Analysis Overview
SHA256
bd12c49f8042d22bd417a8012a9d1dd5c086a5b0244d4eac163c2f9b730b8eec
Threat Level: Known bad
The file 797e3e1110e0486621a7b615ef234f1f was found to be: Known bad.
Malicious Activity Summary
Detected Djvu ransomware
Djvu Ransomware
Modifies file permissions
Checks computer location settings
Looks up external IP address via web service
Adds Run key to start application
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-27 06:19
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-27 06:19
Reported
2024-01-27 06:22
Platform
win7-20231129-en
Max time kernel
141s
Max time network
122s
Command Line
Signatures
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\e2512cd8-54a2-4b88-85c9-73e23caa8092\\797e3e1110e0486621a7b615ef234f1f.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1840 set thread context of 2384 | N/A | C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe | C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe |
| PID 2224 set thread context of 2512 | N/A | C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe | C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe |
Enumerates physical storage devices
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C | C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C | C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe
"C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe"
C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe
"C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\e2512cd8-54a2-4b88-85c9-73e23caa8092" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe
"C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe
"C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe" --Admin IsNotAutoStart IsNotTask
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 216.239.32.29:80 | pki.goog | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | securebiz.org | udp |
| US | 8.8.8.8:53 | astdg.top | udp |
Files
memory/1840-0-0x0000000000340000-0x00000000003D2000-memory.dmp
memory/2384-2-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1840-1-0x0000000000340000-0x00000000003D2000-memory.dmp
memory/1840-4-0x0000000004580000-0x000000000469B000-memory.dmp
memory/2384-5-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2384-7-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2384-8-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\Local\e2512cd8-54a2-4b88-85c9-73e23caa8092\797e3e1110e0486621a7b615ef234f1f.exe
| MD5 | 797e3e1110e0486621a7b615ef234f1f |
| SHA1 | a89750f80cdb397fe9772544e6ddc3455efc15b0 |
| SHA256 | bd12c49f8042d22bd417a8012a9d1dd5c086a5b0244d4eac163c2f9b730b8eec |
| SHA512 | c0c20b60130a6fc2cf822e50feb8ea2132a9ff2bbc1b11377db41b2df36aeffa5b262da5680fa8759cb472173e9e60c5ab544226afe1971123c7eb143b1e0266 |
memory/2224-47-0x00000000002F0000-0x0000000000382000-memory.dmp
memory/2384-46-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2224-49-0x00000000002F0000-0x0000000000382000-memory.dmp
memory/2512-55-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2512-54-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | a266bb7dcc38a562631361bbf61dd11b |
| SHA1 | 3b1efd3a66ea28b16697394703a72ca340a05bd5 |
| SHA256 | df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e |
| SHA512 | 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | 1695b9dafae2707291cc2eee2b30eafa |
| SHA1 | 750f9698e9fd7cfab7244a75d351c31f07c0f64e |
| SHA256 | baf6b46471994b837b6b6b17bf627f9f0b5803e231279595890be1b9f581b629 |
| SHA512 | f5ed38fc56f7b0ab229948e2a7b1efafc0d826ef750c31ff221a96f3f0e54c2f376d766d1e22cd3e53ecb8df92374424c7c6c6201796bfe314d2fd70c1ef7c29 |
C:\Users\Admin\AppData\Local\Temp\Tar3AEF.tmp
| MD5 | 9c0c641c06238516f27941aa1166d427 |
| SHA1 | 64cd549fb8cf014fcd9312aa7a5b023847b6c977 |
| SHA256 | 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f |
| SHA512 | 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3b7548c1ef185f0f11a6151ca9a3ffc3 |
| SHA1 | a951e51b9fb6bd790fb8a8b634452608319eec06 |
| SHA256 | 4a1241dbc2a3b0298b002914de9e0bac5cff94a35e7b04029c4e105bdc7c9c15 |
| SHA512 | ca373f9b3c3cbbe07490fb865695dad99a44118f465c25cbc85dd1692f34e2d49ec4c1295d0fbecdd1bcda6d96a22e53d874af398b03ce047db5dd49e68d3167 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 8202a1cd02e7d69597995cabbe881a12 |
| SHA1 | 8858d9d934b7aa9330ee73de6c476acf19929ff6 |
| SHA256 | 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5 |
| SHA512 | 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 510e2ee30caf3f8d7733fc95054d2818 |
| SHA1 | 4d3dbd9bc3f2d978a720cdc52528bebadad22fc7 |
| SHA256 | d12bbb1517f258d01fbda8ef8fc396c4e0f0895c9b8b47e39891e603c23a03a7 |
| SHA512 | 03b6911f8e8dddfd47fcf478a86ae57425e6b4be97a243a9f349494da43f22b118aec30a266588cddda64bdef72a931740010b5f66a4a908729e847c6620c6b5 |
memory/2512-74-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2512-73-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 117581c8a2ff4fce10d77d2f81dd0cdc |
| SHA1 | a0fbeeef3c720485767906ddf3d699f78bd3a692 |
| SHA256 | 14924e43f9d37b1bfca5c3d878e9ad833b26ce047840565801eb2aa2257770e2 |
| SHA512 | 4230d5299fb961cb1d2ea3bd971e3df2cc3bdd10ff4331e672bfb4ab49a68f757df0d433dc0cfc8f07a6b6e0b51166cb571eefa93eb9a41f98197fcce5eec9a8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 9b7c24719412e6c894f22268580efe3f |
| SHA1 | a05377aedd57079dab7f568eed23774b713cfc60 |
| SHA256 | 05ec0e390a9362f23ced706b37c1ff553639981ba6e47c6b4e8df4c0cba0a2ec |
| SHA512 | ab551e7ec7ed479c4feef24df88d80658ef255f4c260c4f4b10bbad8a241c5ee2102b54f3d6eb72e7cfd7b29bf6d147dcd2c1f03ce95db2c0061ad79e20561d1 |
memory/2512-75-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2512-78-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2512-80-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2512-81-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2512-82-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2512-83-0x0000000000400000-0x0000000000537000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-27 06:19
Reported
2024-01-27 06:22
Platform
win10v2004-20231215-en
Max time kernel
146s
Max time network
150s
Command Line
Signatures
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\06fe5c60-4eba-4c3c-9999-b0a39ed2602e\\797e3e1110e0486621a7b615ef234f1f.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4976 set thread context of 316 | N/A | C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe | C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe |
| PID 3368 set thread context of 3420 | N/A | C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe | C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe
"C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe"
C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe
"C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\06fe5c60-4eba-4c3c-9999-b0a39ed2602e" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe
"C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe
"C:\Users\Admin\AppData\Local\Temp\797e3e1110e0486621a7b615ef234f1f.exe" --Admin IsNotAutoStart IsNotTask
Network
| Country | Destination | Domain | Proto |
| US | 20.231.121.79:80 | N/A | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.18.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.65.21.104.in-addr.arpa | udp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | securebiz.org | udp |
| US | 8.8.8.8:53 | astdg.top | udp |
| US | 8.8.8.8:53 | astdg.top | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | astdg.top | udp |
| US | 8.8.8.8:53 | astdg.top | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.143.182.52.in-addr.arpa | udp |
Files
memory/4976-1-0x0000000004A60000-0x0000000004AFB000-memory.dmp
memory/4976-2-0x0000000004B60000-0x0000000004C7B000-memory.dmp
memory/316-3-0x0000000000400000-0x0000000000537000-memory.dmp
memory/316-4-0x0000000000400000-0x0000000000537000-memory.dmp
memory/316-5-0x0000000000400000-0x0000000000537000-memory.dmp
memory/316-6-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\06fe5c60-4eba-4c3c-9999-b0a39ed2602e\797e3e1110e0486621a7b615ef234f1f.exe
| MD5 | e5f0045b8e7132ba6749252cf90a0625 |
| SHA1 | 1cf640edba0758f946bddcf93a97f7ef2da0c18a |
| SHA256 | d7413120af2e9d7e749aac63681d5ca58846e759e830854fe646039bf317b4d3 |
| SHA512 | 6bdb4f213c3eaf9d27d204a10f22d052d4d4a7711d1d4898f4b740e8fd4fd2fd29b88361734004539e7242d48cce17e35d70ec017551d0c04ca8d5046a3da96e |
memory/316-18-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3368-20-0x0000000004910000-0x00000000049AF000-memory.dmp
memory/3420-22-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3420-23-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3420-24-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 8202a1cd02e7d69597995cabbe881a12 |
| SHA1 | 8858d9d934b7aa9330ee73de6c476acf19929ff6 |
| SHA256 | 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5 |
| SHA512 | 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | a1c28371391eddea308574b3037df848 |
| SHA1 | 9735ace763cc213a153040ecbe0d3d6bd6f40eb1 |
| SHA256 | ab898305fce434823116aebdd24261c65df599b15c53fab40730714d734a9837 |
| SHA512 | 9c64ecec2f32dd7d578c03d7f1140752d2b25ab2d8e01030f73484c812ca21eba068777aa363b933fdd5b06b0a22faaeaa694ca1530c15f7b334aeadf75ff6bf |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 117581c8a2ff4fce10d77d2f81dd0cdc |
| SHA1 | a0fbeeef3c720485767906ddf3d699f78bd3a692 |
| SHA256 | 14924e43f9d37b1bfca5c3d878e9ad833b26ce047840565801eb2aa2257770e2 |
| SHA512 | 4230d5299fb961cb1d2ea3bd971e3df2cc3bdd10ff4331e672bfb4ab49a68f757df0d433dc0cfc8f07a6b6e0b51166cb571eefa93eb9a41f98197fcce5eec9a8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 3b9de6831560601ff09ec87729aa712a |
| SHA1 | a98a1f7027d0a406f7ee581ceea91b22c985bfb7 |
| SHA256 | c5e56fcf79f9d1581c6a54fe1ed1e2e97ea927c9a4fe5ada14e770a5de5adf5c |
| SHA512 | e68141cd7de91a50c67749317614ae183ae5e6826078f5b01ede566e2f03461693043435f686a65c6e2d1cc5044e2ab7e617e069d801ca14384146c978c6282c |
memory/3420-31-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3420-32-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3420-33-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3420-35-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3420-37-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3420-38-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3420-39-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3420-41-0x0000000000400000-0x0000000000537000-memory.dmp