File name: DJVU ransomware.exe

Full analysis: https://app.any.run/tasks/4745d9db-b643-412e-a9a9-ace8f2f777d9
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: April 01, 2023, 07:09:11
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: loader, ransomware, stop, stealer, vidar, trojan
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 454E5D237B4D653690D3DC0353FD1AD4
SHA1: 2FBF4560FB68AB9A984C266E96B80F07E3EE2E4F
SHA256: 3805A3DA1DE4867E80CF097E771A90BB7AFD4EB5C710398BBC870AF90A825EED
SSDEEP: 24576:lgPX0NYTOupbq9q8nEKAz5uBv0DVY+Pa3j1jaV:29TJpKq8nn45lDVYtj1j8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • build2.exe (PID: 2468)
      • build2.exe (PID: 308)
      • build3.exe (PID: 1648)
      • mstsca.exe (PID: 616)
    • Stop is detected

      • DJVU ransomware.exe (PID: 3196)
    • Uses Task Scheduler to run other applications

      • build3.exe (PID: 1648)
      • mstsca.exe (PID: 616)
    • Connects to the CnC server

      • build2.exe (PID: 2468)
    • VIDAR was detected

      • build2.exe (PID: 2468)
    • Steals credentials from Web Browsers

      • build2.exe (PID: 2468)
    • Starts CMD.EXE for self-deleting

      • build2.exe (PID: 2468)
    • Actions look like stealing of personal data

      • build2.exe (PID: 2468)
  • SUSPICIOUS

    • Reads the Internet Settings

      • DJVU ransomware.exe (PID: 2444)
      • DJVU ransomware.exe (PID: 3196)
      • build2.exe (PID: 2468)
    • Application launched itself

      • DJVU ransomware.exe (PID: 2696)
      • DJVU ransomware.exe (PID: 2444)
      • DJVU ransomware.exe (PID: 2456)
      • build2.exe (PID: 308)
    • Uses ICACLS.EXE to modify access control lists

      • DJVU ransomware.exe (PID: 2444)
    • Executable content was dropped or overwritten

      • DJVU ransomware.exe (PID: 2444)
      • DJVU ransomware.exe (PID: 3196)
      • build3.exe (PID: 1648)
      • build2.exe (PID: 2468)
    • Checks Windows Trust Settings

      • DJVU ransomware.exe (PID: 3196)
      • build2.exe (PID: 2468)
    • Reads settings of System Certificates

      • DJVU ransomware.exe (PID: 3196)
      • build2.exe (PID: 2468)
    • Reads security settings of Internet Explorer

      • DJVU ransomware.exe (PID: 3196)
      • build2.exe (PID: 2468)
    • Adds/modifies Windows certificates

      • DJVU ransomware.exe (PID: 2456)
    • The process executes via Task Scheduler

      • mstsca.exe (PID: 616)
    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • build2.exe (PID: 2468)
    • Process requests binary or script from the Internet

      • DJVU ransomware.exe (PID: 3196)
    • Reads browser cookies

      • build2.exe (PID: 2468)
    • Searches for installed software

      • build2.exe (PID: 2468)
    • Starts CMD.EXE for command execution

      • build2.exe (PID: 2468)
    • Connects to the server without a host name

      • build2.exe (PID: 2468)
    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 2500)
  • INFO

    • Checks supported languages

      • DJVU ransomware.exe (PID: 2444)
      • DJVU ransomware.exe (PID: 2696)
      • DJVU ransomware.exe (PID: 3196)
      • DJVU ransomware.exe (PID: 2456)
      • build2.exe (PID: 308)
      • build2.exe (PID: 2468)
      • build3.exe (PID: 1648)
      • mstsca.exe (PID: 616)
    • Reads the computer name

      • DJVU ransomware.exe (PID: 2444)
      • DJVU ransomware.exe (PID: 3196)
      • build2.exe (PID: 2468)
    • The process checks LSA protection

      • DJVU ransomware.exe (PID: 2444)
      • icacls.exe (PID: 2168)
      • DJVU ransomware.exe (PID: 3196)
      • build2.exe (PID: 2468)
      • explorer.exe (PID: 3816)
    • Checks proxy server information

      • DJVU ransomware.exe (PID: 2444)
      • DJVU ransomware.exe (PID: 3196)
      • build2.exe (PID: 2468)
    • Reads the machine GUID from the registry

      • DJVU ransomware.exe (PID: 2444)
      • DJVU ransomware.exe (PID: 3196)
      • build2.exe (PID: 2468)
    • Creates files or folders in the user directory

      • DJVU ransomware.exe (PID: 2444)
      • DJVU ransomware.exe (PID: 3196)
      • build3.exe (PID: 1648)
      • build2.exe (PID: 2468)
    • Creates files in the program directory

      • build2.exe (PID: 2468)
    • Reads product name

      • build2.exe (PID: 2468)
    • Manual execution by a user

      • taskmgr.exe (PID: 2260)
      • WINWORD.EXE (PID: 2744)
      • explorer.exe (PID: 3816)
      • WINWORD.EXE (PID: 2544)
      • WINWORD.EXE (PID: 3260)
    • Reads Environment values

      • build2.exe (PID: 2468)
    • Reads CPU info

      • build2.exe (PID: 2468)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

ProductName: ValveTech
OriginalFileName: DesertEagle.exe
LegalTrademark1: Glob fantasmagoric
InternalName: GrayJump.exe
FilesVersion: 95.13.44.97
FileDescriptions: WorldSrapper
CompanyName: Silly
CharacterSet: Unknown (05E6)
LanguageCode: Unknown (0468)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Windows NT 32-bit
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 1.0.0.0
FileVersionNumber: 16.0.0.0
Subsystem: Windows GUI
SubsystemVersion: 5.1
ImageVersion: -
OSVersion: 5.1
EntryPoint: 0x4339
UninitializedDataSize: -
InitializedDataSize: 41777152
CodeSize: 114688
LinkerVersion: 10
PEType: PE32
ImageFileCharacteristics: No relocs, Executable, 32-bit
TimeStamp: 2022:05:31 00:07:08+00:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 31-May-2022 00:07:08
CompanyName: Silly
FileDescriptions: WorldSrapper
FilesVersion: 95.13.44.97
InternalName: GrayJump.exe
LegalTrademark1: Glob fantasmagoric
OriginalFilename: DesertEagle.exe
ProductName: ValveTech

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000E8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 3
Time date stamp: 31-May-2022 00:07:08
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 0x00001000 | 0x0001BF16 | 0x0001C000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.62349
.data | 0x0001D000 | 0x027BDB34 | 0x00092200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.99569
.rsrc | 0x027DB000 | 0x000140F0 | 0x00014200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.15159

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 5.13522 | 2216 | UNKNOWN | UNKNOWN | RT_ICON
2 | 5.37437 | 4264 | UNKNOWN | UNKNOWN | RT_ICON
3 | 5.49002 | 2216 | UNKNOWN | UNKNOWN | RT_ICON
4 | 3.73464 | 9640 | UNKNOWN | UNKNOWN | RT_ICON
5 | 3.7935 | 4264 | UNKNOWN | UNKNOWN | RT_ICON
6 | 3.46341 | 3752 | UNKNOWN | UNKNOWN | RT_ICON
7 | 3.61254 | 2216 | UNKNOWN | UNKNOWN | RT_ICON
8 | 3.46827 | 1736 | UNKNOWN | UNKNOWN | RT_ICON
9 | 3.14323 | 1384 | UNKNOWN | UNKNOWN | RT_ICON
10 | 3.34317 | 652 | UNKNOWN | UNKNOWN | RT_VERSION

Imports

KERNEL32.dll
USER32.dll
No data.
All screenshots are available in the full report
Total processes
71
Monitored processes
18
Malicious processes
8
Suspicious processes
0

Behavior graph

[Behavior graph: interactive figure not reproduced. Processes shown, with edges labelled "start" or "drop and start": djvu ransomware.exe, icacls.exe, djvu ransomware.exe (#STOP), build2.exe (#VIDAR), build3.exe, schtasks.exe, mstsca.exe, taskmgr.exe, cmd.exe, timeout.exe, explorer.exe, winword.exe; "no specs" marks processes without specific signatures.]

Process information

PID
CMD
Path
Indicators
Parent process
PID: 2696
CMD: "C:\Users\admin\AppData\Local\Temp\DJVU ransomware.exe"
Path: C:\Users\admin\AppData\Local\Temp\DJVU ransomware.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\djvu ransomware.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
PID: 2444
CMD: "C:\Users\admin\AppData\Local\Temp\DJVU ransomware.exe"
Path: C:\Users\admin\AppData\Local\Temp\DJVU ransomware.exe
Parent process: DJVU ransomware.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\djvu ransomware.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\mpr.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\wininet.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\user32.dll
PID: 2168
CMD: icacls "C:\Users\admin\AppData\Local\a4f1d0e5-abab-4c8d-9c92-e61d6d35dabf" /deny *S-1-1-0:(OI)(CI)(DE,DC)
Path: C:\Windows\System32\icacls.exe
Parent process: DJVU ransomware.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\icacls.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
PID: 2456
CMD: "C:\Users\admin\AppData\Local\Temp\DJVU ransomware.exe" --Admin IsNotAutoStart IsNotTask
Path: C:\Users\admin\AppData\Local\Temp\DJVU ransomware.exe
Parent process: DJVU ransomware.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\djvu ransomware.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll
PID: 3196
CMD: "C:\Users\admin\AppData\Local\Temp\DJVU ransomware.exe" --Admin IsNotAutoStart IsNotTask
Path: C:\Users\admin\AppData\Local\Temp\DJVU ransomware.exe
Parent process: DJVU ransomware.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\users\admin\appdata\local\temp\djvu ransomware.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\mpr.dll
c:\windows\system32\wininet.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\user32.dll
PID: 308
CMD: "C:\Users\admin\AppData\Local\fd5e4c81-9b0e-4ec2-b510-c6efed21c3a7\build2.exe"
Path: C:\Users\admin\AppData\Local\fd5e4c81-9b0e-4ec2-b510-c6efed21c3a7\build2.exe
Parent process: DJVU ransomware.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\fd5e4c81-9b0e-4ec2-b510-c6efed21c3a7\build2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
PID: 2468
CMD: "C:\Users\admin\AppData\Local\fd5e4c81-9b0e-4ec2-b510-c6efed21c3a7\build2.exe"
Path: C:\Users\admin\AppData\Local\fd5e4c81-9b0e-4ec2-b510-c6efed21c3a7\build2.exe
Parent process: build2.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\fd5e4c81-9b0e-4ec2-b510-c6efed21c3a7\build2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
PID: 1648
CMD: "C:\Users\admin\AppData\Local\fd5e4c81-9b0e-4ec2-b510-c6efed21c3a7\build3.exe"
Path: C:\Users\admin\AppData\Local\fd5e4c81-9b0e-4ec2-b510-c6efed21c3a7\build3.exe
Parent process: DJVU ransomware.exe
User:
admin
Integrity Level:
HIGH
Exit code:
4294967295
Modules
Images
c:\users\admin\appdata\local\fd5e4c81-9b0e-4ec2-b510-c6efed21c3a7\build3.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID: 2000
CMD: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
Path: C:\Windows\System32\schtasks.exe
Parent process: build3.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Manages scheduled tasks
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
PID: 616
CMD: C:\Users\admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Path: C:\Users\admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Parent process: taskeng.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\appdata\roaming\microsoft\network\mstsca.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events
28 496
Read events
27 504
Write events
404
Delete events
588

Modification events

(PID) Process: (2444) DJVU ransomware.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: write
Name: ProxyEnable
Value: 0

(PID) Process: (2444) DJVU ransomware.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation: write
Name: SavedLegacySettings
Value:
460000003D010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A80164000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (2444) DJVU ransomware.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (2444) DJVU ransomware.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (2444) DJVU ransomware.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (2444) DJVU ransomware.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (2444) DJVU ransomware.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (2444) DJVU ransomware.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (2444) DJVU ransomware.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FCC67766-6201-4AD1-A6B8-2F4553C93D47}
Operation: write
Name: WpadDecisionReason
Value: 1

(PID) Process: (2444) DJVU ransomware.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FCC67766-6201-4AD1-A6B8-2F4553C93D47}
Operation: write
Name: WpadDecisionTime
Value: 7863B4E06864D901
Executable files
24
Suspicious files
28
Text files
6
Unknown types
52

Dropped files

PID | Process | Filename | Type
3196 | DJVU ransomware.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary
MD5: EC74168D90B6245AB8098C5A9784B6BD
SHA256: 05F6EC4AAF9A033A943D11F80314AE56275AC9C12CF0B830F7C7EA2484875971
2444 | DJVU ransomware.exe | C:\Users\admin\AppData\Local\a4f1d0e5-abab-4c8d-9c92-e61d6d35dabf\DJVU ransomware.exe | executable
MD5: 454E5D237B4D653690D3DC0353FD1AD4
SHA256: 3805A3DA1DE4867E80CF097E771A90BB7AFD4EB5C710398BBC870AF90A825EED
3196 | DJVU ransomware.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D | binary
MD5: 9202E319B84BFEA786D9330435B004B6
SHA256: BB58E5B0E987D4618965AD63D18047CF8F0FD773150C331DD77469E14DE5DE68
3196 | DJVU ransomware.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E | binary
MD5: 39BCF6753667F098DA76C7EDB7D5286F
SHA256: 3CA987FBC8BA0955A2C0C506B021469D50D84C8FE700F35DC811DA3449527835
3196 | DJVU ransomware.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\geo[1].json | binary
MD5: 312A0BCBC6032741DBF150E6AFCBBBA9
SHA256: BD9B9BBB1D6E03B6729537F1C9EB61A32ECC0BA4EB4208CDB71331BC4834C429
3196 | DJVU ransomware.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D | der
MD5: EE7AD9D8F28E0558A94E667206E8A271
SHA256: 9EEEEF2CBD8192C6586FFA64114AD0C3E8E5AB3A73817E1044895517C6EBA712
3196 | DJVU ransomware.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E | der
MD5: 6A3B8331E801F083B403B0857ED8D574
SHA256: 98651A2DA4A4613BC2A03C4128926FE6B05F1AF8A7A21E1FEDEC75DB013706A0
3196 | DJVU ransomware.exe | C:\Users\admin\AppData\Local\fd5e4c81-9b0e-4ec2-b510-c6efed21c3a7\build2.exe | executable
MD5: AA18968E6CFBDC382ADA6A3ED2852085
SHA256: C165C8DB38EF8DD8C33D103B5EE78E9DDAFD8081FF0C7C035FA5251F970E6CFB
2468 | build2.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D | der
MD5: 0CC22A011CCAAEBC8D6E46EBB016A84E
SHA256: 308735064FF38C7FD32D09FA073F491B50D25B2DCF542A66D59B5ADF5E64944D
2468 | build2.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D | binary
MD5: DAC1040A1BCD63956202DAE94C3D822B
SHA256: 234DDD54CB4C92C0E6F5232B127A39275DC980525B4B28CDD6F67B293CB1F8EE
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
12
TCP/UDP connections
11
DNS requests
9
Threats
0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3196 | DJVU ransomware.exe | GET | 200 | 104.18.32.68:80 | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEH1bUSa0droR23QWC7xTDac%3D | US | der | 2.18 Kb | whitelisted
3196 | DJVU ransomware.exe | GET | 200 | 175.119.10.231:80 | http://uaery.top/dl/build2.exe | KR | executable | 416 Kb | malicious
2468 | build2.exe | GET | 200 | 192.124.249.41:80 | http://ocsp.godaddy.com//MEIwQDA%2BMDwwOjAJBgUrDgMCGgUABBQdI2%2BOBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc%3D | US | der | 1.69 Kb | whitelisted
2468 | build2.exe | GET | 200 | 78.47.168.170:80 | http://78.47.168.170/ | DE | text | 211 b | malicious
3196 | DJVU ransomware.exe | GET | 200 | 172.64.155.188:80 | http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D | US | der | 1.42 Kb | whitelisted
2468 | build2.exe | GET | 200 | 192.124.249.41:80 | http://ocsp.godaddy.com//MEowSDBGMEQwQjAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX%2B2yz8LQsgM4CCQCxJlJbiuuimg%3D%3D | US | der | 1.74 Kb | whitelisted
2468 | build2.exe | GET | 200 | 192.124.249.41:80 | http://ocsp.godaddy.com//MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH%2B3ahq1OMCAxvnFQ%3D%3D | US | der | 1.66 Kb | whitelisted
3196 | DJVU ransomware.exe | GET | 200 | 175.126.109.15:80 | http://zexeq.com/test2/get.php?pid=6E3AAB7CB29BC9495DFDE01272C66F39&first=true | KR | binary | 563 b | malicious
3196 | DJVU ransomware.exe | GET | 200 | 175.126.109.15:80 | http://zexeq.com/files/1/build3.exe | KR | executable | 9.50 Kb | malicious
2468 | build2.exe | POST | 200 | 78.47.168.170:80 | http://78.47.168.170/ | DE | text | 2 b | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3196 | DJVU ransomware.exe | 93.184.221.240:80 | ctldl.windowsupdate.com | EDGECAST | GB | whitelisted
3196 | DJVU ransomware.exe | 172.64.155.188:80 | ocsp.comodoca.com | CLOUDFLARENET | US | suspicious
2444 | DJVU ransomware.exe | 162.0.217.254:443 | api.2ip.ua | NAMECHEAP-NET | NL | suspicious
3196 | DJVU ransomware.exe | 104.18.32.68:80 | ocsp.comodoca.com | CLOUDFLARENET | - | suspicious
3196 | DJVU ransomware.exe | 175.119.10.231:80 | uaery.top | SK Broadband Co Ltd | KR | malicious
- | - | 162.0.217.254:443 | api.2ip.ua | NAMECHEAP-NET | NL | suspicious
3196 | DJVU ransomware.exe | 175.126.109.15:80 | zexeq.com | SK Broadband Co Ltd | KR | malicious
2468 | build2.exe | 192.124.249.41:80 | ocsp.godaddy.com | SUCURI-SEC | US | suspicious
2468 | build2.exe | 78.47.168.170:80 | - | Hetzner Online GmbH | DE | malicious
2468 | build2.exe | 149.154.167.99:443 | t.me | Telegram Messenger Inc | GB | malicious

DNS requests

Domain
IP
Reputation
api.2ip.ua
  • 162.0.217.254
shared
dns.msftncsi.com
  • 131.107.255.255
shared
ctldl.windowsupdate.com
  • 93.184.221.240
whitelisted
ocsp.comodoca.com
  • 172.64.155.188
  • 104.18.32.68
whitelisted
ocsp.usertrust.com
  • 104.18.32.68
  • 172.64.155.188
whitelisted
uaery.top
  • 175.119.10.231
  • 46.195.124.102
  • 187.156.105.116
  • 211.171.233.129
  • 203.91.116.53
  • 211.53.230.67
  • 86.122.83.142
  • 187.245.185.123
  • 211.119.84.111
  • 211.59.14.90
malicious
zexeq.com
  • 175.126.109.15
  • 86.122.83.142
  • 185.95.186.58
  • 203.91.116.53
  • 84.224.34.240
  • 190.140.74.43
  • 2.180.10.7
  • 210.182.29.70
  • 37.34.248.24
  • 195.158.3.162
malicious
t.me
  • 149.154.167.99
whitelisted
ocsp.godaddy.com
  • 192.124.249.41
  • 192.124.249.36
  • 192.124.249.24
  • 192.124.249.23
  • 192.124.249.22
whitelisted

Threats

PID | Process | Class | Message
- | - | Device Retrieving External IP Address Detected | ET POLICY External IP Address Lookup DNS Query (2ip .ua)
3196 | DJVU ransomware.exe | Potentially Bad Traffic | ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)
- | - | Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile
3196 | DJVU ransomware.exe | A Network Trojan was detected | ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)
3196 | DJVU ransomware.exe | A Network Trojan was detected | ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
3196 | DJVU ransomware.exe | A Network Trojan was detected | ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
3196 | DJVU ransomware.exe | A Network Trojan was detected | ET MALWARE Win32/Vodkagats Loader Requesting Payload
3196 | DJVU ransomware.exe | Potentially Bad Traffic | ET INFO HTTP Request to a *.top domain
3196 | DJVU ransomware.exe | A Network Trojan was detected | ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)
3196 | DJVU ransomware.exe | A Network Trojan was detected | ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
3 ETPRO signatures available at the full report
No debug info