Malware Analysis Report

2024-10-23 16:21

Sample ID 240810-edvslsydjd
Target 2024-08-10_258b365aa910c2560eee37b70df27656_stop
SHA256 ca6794679dc6c84aa9870304229cbbbcd4a6c97149bb8bb1fc01912a64d17e2c
Tags
djvu discovery persistence ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ca6794679dc6c84aa9870304229cbbbcd4a6c97149bb8bb1fc01912a64d17e2c

Threat Level: Known bad

The file 2024-08-10_258b365aa910c2560eee37b70df27656_stop was found to be: Known bad.

Malicious Activity Summary

djvu discovery persistence ransomware

Detected Djvu ransomware

Djvu family

Djvu Ransomware

Modifies file permissions

Checks computer location settings

Adds Run key to start application

Looks up external IP address via web service

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Enterprise Matrix V15

Technique mapping derived from the signatures listed in this report (editor's mapping to ATT&CK v15 technique IDs, not the report's own matrix rendering):

T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (SysHelper Run value pointing at the dropped copy with --AutoStart)
T1222.001 File and Directory Permissions Modification: Windows File and Directory Permissions Modification (icacls /deny on the drop folder)
T1614 System Location Discovery (Control Panel\International\Geo\Nation query, behavioral2)
T1614.001 System Location Discovery: System Language Discovery (NLS\Language key opened in both runs)
T1082 System Information Discovery (physical storage device enumeration)
T1016 System Network Configuration Discovery (external IP lookup via api.2ip.ua)

T1486 Data Encrypted for Impact is what the Djvu family is detected for, but neither detonation lists encrypted files or a ransom note, so it is not mapped as observed in these runs.

Analysis: static1

Detonation Overview

Reported

2024-08-10 03:49

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Djvu family

djvu

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-10 03:49

Reported

2024-08-10 03:52

Platform

win7-20240705-en

Max time kernel

33s

Max time network

33s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-10_258b365aa910c2560eee37b70df27656_stop.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\7353fd3e-2dfe-427e-84c3-86c20f0ca404\\2024-08-10_258b365aa910c2560eee37b70df27656_stop.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\2024-08-10_258b365aa910c2560eee37b70df27656_stop.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-08-10_258b365aa910c2560eee37b70df27656_stop.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-08-10_258b365aa910c2560eee37b70df27656_stop.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2244 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-10_258b365aa910c2560eee37b70df27656_stop.exe C:\Windows\SysWOW64\icacls.exe
PID 2244 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-10_258b365aa910c2560eee37b70df27656_stop.exe C:\Windows\SysWOW64\icacls.exe
PID 2244 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-10_258b365aa910c2560eee37b70df27656_stop.exe C:\Windows\SysWOW64\icacls.exe
PID 2244 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-10_258b365aa910c2560eee37b70df27656_stop.exe C:\Windows\SysWOW64\icacls.exe
PID 2244 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-10_258b365aa910c2560eee37b70df27656_stop.exe C:\Users\Admin\AppData\Local\Temp\2024-08-10_258b365aa910c2560eee37b70df27656_stop.exe
PID 2244 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-10_258b365aa910c2560eee37b70df27656_stop.exe C:\Users\Admin\AppData\Local\Temp\2024-08-10_258b365aa910c2560eee37b70df27656_stop.exe
PID 2244 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-10_258b365aa910c2560eee37b70df27656_stop.exe C:\Users\Admin\AppData\Local\Temp\2024-08-10_258b365aa910c2560eee37b70df27656_stop.exe
PID 2244 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-10_258b365aa910c2560eee37b70df27656_stop.exe C:\Users\Admin\AppData\Local\Temp\2024-08-10_258b365aa910c2560eee37b70df27656_stop.exe

All eight writes originate from PID 2244 (the original sample process) and land in the two processes it spawns, icacls.exe (PID 1692) and its own second instance (PID 2420). That pattern is consistent with a parent populating the address space of children it has just created, not with injection into an unrelated process, so treat this signature as supporting context for the process tree rather than as a separate injection finding.

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-10_258b365aa910c2560eee37b70df27656_stop.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-10_258b365aa910c2560eee37b70df27656_stop.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\7353fd3e-2dfe-427e-84c3-86c20f0ca404" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\2024-08-10_258b365aa910c2560eee37b70df27656_stop.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-10_258b365aa910c2560eee37b70df27656_stop.exe" --Admin IsNotAutoStart IsNotTask
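The three processes above form one chain: the sample copies itself to a GUID-named folder under %LOCALAPPDATA% (the dropped file in the Files section carries the same hashes as the sample), registers that copy as a per-user Run value named SysHelper with the --AutoStart switch, strips DELETE and DELETE_CHILD from Everyone (S-1-1-0) on the folder so the copy is hard to remove, and relaunches itself with --Admin IsNotAutoStart IsNotTask. behavioral2 repeats the same chain with a different GUID (d41ca5c6-...). The Python below is an added detection example written for this report, not code from the sandbox or the malware; the events it runs over are constructed Sysmon-style records built from the indicators on this page (Event ID 13 for the registry write, Event ID 1 for process creation), plus one benign Run value as a control. The cleanup commands it emits assume the process has already been killed; the deny ACE has to come off before the folder can be deleted.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Sample and drop paths copied from this report's behavioral1 run.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-08-10_258b365aa910c2560eee37b70df27656_stop.exe"
DROP_DIR = r"C:\Users\Admin\AppData\Local\7353fd3e-2dfe-427e-84c3-86c20f0ca404"
DROPPED = DROP_DIR + r"\2024-08-10_258b365aa910c2560eee37b70df27656_stop.exe"
RUN_KEY = r"HKU\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed Sysmon-style events (ID 13 = registry value set, ID 1 = process
# create) mirroring the report's indicators, plus a benign Run value as a
# control. These are not real telemetry.
EVENTS = [
    {"EventID": 13, "Image": SAMPLE, "TargetObject": RUN_KEY + r"\SysHelper",
     "Details": '"' + DROPPED + '" --AutoStart'},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\icacls.exe", "ParentImage": SAMPLE,
     "CommandLine": 'icacls "' + DROP_DIR + '" /deny *S-1-1-0:(OI)(CI)(DE,DC)'},
    {"EventID": 1, "Image": SAMPLE, "ParentImage": SAMPLE,
     "CommandLine": '"' + SAMPLE + '" --Admin IsNotAutoStart IsNotTask'},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe", "TargetObject": RUN_KEY + r"\OneDrive",
     "Details": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]

# %LOCALAPPDATA%\<GUID>: the drop location used in both detonations.
GUID_DIR = re.compile(
    r"[a-z]:\\users\\[^\\]+\\appdata\\local\\"
    r"([0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12})\b", re.IGNORECASE)
RUN_VALUE = re.compile(r"\\currentversion\\run\\([^\\]+)$", re.IGNORECASE)
# Deny Everyone (S-1-1-0) DELETE (DE) and DELETE_CHILD (DC), inherited by
# files (OI) and subfolders (CI).
ICACLS_DENY = re.compile(r"/deny\s+\*S-1-1-0:\(OI\)\(CI\)\(DE,DC\)", re.IGNORECASE)
RELAUNCH_ARGS = "--Admin IsNotAutoStart IsNotTask"


@dataclass(frozen=True)
class Finding:
    rule: str
    guid: Optional[str]  # drop-folder GUID when the indicator carries one
    detail: str


def check_run_key(ev: dict) -> Optional[Finding]:
    """Run value whose data launches a binary from %LOCALAPPDATA%\\<GUID>\\ with --AutoStart."""
    if ev.get("EventID") != 13:
        return None
    name = RUN_VALUE.search(ev.get("TargetObject", ""))
    data = ev.get("Details", "")
    guid = GUID_DIR.search(data)
    if name and guid and "--AutoStart" in data:
        return Finding("djvu_run_key", guid.group(1).lower(), f"Run\\{name.group(1)} = {data}")
    return None


def check_icacls_deny(ev: dict) -> Optional[Finding]:
    """icacls stripping delete rights from Everyone on a %LOCALAPPDATA%\\<GUID> folder."""
    if ev.get("EventID") != 1 or not ev.get("Image", "").lower().endswith(r"\icacls.exe"):
        return None
    cmd = ev.get("CommandLine", "")
    if not ICACLS_DENY.search(cmd):
        return None
    guid = GUID_DIR.search(cmd)
    return Finding("djvu_icacls_deny_everyone", guid.group(1).lower() if guid else None, cmd)


def check_relaunch(ev: dict) -> Optional[Finding]:
    """The sample re-executing itself with the family's --Admin IsNotAutoStart IsNotTask switches."""
    if ev.get("EventID") != 1 or RELAUNCH_ARGS not in ev.get("CommandLine", ""):
        return None
    if ev.get("Image", "").lower() != ev.get("ParentImage", "").lower():
        return None
    return Finding("djvu_self_relaunch", None, ev["CommandLine"])


def analyze(events: list) -> list:
    findings = []
    for ev in events:
        for check in (check_run_key, check_icacls_deny, check_relaunch):
            f = check(ev)
            if f:
                findings.append(f)
    return findings


def correlated_guids(findings: list) -> dict:
    """GUIDs hit by more than one rule. A Run value and an icacls deny that point at the
    same folder is the chain this report shows, and is far stronger than either alone."""
    by_guid = {}
    for f in findings:
        if f.guid:
            by_guid.setdefault(f.guid, set()).add(f.rule)
    return {g: rules for g, rules in by_guid.items() if len(rules) > 1}


def cleanup_commands(run_key: str, value_name: str, drop_dir: str) -> list:
    """Commands to run after the process is killed (assumed remediation order):
    drop the Run value, remove the deny ACE for Everyone, then delete the folder."""
    return [
        f'reg delete "{run_key}" /v {value_name} /f',
        f'icacls "{drop_dir}" /remove:d *S-1-1-0 /T',
        f'rmdir /s /q "{drop_dir}"',
    ]


if __name__ == "__main__":
    found = analyze(EVENTS)
    for f in found:
        print(f.rule, f.guid, f.detail)
    print("correlated:", correlated_guids(found))
    print("\n".join(cleanup_commands(RUN_KEY, "SysHelper", DROP_DIR)))
```

The GUID correlation is the part worth keeping in a real rule: a Run value under %LOCALAPPDATA% or an icacls deny on its own will fire on some legitimate installers, but the two referencing the same freshly created GUID folder, from the same parent, within seconds, is specific to this family's installation routine. Because the Run value lives under the user's hive (HKU\<SID>, i.e. HKCU), the persistence is per-user and runs at that user's logon, which is also why the cleanup uses reg delete against the full HKU path rather than HKLM.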

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 c.pki.goog udp
NL 142.250.179.131:80 c.pki.goog tcp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 uaery.top udp
US 8.8.8.8:53 drampik.com udp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.18.190.80:80 crl.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\7353fd3e-2dfe-427e-84c3-86c20f0ca404\2024-08-10_258b365aa910c2560eee37b70df27656_stop.exe

MD5 258b365aa910c2560eee37b70df27656
SHA1 117e38e9ea29f84128ab63e03c3694fc1acc5eec
SHA256 ca6794679dc6c84aa9870304229cbbbcd4a6c97149bb8bb1fc01912a64d17e2c
SHA512 7ca59107ca25875651d27dfedc6cb0af1528e6cd32d237c4e7986112b9065567ad96784d57bef9ce4b67258bdc04943d1b864fdd1de278d34fea54ec2745e328

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

MD5 7fb5fa1534dcf77f2125b2403b30a0ee
SHA1 365d96812a69ac0a4611ea4b70a3f306576cc3ea
SHA256 33a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f
SHA512 a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

MD5 e1eb98f47ffe175a2f055c03ca733744
SHA1 3cb174e7e30f18009b404bc6021359783ad02af8
SHA256 fccea3c4734292d8554df4a854013c76bfbef5a3195afb12d54e7002e1677b51
SHA512 9489572d59a91d3562bc75f720d0d90bfd5415fae2d7de3d9e8443d46227999eb375aeefff3f0c2b089de14be53fc8753cb9677514241ad9912f3ecde65766ef

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

MD5 971c514f84bba0785f80aa1c23edfd79
SHA1 732acea710a87530c6b08ecdf32a110d254a54c8
SHA256 f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895
SHA512 43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

MD5 9cf9f95c90c649e23d02d7d86b24cd1c
SHA1 f122a1e7f71714448d8115c5b5c0a577f8f651cc
SHA256 d0fe22ae5d169e2838dd3dd8465b230ce8284cc61003c4a3ed7fc5bba4363716
SHA512 079731fdb43e51ec2c0ef9d09a3eb0f7f7cac661d1cee17ceec486e9b7ac4e89e6f73c568548bfa918c53d51507251a4691a1920e14ab9795838eb4d338e28bb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d3a9ab63ddaab74bedc1e9ee07bca90f
SHA1 720bce5e62acd0db90547c2cfad08f5fa70ac902
SHA256 0fd7bedeb4cd6e9976aedba249e66e613b15a27ef1ee2eea7bec2bfd7a9c650c
SHA512 c40b4dafe2b0aa7a220fad1ab83b3f93059474f1f9259a1c4c90e13b4fc9637d5457af11d5ca73205663c6e7ae2afdb42aac7e615df4ebbcee9e55bafe7ed5dd

C:\Users\Admin\AppData\Local\Temp\Cab7C32.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-10 03:49

Reported

2024-08-10 03:52

Platform

win10v2004-20240802-en

Max time kernel

133s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-10_258b365aa910c2560eee37b70df27656_stop.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2024-08-10_258b365aa910c2560eee37b70df27656_stop.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\d41ca5c6-ce65-4178-a2d9-e93600f47eb0\\2024-08-10_258b365aa910c2560eee37b70df27656_stop.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\2024-08-10_258b365aa910c2560eee37b70df27656_stop.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-08-10_258b365aa910c2560eee37b70df27656_stop.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-08-10_258b365aa910c2560eee37b70df27656_stop.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-10_258b365aa910c2560eee37b70df27656_stop.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-10_258b365aa910c2560eee37b70df27656_stop.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\d41ca5c6-ce65-4178-a2d9-e93600f47eb0" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\2024-08-10_258b365aa910c2560eee37b70df27656_stop.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-10_258b365aa910c2560eee37b70df27656_stop.exe" --Admin IsNotAutoStart IsNotTask

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 c.pki.goog udp
NL 142.250.179.131:80 c.pki.goog tcp
US 8.8.8.8:53 220.139.67.172.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 131.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 uaery.top udp
US 8.8.8.8:53 drampik.com udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 drampik.com udp
US 8.8.8.8:53 drampik.com udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 drampik.com udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
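Read together, the two network tables (behavioral1 and behavioral2) split into three groups: platform noise the sample did not cause (c.pki.goog and crl.microsoft.com are certificate and CRL fetches that also explain the CryptnetUrlCache files in the Files section, tse1.mm.bing.net is Windows 10 shell traffic, and the in-addr.arpa rows are the sandbox reverse-resolving addresses it just saw); api.2ip.ua, the external IP lookup, which was actually contacted over TCP 443 in both runs; and uaery.top and drampik.com, which appear only as DNS queries with no matching TCP row, so within these detonation windows they were resolved (or attempted) but never connected to. The Python below is an added triage example, not part of the sandbox report; the rows are copied from this page's tables into one constructed blob, and the platform allowlist is an assumption of the example, not something the report states.

```python
import re
from collections import defaultdict

# Rows copied from the behavioral1 and behavioral2 network tables of this
# report ("Country Destination Domain Proto"), combined into one constructed blob.
NETWORK_TABLE = """\
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 c.pki.goog udp
NL 142.250.179.131:80 c.pki.goog tcp
US 8.8.8.8:53 uaery.top udp
US 8.8.8.8:53 drampik.com udp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.18.190.80:80 crl.microsoft.com tcp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 220.139.67.172.in-addr.arpa udp
US 8.8.8.8:53 drampik.com udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
"""

# Assumed allowlist (example's own, not from the report): CRL/certificate
# fetches and Windows shell traffic seen in most Windows detonations.
PLATFORM_NOISE = {"c.pki.goog", "crl.microsoft.com", "tse1.mm.bing.net"}
# The "Looks up external IP address via web service" indicator. A legitimate
# service the sample abuses, so it is context for the timeline, not a blockable IOC.
IP_LOOKUP_SERVICES = {"api.2ip.ua"}

ROW = re.compile(r"^(?P<cc>[A-Z]{2})\s+(?P<dst>\S+)\s+(?P<domain>\S+)\s+(?P<proto>udp|tcp)$")


def parse_rows(text: str) -> list:
    """Parse the report's space-separated rows into dicts; skips header/blank lines."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def triage(rows: list) -> dict:
    """Split names into platform noise, IP-lookup services, names the sample actually
    connected to (with endpoints), and names it only resolved."""
    dns_queried, contacted = set(), defaultdict(set)
    for r in rows:
        if r["domain"].endswith(".in-addr.arpa"):
            continue  # sandbox reverse lookups of addresses it just observed
        if r["proto"] == "udp" and r["dst"].endswith(":53"):
            dns_queried.add(r["domain"])
        else:
            contacted[r["domain"]].add(r["dst"])
    result = {"noise": set(), "ip_lookup": {}, "sample_contacted": {}, "sample_dns_only": set()}
    for d in dns_queried | set(contacted):
        if d in PLATFORM_NOISE:
            result["noise"].add(d)
        elif d in IP_LOOKUP_SERVICES:
            result["ip_lookup"][d] = contacted.get(d, set())
        elif d in contacted:
            result["sample_contacted"][d] = contacted[d]
        else:
            result["sample_dns_only"].add(d)
    return result


def iocs(result: dict) -> list:
    """Hunt list: sample-attributable domains plus any endpoints they were seen connecting to."""
    out = set(result["sample_dns_only"]) | set(result["sample_contacted"])
    for endpoints in result["sample_contacted"].values():
        out |= endpoints
    return sorted(out)


if __name__ == "__main__":
    verdict = triage(parse_rows(NETWORK_TABLE))
    for group, names in verdict.items():
        print(f"{group}: {names}")
    print("IOCs to hunt:", iocs(verdict))
```

For the two DNS-only names the useful pivot is DNS telemetry rather than proxy or firewall logs: a host that queried uaery.top or drampik.com has run this sample (or a sibling build) regardless of whether the connection ever succeeded, and the detonation window here (33s on Windows 7, 133s on Windows 10) is short enough that an absent TCP row should not be read as the infrastructure being dead.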

Files

C:\Users\Admin\AppData\Local\d41ca5c6-ce65-4178-a2d9-e93600f47eb0\2024-08-10_258b365aa910c2560eee37b70df27656_stop.exe

MD5 258b365aa910c2560eee37b70df27656
SHA1 117e38e9ea29f84128ab63e03c3694fc1acc5eec
SHA256 ca6794679dc6c84aa9870304229cbbbcd4a6c97149bb8bb1fc01912a64d17e2c
SHA512 7ca59107ca25875651d27dfedc6cb0af1528e6cd32d237c4e7986112b9065567ad96784d57bef9ce4b67258bdc04943d1b864fdd1de278d34fea54ec2745e328

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

MD5 971c514f84bba0785f80aa1c23edfd79
SHA1 732acea710a87530c6b08ecdf32a110d254a54c8
SHA256 f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895
SHA512 43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

MD5 dccfc76b23de7d8992b506e0bfcadd22
SHA1 a033109058a24fa78aa067a4c62b0c5f1821f0a7
SHA256 3c21063f50fcaf076358fe027fb9f58ebfa65cfc2d99a5576b1482b472ba7324
SHA512 f03e6e13215fa64a48155c1a262e0976d0465108426975e552389e4cccf2aa6ef278be8fb4bcdd3c584fbf72134da4eb3ee2e1657051c5cacba3fddf6b5578c2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

MD5 7fb5fa1534dcf77f2125b2403b30a0ee
SHA1 365d96812a69ac0a4611ea4b70a3f306576cc3ea
SHA256 33a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f
SHA512 a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

MD5 a37cb0bb827c63939180cbc92f0a438c
SHA1 9be393f18f708c2919dbd3fc34c9b96253a4a55a
SHA256 2f44f23d55342967b1bae4289fe4531cb6273a34dc13d81962c1b4ee81e148ab
SHA512 0bea92f2431909490c293b04c01cb0583bcb51f1298c5749081413a9f90a1656dcd0436e8858bf9cc5c86cdedbde93a64fd7b726894a3f94c1e1866c86d81dde