Malware Analysis Report

2025-08-05 13:12

Sample ID 240127-g3mjmseha2
Target 797e3e1110e0486621a7b615ef234f1f
SHA256 bd12c49f8042d22bd417a8012a9d1dd5c086a5b0244d4eac163c2f9b730b8eec
Tags djvu discovery persistence ransomware
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

bd12c49f8042d22bd417a8012a9d1dd5c086a5b0244d4eac163c2f9b730b8eec

Threat Level: Known bad

The file 797e3e1110e0486621a7b615ef234f1f was found to be: Known bad.

Malicious Activity Summary

djvu discovery persistence ransomware

Detected Djvu ransomware

Djvu Ransomware

Modifies file permissions

Checks computer location settings

Looks up external IP address via web service

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-27 06:19

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-27 06:19

Reported

2024-01-27 06:22

Platform

win7-20231129-en

Max time kernel

141s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\e2512cd8-54a2-4b88-85c9-73e23caa8092\\797e3e1110e0486621a7b615ef234f1f.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1840 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe
PID 1840 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe
PID 1840 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe
PID 1840 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe
PID 1840 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe
PID 1840 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe
PID 1840 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe
PID 1840 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe
PID 1840 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe
PID 1840 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe
PID 1840 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe
PID 2384 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe C:\Windows\SysWOW64\icacls.exe
PID 2384 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe C:\Windows\SysWOW64\icacls.exe
PID 2384 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe C:\Windows\SysWOW64\icacls.exe
PID 2384 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe C:\Windows\SysWOW64\icacls.exe
PID 2384 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe
PID 2384 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe
PID 2384 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe
PID 2384 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe
PID 2224 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe
PID 2224 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe
PID 2224 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe
PID 2224 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe
PID 2224 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe
PID 2224 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe
PID 2224 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe
PID 2224 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe
PID 2224 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe
PID 2224 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe
PID 2224 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe

Processes

C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe

"C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe"

C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe

"C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\e2512cd8-54a2-4b88-85c9-73e23caa8092" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe

"C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe

"C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe" --Admin IsNotAutoStart IsNotTask

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 pki.goog udp
US 216.239.32.29:80 pki.goog tcp
US 8.8.8.8:53 www.microsoft.com udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 securebiz.org udp
US 8.8.8.8:53 astdg.top udp

Files

memory/1840-0-0x0000000000340000-0x00000000003D2000-memory.dmp

memory/2384-2-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1840-1-0x0000000000340000-0x00000000003D2000-memory.dmp

memory/1840-4-0x0000000004580000-0x000000000469B000-memory.dmp

memory/2384-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2384-7-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2384-8-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\e2512cd8-54a2-4b88-85c9-73e23caa8092\797e3e1110e0486621a7b615ef234f1f.exe

MD5 797e3e1110e0486621a7b615ef234f1f
SHA1 a89750f80cdb397fe9772544e6ddc3455efc15b0
SHA256 bd12c49f8042d22bd417a8012a9d1dd5c086a5b0244d4eac163c2f9b730b8eec
SHA512 c0c20b60130a6fc2cf822e50feb8ea2132a9ff2bbc1b11377db41b2df36aeffa5b262da5680fa8759cb472173e9e60c5ab544226afe1971123c7eb143b1e0266

memory/2224-47-0x00000000002F0000-0x0000000000382000-memory.dmp

memory/2384-46-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2224-49-0x00000000002F0000-0x0000000000382000-memory.dmp

memory/2512-55-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2512-54-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 1695b9dafae2707291cc2eee2b30eafa
SHA1 750f9698e9fd7cfab7244a75d351c31f07c0f64e
SHA256 baf6b46471994b837b6b6b17bf627f9f0b5803e231279595890be1b9f581b629
SHA512 f5ed38fc56f7b0ab229948e2a7b1efafc0d826ef750c31ff221a96f3f0e54c2f376d766d1e22cd3e53ecb8df92374424c7c6c6201796bfe314d2fd70c1ef7c29

C:\Users\Admin\AppData\Local\Temp\Tar3AEF.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3b7548c1ef185f0f11a6151ca9a3ffc3
SHA1 a951e51b9fb6bd790fb8a8b634452608319eec06
SHA256 4a1241dbc2a3b0298b002914de9e0bac5cff94a35e7b04029c4e105bdc7c9c15
SHA512 ca373f9b3c3cbbe07490fb865695dad99a44118f465c25cbc85dd1692f34e2d49ec4c1295d0fbecdd1bcda6d96a22e53d874af398b03ce047db5dd49e68d3167

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 510e2ee30caf3f8d7733fc95054d2818
SHA1 4d3dbd9bc3f2d978a720cdc52528bebadad22fc7
SHA256 d12bbb1517f258d01fbda8ef8fc396c4e0f0895c9b8b47e39891e603c23a03a7
SHA512 03b6911f8e8dddfd47fcf478a86ae57425e6b4be97a243a9f349494da43f22b118aec30a266588cddda64bdef72a931740010b5f66a4a908729e847c6620c6b5

memory/2512-74-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2512-73-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 117581c8a2ff4fce10d77d2f81dd0cdc
SHA1 a0fbeeef3c720485767906ddf3d699f78bd3a692
SHA256 14924e43f9d37b1bfca5c3d878e9ad833b26ce047840565801eb2aa2257770e2
SHA512 4230d5299fb961cb1d2ea3bd971e3df2cc3bdd10ff4331e672bfb4ab49a68f757df0d433dc0cfc8f07a6b6e0b51166cb571eefa93eb9a41f98197fcce5eec9a8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 9b7c24719412e6c894f22268580efe3f
SHA1 a05377aedd57079dab7f568eed23774b713cfc60
SHA256 05ec0e390a9362f23ced706b37c1ff553639981ba6e47c6b4e8df4c0cba0a2ec
SHA512 ab551e7ec7ed479c4feef24df88d80658ef255f4c260c4f4b10bbad8a241c5ee2102b54f3d6eb72e7cfd7b29bf6d147dcd2c1f03ce95db2c0061ad79e20561d1

memory/2512-75-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2512-78-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2512-80-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2512-81-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2512-82-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2512-83-0x0000000000400000-0x0000000000537000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-27 06:19

Reported

2024-01-27 06:22

Platform

win10v2004-20231215-en

Max time kernel

146s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\06fe5c60-4eba-4c3c-9999-b0a39ed2602e\\797e3e1110e0486621a7b615ef234f1f.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4976 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe
PID 4976 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe
PID 4976 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe
PID 4976 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe
PID 4976 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe
PID 4976 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe
PID 4976 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe
PID 4976 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe
PID 4976 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe
PID 4976 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe
PID 316 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe C:\Windows\SysWOW64\icacls.exe
PID 316 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe C:\Windows\SysWOW64\icacls.exe
PID 316 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe C:\Windows\SysWOW64\icacls.exe
PID 316 wrote to memory of 3368 N/A C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe
PID 316 wrote to memory of 3368 N/A C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe
PID 316 wrote to memory of 3368 N/A C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe
PID 3368 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe
PID 3368 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe
PID 3368 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe
PID 3368 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe
PID 3368 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe
PID 3368 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe
PID 3368 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe
PID 3368 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe
PID 3368 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe
PID 3368 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe

Processes

C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe

"C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe"

C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe

"C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\06fe5c60-4eba-4c3c-9999-b0a39ed2602e" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe

"C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe

"C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe" --Admin IsNotAutoStart IsNotTask

Network

Country Destination Domain Proto
US 20.231.121.79:80 tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 195.18.217.172.in-addr.arpa udp
US 8.8.8.8:53 24.65.21.104.in-addr.arpa udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 securebiz.org udp
US 8.8.8.8:53 astdg.top udp
US 8.8.8.8:53 astdg.top udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 astdg.top udp
US 8.8.8.8:53 astdg.top udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 211.143.182.52.in-addr.arpa udp

Files

memory/4976-1-0x0000000004A60000-0x0000000004AFB000-memory.dmp

memory/4976-2-0x0000000004B60000-0x0000000004C7B000-memory.dmp

memory/316-3-0x0000000000400000-0x0000000000537000-memory.dmp

memory/316-4-0x0000000000400000-0x0000000000537000-memory.dmp

memory/316-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/316-6-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\06fe5c60-4eba-4c3c-9999-b0a39ed2602e\797e3e1110e0486621a7b615ef234f1f.exe

MD5 e5f0045b8e7132ba6749252cf90a0625
SHA1 1cf640edba0758f946bddcf93a97f7ef2da0c18a
SHA256 d7413120af2e9d7e749aac63681d5ca58846e759e830854fe646039bf317b4d3
SHA512 6bdb4f213c3eaf9d27d204a10f22d052d4d4a7711d1d4898f4b740e8fd4fd2fd29b88361734004539e7242d48cce17e35d70ec017551d0c04ca8d5046a3da96e

memory/316-18-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3368-20-0x0000000004910000-0x00000000049AF000-memory.dmp

memory/3420-22-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3420-23-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3420-24-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 a1c28371391eddea308574b3037df848
SHA1 9735ace763cc213a153040ecbe0d3d6bd6f40eb1
SHA256 ab898305fce434823116aebdd24261c65df599b15c53fab40730714d734a9837
SHA512 9c64ecec2f32dd7d578c03d7f1140752d2b25ab2d8e01030f73484c812ca21eba068777aa363b933fdd5b06b0a22faaeaa694ca1530c15f7b334aeadf75ff6bf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 117581c8a2ff4fce10d77d2f81dd0cdc
SHA1 a0fbeeef3c720485767906ddf3d699f78bd3a692
SHA256 14924e43f9d37b1bfca5c3d878e9ad833b26ce047840565801eb2aa2257770e2
SHA512 4230d5299fb961cb1d2ea3bd971e3df2cc3bdd10ff4331e672bfb4ab49a68f757df0d433dc0cfc8f07a6b6e0b51166cb571eefa93eb9a41f98197fcce5eec9a8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 3b9de6831560601ff09ec87729aa712a
SHA1 a98a1f7027d0a406f7ee581ceea91b22c985bfb7
SHA256 c5e56fcf79f9d1581c6a54fe1ed1e2e97ea927c9a4fe5ada14e770a5de5adf5c
SHA512 e68141cd7de91a50c67749317614ae183ae5e6826078f5b01ede566e2f03461693043435f686a65c6e2d1cc5044e2ab7e617e069d801ca14384146c978c6282c

memory/3420-31-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3420-32-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3420-33-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3420-35-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3420-37-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3420-38-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3420-39-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3420-41-0x0000000000400000-0x0000000000537000-memory.dmp