Analysis Overview
SHA256
98ac763be5d695eff229e1ef2ac3cec8298e0023885fdd69fb15ac8da7adcbf7
Threat Level: Known bad
The file build.bin was found to be: Known bad.
Malicious Activity Summary
Detected Djvu ransomware
Djvu Ransomware
Modifies file permissions
Checks computer location settings
Adds Run key to start application
Looks up external IP address via web service
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-28 05:26
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-28 05:26
Reported
2024-01-28 05:30
Platform
win7-20231215-en
Max time kernel
209s
Max time network
156s
Command Line
Signatures
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\1ebda8c6-3cf4-4234-abdc-05284fb54f90\\build.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2640 set thread context of 2224 | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | C:\Users\Admin\AppData\Local\Temp\build.exe |
| PID 2584 set thread context of 2608 | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | C:\Users\Admin\AppData\Local\Temp\build.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\build.exe
"C:\Users\Admin\AppData\Local\Temp\build.exe"
C:\Users\Admin\AppData\Local\Temp\build.exe
"C:\Users\Admin\AppData\Local\Temp\build.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\1ebda8c6-3cf4-4234-abdc-05284fb54f90" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\build.exe
"C:\Users\Admin\AppData\Local\Temp\build.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\build.exe
"C:\Users\Admin\AppData\Local\Temp\build.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | habrafa.com | udp |
| KR | 211.171.233.129:80 | habrafa.com | tcp |
Files
memory/2640-0-0x00000000002F0000-0x0000000000381000-memory.dmp
memory/2640-1-0x00000000002F0000-0x0000000000381000-memory.dmp
memory/2640-3-0x0000000002D40000-0x0000000002E5B000-memory.dmp
memory/2224-5-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2224-2-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2224-7-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2224-8-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\1ebda8c6-3cf4-4234-abdc-05284fb54f90\build.exe
| MD5 | d1aa460d429d1a3a7354252293cb487f |
| SHA1 | 99f429ea0e47ddd7cf2956b5d88f78c0633a3fbf |
| SHA256 | 98ac763be5d695eff229e1ef2ac3cec8298e0023885fdd69fb15ac8da7adcbf7 |
| SHA512 | dfb81e8d389437859b752ce1f170eb22a9acc528e38ccc166e81d0f981c44aabb49b12d6930d97245aa78b758898e41eaa3eb7a6c56d2b08f931434a2d7e0e5a |
memory/2584-29-0x0000000000310000-0x00000000003A1000-memory.dmp
memory/2224-28-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2584-31-0x0000000000310000-0x00000000003A1000-memory.dmp
memory/2608-36-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2608-37-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | b40baee421e93a6145908f67787a291a |
| SHA1 | 311874de97781222e06810a295e2f78a67b84f81 |
| SHA256 | 25d9d82b04a8a02ccdf9e5980ff2749edcae335faf854d05e24a4a42b35bfa17 |
| SHA512 | 77ceb1d112977f51b89484cbf29c7e299b9e44ba8e8f3daba20cfc71782b2cb1de99c58aaeae4f9741cb13a7389743863927cec42036666e3acf980be2cfd935 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 93722837fe187289d15355874774372a |
| SHA1 | cddfb160168d44fbcf43d21d99da3351a1263aaa |
| SHA256 | 7760366ad266dce5bf56855cba99129fa23d76844da13c3eb4b765d33d781fdd |
| SHA512 | 0b7e4076d0298a8454348db1ea6fb75bf323f854a6064355a36dfdbf66f42371c00f7b9f528b28815d90aee5608f6721ef70b42e23b59e312eee849b1558f0a7 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 8202a1cd02e7d69597995cabbe881a12 |
| SHA1 | 8858d9d934b7aa9330ee73de6c476acf19929ff6 |
| SHA256 | 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5 |
| SHA512 | 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | d29402008ec97ec2b47d15f9abba1924 |
| SHA1 | 5aca95bef3e215d03d356c5b1a7729180c422c52 |
| SHA256 | 6b9d2009faefd70facb7bfcd45e33e16f01d7a0b17005477479dc7bc0583d614 |
| SHA512 | 54d00fee4f8281e00e5cd2a88b261250e08d7aaee677fbda87a94da7cb5f903fa8354eb5040ad53d781332844f19538929ea866bffa9712a87013ceb512449f2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2102e9e9e3acf804b7958e92029b1ffb |
| SHA1 | 7a889a09e92dc523b9d3a2ec36653262ddaabac7 |
| SHA256 | 13989c3a23cbeeb6c7eb9b001c075f15320b21341936a4a44a567fb4deee244b |
| SHA512 | 78254f2b683d089970a6d4229e64a96413f8884d3273a9304faed9adc927d8dd88634e9a4a21128da36596fd672c6a035af614d16b11e04cdfc05b9d74a197de |
C:\Users\Admin\AppData\Local\Temp\Cab7907.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
memory/2608-52-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2608-50-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2608-56-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2608-58-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2608-59-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2608-60-0x0000000000400000-0x0000000000537000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-28 05:26
Reported
2024-01-28 05:30
Platform
win10v2004-20231215-en
Max time kernel
203s
Max time network
200s
Command Line
Signatures
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\74277d27-d64e-4c36-b71b-9c16c9baa79f\\build.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1416 set thread context of 2360 | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | C:\Users\Admin\AppData\Local\Temp\build.exe |
| PID 3524 set thread context of 1956 | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | C:\Users\Admin\AppData\Local\Temp\build.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\build.exe
"C:\Users\Admin\AppData\Local\Temp\build.exe"
C:\Users\Admin\AppData\Local\Temp\build.exe
"C:\Users\Admin\AppData\Local\Temp\build.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\74277d27-d64e-4c36-b71b-9c16c9baa79f" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\build.exe
"C:\Users\Admin\AppData\Local\Temp\build.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\build.exe
"C:\Users\Admin\AppData\Local\Temp\build.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | 24.65.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.214.58.216.in-addr.arpa | udp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | habrafa.com | udp |
| KR | 210.182.29.70:80 | habrafa.com | tcp |
| US | 8.8.8.8:53 | 70.29.182.210.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.65.42.20.in-addr.arpa | udp |
Files
memory/1416-1-0x0000000002C50000-0x0000000002CE9000-memory.dmp
memory/1416-2-0x00000000048C0000-0x00000000049DB000-memory.dmp
memory/2360-3-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2360-4-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2360-5-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2360-6-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\74277d27-d64e-4c36-b71b-9c16c9baa79f\build.exe
| MD5 | d1aa460d429d1a3a7354252293cb487f |
| SHA1 | 99f429ea0e47ddd7cf2956b5d88f78c0633a3fbf |
| SHA256 | 98ac763be5d695eff229e1ef2ac3cec8298e0023885fdd69fb15ac8da7adcbf7 |
| SHA512 | dfb81e8d389437859b752ce1f170eb22a9acc528e38ccc166e81d0f981c44aabb49b12d6930d97245aa78b758898e41eaa3eb7a6c56d2b08f931434a2d7e0e5a |
memory/2360-18-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3524-19-0x0000000002C50000-0x0000000002CE9000-memory.dmp
memory/1956-22-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1956-23-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1956-24-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | b40baee421e93a6145908f67787a291a |
| SHA1 | 311874de97781222e06810a295e2f78a67b84f81 |
| SHA256 | 25d9d82b04a8a02ccdf9e5980ff2749edcae335faf854d05e24a4a42b35bfa17 |
| SHA512 | 77ceb1d112977f51b89484cbf29c7e299b9e44ba8e8f3daba20cfc71782b2cb1de99c58aaeae4f9741cb13a7389743863927cec42036666e3acf980be2cfd935 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 8202a1cd02e7d69597995cabbe881a12 |
| SHA1 | 8858d9d934b7aa9330ee73de6c476acf19929ff6 |
| SHA256 | 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5 |
| SHA512 | 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 054ce26a0444218528010818664ff8be |
| SHA1 | 62de3e0f1f134b9d553f4fc778e45e2ef557fb80 |
| SHA256 | 975d598cebf03cf9684e30380019f18ef1996e46329b20857f52a719fb0b1df8 |
| SHA512 | 1d1f298bbfe779f099930382ced65fe4bd814c7091bad668d0f93be8b8ac52de8b36f312416ed1e3b095553f22c0fb3f4d0ffa60013b75f7012cf4b4775b9425 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 2b8b20b766bda4518d07dd3ca498416f |
| SHA1 | 7cbedabc5d3ad8102e5504326cc2196f915cf9b0 |
| SHA256 | 35316d7e7398169d0f4ede19a56fc4845f241738db8b55ae46effd0a99fb656b |
| SHA512 | 47103ff597531cbd4d397182a9dc44cdeafc1d5c0fbd235bc3d2561b0304f93f56878b638c2c1fe2eb8b42e03e65413924594b81cf314ddbeda53e6c4c73ff11 |
memory/1956-29-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1956-31-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1956-35-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1956-37-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1956-38-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1956-39-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1956-41-0x0000000000400000-0x0000000000537000-memory.dmp