Malware Analysis Report

2025-08-06 04:33

Sample ID 240125-l1f2asddb9
Target 74660e011065ca6216f408d59cadf33e
SHA256 de8f146808af12f7a609b39c56cf46d9d204ef2e717ff5b83422b7d7deb34739
Tags
djvu discovery persistence ransomware
score
10/10

Analysis Overview

score
10/10

SHA256

de8f146808af12f7a609b39c56cf46d9d204ef2e717ff5b83422b7d7deb34739

Threat Level: Known bad

The file 74660e011065ca6216f408d59cadf33e was found to be: Known bad.

Malicious Activity Summary

djvu discovery persistence ransomware

Detected Djvu ransomware

Djvu Ransomware

Renames multiple (196) files with added filename extension

Checks computer location settings

Executes dropped EXE

Modifies file permissions

Looks up external IP address via web service

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2024-01-25 09:59

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-25 09:59

Reported

2024-01-25 10:02

Platform

win7-20231215-en

Max time kernel

146s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\74660e011065ca6216f408d59cadf33e.exe"

Signatures

Detected Djvu ransomware

Djvu Ransomware

ransomware djvu

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\a2bc9af1-4e73-4266-b579-c91af4f52362\\74660e011065ca6216f408d59cadf33e.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\74660e011065ca6216f408d59cadf33e.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A (4 events)

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 928 wrote to memory of 2612 (11 events) N/A C:\Users\Admin\AppData\Local\Temp\74660e011065ca6216f408d59cadf33e.exe C:\Users\Admin\AppData\Local\Temp\74660e011065ca6216f408d59cadf33e.exe
PID 2612 wrote to memory of 2784 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\74660e011065ca6216f408d59cadf33e.exe C:\Windows\SysWOW64\icacls.exe
PID 2612 wrote to memory of 1704 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\74660e011065ca6216f408d59cadf33e.exe C:\Users\Admin\AppData\Local\Temp\74660e011065ca6216f408d59cadf33e.exe
PID 1704 wrote to memory of 2616 (11 events) N/A C:\Users\Admin\AppData\Local\Temp\74660e011065ca6216f408d59cadf33e.exe C:\Users\Admin\AppData\Local\Temp\74660e011065ca6216f408d59cadf33e.exe
PID 1552 wrote to memory of 1368 (4 events) N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\a2bc9af1-4e73-4266-b579-c91af4f52362\74660e011065ca6216f408d59cadf33e.exe
PID 1368 wrote to memory of 1944 (11 events) N/A C:\Users\Admin\AppData\Local\a2bc9af1-4e73-4266-b579-c91af4f52362\74660e011065ca6216f408d59cadf33e.exe C:\Users\Admin\AppData\Local\a2bc9af1-4e73-4266-b579-c91af4f52362\74660e011065ca6216f408d59cadf33e.exe

Processes

C:\Users\Admin\AppData\Local\Temp\74660e011065ca6216f408d59cadf33e.exe

"C:\Users\Admin\AppData\Local\Temp\74660e011065ca6216f408d59cadf33e.exe"

C:\Users\Admin\AppData\Local\Temp\74660e011065ca6216f408d59cadf33e.exe

"C:\Users\Admin\AppData\Local\Temp\74660e011065ca6216f408d59cadf33e.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\a2bc9af1-4e73-4266-b579-c91af4f52362" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\74660e011065ca6216f408d59cadf33e.exe

"C:\Users\Admin\AppData\Local\Temp\74660e011065ca6216f408d59cadf33e.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\74660e011065ca6216f408d59cadf33e.exe

"C:\Users\Admin\AppData\Local\Temp\74660e011065ca6216f408d59cadf33e.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\system32\taskeng.exe

taskeng.exe {50F23011-F18B-4F58-8BE5-921A7F422179} S-1-5-21-3427588347-1492276948-3422228430-1000:QVMRJQQO\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\a2bc9af1-4e73-4266-b579-c91af4f52362\74660e011065ca6216f408d59cadf33e.exe

C:\Users\Admin\AppData\Local\a2bc9af1-4e73-4266-b579-c91af4f52362\74660e011065ca6216f408d59cadf33e.exe --Task

C:\Users\Admin\AppData\Local\a2bc9af1-4e73-4266-b579-c91af4f52362\74660e011065ca6216f408d59cadf33e.exe

C:\Users\Admin\AppData\Local\a2bc9af1-4e73-4266-b579-c91af4f52362\74660e011065ca6216f408d59cadf33e.exe --Task
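The process list above and the WriteProcessMemory rows give the same chain from two angles: the submitted sample writes into a second copy of itself, that copy spawns icacls.exe and a third copy with "--Admin IsNotAutoStart IsNotTask", and later taskeng.exe starts the relocated copy with "--Task", which again writes into a child running the same image. The following Python is an added example, not part of the sandbox report or of any tool it was produced with: it parses rows in the report's "PID <src> wrote to memory of <dst> N/A <source image> <target image>" layout, collapses the repeated rows into counted edges, and renders the resulting tree with a label per edge. The sample rows are constructed from behavioral1 (only two copies of the first row are kept so the counting is visible), the regex assumes the two image paths are separated by a single space with the second starting with a drive letter, and the edge labels are this example's own heuristics.

```python
import re
from collections import Counter, defaultdict
from ntpath import basename

# Constructed sample input in the report's own row layout; behavioral1 lists
# eleven copies of the first row, two are kept here to show de-duplication.
SAMPLE_ROWS = r"""
PID 928 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\74660e011065ca6216f408d59cadf33e.exe C:\Users\Admin\AppData\Local\Temp\74660e011065ca6216f408d59cadf33e.exe
PID 928 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\74660e011065ca6216f408d59cadf33e.exe C:\Users\Admin\AppData\Local\Temp\74660e011065ca6216f408d59cadf33e.exe
PID 2612 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\74660e011065ca6216f408d59cadf33e.exe C:\Windows\SysWOW64\icacls.exe
PID 2612 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\74660e011065ca6216f408d59cadf33e.exe C:\Users\Admin\AppData\Local\Temp\74660e011065ca6216f408d59cadf33e.exe
PID 1704 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\74660e011065ca6216f408d59cadf33e.exe C:\Users\Admin\AppData\Local\Temp\74660e011065ca6216f408d59cadf33e.exe
PID 1552 wrote to memory of 1368 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\a2bc9af1-4e73-4266-b579-c91af4f52362\74660e011065ca6216f408d59cadf33e.exe
PID 1368 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\a2bc9af1-4e73-4266-b579-c91af4f52362\74660e011065ca6216f408d59cadf33e.exe C:\Users\Admin\AppData\Local\a2bc9af1-4e73-4266-b579-c91af4f52362\74660e011065ca6216f408d59cadf33e.exe
"""

# Assumption: the two image paths are separated by one space and the second
# one starts with a drive letter, so the first can be matched non-greedily.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?) ([A-Za-z]:\\.+)$")


def parse_edges(text):
    """Collapse repeated rows into {(src_pid, dst_pid, src_image, dst_image): count}."""
    edges = Counter()
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:  # header lines and rows without image paths are skipped
            src, dst, src_img, dst_img = m.groups()
            edges[(int(src), int(dst), src_img, dst_img)] += 1
    return edges


def classify(src_img, dst_img):
    """Heuristic label for what a write from src_img into dst_img means in this tree."""
    s, d = basename(src_img).lower(), basename(dst_img).lower()
    if s == d:
        return "same image written by its parent: injection/hollowing candidate"
    if d == "icacls.exe":
        return "built-in ACL tool spawned: check its command line"
    if s == "taskeng.exe":
        return "started by the Task Scheduler: scheduled-task persistence"
    return "cross-process write"


def build_tree(edges):
    """Return (root pids, parent -> [(child pid, writes)], pid -> image path)."""
    children, images = defaultdict(list), {}
    for (src, dst, src_img, dst_img), n in sorted(edges.items()):
        children[src].append((dst, n))
        images.setdefault(src, src_img)
        images.setdefault(dst, dst_img)
    targets = {dst for (_, dst, _, _) in edges}
    roots = sorted(pid for pid in children if pid not in targets)
    return roots, children, images


def render_tree(edges):
    """One indented line per process, with the write count and label of the edge into it."""
    roots, children, images = build_tree(edges)
    out = []

    def walk(pid, depth, note):
        out.append("  " * depth + f"{pid} {basename(images[pid])}  [{note}]")
        for child, n in children.get(pid, []):
            walk(child, depth + 1, f"{n} write(s); {classify(images[pid], images[child])}")

    for root in roots:
        walk(root, 0, "root")
    return out


if __name__ == "__main__":
    print("\n".join(render_tree(parse_edges(SAMPLE_ROWS))))
```

Two roots fall out of the sample: the submitted process (928) and taskeng.exe (1552), which is the second launch via the scheduled task; the write counts alone separate the two plain spawns (4 writes each in the full table) from the three same-image children that receive 11 writes, the pattern that goes with the SetThreadContext signature listed in the summary.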

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 securebiz.org udp
US 8.8.8.8:53 astdg.top udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 www.microsoft.com udp

Files

memory/928-0-0x0000000000280000-0x0000000000312000-memory.dmp

memory/928-1-0x0000000000280000-0x0000000000312000-memory.dmp

memory/928-3-0x00000000045C0000-0x00000000046DB000-memory.dmp

memory/2612-2-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2612-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2612-7-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2612-8-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\a2bc9af1-4e73-4266-b579-c91af4f52362\74660e011065ca6216f408d59cadf33e.exe

MD5 74660e011065ca6216f408d59cadf33e
SHA1 0ad378f1f469f5c57a1516aa05139eee4bda5e8e
SHA256 de8f146808af12f7a609b39c56cf46d9d204ef2e717ff5b83422b7d7deb34739
SHA512 1cd8adc191f35d905cbd5e28806d578203501530e58d6fbc21bbb321cd23f2a77931ec055e80b17445a7c0470c77353d659f9e1c116d4fddeb45d7f06f81f218

memory/1704-28-0x0000000002D50000-0x0000000002DE2000-memory.dmp

memory/2612-26-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1704-29-0x0000000002D50000-0x0000000002DE2000-memory.dmp

memory/2616-34-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2616-35-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 819d2f6d228f94bfebac03edbfa4bc64
SHA1 257acbdf2270c5285962d10460a77f422143cc8d
SHA256 e8b016b694a9c3224b6a405cf52010c03b7bc6c8948ecc8a3d9aaa39a18f6d47
SHA512 b81c03ca94d21cdb106281fa478dccd390e07bd0a03d0077952041f3d1d41a671ac9a3d4c97d41d9c8f74b14214abfcaff696a10d0615b603a7a9b1a67adde67

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 a9732f94e8189ae982055aaeac142330
SHA1 f4609e75c14b2be21f068087723db546e663a4ee
SHA256 4b7f7033f08d539f0d82ccf358de1a521c24a6ac43b4abcf586417e35890392c
SHA512 a8817e8e671d8777a82455c6018faf9a0009aefa47c63ea27897dfb4d6418d90fdd01311458bbe318eaed6b756473487961998003e91124831f7e7c4373bc402

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 d23f9795d7c0acf364770c37386128c6
SHA1 517668881451a294a26d4670ae3cb6c646ddab10
SHA256 7b6e991202646dacc00b8c9410193308e7df37cec062b163fc5c175f41e74cc5
SHA512 804278767d950d87b37c61191020dc5c5718ce536984a1b4d80dfea654c5be74d6dbd8eb628e54783d0191c5b4c11a2cd0d2bdf7dbe395a4a96f5656150966e5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fc763f390e83d8a5b212054d336cef50
SHA1 5f2c0ee4fe20c487b066f76ee56ce3335a1863e2
SHA256 8729ba3b78e65cee809171bc67b858a7368e0d75accf4b08c0348213e6e8b1e1
SHA512 9ad4074c86b24796511b5ae0fdf9b52bc60216bfb2a1e4426d3f2ca9978ca503ff51fe3c62a6e93e7e8e4e1d04f3b9755b8efa830f0e3aa131d0a8a0731e46b6

C:\Users\Admin\AppData\Local\Temp\Cab9A5C.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

memory/2616-48-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2616-49-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2616-50-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2616-53-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2616-55-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2616-56-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2616-57-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2616-58-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1368-72-0x0000000002D90000-0x0000000002E22000-memory.dmp

memory/1368-76-0x0000000002D90000-0x0000000002E22000-memory.dmp

memory/1944-80-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tar7189.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

memory/1944-90-0x0000000000400000-0x0000000000537000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-25 09:59

Reported

2024-01-25 10:02

Platform

win10v2004-20231222-en

Max time kernel

148s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\74660e011065ca6216f408d59cadf33e.exe"

Signatures

Detected Djvu ransomware

Djvu Ransomware

ransomware djvu

Renames multiple (196) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\74660e011065ca6216f408d59cadf33e.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\e4bc9c35-37e3-4295-9f34-515d63f424d7\\74660e011065ca6216f408d59cadf33e.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\74660e011065ca6216f408d59cadf33e.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A (4 events)

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3308 wrote to memory of 968 (10 events) N/A C:\Users\Admin\AppData\Local\Temp\74660e011065ca6216f408d59cadf33e.exe C:\Users\Admin\AppData\Local\Temp\74660e011065ca6216f408d59cadf33e.exe
PID 968 wrote to memory of 3472 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\74660e011065ca6216f408d59cadf33e.exe C:\Windows\SysWOW64\icacls.exe
PID 968 wrote to memory of 4152 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\74660e011065ca6216f408d59cadf33e.exe C:\Users\Admin\AppData\Local\Temp\74660e011065ca6216f408d59cadf33e.exe
PID 4152 wrote to memory of 1296 (10 events) N/A C:\Users\Admin\AppData\Local\Temp\74660e011065ca6216f408d59cadf33e.exe C:\Users\Admin\AppData\Local\Temp\74660e011065ca6216f408d59cadf33e.exe
PID 4352 wrote to memory of 4692 (10 events) N/A C:\Users\Admin\AppData\Local\e4bc9c35-37e3-4295-9f34-515d63f424d7\74660e011065ca6216f408d59cadf33e.exe C:\Users\Admin\AppData\Local\e4bc9c35-37e3-4295-9f34-515d63f424d7\74660e011065ca6216f408d59cadf33e.exe

Processes

C:\Users\Admin\AppData\Local\Temp\74660e011065ca6216f408d59cadf33e.exe

"C:\Users\Admin\AppData\Local\Temp\74660e011065ca6216f408d59cadf33e.exe"

C:\Users\Admin\AppData\Local\Temp\74660e011065ca6216f408d59cadf33e.exe

"C:\Users\Admin\AppData\Local\Temp\74660e011065ca6216f408d59cadf33e.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\e4bc9c35-37e3-4295-9f34-515d63f424d7" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\74660e011065ca6216f408d59cadf33e.exe

"C:\Users\Admin\AppData\Local\Temp\74660e011065ca6216f408d59cadf33e.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\74660e011065ca6216f408d59cadf33e.exe

"C:\Users\Admin\AppData\Local\Temp\74660e011065ca6216f408d59cadf33e.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\e4bc9c35-37e3-4295-9f34-515d63f424d7\74660e011065ca6216f408d59cadf33e.exe

C:\Users\Admin\AppData\Local\e4bc9c35-37e3-4295-9f34-515d63f424d7\74660e011065ca6216f408d59cadf33e.exe --Task

C:\Users\Admin\AppData\Local\e4bc9c35-37e3-4295-9f34-515d63f424d7\74660e011065ca6216f408d59cadf33e.exe

C:\Users\Admin\AppData\Local\e4bc9c35-37e3-4295-9f34-515d63f424d7\74660e011065ca6216f408d59cadf33e.exe --Task
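Both detonations show the same persistence pair: a Run value named SysHelper whose data points at a copy of the sample inside a GUID-named folder under %LOCALAPPDATA% with "--AutoStart", and an icacls call that denies Everyone (S-1-1-0) the delete (DE) and delete-child (DC) rights on that folder, inherited to files and subfolders via (OI)(CI), so the user cannot simply remove the dropped copy. The Python below is an added example, not code from the sandbox or from any product: it parses both artefacts and correlates them, raising a separate finding when a Run target lives in a directory that the same host has locked against deletion. The events are constructed in a Sysmon-like dict shape (not the sandbox's export format) using the behavioral2 values above, the IIS line is a constructed benign control, and the GUID-folder pattern, the set of delete-capable rights and the simplified icacls ACE grammar are this example's own assumptions.

```python
import re
import shlex

# Constructed sample events (Sysmon-like shape, not the sandbox's format).
# The registry data and the first icacls line are the behavioral2 values;
# the second icacls line is a benign control case that must not fire.
SAMPLE_EVENTS = [
    {"type": "registry_set",
     "key": r"\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "name": "SysHelper",
     "data": r'"C:\Users\Admin\AppData\Local\e4bc9c35-37e3-4295-9f34-515d63f424d7\74660e011065ca6216f408d59cadf33e.exe" --AutoStart'},
    {"type": "process_create",
     "image": r"C:\Windows\SysWOW64\icacls.exe",
     "cmdline": r'icacls "C:\Users\Admin\AppData\Local\e4bc9c35-37e3-4295-9f34-515d63f424d7" /deny *S-1-1-0:(OI)(CI)(DE,DC)'},
    {"type": "process_create",
     "image": r"C:\Windows\System32\icacls.exe",
     "cmdline": r'icacls C:\inetpub\wwwroot /grant "IIS_IUSRS:(OI)(CI)RX"'},
]

INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I"}   # icacls inheritance flags
DELETE_RIGHTS = {"DE", "DC", "D", "F", "M"}     # assumption: rights that allow deleting
# Assumption: an EXE directly inside a GUID-named folder under %LOCALAPPDATA%.
LOCAL_GUID_EXE = re.compile(
    r"^(?P<dir>[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\"
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})\\[^\\]+\.exe$", re.I)


def split_windows(cmdline):
    """Split on whitespace keeping quoted paths together, then drop the quotes."""
    return [t.strip('"') for t in shlex.split(cmdline, posix=False)]


def parse_ace(text):
    """Parse an icacls ACE such as *S-1-1-0:(OI)(CI)(DE,DC) or IIS_IUSRS:(OI)(CI)RX."""
    m = re.match(r"^\*?(?P<principal>[^:]+):(?P<perm>.+)$", text)
    if not m:
        return None
    parts = [p for p in re.split(r"[()]", m.group("perm")) if p]
    flags = {p for p in parts if p in INHERIT_FLAGS}
    rights = {r for p in parts if p not in INHERIT_FLAGS for r in p.split(",")}
    return {"principal": m.group("principal"), "flags": flags, "rights": rights}


def parse_icacls(cmdline):
    """Return the target path plus the /deny and /grant ACEs of an icacls command line."""
    tokens = split_windows(cmdline)
    result = {"path": None, "deny": [], "grant": []}
    i = 1  # tokens[0] is the icacls image itself
    while i < len(tokens):
        low = tokens[i].lower()
        if low.startswith(("/deny", "/grant")) and i + 1 < len(tokens):
            ace = parse_ace(tokens[i + 1])
            if ace:
                result["deny" if low.startswith("/deny") else "grant"].append(ace)
            i += 2
        else:
            if not tokens[i].startswith("/") and result["path"] is None:
                result["path"] = tokens[i]
            i += 1
    return result


def check_run_value(name, data):
    """Flag a Run value whose target is an EXE inside a GUID-named %LOCALAPPDATA% folder."""
    tokens = split_windows(data)
    m = LOCAL_GUID_EXE.match(tokens[0]) if tokens else None
    if not m:
        return None
    return {"rule": "run_key_guid_dir", "value": name, "dir": m.group("dir"), "args": tokens[1:]}


def check_icacls(cmdline):
    """Flag a deny ACE that takes delete rights away from Everyone (S-1-1-0)."""
    parsed = parse_icacls(cmdline)
    for ace in parsed["deny"]:
        if ace["principal"].upper() in ("S-1-1-0", "EVERYONE") and ace["rights"] & DELETE_RIGHTS:
            return {"rule": "icacls_deny_delete_everyone", "dir": parsed["path"],
                    "inherit": sorted(ace["flags"]), "rights": sorted(ace["rights"])}
    return None


def triage(events):
    """Run both checks, then correlate a Run target with a directory locked against deletion."""
    findings = []
    for ev in events:
        if ev["type"] == "registry_set" and ev["key"].lower().endswith(r"\currentversion\run"):
            f = check_run_value(ev["name"], ev["data"])
        elif ev["type"] == "process_create" and ev["image"].lower().endswith("icacls.exe"):
            f = check_icacls(ev["cmdline"])
        else:
            f = None
        if f:
            findings.append(f)
    locked = {f["dir"].lower() for f in findings if f["rule"] == "icacls_deny_delete_everyone" and f["dir"]}
    correlated = [{"rule": "self_protecting_persistence", "dir": f["dir"]}
                  for f in findings if f["rule"] == "run_key_guid_dir" and f["dir"].lower() in locked]
    return findings + correlated


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The benign IIS line is there on purpose: a /grant of RX to a service account parses cleanly but produces no finding, so the rule keys on the combination of a deny, the Everyone SID and a delete-capable right rather than on icacls.exe being run at all. For cleanup, the same deny ACE is what has to be removed (or the folder taken over by an administrator) before the dropped copy can be deleted.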

Network

Country Destination Domain Proto
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 6.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 api.2ip.ua udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 188.114.96.2:443 api.2ip.ua tcp
US 8.8.8.8:53 2.96.114.188.in-addr.arpa udp
US 8.8.8.8:53 67.204.58.216.in-addr.arpa udp
US 188.114.96.2:443 api.2ip.ua tcp
US 8.8.8.8:53 securebiz.org udp
US 8.8.8.8:53 astdg.top udp
US 8.8.8.8:53 astdg.top udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 astdg.top udp
US 8.8.8.8:53 astdg.top udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 188.114.96.2:443 api.2ip.ua tcp
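Reading this table, the only named host actually contacted is api.2ip.ua (TLS to 188.114.96.2 here, 104.21.65.24 in behavioral1), which is the external IP lookup flagged in the summary; securebiz.org and astdg.top were resolved but no connection to them appears in either capture, and the in-addr.arpa rows are reverse lookups. The Python below is an added example, not part of the sandbox report or of any tool, that makes that split mechanically: it parses rows in the report's "Country Destination Domain Proto" layout (tolerating the row with an empty Domain column), separates DNS traffic from real connections, and lists names that were resolved but never contacted. The sample rows are a constructed subset of this table and the set of IP-lookup services contains only the one seen in the report.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: a subset of the behavioral2 Network rows, kept in the
# report's "Country Destination Domain Proto" layout; the first row has no
# Domain column, exactly as in the report.
SAMPLE_NET = """
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 api.2ip.ua udp
US 188.114.96.2:443 api.2ip.ua tcp
US 8.8.8.8:53 securebiz.org udp
US 8.8.8.8:53 astdg.top udp
US 8.8.8.8:53 astdg.top udp
US 188.114.96.2:443 api.2ip.ua tcp
"""

ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2}) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"(?: (?P<domain>\S+))? (?P<proto>tcp|udp)$")

# Assumption: the only public IP-lookup service that appears in this report.
IP_LOOKUP_SERVICES = {"api.2ip.ua"}


def summarize(text):
    """Separate DNS lookups from connections and report what was resolved but never contacted."""
    resolved, reverse = Counter(), []
    connected, bare = defaultdict(Counter), Counter()
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # header line or a row in an unexpected layout
        cc, ip, port, domain, proto = m.groups()
        port = int(port)
        if port == 53 and proto == "udp":  # DNS: a name being resolved, not a contact
            if domain is None:
                continue
            if domain.endswith(".in-addr.arpa"):
                reverse.append(domain)  # PTR lookups, normally OS/sandbox noise
            else:
                resolved[domain.lower()] += 1
        elif domain:
            connected[domain.lower()][(ip, port, proto)] += 1
        else:
            bare[(ip, port, proto, cc)] += 1  # a connection with no name attached
    return {
        "resolved_only": sorted(set(resolved) - set(connected)),
        "connected": {d: dict(c) for d, c in connected.items()},
        "bare_ip": dict(bare),
        "ip_lookup_services": sorted(set(connected) & IP_LOOKUP_SERVICES),
        "reverse_lookups": len(reverse),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_NET).items():
        print(f"{key}: {value}")
```

The resolved-only list is the part worth watching: a name the sample asks for but never reaches within the capture window is either a server that was down at detonation time or one the sandbox never let it reach, and in both cases the DNS query itself is the indicator that survives; the bare connection to 52.142.223.178:80 has no name in the capture and cannot be attributed from this table alone.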

Files

memory/3308-1-0x0000000004B70000-0x0000000004C0C000-memory.dmp

memory/968-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/968-6-0x0000000000400000-0x0000000000537000-memory.dmp

memory/968-4-0x0000000000400000-0x0000000000537000-memory.dmp

memory/968-3-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3308-2-0x0000000004C10000-0x0000000004D2B000-memory.dmp

C:\Users\Admin\AppData\Local\e4bc9c35-37e3-4295-9f34-515d63f424d7\74660e011065ca6216f408d59cadf33e.exe

MD5 74660e011065ca6216f408d59cadf33e
SHA1 0ad378f1f469f5c57a1516aa05139eee4bda5e8e
SHA256 de8f146808af12f7a609b39c56cf46d9d204ef2e717ff5b83422b7d7deb34739
SHA512 1cd8adc191f35d905cbd5e28806d578203501530e58d6fbc21bbb321cd23f2a77931ec055e80b17445a7c0470c77353d659f9e1c116d4fddeb45d7f06f81f218

memory/968-15-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4152-18-0x0000000004810000-0x00000000048AF000-memory.dmp

memory/1296-20-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1296-21-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1296-22-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 819d2f6d228f94bfebac03edbfa4bc64
SHA1 257acbdf2270c5285962d10460a77f422143cc8d
SHA256 e8b016b694a9c3224b6a405cf52010c03b7bc6c8948ecc8a3d9aaa39a18f6d47
SHA512 b81c03ca94d21cdb106281fa478dccd390e07bd0a03d0077952041f3d1d41a671ac9a3d4c97d41d9c8f74b14214abfcaff696a10d0615b603a7a9b1a67adde67

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 775cae5d8e861b8b8850289a202d541e
SHA1 6a68b7c53d6c6e391ed7965eaf45ac4a94c1b9ee
SHA256 cd1751448972924e5255906534ee184348b9a44bb6e72c0164f0ac6271cc23c4
SHA512 9838f716bb09e71c97abc650a91a9b358430e53b70764a9d05e9ee0b1e0a0aacdb745c3696ee427adfa9b7fe044e7160817d98409c8581353f035fb7496bab3c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 c1b5777d366096b61dc8c5748fe2934c
SHA1 3bf4120a193da89fdfda0988736cf6671d606b86
SHA256 f38a407dd6831fa72d6e16c53dbfe6566fba8e77f7cfbc7985f2532a5bf43a27
SHA512 f55c7caaf0ead5ac12a6f9d2ea95be8c7ba3b375d8552412a7b0da8af9626446a062f7ed7b5b17d5cc3919bae533fb6a94c1a4967fa88b2f5e43b7cbac1d5f89

memory/1296-28-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1296-27-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1296-29-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1296-31-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1296-34-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1296-33-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1296-35-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1296-37-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4352-50-0x00000000048E0000-0x0000000004975000-memory.dmp

memory/4692-53-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4692-54-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4692-55-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4692-56-0x0000000000400000-0x0000000000537000-memory.dmp