Malware Analysis Report

2025-08-06 04:33

Sample ID: 240125-kqz6racda3
Target: 7441a4ce9c4e8ac5928eed31e78d925c
SHA256: 3a245127ba06fa4a0106c4562138e0dafba141aa265795859ee000662e4ca470
Tags: djvu discovery persistence ransomware
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: 3a245127ba06fa4a0106c4562138e0dafba141aa265795859ee000662e4ca470
Threat Level: Known bad

The file 7441a4ce9c4e8ac5928eed31e78d925c was found to be: Known bad.

Malicious Activity Summary

Tags: djvu discovery persistence ransomware

Detected Djvu ransomware
Djvu Ransomware
Renames multiple (182) files with added filename extension
Modifies file permissions
Checks computer location settings
Executes dropped EXE
Looks up external IP address via web service
Adds Run key to start application
Suspicious use of SetThreadContext
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-01-25 08:49

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted: 2024-01-25 08:49
Reported: 2024-01-25 08:51
Platform: win7-20231215-en
Max time kernel: 150s
Max time network: 136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7441a4ce9c4e8ac5928eed31e78d925c.exe"

Signatures

Detected Djvu ransomware


Djvu Ransomware (ransomware, djvu)

Modifies file permissions (discovery)

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A

Adds Run key to start application (persistence)

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\fbe9f230-573d-4c93-a77e-74a4e6f9e0ea\\7441a4ce9c4e8ac5928eed31e78d925c.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\7441a4ce9c4e8ac5928eed31e78d925c.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.2ip.ua | N/A | N/A (repeated 4 times)

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2880 wrote to memory of 2852 (repeated 11 times) | N/A | C:\Users\Admin\AppData\Local\Temp\7441a4ce9c4e8ac5928eed31e78d925c.exe | C:\Users\Admin\AppData\Local\Temp\7441a4ce9c4e8ac5928eed31e78d925c.exe
PID 2852 wrote to memory of 2888 (repeated 4 times) | N/A | C:\Users\Admin\AppData\Local\Temp\7441a4ce9c4e8ac5928eed31e78d925c.exe | C:\Windows\SysWOW64\icacls.exe
PID 2852 wrote to memory of 2608 (repeated 4 times) | N/A | C:\Users\Admin\AppData\Local\Temp\7441a4ce9c4e8ac5928eed31e78d925c.exe | C:\Users\Admin\AppData\Local\Temp\7441a4ce9c4e8ac5928eed31e78d925c.exe
PID 2608 wrote to memory of 2540 (repeated 11 times) | N/A | C:\Users\Admin\AppData\Local\Temp\7441a4ce9c4e8ac5928eed31e78d925c.exe | C:\Users\Admin\AppData\Local\Temp\7441a4ce9c4e8ac5928eed31e78d925c.exe
PID 2148 wrote to memory of 2108 (repeated 4 times) | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Local\fbe9f230-573d-4c93-a77e-74a4e6f9e0ea\7441a4ce9c4e8ac5928eed31e78d925c.exe
PID 2108 wrote to memory of 436 (repeated 11 times) | N/A | C:\Users\Admin\AppData\Local\fbe9f230-573d-4c93-a77e-74a4e6f9e0ea\7441a4ce9c4e8ac5928eed31e78d925c.exe | C:\Users\Admin\AppData\Local\fbe9f230-573d-4c93-a77e-74a4e6f9e0ea\7441a4ce9c4e8ac5928eed31e78d925c.exe

Processes

Image: C:\Users\Admin\AppData\Local\Temp\7441a4ce9c4e8ac5928eed31e78d925c.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\7441a4ce9c4e8ac5928eed31e78d925c.exe"

Image: C:\Users\Admin\AppData\Local\Temp\7441a4ce9c4e8ac5928eed31e78d925c.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\7441a4ce9c4e8ac5928eed31e78d925c.exe"

Image: C:\Windows\SysWOW64\icacls.exe
Command line: icacls "C:\Users\Admin\AppData\Local\fbe9f230-573d-4c93-a77e-74a4e6f9e0ea" /deny *S-1-1-0:(OI)(CI)(DE,DC)

Image: C:\Users\Admin\AppData\Local\Temp\7441a4ce9c4e8ac5928eed31e78d925c.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\7441a4ce9c4e8ac5928eed31e78d925c.exe" --Admin IsNotAutoStart IsNotTask

Image: C:\Users\Admin\AppData\Local\Temp\7441a4ce9c4e8ac5928eed31e78d925c.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\7441a4ce9c4e8ac5928eed31e78d925c.exe" --Admin IsNotAutoStart IsNotTask

Image: C:\Windows\system32\taskeng.exe
Command line: taskeng.exe {E04C05A8-D369-4263-9068-3FBACC90C32F} S-1-5-21-3427588347-1492276948-3422228430-1000:QVMRJQQO\Admin:Interactive:[1]

Image: C:\Users\Admin\AppData\Local\fbe9f230-573d-4c93-a77e-74a4e6f9e0ea\7441a4ce9c4e8ac5928eed31e78d925c.exe
Command line: C:\Users\Admin\AppData\Local\fbe9f230-573d-4c93-a77e-74a4e6f9e0ea\7441a4ce9c4e8ac5928eed31e78d925c.exe --Task

Image: C:\Users\Admin\AppData\Local\fbe9f230-573d-4c93-a77e-74a4e6f9e0ea\7441a4ce9c4e8ac5928eed31e78d925c.exe
Command line: C:\Users\Admin\AppData\Local\fbe9f230-573d-4c93-a77e-74a4e6f9e0ea\7441a4ce9c4e8ac5928eed31e78d925c.exe --Task

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | api.2ip.ua | udp
US | 188.114.97.2:443 | api.2ip.ua | tcp (repeated 3 times)
US | 8.8.8.8:53 | securebiz.org | udp
US | 8.8.8.8:53 | astdg.top | udp
US | 8.8.8.8:53 | www.microsoft.com | udp

Files

memory/2880-0-0x0000000000220000-0x00000000002B1000-memory.dmp
memory/2852-1-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2880-2-0x0000000000220000-0x00000000002B1000-memory.dmp
memory/2880-3-0x0000000002430000-0x000000000254B000-memory.dmp
memory/2852-5-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2852-7-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2852-8-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\fbe9f230-573d-4c93-a77e-74a4e6f9e0ea\7441a4ce9c4e8ac5928eed31e78d925c.exe
  MD5 7441a4ce9c4e8ac5928eed31e78d925c
  SHA1 7cacc24fbfb677bfadd4685d5f7820a946a44448
  SHA256 3a245127ba06fa4a0106c4562138e0dafba141aa265795859ee000662e4ca470
  SHA512 bfe262ba1c33ad1d0f8a26e12621a89f7156c68ab2762c0a0b3359345510fd3583599e6750d0ca5b08f4c2627f2c659c4110f47e8095f2ebdd97d1ddab6e01df

memory/2608-27-0x0000000000330000-0x00000000003C1000-memory.dmp
memory/2852-26-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2608-29-0x0000000000330000-0x00000000003C1000-memory.dmp
memory/2540-34-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2540-35-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
  MD5 8202a1cd02e7d69597995cabbe881a12
  SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
  SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
  SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
  MD5 fea5c8a6d52044fb9537f5e6db72eae6
  SHA1 69119fe9e4a26e99730e3be59bd198b25a799411
  SHA256 032d8c3018e0286c276f77e55f25b2eec22d0e1fb25b08125b04682346930a09
  SHA512 000121dbcdab19adf8c94deea2d670b08f10c5b5d97dae31c093f6e572fa4a11ed2bc586208fcc3a88c5fc717c99ee0a7799321d00f1c11bb63175ee395c3b82

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
  MD5 819d2f6d228f94bfebac03edbfa4bc64
  SHA1 257acbdf2270c5285962d10460a77f422143cc8d
  SHA256 e8b016b694a9c3224b6a405cf52010c03b7bc6c8948ecc8a3d9aaa39a18f6d47
  SHA512 b81c03ca94d21cdb106281fa478dccd390e07bd0a03d0077952041f3d1d41a671ac9a3d4c97d41d9c8f74b14214abfcaff696a10d0615b603a7a9b1a67adde67

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
  MD5 d5559587af50904e8573ad13ebd147fe
  SHA1 2463fd1c78f2c95c2c53b585737438eb3968af4d
  SHA256 f4a26b399d93950f008cf93feb96b60769af013cf068e6f74cf6a5cb9cf386d8
  SHA512 0f171956daac5a7c6e583212de7b2cc5301406a114cebb1a987c46f0730776135c255d19740f51f15dd4574a844d4c65d90865671fc63b18200b11c7401cd719

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  MD5 75952e0c1c5670af5dcd379c606c9ebe
  SHA1 27d234cc8b9469cb89c4e792c2e287f538acc28c
  SHA256 756bd5b16422ee0ff433b7c565eccc5f04836dda10568320320cf06c20601d92
  SHA512 775f16538dbed11a7e85b2a889d3736454a96e1e99041f483db81f1c416bc98ed3aa82f16b70033e04d9f4b88be7292fc44c36f96b3322ad7f3f6e8adb6111da

C:\Users\Admin\AppData\Local\Temp\CabB27D.tmp
  MD5 ac05d27423a85adc1622c714f2cb6184
  SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
  SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
  SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

memory/2540-48-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2540-49-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2540-50-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2108-64-0x0000000000250000-0x00000000002E1000-memory.dmp
memory/2108-65-0x0000000000250000-0x00000000002E1000-memory.dmp
memory/436-72-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tar8EF8.tmp
  MD5 9c0c641c06238516f27941aa1166d427
  SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
  SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
  SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

memory/436-82-0x0000000000400000-0x0000000000537000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-01-25 08:49
Reported: 2024-01-25 08:51
Platform: win10v2004-20231222-en
Max time kernel: 145s
Max time network: 146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7441a4ce9c4e8ac5928eed31e78d925c.exe"

Signatures

Detected Djvu ransomware


Djvu Ransomware (ransomware, djvu)

Renames multiple (182) files with added filename extension (ransomware)

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7441a4ce9c4e8ac5928eed31e78d925c.exe | N/A

Modifies file permissions (discovery)

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A

Adds Run key to start application (persistence)

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\8ae8bc69-3b8a-47da-a3e9-81f1d5adf81a\\7441a4ce9c4e8ac5928eed31e78d925c.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\7441a4ce9c4e8ac5928eed31e78d925c.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.2ip.ua | N/A | N/A (repeated 4 times)

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3216 wrote to memory of 3316 (repeated 10 times) | N/A | C:\Users\Admin\AppData\Local\Temp\7441a4ce9c4e8ac5928eed31e78d925c.exe | C:\Users\Admin\AppData\Local\Temp\7441a4ce9c4e8ac5928eed31e78d925c.exe
PID 3316 wrote to memory of 3572 (repeated 3 times) | N/A | C:\Users\Admin\AppData\Local\Temp\7441a4ce9c4e8ac5928eed31e78d925c.exe | C:\Windows\SysWOW64\icacls.exe
PID 3316 wrote to memory of 4868 (repeated 3 times) | N/A | C:\Users\Admin\AppData\Local\Temp\7441a4ce9c4e8ac5928eed31e78d925c.exe | C:\Users\Admin\AppData\Local\Temp\7441a4ce9c4e8ac5928eed31e78d925c.exe
PID 4868 wrote to memory of 2088 (repeated 10 times) | N/A | C:\Users\Admin\AppData\Local\Temp\7441a4ce9c4e8ac5928eed31e78d925c.exe | C:\Users\Admin\AppData\Local\Temp\7441a4ce9c4e8ac5928eed31e78d925c.exe
PID 448 wrote to memory of 1120 (repeated 10 times) | N/A | C:\Users\Admin\AppData\Local\8ae8bc69-3b8a-47da-a3e9-81f1d5adf81a\7441a4ce9c4e8ac5928eed31e78d925c.exe | C:\Users\Admin\AppData\Local\8ae8bc69-3b8a-47da-a3e9-81f1d5adf81a\7441a4ce9c4e8ac5928eed31e78d925c.exe

Processes

Image: C:\Users\Admin\AppData\Local\Temp\7441a4ce9c4e8ac5928eed31e78d925c.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\7441a4ce9c4e8ac5928eed31e78d925c.exe"

Image: C:\Users\Admin\AppData\Local\Temp\7441a4ce9c4e8ac5928eed31e78d925c.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\7441a4ce9c4e8ac5928eed31e78d925c.exe"

Image: C:\Windows\SysWOW64\icacls.exe
Command line: icacls "C:\Users\Admin\AppData\Local\8ae8bc69-3b8a-47da-a3e9-81f1d5adf81a" /deny *S-1-1-0:(OI)(CI)(DE,DC)

Image: C:\Users\Admin\AppData\Local\Temp\7441a4ce9c4e8ac5928eed31e78d925c.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\7441a4ce9c4e8ac5928eed31e78d925c.exe" --Admin IsNotAutoStart IsNotTask

Image: C:\Users\Admin\AppData\Local\Temp\7441a4ce9c4e8ac5928eed31e78d925c.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\7441a4ce9c4e8ac5928eed31e78d925c.exe" --Admin IsNotAutoStart IsNotTask

Image: C:\Users\Admin\AppData\Local\8ae8bc69-3b8a-47da-a3e9-81f1d5adf81a\7441a4ce9c4e8ac5928eed31e78d925c.exe
Command line: C:\Users\Admin\AppData\Local\8ae8bc69-3b8a-47da-a3e9-81f1d5adf81a\7441a4ce9c4e8ac5928eed31e78d925c.exe --Task

Image: C:\Users\Admin\AppData\Local\8ae8bc69-3b8a-47da-a3e9-81f1d5adf81a\7441a4ce9c4e8ac5928eed31e78d925c.exe
Command line: C:\Users\Admin\AppData\Local\8ae8bc69-3b8a-47da-a3e9-81f1d5adf81a\7441a4ce9c4e8ac5928eed31e78d925c.exe --Task

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | api.2ip.ua | udp
US | 188.114.97.2:443 | api.2ip.ua | tcp (repeated 3 times)
US | 8.8.8.8:53 | 177.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.97.114.188.in-addr.arpa | udp
US | 8.8.8.8:53 | 67.204.58.216.in-addr.arpa | udp
US | 8.8.8.8:53 | 1.181.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | securebiz.org | udp
US | 8.8.8.8:53 | astdg.top | udp (repeated 4 times)
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 202.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 6.173.189.20.in-addr.arpa | udp

Files

memory/3216-1-0x0000000002570000-0x0000000002602000-memory.dmp
memory/3216-2-0x00000000027E0000-0x00000000028FB000-memory.dmp
memory/3316-3-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3316-4-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3316-5-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3316-6-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\8ae8bc69-3b8a-47da-a3e9-81f1d5adf81a\7441a4ce9c4e8ac5928eed31e78d925c.exe
  MD5 7441a4ce9c4e8ac5928eed31e78d925c
  SHA1 7cacc24fbfb677bfadd4685d5f7820a946a44448
  SHA256 3a245127ba06fa4a0106c4562138e0dafba141aa265795859ee000662e4ca470
  SHA512 bfe262ba1c33ad1d0f8a26e12621a89f7156c68ab2762c0a0b3359345510fd3583599e6750d0ca5b08f4c2627f2c659c4110f47e8095f2ebdd97d1ddab6e01df

memory/3316-15-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4868-18-0x0000000002580000-0x0000000002616000-memory.dmp
memory/2088-20-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2088-21-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2088-22-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
  MD5 8202a1cd02e7d69597995cabbe881a12
  SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
  SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
  SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
  MD5 02f35a2d8cd3130c3be18c2eb00e1fe1
  SHA1 dce0dc82612d7234f8a9c2e2828ddb96afb5d7f5
  SHA256 c086f01ecb771beb99b1bf146b82a31072af688c9d77977a474d32e0af27eb5a
  SHA512 3bf51e9baca9aeb05bc8b418c5bdb4da457946a18093de2795b7b6a9b16a0f654169c15733f32337afc68cb650a3df1c81f1a0a043ef0234c1416f4fd570426b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
  MD5 819d2f6d228f94bfebac03edbfa4bc64
  SHA1 257acbdf2270c5285962d10460a77f422143cc8d
  SHA256 e8b016b694a9c3224b6a405cf52010c03b7bc6c8948ecc8a3d9aaa39a18f6d47
  SHA512 b81c03ca94d21cdb106281fa478dccd390e07bd0a03d0077952041f3d1d41a671ac9a3d4c97d41d9c8f74b14214abfcaff696a10d0615b603a7a9b1a67adde67

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
  MD5 a8f57f9fc60e110005c59da12cc933d8
  SHA1 36ebdd4a5b771c3b146573bc8ececd3b1cc2675b
  SHA256 1b14bf746e2b2b854de0b9da31ddd652a3058c39f0a3251c1608db80f660d049
  SHA512 9d36bdf382665f90804c033bc5fc7af8b5aced57f7d3f795d15d205eb7353c03d46fa04cc1b426087cece19048294140f6a6f3d566b8605bada8c66fed9b0094

memory/2088-27-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2088-28-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2088-29-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2088-31-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2088-33-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2088-34-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2088-35-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2088-37-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1120-54-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1120-55-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1120-53-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\8ae8bc69-3b8a-47da-a3e9-81f1d5adf81a\7441a4ce9c4e8ac5928eed31e78d925c.exe
  MD5 5f54ad291e321fd454c783216afa317e
  SHA1 99fbe4daf4b97636fd388ed0921acbc33f06b4bb
  SHA256 29d85dede6f20a7a142514b1b2084cbfe96b8de07df3486004388871b9ef1e50
  SHA512 d6a8adf2da60b42f70b6c82b483e153ec383617e685f68d0df09aa0546355fd205991bba679de2ac2431856eddee6cf578409eef5cf554e511084b7e93a868d5

memory/448-51-0x0000000002670000-0x0000000002704000-memory.dmp
memory/1120-56-0x0000000000400000-0x0000000000537000-memory.dmp