Analysis Overview
SHA256
1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9
Threat Level: Known bad
The file 1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9 was found to be: Known bad.
Malicious Activity Summary
Djvu Ransomware
Detected Djvu ransomware
Downloads MZ/PE file
Modifies file permissions
Executes dropped EXE
Loads dropped DLL
Looks up external IP address via web service
Adds Run key to start application
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-15 04:48
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-15 04:48
Reported
2024-01-15 04:54
Platform
win7-20231215-en
Max time kernel
298s
Max time network
165s
Command Line
Signatures
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\664e8c4c-7a99-4789-849e-4e8fbdfdd6eb\build3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\664e8c4c-7a99-4789-849e-4e8fbdfdd6eb\build3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\f6b62297-b468-4adf-b135-388d3eb83c06\\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe
"C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe"
C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe
"C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\f6b62297-b468-4adf-b135-388d3eb83c06" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe
"C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe
"C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\664e8c4c-7a99-4789-849e-4e8fbdfdd6eb\build3.exe
"C:\Users\Admin\AppData\Local\664e8c4c-7a99-4789-849e-4e8fbdfdd6eb\build3.exe"
C:\Users\Admin\AppData\Local\664e8c4c-7a99-4789-849e-4e8fbdfdd6eb\build3.exe
"C:\Users\Admin\AppData\Local\664e8c4c-7a99-4789-849e-4e8fbdfdd6eb\build3.exe"
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {3377AEA4-88A3-4212-9DFB-2B0F63334E70} S-1-5-21-928733405-3780110381-2966456290-1000:VTILVGXH\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 172.67.139.220:443 | api.2ip.ua | tcp |
| US | 172.67.139.220:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | brusuax.com | udp |
| US | 8.8.8.8:53 | habrafa.com | udp |
| KR | 175.119.10.231:80 | habrafa.com | tcp |
| BA | 185.12.79.25:80 | habrafa.com | tcp |
| BA | 185.12.79.25:80 | habrafa.com | tcp |
Files
memory/2036-0-0x0000000000300000-0x0000000000392000-memory.dmp
memory/2036-1-0x0000000000300000-0x0000000000392000-memory.dmp
memory/2036-2-0x0000000002240000-0x000000000235B000-memory.dmp
memory/2140-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2140-5-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2140-7-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2140-8-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\f6b62297-b468-4adf-b135-388d3eb83c06\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe
| MD5 | 1f940a42c9441ea89bc4003de7dd477a |
| SHA1 | 50d68efbd5390fa9421696fe86a03a893b0b12e4 |
| SHA256 | 1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9 |
| SHA512 | bc393859e58a89701ebdd92bff35d8265ec991ecdc9bcb9db47c246b309b70ae142320092157f74f0ea6b34171034820589d5807a17451a051eeb61d366dad99 |
memory/1720-27-0x0000000002080000-0x0000000002112000-memory.dmp
memory/2140-26-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1720-29-0x0000000002080000-0x0000000002112000-memory.dmp
memory/2520-34-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2520-35-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab9637.tmp
| MD5 | 5436283659e9410ef09e40dacfcce928 |
| SHA1 | 16317c605b333225594dc9fd3d70b726b07016b6 |
| SHA256 | d1d33f8d3ea0ca2106ab1c966090a2f1bbfd93d8c6f15974f20ef9ff9ea951d8 |
| SHA512 | 6617b9c0ad607ba86997c0ad937ad3ddd43d69e7dc41d9fdec63e6989902c7c2259ff031b51fa17e9eaa06a7de4f7784c3d6163e4f29bd5b5087a119c58d55e4 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a81ba02f104fd1706b1438eb692b5a00 |
| SHA1 | 4d279418065022c18173aa1e0317a2ec12493fb5 |
| SHA256 | 72229acc4371239b950b568b9a9a7355c90549d4e1013c8dae3c4e2ebc7e13fb |
| SHA512 | f337ae021b7c98e9770003aaf612c1f76c9709c87af744fbf551fdcd1eaff9fd81d5c5ee8174822d468fac964548752a0bcced0882a538e02cd5076083aa140a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 8202a1cd02e7d69597995cabbe881a12 |
| SHA1 | 8858d9d934b7aa9330ee73de6c476acf19929ff6 |
| SHA256 | 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5 |
| SHA512 | 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 39fef77b8a622240c8f056f54343f568 |
| SHA1 | 999fd9e7c78d584069cb285a87cf3a262688bda4 |
| SHA256 | c03e4d2c426cc7db9b0febfc8af010ee5d0ced497821e1b3a65eb7fc94205e8a |
| SHA512 | 0851c8f8ab81da7c2644d58eadb7003a383bb442cf402262f0c47f5d92936c00cd07433bd99925e1929c5c41ce6aa04ad1ed368b64863414887c6c58e8e343b8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | b7470a9aa569b259d4c2bb3b80ae3aa3 |
| SHA1 | 093290296b7f1e402ef96e4b33a88f064aa401eb |
| SHA256 | ee8aeed77dd9f1631fa75845214d75bfe04951a61892410ee369035e13fd14c6 |
| SHA512 | 4da3fc09260692f159c37b068664852931b712c8173de5e4b294799ac33ecf179055aaeb016fd0afad88cbfc50a571c4c88033dca56a573431af7462ea7979be |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 9b5b5cd2d045b257470ffe7154fff906 |
| SHA1 | 59cc32aafeeedb0b5f7440c20fcb31e5e0b48680 |
| SHA256 | 60fc28a0f7ea8a0e51d09a703ef4376328ca3d1d71e94c4ea282f4b7628d5835 |
| SHA512 | b9c9747c43bed47c2c7feb6b0d64ae0abb0815335f02e1567e6e60a4d47c7cc0ec9831675171a9a0ebd8a167bc398178586a19f44461b06887a5d17a38664ab8 |
memory/2520-49-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2520-48-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2520-53-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2520-55-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2520-56-0x0000000000400000-0x0000000000537000-memory.dmp
\Users\Admin\AppData\Local\664e8c4c-7a99-4789-849e-4e8fbdfdd6eb\build3.exe
| MD5 | b874c8f1a49504d406782bd15a594443 |
| SHA1 | d9a5d96e2e7c7c536e549638870d85348b654c8d |
| SHA256 | a02dccabbce57586a603ee7c8e7b8b1331c5951344d805133a085c54f8feec8c |
| SHA512 | 24b0fe62f5360e2e0f84030b734901a4a80f417337b493446c3167bc7f95592821937604598e4e83a0f6873e748d45ebb53f2b5cb27bc58fc62ef6895e2ef785 |
C:\Users\Admin\AppData\Local\664e8c4c-7a99-4789-849e-4e8fbdfdd6eb\build3.exe
| MD5 | 41b883a061c95e9b9cb17d4ca50de770 |
| SHA1 | 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad |
| SHA256 | fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408 |
| SHA512 | cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319 |
memory/2520-67-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2520-69-0x0000000000400000-0x0000000000537000-memory.dmp
memory/788-73-0x0000000000C30000-0x0000000000D30000-memory.dmp
memory/984-81-0x0000000000400000-0x0000000000406000-memory.dmp
memory/984-79-0x0000000000400000-0x0000000000406000-memory.dmp
memory/984-76-0x0000000000400000-0x0000000000406000-memory.dmp
memory/788-75-0x0000000000220000-0x0000000000224000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | d9df99082330063ecde75a95459b70e8 |
| SHA1 | e65d53fc4bbef19011ee5e719f7e53926c05b724 |
| SHA256 | 0522a62299203a90d3b3d2366537a5cb44494534f3d51b693a77e4d327fed2d7 |
| SHA512 | 212fe25f546f55182655a69981bade2d92e1641ccfa5706ab333bfd47ef8d89e338360995a4e5563a642ceb1bf5ea0dee0c50fd32220d070b70f9c0b09f3e858 |
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | e461fbb083298cf2eeb7e9e3a9fe4cc5 |
| SHA1 | 18cb50e7f4903de9fd0ef33b7669769c417f868a |
| SHA256 | adbd069d1a07e878be87fe16084a9d652dd0d195e52c0e7aec9f2b0f0504efe4 |
| SHA512 | 08dc0ee8ac2005d5dffebc2a920cb4b78e3ab1d0e372a2e59dd9de55404c92662876aa448cd0da509980e6ad2696aa9f454c13b01d99433f425814f6f0b4856b |
memory/2244-93-0x0000000000932000-0x0000000000942000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | 6dc49fcda4c150dc161931fa44575443 |
| SHA1 | 195ec819dca5cf1cf5d46366225a9e91e5d9da9f |
| SHA256 | 6ba89d7b8037c23f3245d522ca864199017b870cd33a02c8b6fa7710f4203da6 |
| SHA512 | e747a4fa47a39bcdec0c53a2c848ba6f71dd5eed911a236e4ce006a460d2e85bd10fd19adf190757e898733b22b52fa3679727340d32588ac5664721cfcd6e04 |
memory/2220-113-0x0000000000910000-0x0000000000A10000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | 7f0dc9abeeebe3e08df9422fba38c90e |
| SHA1 | 68936de0928f6cf1f805280de70fe1a54dd093fd |
| SHA256 | 44e0da38c86b39dc15468afc619a073e2b49bd8c324634ddc8a7b24c12a5e650 |
| SHA512 | b76d93cedf9423dc4eb63d7ec013ec2adea778c6e58e0336bf4cc1893e3b4323700300a0a9a99094ee63d153be4778363347069a4a0baf4c6471904cdfbe29d2 |
memory/2788-138-0x0000000000942000-0x0000000000952000-memory.dmp
memory/300-157-0x0000000000860000-0x0000000000960000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | 82eaf8ab4de63805ea164b4ef8ee1a7c |
| SHA1 | 80501ddfe8e066958a6ef5310dc515138b32e537 |
| SHA256 | 04e3b54570a5c4b592b8dca28ad1ce33f237a4c329ebc7188440e9d9eff90217 |
| SHA512 | ba7434e5b3c5514c52833edbc2638df1a5f6791ffbdb3ab648e597bff81edad087918476e0d212f2070610774e775607e620c0f4ba1ca0e70339ef2a56e5cd69 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-15 04:48
Reported
2024-01-15 04:54
Platform
win10-20231215-en
Max time kernel
299s
Max time network
305s
Command Line
Signatures
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\956d832f-550f-48bf-9e80-4f40dffc3912\build3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\956d832f-550f-48bf-9e80-4f40dffc3912\build3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\9213a82c-40b6-4851-a48f-a31ca9d49ee3\\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe
"C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe"
C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe
"C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\9213a82c-40b6-4851-a48f-a31ca9d49ee3" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe
"C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe
"C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\956d832f-550f-48bf-9e80-4f40dffc3912\build3.exe
"C:\Users\Admin\AppData\Local\956d832f-550f-48bf-9e80-4f40dffc3912\build3.exe"
C:\Users\Admin\AppData\Local\956d832f-550f-48bf-9e80-4f40dffc3912\build3.exe
"C:\Users\Admin\AppData\Local\956d832f-550f-48bf-9e80-4f40dffc3912\build3.exe"
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | 24.65.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 94.193.125.74.in-addr.arpa | udp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | brusuax.com | udp |
| KR | 175.119.10.231:80 | brusuax.com | tcp |
| US | 8.8.8.8:53 | habrafa.com | udp |
| AR | 186.13.17.220:80 | habrafa.com | tcp |
| US | 8.8.8.8:53 | 231.10.119.175.in-addr.arpa | udp |
| AR | 186.13.17.220:80 | habrafa.com | tcp |
| US | 8.8.8.8:53 | 220.17.13.186.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 169.117.168.52.in-addr.arpa | udp |
Files
memory/3784-1-0x00000000025B0000-0x0000000002647000-memory.dmp
memory/3784-2-0x0000000002680000-0x000000000279B000-memory.dmp
memory/4856-3-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4856-4-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4856-5-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4856-6-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\9213a82c-40b6-4851-a48f-a31ca9d49ee3\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe
| MD5 | 1f940a42c9441ea89bc4003de7dd477a |
| SHA1 | 50d68efbd5390fa9421696fe86a03a893b0b12e4 |
| SHA256 | 1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9 |
| SHA512 | bc393859e58a89701ebdd92bff35d8265ec991ecdc9bcb9db47c246b309b70ae142320092157f74f0ea6b34171034820589d5807a17451a051eeb61d366dad99 |
memory/4856-17-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3480-21-0x0000000002400000-0x000000000249E000-memory.dmp
memory/4120-22-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4120-23-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4120-24-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | b7470a9aa569b259d4c2bb3b80ae3aa3 |
| SHA1 | 093290296b7f1e402ef96e4b33a88f064aa401eb |
| SHA256 | ee8aeed77dd9f1631fa75845214d75bfe04951a61892410ee369035e13fd14c6 |
| SHA512 | 4da3fc09260692f159c37b068664852931b712c8173de5e4b294799ac33ecf179055aaeb016fd0afad88cbfc50a571c4c88033dca56a573431af7462ea7979be |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 5a89c688d8f45a31d52261c889606fcf |
| SHA1 | fa576a68ef082950cfbeb51a404cb0ccbc880315 |
| SHA256 | d520b65b9a91c14309fd46ea72712049728227c38e9c1c672f48662563662675 |
| SHA512 | cbba2c08150d1464c157b33651d7252d673ca78e85af543f09c14e3215be05fabc05e0ff44a7e93f2fa9e5642c64171cd6d45367e3969897716e67a4714e426f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 8202a1cd02e7d69597995cabbe881a12 |
| SHA1 | 8858d9d934b7aa9330ee73de6c476acf19929ff6 |
| SHA256 | 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5 |
| SHA512 | 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 6e9cc2d0f108323284a259c1c551ac5f |
| SHA1 | e306b22da83d88df1becbea28095fbcebc624b23 |
| SHA256 | a6b9345209b4638d4ed95d6f55cccbb974ee2ceeac34a778791c9595dbdfed35 |
| SHA512 | 7241892f9d3b56f07df3c19dd16fb4769ff4fdf89c607189b286a807e6dd0304cfb2ccfb34856da5aa09f2cfa64e57e75f8cab2f5979d35b695ac11102992c66 |
memory/4120-29-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4120-30-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4120-34-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4120-36-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4120-37-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4120-38-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\956d832f-550f-48bf-9e80-4f40dffc3912\build3.exe
| MD5 | 41b883a061c95e9b9cb17d4ca50de770 |
| SHA1 | 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad |
| SHA256 | fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408 |
| SHA512 | cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319 |
memory/4120-45-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1432-51-0x0000000000850000-0x0000000000854000-memory.dmp
memory/3468-53-0x0000000000400000-0x0000000000406000-memory.dmp
memory/1432-49-0x0000000000950000-0x0000000000A50000-memory.dmp
memory/3468-54-0x0000000000400000-0x0000000000406000-memory.dmp
memory/3468-48-0x0000000000400000-0x0000000000406000-memory.dmp
memory/3468-56-0x0000000000410000-0x00000000004D5000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/2924-65-0x0000000000B60000-0x0000000000C60000-memory.dmp
memory/632-86-0x0000000000A50000-0x0000000000B50000-memory.dmp
memory/4600-108-0x00000000009B0000-0x0000000000AB0000-memory.dmp
memory/4828-127-0x0000000000AC0000-0x0000000000BC0000-memory.dmp
memory/2216-148-0x0000000000990000-0x0000000000A90000-memory.dmp