Malware Analysis Report

2025-08-10 18:25

Sample ID 240115-ffls6aaeh2
Target 1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9
SHA256 1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9
Tags
djvu discovery persistence ransomware
score
10/10

Analysis Overview

score
10/10

SHA256

1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9

Threat Level: Known bad

The file 1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9 was found to be: Known bad.

Malicious Activity Summary

djvu discovery persistence ransomware

Djvu Ransomware

Detected Djvu ransomware

Downloads MZ/PE file

Modifies file permissions

Executes dropped EXE

Loads dropped DLL

Looks up external IP address via web service

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-15 04:48

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-15 04:48

Reported

2024-01-15 04:54

Platform

win7-20231215-en

Max time kernel

298s

Max time network

165s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Downloads MZ/PE file

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\f6b62297-b468-4adf-b135-388d3eb83c06\\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2036 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe
PID 2036 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe
PID 2036 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe
PID 2036 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe
PID 2036 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe
PID 2036 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe
PID 2036 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe
PID 2036 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe
PID 2036 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe
PID 2036 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe
PID 2036 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe
PID 2140 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe C:\Windows\SysWOW64\icacls.exe
PID 2140 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe C:\Windows\SysWOW64\icacls.exe
PID 2140 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe C:\Windows\SysWOW64\icacls.exe
PID 2140 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe C:\Windows\SysWOW64\icacls.exe
PID 2140 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe
PID 2140 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe
PID 2140 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe
PID 2140 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe
PID 1720 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe
PID 1720 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe
PID 1720 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe
PID 1720 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe
PID 1720 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe
PID 1720 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe
PID 1720 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe
PID 1720 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe
PID 1720 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe
PID 1720 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe
PID 1720 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe
PID 2520 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe C:\Users\Admin\AppData\Local\664e8c4c-7a99-4789-849e-4e8fbdfdd6eb\build3.exe
PID 2520 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe C:\Users\Admin\AppData\Local\664e8c4c-7a99-4789-849e-4e8fbdfdd6eb\build3.exe
PID 2520 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe C:\Users\Admin\AppData\Local\664e8c4c-7a99-4789-849e-4e8fbdfdd6eb\build3.exe
PID 2520 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe C:\Users\Admin\AppData\Local\664e8c4c-7a99-4789-849e-4e8fbdfdd6eb\build3.exe
PID 788 wrote to memory of 984 N/A C:\Users\Admin\AppData\Local\664e8c4c-7a99-4789-849e-4e8fbdfdd6eb\build3.exe C:\Users\Admin\AppData\Local\664e8c4c-7a99-4789-849e-4e8fbdfdd6eb\build3.exe
PID 788 wrote to memory of 984 N/A C:\Users\Admin\AppData\Local\664e8c4c-7a99-4789-849e-4e8fbdfdd6eb\build3.exe C:\Users\Admin\AppData\Local\664e8c4c-7a99-4789-849e-4e8fbdfdd6eb\build3.exe
PID 788 wrote to memory of 984 N/A C:\Users\Admin\AppData\Local\664e8c4c-7a99-4789-849e-4e8fbdfdd6eb\build3.exe C:\Users\Admin\AppData\Local\664e8c4c-7a99-4789-849e-4e8fbdfdd6eb\build3.exe
PID 788 wrote to memory of 984 N/A C:\Users\Admin\AppData\Local\664e8c4c-7a99-4789-849e-4e8fbdfdd6eb\build3.exe C:\Users\Admin\AppData\Local\664e8c4c-7a99-4789-849e-4e8fbdfdd6eb\build3.exe
PID 788 wrote to memory of 984 N/A C:\Users\Admin\AppData\Local\664e8c4c-7a99-4789-849e-4e8fbdfdd6eb\build3.exe C:\Users\Admin\AppData\Local\664e8c4c-7a99-4789-849e-4e8fbdfdd6eb\build3.exe
PID 788 wrote to memory of 984 N/A C:\Users\Admin\AppData\Local\664e8c4c-7a99-4789-849e-4e8fbdfdd6eb\build3.exe C:\Users\Admin\AppData\Local\664e8c4c-7a99-4789-849e-4e8fbdfdd6eb\build3.exe
PID 788 wrote to memory of 984 N/A C:\Users\Admin\AppData\Local\664e8c4c-7a99-4789-849e-4e8fbdfdd6eb\build3.exe C:\Users\Admin\AppData\Local\664e8c4c-7a99-4789-849e-4e8fbdfdd6eb\build3.exe
PID 788 wrote to memory of 984 N/A C:\Users\Admin\AppData\Local\664e8c4c-7a99-4789-849e-4e8fbdfdd6eb\build3.exe C:\Users\Admin\AppData\Local\664e8c4c-7a99-4789-849e-4e8fbdfdd6eb\build3.exe
PID 788 wrote to memory of 984 N/A C:\Users\Admin\AppData\Local\664e8c4c-7a99-4789-849e-4e8fbdfdd6eb\build3.exe C:\Users\Admin\AppData\Local\664e8c4c-7a99-4789-849e-4e8fbdfdd6eb\build3.exe
PID 788 wrote to memory of 984 N/A C:\Users\Admin\AppData\Local\664e8c4c-7a99-4789-849e-4e8fbdfdd6eb\build3.exe C:\Users\Admin\AppData\Local\664e8c4c-7a99-4789-849e-4e8fbdfdd6eb\build3.exe
PID 984 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\664e8c4c-7a99-4789-849e-4e8fbdfdd6eb\build3.exe C:\Windows\SysWOW64\schtasks.exe
PID 984 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\664e8c4c-7a99-4789-849e-4e8fbdfdd6eb\build3.exe C:\Windows\SysWOW64\schtasks.exe
PID 984 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\664e8c4c-7a99-4789-849e-4e8fbdfdd6eb\build3.exe C:\Windows\SysWOW64\schtasks.exe
PID 984 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\664e8c4c-7a99-4789-849e-4e8fbdfdd6eb\build3.exe C:\Windows\SysWOW64\schtasks.exe
PID 2992 wrote to memory of 2244 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 2992 wrote to memory of 2244 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 2992 wrote to memory of 2244 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 2992 wrote to memory of 2244 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 2244 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 2244 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 2244 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 2244 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 2244 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 2244 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 2244 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 2244 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 2244 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 2244 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 2324 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Windows\SysWOW64\schtasks.exe
PID 2324 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe

"C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe"

C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe

"C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\f6b62297-b468-4adf-b135-388d3eb83c06" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe

"C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe

"C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\664e8c4c-7a99-4789-849e-4e8fbdfdd6eb\build3.exe

"C:\Users\Admin\AppData\Local\664e8c4c-7a99-4789-849e-4e8fbdfdd6eb\build3.exe"

C:\Users\Admin\AppData\Local\664e8c4c-7a99-4789-849e-4e8fbdfdd6eb\build3.exe

"C:\Users\Admin\AppData\Local\664e8c4c-7a99-4789-849e-4e8fbdfdd6eb\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {3377AEA4-88A3-4212-9DFB-2B0F63334E70} S-1-5-21-928733405-3780110381-2966456290-1000:VTILVGXH\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 172.67.139.220:443 api.2ip.ua tcp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 brusuax.com udp
US 8.8.8.8:53 habrafa.com udp
KR 175.119.10.231:80 habrafa.com tcp
BA 185.12.79.25:80 habrafa.com tcp
BA 185.12.79.25:80 habrafa.com tcp

Files

memory/2036-0-0x0000000000300000-0x0000000000392000-memory.dmp

memory/2036-1-0x0000000000300000-0x0000000000392000-memory.dmp

memory/2036-2-0x0000000002240000-0x000000000235B000-memory.dmp

memory/2140-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2140-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2140-7-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2140-8-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\f6b62297-b468-4adf-b135-388d3eb83c06\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe

MD5 1f940a42c9441ea89bc4003de7dd477a
SHA1 50d68efbd5390fa9421696fe86a03a893b0b12e4
SHA256 1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9
SHA512 bc393859e58a89701ebdd92bff35d8265ec991ecdc9bcb9db47c246b309b70ae142320092157f74f0ea6b34171034820589d5807a17451a051eeb61d366dad99

memory/1720-27-0x0000000002080000-0x0000000002112000-memory.dmp

memory/2140-26-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1720-29-0x0000000002080000-0x0000000002112000-memory.dmp

memory/2520-34-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2520-35-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab9637.tmp

MD5 5436283659e9410ef09e40dacfcce928
SHA1 16317c605b333225594dc9fd3d70b726b07016b6
SHA256 d1d33f8d3ea0ca2106ab1c966090a2f1bbfd93d8c6f15974f20ef9ff9ea951d8
SHA512 6617b9c0ad607ba86997c0ad937ad3ddd43d69e7dc41d9fdec63e6989902c7c2259ff031b51fa17e9eaa06a7de4f7784c3d6163e4f29bd5b5087a119c58d55e4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a81ba02f104fd1706b1438eb692b5a00
SHA1 4d279418065022c18173aa1e0317a2ec12493fb5
SHA256 72229acc4371239b950b568b9a9a7355c90549d4e1013c8dae3c4e2ebc7e13fb
SHA512 f337ae021b7c98e9770003aaf612c1f76c9709c87af744fbf551fdcd1eaff9fd81d5c5ee8174822d468fac964548752a0bcced0882a538e02cd5076083aa140a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 39fef77b8a622240c8f056f54343f568
SHA1 999fd9e7c78d584069cb285a87cf3a262688bda4
SHA256 c03e4d2c426cc7db9b0febfc8af010ee5d0ced497821e1b3a65eb7fc94205e8a
SHA512 0851c8f8ab81da7c2644d58eadb7003a383bb442cf402262f0c47f5d92936c00cd07433bd99925e1929c5c41ce6aa04ad1ed368b64863414887c6c58e8e343b8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 b7470a9aa569b259d4c2bb3b80ae3aa3
SHA1 093290296b7f1e402ef96e4b33a88f064aa401eb
SHA256 ee8aeed77dd9f1631fa75845214d75bfe04951a61892410ee369035e13fd14c6
SHA512 4da3fc09260692f159c37b068664852931b712c8173de5e4b294799ac33ecf179055aaeb016fd0afad88cbfc50a571c4c88033dca56a573431af7462ea7979be

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 9b5b5cd2d045b257470ffe7154fff906
SHA1 59cc32aafeeedb0b5f7440c20fcb31e5e0b48680
SHA256 60fc28a0f7ea8a0e51d09a703ef4376328ca3d1d71e94c4ea282f4b7628d5835
SHA512 b9c9747c43bed47c2c7feb6b0d64ae0abb0815335f02e1567e6e60a4d47c7cc0ec9831675171a9a0ebd8a167bc398178586a19f44461b06887a5d17a38664ab8

memory/2520-49-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2520-48-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2520-53-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2520-55-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2520-56-0x0000000000400000-0x0000000000537000-memory.dmp

\Users\Admin\AppData\Local\664e8c4c-7a99-4789-849e-4e8fbdfdd6eb\build3.exe

MD5 b874c8f1a49504d406782bd15a594443
SHA1 d9a5d96e2e7c7c536e549638870d85348b654c8d
SHA256 a02dccabbce57586a603ee7c8e7b8b1331c5951344d805133a085c54f8feec8c
SHA512 24b0fe62f5360e2e0f84030b734901a4a80f417337b493446c3167bc7f95592821937604598e4e83a0f6873e748d45ebb53f2b5cb27bc58fc62ef6895e2ef785

C:\Users\Admin\AppData\Local\664e8c4c-7a99-4789-849e-4e8fbdfdd6eb\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

memory/2520-67-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2520-69-0x0000000000400000-0x0000000000537000-memory.dmp

memory/788-73-0x0000000000C30000-0x0000000000D30000-memory.dmp

memory/984-81-0x0000000000400000-0x0000000000406000-memory.dmp

memory/984-79-0x0000000000400000-0x0000000000406000-memory.dmp

memory/984-76-0x0000000000400000-0x0000000000406000-memory.dmp

memory/788-75-0x0000000000220000-0x0000000000224000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 d9df99082330063ecde75a95459b70e8
SHA1 e65d53fc4bbef19011ee5e719f7e53926c05b724
SHA256 0522a62299203a90d3b3d2366537a5cb44494534f3d51b693a77e4d327fed2d7
SHA512 212fe25f546f55182655a69981bade2d92e1641ccfa5706ab333bfd47ef8d89e338360995a4e5563a642ceb1bf5ea0dee0c50fd32220d070b70f9c0b09f3e858

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 e461fbb083298cf2eeb7e9e3a9fe4cc5
SHA1 18cb50e7f4903de9fd0ef33b7669769c417f868a
SHA256 adbd069d1a07e878be87fe16084a9d652dd0d195e52c0e7aec9f2b0f0504efe4
SHA512 08dc0ee8ac2005d5dffebc2a920cb4b78e3ab1d0e372a2e59dd9de55404c92662876aa448cd0da509980e6ad2696aa9f454c13b01d99433f425814f6f0b4856b

memory/2244-93-0x0000000000932000-0x0000000000942000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 6dc49fcda4c150dc161931fa44575443
SHA1 195ec819dca5cf1cf5d46366225a9e91e5d9da9f
SHA256 6ba89d7b8037c23f3245d522ca864199017b870cd33a02c8b6fa7710f4203da6
SHA512 e747a4fa47a39bcdec0c53a2c848ba6f71dd5eed911a236e4ce006a460d2e85bd10fd19adf190757e898733b22b52fa3679727340d32588ac5664721cfcd6e04

memory/2220-113-0x0000000000910000-0x0000000000A10000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 7f0dc9abeeebe3e08df9422fba38c90e
SHA1 68936de0928f6cf1f805280de70fe1a54dd093fd
SHA256 44e0da38c86b39dc15468afc619a073e2b49bd8c324634ddc8a7b24c12a5e650
SHA512 b76d93cedf9423dc4eb63d7ec013ec2adea778c6e58e0336bf4cc1893e3b4323700300a0a9a99094ee63d153be4778363347069a4a0baf4c6471904cdfbe29d2

memory/2788-138-0x0000000000942000-0x0000000000952000-memory.dmp

memory/300-157-0x0000000000860000-0x0000000000960000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 82eaf8ab4de63805ea164b4ef8ee1a7c
SHA1 80501ddfe8e066958a6ef5310dc515138b32e537
SHA256 04e3b54570a5c4b592b8dca28ad1ce33f237a4c329ebc7188440e9d9eff90217
SHA512 ba7434e5b3c5514c52833edbc2638df1a5f6791ffbdb3ab648e597bff81edad087918476e0d212f2070610774e775607e620c0f4ba1ca0e70339ef2a56e5cd69

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-15 04:48

Reported

2024-01-15 04:54

Platform

win10-20231215-en

Max time kernel

299s

Max time network

305s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Downloads MZ/PE file

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\9213a82c-40b6-4851-a48f-a31ca9d49ee3\\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3784 set thread context of 4856 N/A C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe
PID 3480 set thread context of 4120 N/A C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe
PID 1432 set thread context of 3468 N/A C:\Users\Admin\AppData\Local\956d832f-550f-48bf-9e80-4f40dffc3912\build3.exe C:\Users\Admin\AppData\Local\956d832f-550f-48bf-9e80-4f40dffc3912\build3.exe
PID 2924 set thread context of 4520 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 632 set thread context of 2772 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 4600 set thread context of 3584 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 4828 set thread context of 3500 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 2216 set thread context of 3336 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3784 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe
PID 3784 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe
PID 3784 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe
PID 3784 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe
PID 3784 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe
PID 3784 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe
PID 3784 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe
PID 3784 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe
PID 3784 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe
PID 3784 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe
PID 4856 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe C:\Windows\SysWOW64\icacls.exe
PID 4856 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe C:\Windows\SysWOW64\icacls.exe
PID 4856 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe C:\Windows\SysWOW64\icacls.exe
PID 4856 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe
PID 4856 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe
PID 4856 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe
PID 3480 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe
PID 3480 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe
PID 3480 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe
PID 3480 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe
PID 3480 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe
PID 3480 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe
PID 3480 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe
PID 3480 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe
PID 3480 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe
PID 3480 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe
PID 4120 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe C:\Users\Admin\AppData\Local\956d832f-550f-48bf-9e80-4f40dffc3912\build3.exe
PID 4120 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe C:\Users\Admin\AppData\Local\956d832f-550f-48bf-9e80-4f40dffc3912\build3.exe
PID 4120 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe C:\Users\Admin\AppData\Local\956d832f-550f-48bf-9e80-4f40dffc3912\build3.exe
PID 1432 wrote to memory of 3468 N/A C:\Users\Admin\AppData\Local\956d832f-550f-48bf-9e80-4f40dffc3912\build3.exe C:\Users\Admin\AppData\Local\956d832f-550f-48bf-9e80-4f40dffc3912\build3.exe
PID 1432 wrote to memory of 3468 N/A C:\Users\Admin\AppData\Local\956d832f-550f-48bf-9e80-4f40dffc3912\build3.exe C:\Users\Admin\AppData\Local\956d832f-550f-48bf-9e80-4f40dffc3912\build3.exe
PID 1432 wrote to memory of 3468 N/A C:\Users\Admin\AppData\Local\956d832f-550f-48bf-9e80-4f40dffc3912\build3.exe C:\Users\Admin\AppData\Local\956d832f-550f-48bf-9e80-4f40dffc3912\build3.exe
PID 1432 wrote to memory of 3468 N/A C:\Users\Admin\AppData\Local\956d832f-550f-48bf-9e80-4f40dffc3912\build3.exe C:\Users\Admin\AppData\Local\956d832f-550f-48bf-9e80-4f40dffc3912\build3.exe
PID 1432 wrote to memory of 3468 N/A C:\Users\Admin\AppData\Local\956d832f-550f-48bf-9e80-4f40dffc3912\build3.exe C:\Users\Admin\AppData\Local\956d832f-550f-48bf-9e80-4f40dffc3912\build3.exe
PID 1432 wrote to memory of 3468 N/A C:\Users\Admin\AppData\Local\956d832f-550f-48bf-9e80-4f40dffc3912\build3.exe C:\Users\Admin\AppData\Local\956d832f-550f-48bf-9e80-4f40dffc3912\build3.exe
PID 1432 wrote to memory of 3468 N/A C:\Users\Admin\AppData\Local\956d832f-550f-48bf-9e80-4f40dffc3912\build3.exe C:\Users\Admin\AppData\Local\956d832f-550f-48bf-9e80-4f40dffc3912\build3.exe
PID 1432 wrote to memory of 3468 N/A C:\Users\Admin\AppData\Local\956d832f-550f-48bf-9e80-4f40dffc3912\build3.exe C:\Users\Admin\AppData\Local\956d832f-550f-48bf-9e80-4f40dffc3912\build3.exe
PID 1432 wrote to memory of 3468 N/A C:\Users\Admin\AppData\Local\956d832f-550f-48bf-9e80-4f40dffc3912\build3.exe C:\Users\Admin\AppData\Local\956d832f-550f-48bf-9e80-4f40dffc3912\build3.exe
PID 3468 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\956d832f-550f-48bf-9e80-4f40dffc3912\build3.exe C:\Windows\SysWOW64\schtasks.exe
PID 3468 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\956d832f-550f-48bf-9e80-4f40dffc3912\build3.exe C:\Windows\SysWOW64\schtasks.exe
PID 3468 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\956d832f-550f-48bf-9e80-4f40dffc3912\build3.exe C:\Windows\SysWOW64\schtasks.exe
PID 2924 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 2924 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 2924 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 2924 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 2924 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 2924 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 2924 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 2924 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 2924 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 4520 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Windows\SysWOW64\schtasks.exe
PID 4520 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Windows\SysWOW64\schtasks.exe
PID 4520 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Windows\SysWOW64\schtasks.exe
PID 632 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 632 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 632 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 632 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 632 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 632 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 632 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 632 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 632 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 4600 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 4600 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe

"C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe"

C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe

"C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\9213a82c-40b6-4851-a48f-a31ca9d49ee3" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe

"C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe

"C:\Users\Admin\AppData\Local\Temp\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\956d832f-550f-48bf-9e80-4f40dffc3912\build3.exe

"C:\Users\Admin\AppData\Local\956d832f-550f-48bf-9e80-4f40dffc3912\build3.exe"

C:\Users\Admin\AppData\Local\956d832f-550f-48bf-9e80-4f40dffc3912\build3.exe

"C:\Users\Admin\AppData\Local\956d832f-550f-48bf-9e80-4f40dffc3912\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
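
Detection logic for the process chain listed above, as an added example written for this page (it is not tooling from the sandbox vendor and not code from the report). It re-reads the image paths and command lines from this Processes section and flags the behaviours the report's signatures call out: the icacls call that denies Everyone (S-1-1-0) delete rights on the GUID-named directory holding the sample's own copy, the relaunch with the `--Admin IsNotAutoStart IsNotTask` arguments, the minute-interval scheduled task pointing at mstsca.exe, and executables started from dropped locations. The row list is copied from this section; the rule names, the "5 minutes or less" threshold, and the `classify`/`triage`/`djvu_chain` helpers are this example's own choices.

```python
import re
from typing import Dict, List, Tuple

SAMPLE = "1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9"
LOCAL = r"C:\Users\Admin\AppData\Local"
ROAMING = r"C:\Users\Admin\AppData\Roaming"

# (image path, command line) pairs copied from this report's Processes section.
# Rows for which the report prints only the image path get an empty command line.
PROCESSES: List[Tuple[str, str]] = [
    (rf"{LOCAL}\Temp\{SAMPLE}.exe", rf'"{LOCAL}\Temp\{SAMPLE}.exe"'),
    (r"C:\Windows\SysWOW64\icacls.exe",
     rf'icacls "{LOCAL}\9213a82c-40b6-4851-a48f-a31ca9d49ee3" /deny *S-1-1-0:(OI)(CI)(DE,DC)'),
    (rf"{LOCAL}\Temp\{SAMPLE}.exe",
     rf'"{LOCAL}\Temp\{SAMPLE}.exe" --Admin IsNotAutoStart IsNotTask'),
    (rf"{LOCAL}\956d832f-550f-48bf-9e80-4f40dffc3912\build3.exe",
     rf'"{LOCAL}\956d832f-550f-48bf-9e80-4f40dffc3912\build3.exe"'),
    (r"C:\Windows\SysWOW64\schtasks.exe",
     rf'/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" '
     rf'/tr "{ROAMING}\Microsoft\Network\mstsca.exe"'),
    (rf"{ROAMING}\Microsoft\Network\mstsca.exe", ""),
]

# A GUID-named directory directly under %LOCALAPPDATA%, followed by a path separator or end of string.
GUID_DIR = re.compile(
    r"\\AppData\\Local\\[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}(?:\\|$)", re.I)
# icacls "<dir>" /deny *S-1-1-0:(OI)(CI)(<rights>)  -> Everyone denied <rights>, inherited by children
ICACLS_DENY = re.compile(
    r'^icacls\s+"([^"]+)"\s+/deny\s+\*S-1-1-0:\(OI\)\(CI\)\(([^)]*)\)', re.I)
# schtasks /create ... /sc minute /mo <n> ... /tn "<name>" ... /tr "<target>"
SCHTASKS_CREATE = re.compile(
    r'/create\b.*?/sc\s+minute\s+/mo\s+(\d+).*?/tn\s+"([^"]+)".*?/tr\s+"([^"]+)"', re.I)
# The argument triple the sample passes to its own second instance.
RELAUNCH = re.compile(r"\s--Admin\s+IsNotAutoStart\s+IsNotTask\s*$", re.I)


def classify(image: str, cmdline: str) -> List[str]:
    """Return 'category: detail' findings for one process row (empty list = nothing fired)."""
    hits: List[str] = []
    m = ICACLS_DENY.match(cmdline)
    if m:
        target, rights = m.group(1), set(m.group(2).upper().split(","))
        # DE = delete, DC = delete child: the copy in the GUID directory survives an
        # unprivileged clean-up attempt because Everyone is denied both.
        if GUID_DIR.search(target) and {"DE", "DC"} <= rights:
            hits.append(f"permissions: Everyone denied delete on {target}")
    m = SCHTASKS_CREATE.search(cmdline)
    if m and image.lower().endswith("schtasks.exe"):
        minutes, name, task_target = int(m.group(1)), m.group(2), m.group(3)
        # A task firing every few minutes from a user-writable profile path is a
        # re-launch loop, not maintenance; the threshold is this example's choice.
        if minutes <= 5 and "\\appdata\\" in task_target.lower():
            hits.append(f"persistence: task {name!r} runs {task_target} every {minutes} min")
    if RELAUNCH.search(cmdline):
        hits.append("relaunch: Djvu-style '--Admin IsNotAutoStart IsNotTask' arguments")
    lower = image.lower()
    if not lower.startswith("c:\\windows\\") and (
            GUID_DIR.search(image) or "\\appdata\\roaming\\" in lower):
        hits.append(f"dropped: executable running from {image}")
    return hits


def triage(rows: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group the findings of all rows by category."""
    findings: Dict[str, List[str]] = {}
    for image, cmdline in rows:
        for hit in classify(image, cmdline):
            category, detail = hit.split(": ", 1)
            findings.setdefault(category, []).append(detail)
    return findings


def djvu_chain(findings: Dict[str, List[str]]) -> bool:
    """True when the three stages this report shows (protect copy, relaunch, task) all appear."""
    return {"permissions", "relaunch", "persistence"} <= set(findings)


if __name__ == "__main__":
    result = triage(PROCESSES)
    for category, details in result.items():
        for detail in details:
            print(f"[{category}] {detail}")
    print("Djvu-like chain:", djvu_chain(result))
```

The three-stage check is deliberately conjunctive: a lone icacls deny or a lone minute-interval task also appears in legitimate software, so alerting on the combination, plus the launch from a dropped path, keeps the rule specific to this behaviour chain rather than to one command line.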

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 24.65.21.104.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 94.193.125.74.in-addr.arpa udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 brusuax.com udp
KR 175.119.10.231:80 brusuax.com tcp
US 8.8.8.8:53 habrafa.com udp
AR 186.13.17.220:80 habrafa.com tcp
US 8.8.8.8:53 231.10.119.175.in-addr.arpa udp
AR 186.13.17.220:80 habrafa.com tcp
US 8.8.8.8:53 220.17.13.186.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 169.117.168.52.in-addr.arpa udp

Files

memory/3784-1-0x00000000025B0000-0x0000000002647000-memory.dmp

memory/3784-2-0x0000000002680000-0x000000000279B000-memory.dmp

memory/4856-3-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4856-4-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4856-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4856-6-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\9213a82c-40b6-4851-a48f-a31ca9d49ee3\1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9.exe

MD5 1f940a42c9441ea89bc4003de7dd477a
SHA1 50d68efbd5390fa9421696fe86a03a893b0b12e4
SHA256 1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9
SHA512 bc393859e58a89701ebdd92bff35d8265ec991ecdc9bcb9db47c246b309b70ae142320092157f74f0ea6b34171034820589d5807a17451a051eeb61d366dad99

Note: the SHA256 is identical to the submitted sample; this is the sample's own copy of itself in a GUID-named directory, and it is this directory that the icacls command under Processes locks by denying Everyone delete rights.

memory/4856-17-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3480-21-0x0000000002400000-0x000000000249E000-memory.dmp

memory/4120-22-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4120-23-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4120-24-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 b7470a9aa569b259d4c2bb3b80ae3aa3
SHA1 093290296b7f1e402ef96e4b33a88f064aa401eb
SHA256 ee8aeed77dd9f1631fa75845214d75bfe04951a61892410ee369035e13fd14c6
SHA512 4da3fc09260692f159c37b068664852931b712c8173de5e4b294799ac33ecf179055aaeb016fd0afad88cbfc50a571c4c88033dca56a573431af7462ea7979be

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 5a89c688d8f45a31d52261c889606fcf
SHA1 fa576a68ef082950cfbeb51a404cb0ccbc880315
SHA256 d520b65b9a91c14309fd46ea72712049728227c38e9c1c672f48662563662675
SHA512 cbba2c08150d1464c157b33651d7252d673ca78e85af543f09c14e3215be05fabc05e0ff44a7e93f2fa9e5642c64171cd6d45367e3969897716e67a4714e426f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 6e9cc2d0f108323284a259c1c551ac5f
SHA1 e306b22da83d88df1becbea28095fbcebc624b23
SHA256 a6b9345209b4638d4ed95d6f55cccbb974ee2ceeac34a778791c9595dbdfed35
SHA512 7241892f9d3b56f07df3c19dd16fb4769ff4fdf89c607189b286a807e6dd0304cfb2ccfb34856da5aa09f2cfa64e57e75f8cab2f5979d35b695ac11102992c66

memory/4120-29-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4120-30-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4120-34-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4120-36-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4120-37-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4120-38-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\956d832f-550f-48bf-9e80-4f40dffc3912\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

memory/4120-45-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1432-51-0x0000000000850000-0x0000000000854000-memory.dmp

memory/3468-53-0x0000000000400000-0x0000000000406000-memory.dmp

memory/1432-49-0x0000000000950000-0x0000000000A50000-memory.dmp

memory/3468-54-0x0000000000400000-0x0000000000406000-memory.dmp

memory/3468-48-0x0000000000400000-0x0000000000406000-memory.dmp

memory/3468-56-0x0000000000410000-0x00000000004D5000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Note: these are the digests of zero-byte input (MD5 d41d8cd9..., SHA256 e3b0c442...); the copy of mstsca.exe captured by the sandbox was empty. Do not use these hashes as indicators, and do not assume the file was empty on a real victim.

memory/2924-65-0x0000000000B60000-0x0000000000C60000-memory.dmp

memory/632-86-0x0000000000A50000-0x0000000000B50000-memory.dmp

memory/4600-108-0x00000000009B0000-0x0000000000AB0000-memory.dmp

memory/4828-127-0x0000000000AC0000-0x0000000000BC0000-memory.dmp

memory/2216-148-0x0000000000990000-0x0000000000A90000-memory.dmp
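
An added example (not part of the report, not vendor tooling) that turns the Network and Files tables above into a hunt list. On the network side it drops the sandbox's own DNS chatter, the queries to the resolver on port 53 and the reverse (in-addr.arpa) lookups, and sets the api.2ip.ua traffic, which matches the report's "Looks up external IP address via web service" signature, apart from the other contacted hosts. On the file side it checks each record against the submitted sample's hash (self-copy), against the digest of empty input (a zero-byte capture), and against the Windows CryptnetUrlCache path (OS certificate cache). The rows are copied from the tables; the category labels, the `IP_LOOKUP_SERVICES` set and the function names are this example's assumptions.

```python
import hashlib
from typing import Dict, List, Set, Tuple

SAMPLE_SHA256 = "1a00b83b89579d21ffdfa114fc9cc74e283807af6bc1261d20e218953f8569a9"
LOCAL = r"C:\Users\Admin\AppData\Local"
CRYPTNET = r"C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache"
ROAMING = r"C:\Users\Admin\AppData\Roaming"
BUILD3 = rf"{LOCAL}\956d832f-550f-48bf-9e80-4f40dffc3912\build3.exe"
MSTSCA = rf"{ROAMING}\Microsoft\Network\mstsca.exe"

# (country, destination, domain, proto) rows copied from this report's Network table.
NETWORK: List[Tuple[str, str, str, str]] = [
    ("US", "8.8.8.8:53", "api.2ip.ua", "udp"),
    ("US", "104.21.65.24:443", "api.2ip.ua", "tcp"),
    ("US", "8.8.8.8:53", "24.65.21.104.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "194.178.17.96.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "94.193.125.74.in-addr.arpa", "udp"),
    ("US", "104.21.65.24:443", "api.2ip.ua", "tcp"),
    ("US", "8.8.8.8:53", "brusuax.com", "udp"),
    ("KR", "175.119.10.231:80", "brusuax.com", "tcp"),
    ("US", "8.8.8.8:53", "habrafa.com", "udp"),
    ("AR", "186.13.17.220:80", "habrafa.com", "tcp"),
    ("US", "8.8.8.8:53", "231.10.119.175.in-addr.arpa", "udp"),
    ("AR", "186.13.17.220:80", "habrafa.com", "tcp"),
    ("US", "8.8.8.8:53", "220.17.13.186.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "180.178.17.96.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "169.117.168.52.in-addr.arpa", "udp"),
]

# (path, sha256) pairs copied from this report's Files table.
FILES: List[Tuple[str, str]] = [
    (rf"{LOCAL}\9213a82c-40b6-4851-a48f-a31ca9d49ee3\{SAMPLE_SHA256}.exe", SAMPLE_SHA256),
    (rf"{CRYPTNET}\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA",
     "ee8aeed77dd9f1631fa75845214d75bfe04951a61892410ee369035e13fd14c6"),
    (rf"{CRYPTNET}\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464",
     "d520b65b9a91c14309fd46ea72712049728227c38e9c1c672f48662563662675"),
    (rf"{CRYPTNET}\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464",
     "58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5"),
    (rf"{CRYPTNET}\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA",
     "a6b9345209b4638d4ed95d6f55cccbb974ee2ceeac34a778791c9595dbdfed35"),
    (BUILD3, "fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408"),
    (MSTSCA, "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
]

# Public IP-lookup service seen in the table (the report's "Looks up external IP
# address via web service" signature): worth logging, but not attacker infrastructure.
IP_LOOKUP_SERVICES: Set[str] = {"api.2ip.ua"}
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()  # digest of zero bytes


def network_iocs(rows: List[Tuple[str, str, str, str]]) -> Dict[str, List[str]]:
    """Map each contacted domain to the ip:port endpoints actually connected to.

    Queries to the resolver (port 53) and reverse lookups (in-addr.arpa) are the
    sandbox's DNS chatter, not the sample's infrastructure, so they are skipped.
    """
    endpoints: Dict[str, Set[str]] = {}
    for _country, dest, domain, _proto in rows:
        if dest.endswith(":53") or domain.endswith(".in-addr.arpa"):
            continue
        endpoints.setdefault(domain, set()).add(dest)
    return {domain: sorted(dests) for domain, dests in sorted(endpoints.items())}


def hunt_domains(iocs: Dict[str, List[str]]) -> List[str]:
    """Domains to block or hunt for, with known third-party lookup services set aside."""
    return [domain for domain in iocs if domain not in IP_LOOKUP_SERVICES]


def file_triage(files: List[Tuple[str, str]], sample_sha256: str) -> Dict[str, str]:
    """Give each dropped-file record a verdict a responder can act on."""
    verdicts: Dict[str, str] = {}
    for path, sha256 in files:
        if sha256 == sample_sha256:
            verdicts[path] = "self-copy of the submitted sample"
        elif sha256 == EMPTY_SHA256:
            verdicts[path] = "zero-byte capture: digest of empty input, not an indicator"
        elif "\\CryptnetUrlCache\\" in path:
            verdicts[path] = "Windows certificate/CRL cache, OS noise"
        else:
            verdicts[path] = "second-stage payload: pivot on this hash"
    return verdicts


if __name__ == "__main__":
    iocs = network_iocs(NETWORK)
    for domain, dests in iocs.items():
        print(f"{domain:14s} {', '.join(dests)}")
    print("hunt:", hunt_domains(iocs))
    for path, verdict in file_triage(FILES, SAMPLE_SHA256).items():
        print(f"{verdict:55s} {path}")
```

The split between `network_iocs` and `hunt_domains` is deliberate: the full endpoint map is what you keep for the case file, while the hunt list is what goes into a blocklist, and the IP-lookup service belongs in the first but not the second.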