000000000537000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/2712-74-0x0000000000400000-0x0000000000537000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/2880-4-0x0000000000400000-0x0000000000537000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/2880-43-0x0000000000400000-0x0000000000537000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/2880-6-0x0000000000400000-0x0000000000537000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/2880-7-0x0000000000400000-0x0000000000537000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/2880-1-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
    Filesize

    4KB

    Download