djvu | a5ee7875b62e137233a5079b8b41401dd5d220a932293bd85edee825ef968208

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
31-05-2024 09:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a5ee7875b62e137233a5079b8b41401dd5d220a932293bd85edee825ef968208.exe
Size

967KB
MD5

9dd81b38f1c03d153b12bfda356c4e0b
SHA1

7a0d3f826aec05310dfce2e4a13937268c851e13
SHA256

a5ee7875b62e137233a5079b8b41401dd5d220a932293bd85edee825ef968208
SHA512

d991935227667045525c4f47c6b5312298b0499cb7b86fad9c85b97976f4f23111d56fc4401af678b061f253e88ce964fb2df3f08ec3d877eca0132eb5418533
SSDEEP

24576:lKKh+COuirrGiRBKDpvR+ZClH1U54ohV2/mg:/NO1rDKDf+Zie6CEm

Score

10^/10

djvu discovery persistence ransomware

Malware Config

Extracted

Family

djvu

http://zexeq.com/test2/get.php

Attributes

extension
.dapo
offline_id
8EM6M9LqEzIk18qaQ87WiPQ1u84RRdej5V1ovht1
payload_url
http://uaery.top/dl/build2.exe
http://zexeq.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-vbVkogQdu2 Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0667JOsie

rsa_pubkey.plain

Signatures

Detected Djvu ransomware 13 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3000-11-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3000-8-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3000-31-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2692-40-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2692-54-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2692-53-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2692-58-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2692-62-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2692-69-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2692-70-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2692-72-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2692-73-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2692-74-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

2492 icacls.exe

pid	process
2492	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

a5ee7875b62e137233a5079b8b41401dd5d220a932293bd85edee825ef968208.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\51bb3270-362d-407a-b00f-e9c31a2fcab0\\a5ee7875b62e137233a5079b8b41401dd5d220a932293bd85edee825ef968208.exe\" --AutoStart"	a5ee7875b62e137233a5079b8b41401dd5d220a932293bd85edee825ef968208.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

9 api.2ip.ua
4 api.2ip.ua
5 api.2ip.ua

flow	ioc
9	api.2ip.ua
4	api.2ip.ua
5	api.2ip.ua

Suspicious use of SetThreadContext 2 IoCs

Processes:

a5ee7875b62e137233a5079b8b41401dd5d220a932293bd85edee825ef968208.exea5ee7875b62e137233a5079b8b41401dd5d220a932293bd85edee825ef968208.exe

description	pid	process	target process
PID 1920 set thread context of 3000	1920	a5ee7875b62e137233a5079b8b41401dd5d220a932293bd85edee825ef968208.exe	a5ee7875b62e137233a5079b8b41401dd5d220a932293bd85edee825ef968208.exe
PID 2312 set thread context of 2692	2312	a5ee7875b62e137233a5079b8b41401dd5d220a932293bd85edee825ef968208.exe	a5ee7875b62e137233a5079b8b41401dd5d220a932293bd85edee825ef968208.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

a5ee7875b62e137233a5079b8b41401dd5d220a932293bd85edee825ef968208.exea5ee7875b62e137233a5079b8b41401dd5d220a932293bd85edee825ef968208.exe

pid	process
3000	a5ee7875b62e137233a5079b8b41401dd5d220a932293bd85edee825ef968208.exe
2692	a5ee7875b62e137233a5079b8b41401dd5d220a932293bd85edee825ef968208.exe
2692	a5ee7875b62e137233a5079b8b41401dd5d220a932293bd85edee825ef968208.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

a5ee7875b62e137233a5079b8b41401dd5d220a932293bd85edee825ef968208.exea5ee7875b62e137233a5079b8b41401dd5d220a932293bd85edee825ef968208.exea5ee7875b62e137233a5079b8b41401dd5d220a932293bd85edee825ef968208.exe

C:\Users\Admin\AppData\Local\Temp\a5ee7875b62e137233a5079b8b41401dd5d220a932293bd85edee825ef968208.exe
"C:\Users\Admin\AppData\Local\Temp\a5ee7875b62e137233a5079b8b41401dd5d220a932293bd85edee825ef968208.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1920

C:\Users\Admin\AppData\Local\Temp\a5ee7875b62e137233a5079b8b41401dd5d220a932293bd85edee825ef968208.exe
"C:\Users\Admin\AppData\Local\Temp\a5ee7875b62e137233a5079b8b41401dd5d220a932293bd85edee825ef968208.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3000

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\51bb3270-362d-407a-b00f-e9c31a2fcab0" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:2492

C:\Users\Admin\AppData\Local\Temp\a5ee7875b62e137233a5079b8b41401dd5d220a932293bd85edee825ef968208.exe
"C:\Users\Admin\AppData\Local\Temp\a5ee7875b62e137233a5079b8b41401dd5d220a932293bd85edee825ef968208.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2312

C:\Users\Admin\AppData\Local\Temp\a5ee7875b62e137233a5079b8b41401dd5d220a932293bd85edee825ef968208.exe
"C:\Users\Admin\AppData\Local\Temp\a5ee7875b62e137233a5079b8b41401dd5d220a932293bd85edee825ef968208.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2692

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
1KB

MD5
984591c7c475e1fbaa38e7a1107ca546

SHA1
2f5bba5480eea8e0364cf2d2017fc21c1a121e90

SHA256
f4f6f23923a3ac14eb66148d13837d6f134d2691e2ba067aaba13a6747efce0f

SHA512
852574ed4a2bfebeb17039e59508f15dfe17a90cd73dce34b812d33b8bcd2f9e0347b0efb841e5747ecb677cef69f4106781cdf9464175f801ee533cd0a1ae69

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
410B

MD5
1975fc173feea3100d2da85ed4589111

SHA1
c42620e41963c59e97760705bb9793f33b82e79f

SHA256
184fe81f40fd081a5f999f2892e75ee5a473fa178a21c90b41643a40ad17955d

SHA512
6cbd5691b449bb13d31a8b9f332ba5f30a2a958707793a5cb3f2d728840d6375824009a35e515f47d2175f152af17c5363c00a3d63ff3d9a89f04d48787e468d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
37d6a6048393408cb808ea1c7be74e05

SHA1
af51bfd52a90a110009f5fcc8bd3b252cfc3143f

SHA256
f27a5184b62f036e6b29c12524bb45a7ab3cd99e26e1de0573113b9b73317514

SHA512
58e6e9fe5d4867f8522c67757d7b3a554cbb6af185c7a3f7b214e18640fe48e455af5fa8085bf958c41192225c06083908b00036d85e12a0c0dce9df2a0ea9a0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
392B

MD5
e8f04975b4c26d2c33915ad183d49bbb

SHA1
642b31197bf2e1ae2064d40830dc3b762386d98a

SHA256
df90c7d3480c583eb19b7f88f670dcfc7b9bc0e1fd3949cae681d85a24e6275b

SHA512
554dda3c5208700e71fbc4cd93aefbab2588237e62a813f55185120e991646532dea509e7e9e7d611de867a98d6167574c98fed9ec4b81b94c653bc1e7b19bce

Download Submit
C:\Users\Admin\AppData\Local\51bb3270-362d-407a-b00f-e9c31a2fcab0\a5ee7875b62e137233a5079b8b41401dd5d220a932293bd85edee825ef968208.exe
Filesize
967KB

MD5
9dd81b38f1c03d153b12bfda356c4e0b

SHA1
7a0d3f826aec05310dfce2e4a13937268c851e13

SHA256
a5ee7875b62e137233a5079b8b41401dd5d220a932293bd85edee825ef968208

SHA512
d991935227667045525c4f47c6b5312298b0499cb7b86fad9c85b97976f4f23111d56fc4401af678b061f253e88ce964fb2df3f08ec3d877eca0132eb5418533

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2DB5.tmp
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
memory/1920-12-0x0000000000400000-0x0000000002BA4000-memory.dmp

Filesize
39.6MB

Download
memory/1920-1-0x0000000000400000-0x0000000002BA4000-memory.dmp

Filesize
39.6MB

Download
memory/1920-3-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1920-9-0x0000000000400000-0x0000000002BA4000-memory.dmp

Filesize
39.6MB

Download
memory/1920-10-0x0000000000230000-0x000000000026C000-memory.dmp

Filesize
240KB

Download
memory/1920-6-0x0000000000401000-0x00000000004A2000-memory.dmp

Filesize
644KB

Download
memory/1920-4-0x0000000002BB0000-0x0000000002C42000-memory.dmp

Filesize
584KB

Download
memory/1920-5-0x0000000000400000-0x0000000002BA4000-memory.dmp

Filesize
39.6MB

Download
memory/1920-0-0x0000000000400000-0x0000000002BA4000-memory.dmp

Filesize
39.6MB

Download
memory/1920-2-0x0000000000400000-0x0000000002BA4000-memory.dmp

Filesize
39.6MB

Download
memory/2312-34-0x0000000000400000-0x0000000002BA4000-memory.dmp

Filesize
39.6MB

Download
memory/2312-36-0x0000000000360000-0x00000000003F2000-memory.dmp

Filesize
584KB

Download
memory/2312-33-0x0000000000400000-0x0000000002BA4000-memory.dmp

Filesize
39.6MB

Download
memory/2312-32-0x0000000000400000-0x0000000002BA4000-memory.dmp

Filesize
39.6MB

Download
memory/2312-39-0x0000000000400000-0x0000000002BA4000-memory.dmp

Filesize
39.6MB

Download
memory/2312-35-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2692-53-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2692-70-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2692-40-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2692-74-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2692-73-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2692-54-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2692-72-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2692-58-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2692-62-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2692-69-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3000-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3000-8-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3000-11-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3000-31-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download

description	pid	process	target process
PID 1920 wrote to memory of 3000	1920	a5ee7875b62e137233a5079b8b41401dd5d220a932293bd85edee825ef968208.exe	a5ee7875b62e137233a5079b8b41401dd5d220a932293bd85edee825ef968208.exe
PID 1920 wrote to memory of 3000	1920	a5ee7875b62e137233a5079b8b41401dd5d220a932293bd85edee825ef968208.exe	a5ee7875b62e137233a5079b8b41401dd5d220a932293bd85edee825ef968208.exe
PID 1920 wrote to memory of 3000	1920	a5ee7875b62e137233a5079b8b41401dd5d220a932293bd85edee825ef968208.exe	a5ee7875b62e137233a5079b8b41401dd5d220a932293bd85edee825ef968208.exe
PID 1920 wrote to memory of 3000	1920	a5ee7875b62e137233a5079b8b41401dd5d220a932293bd85edee825ef968208.exe	a5ee7875b62e137233a5079b8b41401dd5d220a932293bd85edee825ef968208.exe
PID 1920 wrote to memory of 3000	1920	a5ee7875b62e137233a5079b8b41401dd5d220a932293bd85edee825ef968208.exe	a5ee7875b62e137233a5079b8b41401dd5d220a932293bd85edee825ef968208.exe
PID 1920 wrote to memory of 3000	1920	a5ee7875b62e137233a5079b8b41401dd5d220a932293bd85edee825ef968208.exe	a5ee7875b62e137233a5079b8b41401dd5d220a932293bd85edee825ef968208.exe
PID 1920 wrote to memory of 3000	1920	a5ee7875b62e137233a5079b8b41401dd5d220a932293bd85edee825ef968208.exe	a5ee7875b62e137233a5079b8b41401dd5d220a932293bd85edee825ef968208.exe
PID 1920 wrote to memory of 3000	1920	a5ee7875b62e137233a5079b8b41401dd5d220a932293bd85edee825ef968208.exe	a5ee7875b62e137233a5079b8b41401dd5d220a932293bd85edee825ef968208.exe
PID 1920 wrote to memory of 3000	1920	a5ee7875b62e137233a5079b8b41401dd5d220a932293bd85edee825ef968208.exe	a5ee7875b62e137233a5079b8b41401dd5d220a932293bd85edee825ef968208.exe
PID 1920 wrote to memory of 3000	1920	a5ee7875b62e137233a5079b8b41401dd5d220a932293bd85edee825ef968208.exe	a5ee7875b62e137233a5079b8b41401dd5d220a932293bd85edee825ef968208.exe
PID 1920 wrote to memory of 3000	1920	a5ee7875b62e137233a5079b8b41401dd5d220a932293bd85edee825ef968208.exe	a5ee7875b62e137233a5079b8b41401dd5d220a932293bd85edee825ef968208.exe
PID 3000 wrote to memory of 2492	3000	a5ee7875b62e137233a5079b8b41401dd5d220a932293bd85edee825ef968208.exe	icacls.exe
PID 3000 wrote to memory of 2492	3000	a5ee7875b62e137233a5079b8b41401dd5d220a932293bd85edee825ef968208.exe	icacls.exe
PID 3000 wrote to memory of 2492	3000	a5ee7875b62e137233a5079b8b41401dd5d220a932293bd85edee825ef968208.exe	icacls.exe
PID 3000 wrote to memory of 2492	3000	a5ee7875b62e137233a5079b8b41401dd5d220a932293bd85edee825ef968208.exe	icacls.exe
PID 3000 wrote to memory of 2312	3000	a5ee7875b62e137233a5079b8b41401dd5d220a932293bd85edee825ef968208.exe	a5ee7875b62e137233a5079b8b41401dd5d220a932293bd85edee825ef968208.exe
PID 3000 wrote to memory of 2312	3000	a5ee7875b62e137233a5079b8b41401dd5d220a932293bd85edee825ef968208.exe	a5ee7875b62e137233a5079b8b41401dd5d220a932293bd85edee825ef968208.exe
PID 3000 wrote to memory of 2312	3000	a5ee7875b62e137233a5079b8b41401dd5d220a932293bd85edee825ef968208.exe	a5ee7875b62e137233a5079b8b41401dd5d220a932293bd85edee825ef968208.exe
PID 3000 wrote to memory of 2312	3000	a5ee7875b62e137233a5079b8b41401dd5d220a932293bd85edee825ef968208.exe	a5ee7875b62e137233a5079b8b41401dd5d220a932293bd85edee825ef968208.exe
PID 2312 wrote to memory of 2692	2312	a5ee7875b62e137233a5079b8b41401dd5d220a932293bd85edee825ef968208.exe	a5ee7875b62e137233a5079b8b41401dd5d220a932293bd85edee825ef968208.exe
PID 2312 wrote to memory of 2692	2312	a5ee7875b62e137233a5079b8b41401dd5d220a932293bd85edee825ef968208.exe	a5ee7875b62e137233a5079b8b41401dd5d220a932293bd85edee825ef968208.exe
PID 2312 wrote to memory of 2692	2312	a5ee7875b62e137233a5079b8b41401dd5d220a932293bd85edee825ef968208.exe	a5ee7875b62e137233a5079b8b41401dd5d220a932293bd85edee825ef968208.exe
PID 2312 wrote to memory of 2692	2312	a5ee7875b62e137233a5079b8b41401dd5d220a932293bd85edee825ef968208.exe	a5ee7875b62e137233a5079b8b41401dd5d220a932293bd85edee825ef968208.exe
PID 2312 wrote to memory of 2692	2312	a5ee7875b62e137233a5079b8b41401dd5d220a932293bd85edee825ef968208.exe	a5ee7875b62e137233a5079b8b41401dd5d220a932293bd85edee825ef968208.exe
PID 2312 wrote to memory of 2692	2312	a5ee7875b62e137233a5079b8b41401dd5d220a932293bd85edee825ef968208.exe	a5ee7875b62e137233a5079b8b41401dd5d220a932293bd85edee825ef968208.exe
PID 2312 wrote to memory of 2692	2312	a5ee7875b62e137233a5079b8b41401dd5d220a932293bd85edee825ef968208.exe	a5ee7875b62e137233a5079b8b41401dd5d220a932293bd85edee825ef968208.exe
PID 2312 wrote to memory of 2692	2312	a5ee7875b62e137233a5079b8b41401dd5d220a932293bd85edee825ef968208.exe	a5ee7875b62e137233a5079b8b41401dd5d220a932293bd85edee825ef968208.exe
PID 2312 wrote to memory of 2692	2312	a5ee7875b62e137233a5079b8b41401dd5d220a932293bd85edee825ef968208.exe	a5ee7875b62e137233a5079b8b41401dd5d220a932293bd85edee825ef968208.exe
PID 2312 wrote to memory of 2692	2312	a5ee7875b62e137233a5079b8b41401dd5d220a932293bd85edee825ef968208.exe	a5ee7875b62e137233a5079b8b41401dd5d220a932293bd85edee825ef968208.exe
PID 2312 wrote to memory of 2692	2312	a5ee7875b62e137233a5079b8b41401dd5d220a932293bd85edee825ef968208.exe	a5ee7875b62e137233a5079b8b41401dd5d220a932293bd85edee825ef968208.exe