Malware Analysis Report

2025-08-05 13:12

Sample ID 240126-ltjtlscchn
Target 770875a906b4931c20fc1abf90bd3728
SHA256 187329e42948ef198658234eed2b95a769decf507415a6e4acc1a1eb4429e1db
Tags
djvu discovery persistence ransomware
score
10/10

Analysis Overview

score
10/10

SHA256

187329e42948ef198658234eed2b95a769decf507415a6e4acc1a1eb4429e1db

Threat Level: Known bad

The file 770875a906b4931c20fc1abf90bd3728 was found to be: Known bad.

Malicious Activity Summary

djvu discovery persistence ransomware

Djvu Ransomware

Detected Djvu ransomware

Modifies file permissions

Checks computer location settings

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2024-01-26 09:49

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-26 09:49

Reported

2024-01-26 09:51

Platform

win7-20231129-en

Max time kernel

149s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\770875a906b4931c20fc1abf90bd3728.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\129974e8-c8ae-4ffd-8fce-216f904b6674\\770875a906b4931c20fc1abf90bd3728.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\770875a906b4931c20fc1abf90bd3728.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = (binary blob omitted) C:\Users\Admin\AppData\Local\Temp\770875a906b4931c20fc1abf90bd3728.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C C:\Users\Admin\AppData\Local\Temp\770875a906b4931c20fc1abf90bd3728.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1388 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\770875a906b4931c20fc1abf90bd3728.exe C:\Users\Admin\AppData\Local\Temp\770875a906b4931c20fc1abf90bd3728.exe
PID 2876 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\770875a906b4931c20fc1abf90bd3728.exe C:\Windows\SysWOW64\icacls.exe
PID 2876 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\770875a906b4931c20fc1abf90bd3728.exe C:\Users\Admin\AppData\Local\Temp\770875a906b4931c20fc1abf90bd3728.exe
PID 2732 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\770875a906b4931c20fc1abf90bd3728.exe C:\Users\Admin\AppData\Local\Temp\770875a906b4931c20fc1abf90bd3728.exe

Processes

C:\Users\Admin\AppData\Local\Temp\770875a906b4931c20fc1abf90bd3728.exe

"C:\Users\Admin\AppData\Local\Temp\770875a906b4931c20fc1abf90bd3728.exe"

C:\Users\Admin\AppData\Local\Temp\770875a906b4931c20fc1abf90bd3728.exe

"C:\Users\Admin\AppData\Local\Temp\770875a906b4931c20fc1abf90bd3728.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\129974e8-c8ae-4ffd-8fce-216f904b6674" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\770875a906b4931c20fc1abf90bd3728.exe

"C:\Users\Admin\AppData\Local\Temp\770875a906b4931c20fc1abf90bd3728.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\770875a906b4931c20fc1abf90bd3728.exe

"C:\Users\Admin\AppData\Local\Temp\770875a906b4931c20fc1abf90bd3728.exe" --Admin IsNotAutoStart IsNotTask

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 pki.goog udp
US 216.239.32.29:80 pki.goog tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 securebiz.org udp
US 8.8.8.8:53 astdg.top udp

Files

memory/1388-0-0x00000000002D0000-0x0000000000361000-memory.dmp

memory/1388-2-0x00000000002D0000-0x0000000000361000-memory.dmp

memory/2876-1-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2876-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2876-7-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2876-8-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1388-4-0x0000000004600000-0x000000000471B000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\129974e8-c8ae-4ffd-8fce-216f904b6674\770875a906b4931c20fc1abf90bd3728.exe

MD5 bdc68d4cda77cd67a4c9c4b344500141
SHA1 348924210479b5e2f2b391611a5437d35b7cd55d
SHA256 7104117bfd16b1e6bd9f61af2f36f74e8f49b14ad019d20983ab70a0b7bb8d25
SHA512 c55688b39178a918d0bb9843f946b5c16372fca12b2ddbfb0992479916e4a5704b9d52a3dfb7274635a9dc6fab74ff658cfbf8bc361e7742f0fea4818dc2aea2

memory/2876-44-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2732-45-0x0000000000300000-0x0000000000391000-memory.dmp

memory/2732-47-0x0000000000300000-0x0000000000391000-memory.dmp

memory/2480-53-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2480-54-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2732-52-0x0000000000300000-0x0000000000391000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tar2B94.tmp

MD5 61f643c153b42808c5c992e59e34cfd9
SHA1 b71c9a2791d9abfd4ebc7a8c7bb6cf6f8580e832
SHA256 e3e19feaddaa1db409f03df3b913790eb8ad06afb906e7d1f5860e43d3d59902
SHA512 62ea2c5a5a7490968c60d602c7e1eaf49cff7051f1009e980fd9dbf60bcd76f507a553d1f5298cd21dfa3728a0098e8969904eaf67f4c9a6feabe6ca72c3d774

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 c69fff85040487e6f2b7a4fc215e7383
SHA1 3d0261812a3981c80aee74cfe2025aa02980c77b
SHA256 4ae2ba25a3ef3dfb2721f959f1336a64569b109d2b7958f013706985cd3373f6
SHA512 02b60d3ff203a090bad852e92283b38ed959f5c4d397e1a3f2a4100b44217c745572f7104827fdb80a64da97a3222901a500a1a99d026ec959fca65669c44f45

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1db6a422fca811a50950953a4d058157
SHA1 867e1ad5d6a6916b89f0d44f130bc6328fd1eaf1
SHA256 cd9c36956f374c20d61f38d3cc26917ccf9a7175c90c636cf4a4d7ab0706d1a0
SHA512 55ad8e0b9f181379111675ac96daa63007eeb74022d9417f27d553da1bf822a9ef5a9016ef95c969ee2292432bf9a455f8154521be76c12255247cfc5b2a3ddf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

memory/2480-71-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2480-70-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 e6d736a9701f89e36e8d045854b5585f
SHA1 9d6bff35f14772b6360ac9a7cd7ea23143351e16
SHA256 2cb0f8ac96bf3ade23d22b643eb2a0112cf638d88d74f511439ad5509986e5e3
SHA512 4153deeacb3daafd39183abbaaed81f7a70029cf007fc3abd64e63219d0d48734667e884a21f728044d1acb894c360d0b00fb24d260acecc4acf17d315ee30d3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 73ce21ff1fb2989f6350ace9274ae9b5
SHA1 7db6c387eb8351f3e8e361d10224711c3477821e
SHA256 d7005273bab949c42fcc73eac7820c4c5f08df1e9095020cdb0e17fc9e282d50
SHA512 a43767a55a559a8bf51d5dcb9bc378167f63e15f571b6be35903048570d036fed2a3f6a37c91f469ee9808d245cdd875b9dad38556e6bf97258a82c7071aeab3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 afc45000db2195c40325a4796a79eeed
SHA1 bf220910902d40e7cc7e8c185953ec0b2d785695
SHA256 6075ccc8c61124e65f6813e13660da7a891b720a91e2e64e9eab418ad841a4be
SHA512 439236c65919cfd9fafb2815ac3c9bccab067197158830aea67329009c78ee548ff9b6bbf6daca1a29b3464a356ff67ee781bbe90ce9bc956157601ef1900eee

memory/2480-72-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2480-78-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2480-77-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2480-75-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2480-79-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2480-80-0x0000000000400000-0x0000000000537000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-26 09:49

Reported

2024-01-26 09:52

Platform

win10v2004-20231215-en

Max time kernel

145s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\770875a906b4931c20fc1abf90bd3728.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\770875a906b4931c20fc1abf90bd3728.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\c236505a-fe42-45d2-b7b6-a6d0d3e3a648\\770875a906b4931c20fc1abf90bd3728.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\770875a906b4931c20fc1abf90bd3728.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3040 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\770875a906b4931c20fc1abf90bd3728.exe C:\Users\Admin\AppData\Local\Temp\770875a906b4931c20fc1abf90bd3728.exe
PID 1212 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\770875a906b4931c20fc1abf90bd3728.exe C:\Windows\SysWOW64\icacls.exe
PID 1212 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\770875a906b4931c20fc1abf90bd3728.exe C:\Users\Admin\AppData\Local\Temp\770875a906b4931c20fc1abf90bd3728.exe
PID 4068 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\770875a906b4931c20fc1abf90bd3728.exe C:\Users\Admin\AppData\Local\Temp\770875a906b4931c20fc1abf90bd3728.exe

Processes

C:\Users\Admin\AppData\Local\Temp\770875a906b4931c20fc1abf90bd3728.exe

"C:\Users\Admin\AppData\Local\Temp\770875a906b4931c20fc1abf90bd3728.exe"

C:\Users\Admin\AppData\Local\Temp\770875a906b4931c20fc1abf90bd3728.exe

"C:\Users\Admin\AppData\Local\Temp\770875a906b4931c20fc1abf90bd3728.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\c236505a-fe42-45d2-b7b6-a6d0d3e3a648" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\770875a906b4931c20fc1abf90bd3728.exe

"C:\Users\Admin\AppData\Local\Temp\770875a906b4931c20fc1abf90bd3728.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\770875a906b4931c20fc1abf90bd3728.exe

"C:\Users\Admin\AppData\Local\Temp\770875a906b4931c20fc1abf90bd3728.exe" --Admin IsNotAutoStart IsNotTask

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 api.2ip.ua udp
US 188.114.97.2:443 api.2ip.ua tcp
US 8.8.8.8:53 1.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 2.97.114.188.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 67.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 securebiz.org udp
US 8.8.8.8:53 astdg.top udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

memory/3040-1-0x0000000004A40000-0x0000000004ADA000-memory.dmp

memory/3040-2-0x0000000004B30000-0x0000000004C4B000-memory.dmp

memory/1212-3-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1212-4-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1212-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1212-6-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\c236505a-fe42-45d2-b7b6-a6d0d3e3a648\770875a906b4931c20fc1abf90bd3728.exe

MD5 770875a906b4931c20fc1abf90bd3728
SHA1 ee3a2a7399459c55de025b9a20a1aef3e770cb83
SHA256 187329e42948ef198658234eed2b95a769decf507415a6e4acc1a1eb4429e1db
SHA512 4aad8881caa4d33bc018291d22d9cf7993f5eeade1e6fc7f19995e2dbfa4af4fe9e585a5a18d382fc07798a53c0aa3a8ca8e87b7443bf01548adee92266fd974

memory/1212-16-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4068-19-0x0000000004830000-0x00000000048CB000-memory.dmp

memory/4588-20-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4588-21-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4588-22-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 b3a2356cbd5ce42914c79bc4a111a750
SHA1 6c9ac4a2daea1b306f776924ef9b52963e1ade36
SHA256 ae2731e9ee452f4c5345d8ac23c91782f215d55bbb4881da3fa15e4fd5ca7e3b
SHA512 eb6b4f9ff2810408b44266879e7fd0dba287699f7e43c531bb12097fff33955c93efa483b11e7254e43e949942dff697cbd951b128b568a4d5cc60a359578b84

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 73ce21ff1fb2989f6350ace9274ae9b5
SHA1 7db6c387eb8351f3e8e361d10224711c3477821e
SHA256 d7005273bab949c42fcc73eac7820c4c5f08df1e9095020cdb0e17fc9e282d50
SHA512 a43767a55a559a8bf51d5dcb9bc378167f63e15f571b6be35903048570d036fed2a3f6a37c91f469ee9808d245cdd875b9dad38556e6bf97258a82c7071aeab3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 74adee8a8bf071e721106cd4008f1623
SHA1 0a92a27b1fcf107c46c71564d617c946f426862c
SHA256 f0fdcc083da31b13b39252e150b00f5206ec7ab389056c378ce9981845027d39
SHA512 937cc6650def3a5162d88976a20ddd1ca713398da2f11ff5e568b333899c56a93555b030c45e5df4a29940fa2f6fca6d19cb3395ac68e5ccb2d986c7e750b5df

memory/4588-28-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4588-27-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4588-29-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4588-31-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4588-33-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4588-34-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4588-35-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4588-37-0x0000000000400000-0x0000000000537000-memory.dmp