Malware Analysis Report

2024-10-19 01:46

Sample ID 240808-ndmaxasgmq
Target 2024-08-08_c11cf10ac6c3b434565b929ddf84c534_stop
SHA256 8268b6324c6890e1c93813ebbef9164c962af7be7a67f930c00e7879e1115014
Tags
djvu discovery persistence ransomware
score
10/10

Analysis Overview

score
10/10

SHA256

8268b6324c6890e1c93813ebbef9164c962af7be7a67f930c00e7879e1115014

Threat Level: Known bad

The file 2024-08-08_c11cf10ac6c3b434565b929ddf84c534_stop was found to be: Known bad.

Malicious Activity Summary

djvu discovery persistence ransomware

Djvu Ransomware

Detected Djvu ransomware

Djvu family

Checks computer location settings

Modifies file permissions

Adds Run key to start application

Looks up external IP address via web service

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-08 11:16

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Djvu family

djvu

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-08 11:16

Reported

2024-08-08 11:19

Platform

win7-20240708-en

Max time kernel

118s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-08_c11cf10ac6c3b434565b929ddf84c534_stop.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\ef1b9148-c49a-4738-8b4d-4c224b48f575\\2024-08-08_c11cf10ac6c3b434565b929ddf84c534_stop.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\2024-08-08_c11cf10ac6c3b434565b929ddf84c534_stop.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-08-08_c11cf10ac6c3b434565b929ddf84c534_stop.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-08-08_c11cf10ac6c3b434565b929ddf84c534_stop.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2924 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-08_c11cf10ac6c3b434565b929ddf84c534_stop.exe C:\Windows\SysWOW64\icacls.exe
PID 2924 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-08_c11cf10ac6c3b434565b929ddf84c534_stop.exe C:\Windows\SysWOW64\icacls.exe
PID 2924 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-08_c11cf10ac6c3b434565b929ddf84c534_stop.exe C:\Windows\SysWOW64\icacls.exe
PID 2924 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-08_c11cf10ac6c3b434565b929ddf84c534_stop.exe C:\Windows\SysWOW64\icacls.exe
PID 2924 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-08_c11cf10ac6c3b434565b929ddf84c534_stop.exe C:\Users\Admin\AppData\Local\Temp\2024-08-08_c11cf10ac6c3b434565b929ddf84c534_stop.exe
PID 2924 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-08_c11cf10ac6c3b434565b929ddf84c534_stop.exe C:\Users\Admin\AppData\Local\Temp\2024-08-08_c11cf10ac6c3b434565b929ddf84c534_stop.exe
PID 2924 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-08_c11cf10ac6c3b434565b929ddf84c534_stop.exe C:\Users\Admin\AppData\Local\Temp\2024-08-08_c11cf10ac6c3b434565b929ddf84c534_stop.exe
PID 2924 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-08_c11cf10ac6c3b434565b929ddf84c534_stop.exe C:\Users\Admin\AppData\Local\Temp\2024-08-08_c11cf10ac6c3b434565b929ddf84c534_stop.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-08_c11cf10ac6c3b434565b929ddf84c534_stop.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-08_c11cf10ac6c3b434565b929ddf84c534_stop.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\ef1b9148-c49a-4738-8b4d-4c224b48f575" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\2024-08-08_c11cf10ac6c3b434565b929ddf84c534_stop.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-08_c11cf10ac6c3b434565b929ddf84c534_stop.exe" --Admin IsNotAutoStart IsNotTask

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 c.pki.goog udp
NL 142.250.179.131:80 c.pki.goog tcp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 uaery.top udp
US 8.8.8.8:53 drampik.com udp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.18.190.71:80 crl.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\ef1b9148-c49a-4738-8b4d-4c224b48f575\2024-08-08_c11cf10ac6c3b434565b929ddf84c534_stop.exe

MD5 c11cf10ac6c3b434565b929ddf84c534
SHA1 622e89291e0de0043f1daa5344d8d90fb26e8bb6
SHA256 8268b6324c6890e1c93813ebbef9164c962af7be7a67f930c00e7879e1115014
SHA512 19c1fc5740ea8d100d8d7df332a21038562a650a2c97e681db6ee19ff17bc56450d69dd96f8f30ae169475856d4fde2fad479acb93ee06e0e63dd9dd1a2a8971

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

C:\Users\Admin\AppData\Local\Temp\Cab3C8.tmp


Analysis: behavioral2

Detonation Overview

Submitted

2024-08-08 11:16

Reported

2024-08-08 11:19

Platform

win10v2004-20240802-en

Max time kernel

98s

Max time network

105s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-08_c11cf10ac6c3b434565b929ddf84c534_stop.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2024-08-08_c11cf10ac6c3b434565b929ddf84c534_stop.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\2aa9a93a-30cb-4a9c-ab71-756110cb1dc1\\2024-08-08_c11cf10ac6c3b434565b929ddf84c534_stop.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\2024-08-08_c11cf10ac6c3b434565b929ddf84c534_stop.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-08-08_c11cf10ac6c3b434565b929ddf84c534_stop.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-08-08_c11cf10ac6c3b434565b929ddf84c534_stop.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-08_c11cf10ac6c3b434565b929ddf84c534_stop.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-08_c11cf10ac6c3b434565b929ddf84c534_stop.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\2aa9a93a-30cb-4a9c-ab71-756110cb1dc1" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\2024-08-08_c11cf10ac6c3b434565b929ddf84c534_stop.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-08_c11cf10ac6c3b434565b929ddf84c534_stop.exe" --Admin IsNotAutoStart IsNotTask

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 c.pki.goog udp
NL 142.250.179.131:80 c.pki.goog tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 24.65.21.104.in-addr.arpa udp
US 8.8.8.8:53 131.179.250.142.in-addr.arpa udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 uaery.top udp
US 8.8.8.8:53 drampik.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 drampik.com udp
US 8.8.8.8:53 drampik.com udp
US 8.8.8.8:53 drampik.com udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\2aa9a93a-30cb-4a9c-ab71-756110cb1dc1\2024-08-08_c11cf10ac6c3b434565b929ddf84c534_stop.exe

MD5 c11cf10ac6c3b434565b929ddf84c534
SHA1 622e89291e0de0043f1daa5344d8d90fb26e8bb6
SHA256 8268b6324c6890e1c93813ebbef9164c962af7be7a67f930c00e7879e1115014
SHA512 19c1fc5740ea8d100d8d7df332a21038562a650a2c97e681db6ee19ff17bc56450d69dd96f8f30ae169475856d4fde2fad479acb93ee06e0e63dd9dd1a2a8971

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12
