Malware Analysis Report

2024-10-23 16:23

Sample ID 240521-pee4nadc79
Target f352876b06c96492e19d04561c4445fff1e102451655245585bc96db8a7da3b0
SHA256 f352876b06c96492e19d04561c4445fff1e102451655245585bc96db8a7da3b0
Tags
djvu discovery persistence ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f352876b06c96492e19d04561c4445fff1e102451655245585bc96db8a7da3b0

Threat Level: Known bad

The file f352876b06c96492e19d04561c4445fff1e102451655245585bc96db8a7da3b0 was found to be: Known bad.

Malicious Activity Summary

djvu discovery persistence ransomware

Detected Djvu ransomware

Djvu Ransomware

Checks computer location settings

Modifies file permissions

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-21 12:14

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-21 12:14

Reported

2024-05-21 12:16

Platform

win10v2004-20240508-en

Max time kernel

141s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f352876b06c96492e19d04561c4445fff1e102451655245585bc96db8a7da3b0.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A (15 identical rows in the original export, none carrying an indicator, process or target)

Djvu Ransomware

ransomware djvu

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\f352876b06c96492e19d04561c4445fff1e102451655245585bc96db8a7da3b0.exe N/A

Reading HKCU\Control Panel\International\Geo\Nation returns the user's configured country. Taken together with the external geolocation lookup against api.2ip.ua recorded below, this is consistent with STOP/Djvu's documented habit of refusing to encrypt machines located in certain (mostly CIS) countries, so the sample may behave differently under such a locale.

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

The change is made through a child icacls.exe rather than a direct security API call; the exact command line is recorded under Processes below.

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\de6d7c77-a6c5-4aad-9aee-3f9bbefbeeb8\\f352876b06c96492e19d04561c4445fff1e102451655245585bc96db8a7da3b0.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\f352876b06c96492e19d04561c4445fff1e102451655245585bc96db8a7da3b0.exe N/A

The value name SysHelper, a copy of the sample in %LOCALAPPDATA%\<random GUID>\, and the --AutoStart argument are the persistence pattern STOP/Djvu has used consistently. The GUID folder differs per run (compare behavioral2), so hunt on the value name and the --AutoStart argument rather than on the path.

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Identical rows are collapsed; the count in parentheses is the number of rows in the original export.

Description Indicator Process Target
PID 4564 wrote to memory of 4136 (10 rows) N/A C:\Users\Admin\AppData\Local\Temp\f352876b06c96492e19d04561c4445fff1e102451655245585bc96db8a7da3b0.exe C:\Users\Admin\AppData\Local\Temp\f352876b06c96492e19d04561c4445fff1e102451655245585bc96db8a7da3b0.exe
PID 4136 wrote to memory of 1504 (3 rows) N/A C:\Users\Admin\AppData\Local\Temp\f352876b06c96492e19d04561c4445fff1e102451655245585bc96db8a7da3b0.exe C:\Windows\SysWOW64\icacls.exe
PID 4136 wrote to memory of 1716 (3 rows) N/A C:\Users\Admin\AppData\Local\Temp\f352876b06c96492e19d04561c4445fff1e102451655245585bc96db8a7da3b0.exe C:\Users\Admin\AppData\Local\Temp\f352876b06c96492e19d04561c4445fff1e102451655245585bc96db8a7da3b0.exe
PID 1716 wrote to memory of 1212 (10 rows) N/A C:\Users\Admin\AppData\Local\Temp\f352876b06c96492e19d04561c4445fff1e102451655245585bc96db8a7da3b0.exe C:\Users\Admin\AppData\Local\Temp\f352876b06c96492e19d04561c4445fff1e102451655245585bc96db8a7da3b0.exe

Three writes into a freshly created child is what an ordinary CreateProcess typically produces on this sandbox (the loader filling in the new process), so the launches of icacls.exe and of 1716 look normal. Ten writes into a child that runs the parent's own image, together with the "Suspicious use of SetThreadContext" signature in the summary, is the process-hollowing sequence (create suspended, overwrite the image, set the thread context, resume): 4564 hollows 4136, and 1716 hollows 1212.

Processes

Process tree (parent/child relations and PIDs follow the WriteProcessMemory table above; each entry gives the image path, then the command line):

4564 C:\Users\Admin\AppData\Local\Temp\f352876b06c96492e19d04561c4445fff1e102451655245585bc96db8a7da3b0.exe
     "C:\Users\Admin\AppData\Local\Temp\f352876b06c96492e19d04561c4445fff1e102451655245585bc96db8a7da3b0.exe"

  4136 C:\Users\Admin\AppData\Local\Temp\f352876b06c96492e19d04561c4445fff1e102451655245585bc96db8a7da3b0.exe
       "C:\Users\Admin\AppData\Local\Temp\f352876b06c96492e19d04561c4445fff1e102451655245585bc96db8a7da3b0.exe"
       (same image and arguments as its parent; the hollowed second stage, see the 10 writes above)

    1504 C:\Windows\SysWOW64\icacls.exe
         icacls "C:\Users\Admin\AppData\Local\de6d7c77-a6c5-4aad-9aee-3f9bbefbeeb8" /deny *S-1-1-0:(OI)(CI)(DE,DC)

    1716 C:\Users\Admin\AppData\Local\Temp\f352876b06c96492e19d04561c4445fff1e102451655245585bc96db8a7da3b0.exe
         "C:\Users\Admin\AppData\Local\Temp\f352876b06c96492e19d04561c4445fff1e102451655245585bc96db8a7da3b0.exe" --Admin IsNotAutoStart IsNotTask

      1212 C:\Users\Admin\AppData\Local\Temp\f352876b06c96492e19d04561c4445fff1e102451655245585bc96db8a7da3b0.exe
           "C:\Users\Admin\AppData\Local\Temp\f352876b06c96492e19d04561c4445fff1e102451655245585bc96db8a7da3b0.exe" --Admin IsNotAutoStart IsNotTask
           (hollowed again by 1716, see the 10 writes above)

On the icacls command line, *S-1-1-0 is the well-known Everyone SID, (OI)(CI) make the entry inherit to files and subfolders, and (DE,DC) denies Delete and Delete Child. The copy dropped into that folder therefore cannot be deleted by any account until the deny entry is removed, so cleanup has to repair the ACL before removing the file and the SysHelper Run value. The relaunch with --Admin IsNotAutoStart IsNotTask is, in STOP/Djvu's known flow, the sample re-executing itself with a request for elevation; whether the sandbox granted it is not recorded here.

Network

The 8.8.8.8 rows are the sandbox resolver, the *.in-addr.arpa rows are reverse lookups of addresses already contacted and carry no indicator of their own, and www.bing.com / tse1.mm.bing.net are Windows background traffic on this image. The traffic attributable to the sample itself is the HTTPS geolocation lookup against api.2ip.ua and the plain-HTTP connections to sdfjhuz.com and cajgtus.com, for which the export records no URIs or response data.

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 220.139.67.172.in-addr.arpa udp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 sdfjhuz.com udp
US 8.8.8.8:53 cajgtus.com udp
BR 189.61.54.32:80 cajgtus.com tcp
US 8.8.8.8:53 216.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
AZ 185.18.245.58:80 sdfjhuz.com tcp
BR 189.61.54.32:80 cajgtus.com tcp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 32.54.61.189.in-addr.arpa udp
US 8.8.8.8:53 58.245.18.185.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
NL 23.62.61.88:443 www.bing.com tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 88.61.62.23.in-addr.arpa udp
BR 189.61.54.32:80 cajgtus.com tcp
BR 189.61.54.32:80 cajgtus.com tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
BR 189.61.54.32:80 cajgtus.com tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp

Files

The copy dropped under C:\Users\Admin\AppData\Local\de6d7c77-a6c5-4aad-9aee-3f9bbefbeeb8\ has exactly the same MD5, SHA1 and SHA256 as the submitted sample, so the sample hash alone is enough to find the persisted copy on disk. The CryptnetUrlCache entries are Windows CryptoAPI's certificate and revocation cache, filled as a side effect of the HTTPS connections, and are not attacker artifacts. The memory dumps from 4136 and 1212 all cover 0x00400000-0x00537000, the image region into which the second stage was written; those are the dumps to take to static analysis and YARA.

memory/4564-1-0x0000000003FE0000-0x0000000004078000-memory.dmp

memory/4564-2-0x0000000004090000-0x00000000041AB000-memory.dmp

memory/4136-3-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4136-4-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4136-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4136-6-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\de6d7c77-a6c5-4aad-9aee-3f9bbefbeeb8\f352876b06c96492e19d04561c4445fff1e102451655245585bc96db8a7da3b0.exe

MD5 be321c572727e800755c4b8a1259dbd0
SHA1 a7977c6c83b51f2caa7ee89b5afdbf2c5ddf3cdb
SHA256 f352876b06c96492e19d04561c4445fff1e102451655245585bc96db8a7da3b0
SHA512 258a831243ac3121368333488cfae24ae2572d94fc739238e56e4b67d69420a2ce7ca9a6645c634ab7d91040b196ad2850309df2885f1d2976b49d6de5a4703d

memory/4136-19-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1212-22-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 df80f9ba75076db634761b6132e0d4e3
SHA1 07983946fb660752c7cccb2ef82d01ec4c9ecc5d
SHA256 d5ff96fd8b416de93a85783192206224cf8821c240cd8ff755f2e8270153dd99
SHA512 4ec734c5d29e9ce00b00e42b627253195e8c7a158433fedfcee428e692a6501981c33d7c8a39235f8b691f087145cdbe660b430493edbeedb12588c5cdd5a66a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 80119f81e2051d052f9e5a260260bd44
SHA1 c378ba712fbc0ce038990a220a195b3bcae0ef1f
SHA256 09357c4e87513815afd7e10de91d6d15fab6d187843c8cb59ae9660ae4a0f8f0
SHA512 6d51e17f4d13d66f5ecd07f0cdfd57ea549c31a52744c8e77f354adc5da01566a0091abba073b7ffb747d4d6a06068d4b228761e3032ad376265def9feade896

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 e9dbef1bfa5823f9e4f1c48545e0e05b
SHA1 ae053f0aa40e3a5546e7c248afd603ea67fcfbaf
SHA256 e556ef7c642486cc00e2906ee58ab1f45e13689aeff734a28ebd74a6eba92391
SHA512 d4afc7378d5a67a79645a81e6e3321167bad007428068a88eb262d857e56fbe10b29502299b5895ae213d772f0b239b524946c507cf92a4db5a2a7f72fd44299

memory/1212-28-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1212-27-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1212-29-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1212-32-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1212-35-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1212-34-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1212-36-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1212-37-0x0000000000400000-0x0000000000537000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-21 12:14

Reported

2024-05-21 12:16

Platform

win11-20240426-en

Max time kernel

146s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f352876b06c96492e19d04561c4445fff1e102451655245585bc96db8a7da3b0.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A (15 identical rows in the original export, none carrying an indicator, process or target)

Djvu Ransomware

ransomware djvu

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\084cf14c-1a51-4828-a8a2-657aaa667a58\\f352876b06c96492e19d04561c4445fff1e102451655245585bc96db8a7da3b0.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\f352876b06c96492e19d04561c4445fff1e102451655245585bc96db8a7da3b0.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Identical rows are collapsed; the count in parentheses is the number of rows in the original export.

Description Indicator Process Target
PID 3396 wrote to memory of 716 (10 rows) N/A C:\Users\Admin\AppData\Local\Temp\f352876b06c96492e19d04561c4445fff1e102451655245585bc96db8a7da3b0.exe C:\Users\Admin\AppData\Local\Temp\f352876b06c96492e19d04561c4445fff1e102451655245585bc96db8a7da3b0.exe
PID 716 wrote to memory of 3744 (3 rows) N/A C:\Users\Admin\AppData\Local\Temp\f352876b06c96492e19d04561c4445fff1e102451655245585bc96db8a7da3b0.exe C:\Windows\SysWOW64\icacls.exe
PID 716 wrote to memory of 1972 (3 rows) N/A C:\Users\Admin\AppData\Local\Temp\f352876b06c96492e19d04561c4445fff1e102451655245585bc96db8a7da3b0.exe C:\Users\Admin\AppData\Local\Temp\f352876b06c96492e19d04561c4445fff1e102451655245585bc96db8a7da3b0.exe
PID 1972 wrote to memory of 4324 (10 rows) N/A C:\Users\Admin\AppData\Local\Temp\f352876b06c96492e19d04561c4445fff1e102451655245585bc96db8a7da3b0.exe C:\Users\Admin\AppData\Local\Temp\f352876b06c96492e19d04561c4445fff1e102451655245585bc96db8a7da3b0.exe

The same shape as behavioral1 on Windows 11: three writes per ordinary child launch, ten writes into a child running the parent's own image where the parent hollows it (3396 hollows 716, 1972 hollows 4324).
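Added example (not sandbox output): a small parser that turns rows of the form "PID X wrote to memory of Y" into a process tree and flags the parent-to-child edges that look like self-injection. It serves both WriteProcessMemory tables on this page; the rows embedded below are constructed from the behavioral2 table, and the behavioral1 table parses the same way. The baseline of three writes per ordinary CreateProcess is an assumption about how this sandbox counts the loader's own writes, not something the report states.

```python
"""Reconstruct a process tree from sandbox 'wrote to memory of' rows and flag
parent->child edges that look like process hollowing.

Added example for this report, not Triage output. Rows are constructed from the
behavioral2 WriteProcessMemory table; the three-writes-per-CreateProcess
baseline is an assumption."""
import re
from collections import Counter, defaultdict

# Constructed input: one entry per row of the report's table, reduced to
# "PID <src> wrote to memory of <dst> <src image> <dst image>".
SAMPLE = "f352876b06c96492e19d04561c4445fff1e102451655245585bc96db8a7da3b0.exe"
ROWS = [
    *[f"PID 3396 wrote to memory of 716 {SAMPLE} {SAMPLE}"] * 10,
    *[f"PID 716 wrote to memory of 3744 {SAMPLE} icacls.exe"] * 3,
    *[f"PID 716 wrote to memory of 1972 {SAMPLE} {SAMPLE}"] * 3,
    *[f"PID 1972 wrote to memory of 4324 {SAMPLE} {SAMPLE}"] * 10,
]

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\S+) (\S+)$")

# Assumption: a plain CreateProcess shows up as exactly this many writes (the
# loader filling in the child's parameters). More than this means the parent
# kept writing into the child after creating it.
CREATEPROCESS_BASELINE = 3


def parse_rows(rows):
    """Return {(src_pid, dst_pid): (write_count, src_image, dst_image)}."""
    images = {}
    counts = Counter()
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            raise ValueError(f"unparsed row: {row!r}")
        src, dst = int(m[1]), int(m[2])
        counts[(src, dst)] += 1
        images[(src, dst)] = (m[3], m[4])
    return {k: (counts[k], *v) for k, v in images.items()}


def flag_self_injection(edges, baseline=CREATEPROCESS_BASELINE):
    """Edges where the child runs the parent's own image and the parent wrote
    into it more often than process creation alone explains."""
    return sorted(
        (src, dst)
        for (src, dst), (n, src_img, dst_img) in edges.items()
        if src_img == dst_img and n > baseline
    )


def render_tree(edges):
    """Indented text tree rooted at every PID that is never a child."""
    children = defaultdict(list)
    images = {}
    for (src, dst), (n, src_img, dst_img) in edges.items():
        children[src].append((dst, n))
        images.setdefault(src, src_img)
        images[dst] = dst_img
    parents = {dst for (_, dst) in edges}
    roots = sorted(p for p in children if p not in parents)
    lines = []

    def walk(pid, depth, n):
        tag = f" ({n} writes)" if n else ""
        lines.append(f"{'  ' * depth}{pid} {images[pid]}{tag}")
        for child, cnt in sorted(children.get(pid, [])):
            walk(child, depth + 1, cnt)

    for r in roots:
        walk(r, 0, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    edges = parse_rows(ROWS)
    print(render_tree(edges))
    print("probable hollowing:", flag_self_injection(edges))
```

Run as-is it prints the tree with write counts on each edge and reports (1972, 4324) and (3396, 716) as probable hollowing, while the three-write launches of icacls.exe and of 1972 stay unflagged; point ROWS at the behavioral1 rows to get 4564/4136 and 1716/1212 instead.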

Processes

Process tree (parent/child relations and PIDs follow the WriteProcessMemory table above; each entry gives the image path, then the command line):

3396 C:\Users\Admin\AppData\Local\Temp\f352876b06c96492e19d04561c4445fff1e102451655245585bc96db8a7da3b0.exe
     "C:\Users\Admin\AppData\Local\Temp\f352876b06c96492e19d04561c4445fff1e102451655245585bc96db8a7da3b0.exe"

  716 C:\Users\Admin\AppData\Local\Temp\f352876b06c96492e19d04561c4445fff1e102451655245585bc96db8a7da3b0.exe
      "C:\Users\Admin\AppData\Local\Temp\f352876b06c96492e19d04561c4445fff1e102451655245585bc96db8a7da3b0.exe"
      (hollowed second stage, see the 10 writes above)

    3744 C:\Windows\SysWOW64\icacls.exe
         icacls "C:\Users\Admin\AppData\Local\084cf14c-1a51-4828-a8a2-657aaa667a58" /deny *S-1-1-0:(OI)(CI)(DE,DC)

    1972 C:\Users\Admin\AppData\Local\Temp\f352876b06c96492e19d04561c4445fff1e102451655245585bc96db8a7da3b0.exe
         "C:\Users\Admin\AppData\Local\Temp\f352876b06c96492e19d04561c4445fff1e102451655245585bc96db8a7da3b0.exe" --Admin IsNotAutoStart IsNotTask

      4324 C:\Users\Admin\AppData\Local\Temp\f352876b06c96492e19d04561c4445fff1e102451655245585bc96db8a7da3b0.exe
           "C:\Users\Admin\AppData\Local\Temp\f352876b06c96492e19d04561c4445fff1e102451655245585bc96db8a7da3b0.exe" --Admin IsNotAutoStart IsNotTask
           (hollowed again by 1972, see the 10 writes above)

The icacls command is identical to behavioral1 apart from the randomly generated folder name: Everyone (*S-1-1-0) is denied Delete and Delete Child, inherited to files and subfolders, so the dropped copy cannot be removed until that deny entry is cleared.

Network

On the Windows 11 image the Bing background traffic is absent and only the sample's own destinations remain: the api.2ip.ua geolocation lookup over HTTPS and plain-HTTP connections to sdfjhuz.com and cajgtus.com. cajgtus.com resolves to 84.252.15.104 here but to 189.61.54.32 in behavioral1, so block and hunt on the domain rather than on either address.

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 24.65.21.104.in-addr.arpa udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
BG 84.252.15.104:80 cajgtus.com tcp
AZ 185.18.245.58:80 sdfjhuz.com tcp
BG 84.252.15.104:80 cajgtus.com tcp
BG 84.252.15.104:80 cajgtus.com tcp
BG 84.252.15.104:80 cajgtus.com tcp
BG 84.252.15.104:80 cajgtus.com tcp
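Added example, not part of the sandbox report: detection logic for the behaviours recorded in the Signatures, Processes and Network sections of both behavioral runs, run over constructed host telemetry. The events are hand-built in a Sysmon-like shape (EventID 1 process create, 13 registry value set, 22 DNS query) with the command lines, registry value and domain copied from behavioral2; the field names follow Sysmon but the records are constructed, not real logs, and the two-rule threshold for a high-confidence verdict is a choice made here.

```python
"""Match host telemetry against the STOP/Djvu behaviours this report records.

Added example for this report, not sandbox output. Events are constructed in a
Sysmon-like shape; the indicators come from the behavioral2 section."""
import re

GUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
# A path component %LOCALAPPDATA%\<GUID> followed by a backslash, a closing
# quote or the end of the string.
LOCAL_GUID_DIR = re.compile(r"\\AppData\\Local\\" + GUID + r"(\\|\"|$)", re.I)

# (rule name, Sysmon EventID it applies to, predicate over one event).
# Any single hit is a lead; two or more distinct hits on one host is treated
# as high confidence (threshold chosen here, not taken from the report).
RULES = [
    ("icacls deny-delete on %LOCALAPPDATA%\\<GUID>", 1,
     lambda e: e["Image"].lower().endswith("\\icacls.exe")
     and "/deny *s-1-1-0:(oi)(ci)(de,dc)" in e["CommandLine"].lower()
     and LOCAL_GUID_DIR.search(e["CommandLine"]) is not None),
    ("Run value SysHelper with --AutoStart", 13,
     lambda e: e["TargetObject"].lower().endswith(
         "\\software\\microsoft\\windows\\currentversion\\run\\syshelper")
     and "--autostart" in e["Details"].lower()
     and LOCAL_GUID_DIR.search(e["Details"]) is not None),
    ("self-relaunch with --Admin IsNotAutoStart IsNotTask", 1,
     lambda e: "--admin isnotautostart isnottask" in e["CommandLine"].lower()
     and e["Image"].lower() == e["ParentImage"].lower()),
    ("geolocation lookup via api.2ip.ua", 22,
     lambda e: e["QueryName"].lower() == "api.2ip.ua"),
]

# Constructed events. WS1 reproduces behavioral2; WS2 is benign admin activity
# that happens to use the same tool and the same geolocation service.
EXE = r"C:\Users\Admin\AppData\Local\Temp\f352876b06c96492e19d04561c4445fff1e102451655245585bc96db8a7da3b0.exe"
DROP_DIR = r"C:\Users\Admin\AppData\Local\084cf14c-1a51-4828-a8a2-657aaa667a58"
EVENTS = [
    {"Host": "WS1", "EventID": 22, "QueryName": "api.2ip.ua"},
    {"Host": "WS1", "EventID": 1, "Image": r"C:\Windows\SysWOW64\icacls.exe",
     "ParentImage": EXE,
     "CommandLine": f'icacls "{DROP_DIR}" /deny *S-1-1-0:(OI)(CI)(DE,DC)'},
    {"Host": "WS1", "EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-3062789476-783164490-2318012559-1000"
                     r"\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper",
     "Details": f'"{DROP_DIR}\\{EXE.rsplit(chr(92), 1)[1]}" --AutoStart'},
    {"Host": "WS1", "EventID": 1, "Image": EXE, "ParentImage": EXE,
     "CommandLine": f'"{EXE}" --Admin IsNotAutoStart IsNotTask'},
    {"Host": "WS2", "EventID": 1, "Image": r"C:\Windows\System32\icacls.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'icacls "D:\Shares\Finance" /deny *S-1-1-0:(OI)(CI)(DE,DC)'},
    {"Host": "WS2", "EventID": 22, "QueryName": "api.2ip.ua"},
]


def evaluate(events, rules=RULES):
    """Return {host: [distinct rule names hit, in the order first seen]}."""
    hits = {}
    for e in events:
        for name, eid, pred in rules:
            if e["EventID"] == eid and pred(e):
                names = hits.setdefault(e["Host"], [])
                if name not in names:
                    names.append(name)
    return hits


def verdicts(events, threshold=2):
    """Hosts with at least `threshold` distinct rule hits."""
    return sorted(h for h, names in evaluate(events).items()
                  if len(names) >= threshold)


# Cleanup on a confirmed host is not automated here: remove the deny entry with
# icacls <dir> /remove:d *S-1-1-0, then delete the copy and the SysHelper value.
if __name__ == "__main__":
    for host, names in evaluate(EVENTS).items():
        print(host, "->", "; ".join(names))
    print("high-confidence:", verdicts(EVENTS))
```

WS1 trips all four rules and is reported; WS2, where an administrator ran the same icacls deny on a share and something looked up its public address, trips only the api.2ip.ua rule and stays a lead. The icacls rule deliberately requires the %LOCALAPPDATA%\<GUID> target, because the deny syntax on its own is legitimate administration.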

Files

As in behavioral1, the copy dropped under C:\Users\Admin\AppData\Local\084cf14c-1a51-4828-a8a2-657aaa667a58\ is byte-identical to the submitted sample (same MD5, SHA1 and SHA256), the CryptnetUrlCache entries are Windows CryptoAPI's certificate and revocation cache rather than attacker artifacts, and the dumps from 716 and 4324 cover the 0x00400000-0x00537000 region into which the second stage was written.

memory/3396-1-0x00000000040E0000-0x0000000004174000-memory.dmp

memory/3396-2-0x0000000004210000-0x000000000432B000-memory.dmp

memory/716-3-0x0000000000400000-0x0000000000537000-memory.dmp

memory/716-4-0x0000000000400000-0x0000000000537000-memory.dmp

memory/716-6-0x0000000000400000-0x0000000000537000-memory.dmp

memory/716-5-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\084cf14c-1a51-4828-a8a2-657aaa667a58\f352876b06c96492e19d04561c4445fff1e102451655245585bc96db8a7da3b0.exe

MD5 be321c572727e800755c4b8a1259dbd0
SHA1 a7977c6c83b51f2caa7ee89b5afdbf2c5ddf3cdb
SHA256 f352876b06c96492e19d04561c4445fff1e102451655245585bc96db8a7da3b0
SHA512 258a831243ac3121368333488cfae24ae2572d94fc739238e56e4b67d69420a2ce7ca9a6645c634ab7d91040b196ad2850309df2885f1d2976b49d6de5a4703d

memory/716-19-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4324-22-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 df80f9ba75076db634761b6132e0d4e3
SHA1 07983946fb660752c7cccb2ef82d01ec4c9ecc5d
SHA256 d5ff96fd8b416de93a85783192206224cf8821c240cd8ff755f2e8270153dd99
SHA512 4ec734c5d29e9ce00b00e42b627253195e8c7a158433fedfcee428e692a6501981c33d7c8a39235f8b691f087145cdbe660b430493edbeedb12588c5cdd5a66a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 2674d402f1f232eebf2fac24f0f9c17f
SHA1 5b627911f70f74808489eca95a93c551c98be4e4
SHA256 e1b687daf517c5e2f6a725f49927615d85b10b934a41ca3025554a713f3d69d4
SHA512 dc17fdbca5b4d8cc8333b80290c38ecf4572b8c63e9183abd42bdbea0cb6baaf0d6a5d31c8bf06538f4444dc3d89fcd96cffeaaf4d71eafba26b72fdf7487975

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 4565cff4a30ac8a01576cc5864e81182
SHA1 2e131be96da5454dbd2ad8aa6bd16b64c09fb506
SHA256 87dec27cb778d6aa45a45ec47bc40da76ce8e3c785fca3cf3dc207a6fb7c6d85
SHA512 881dcf280c0047888ff00045b9b117f53282474380ad901e19ea2a8f3e448cfcdfb09ceabff66b3b5b69286df104004cb52bba85c9900b58ee30972dc42cdcdf

memory/4324-28-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4324-27-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4324-29-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4324-31-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4324-34-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4324-33-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4324-35-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4324-37-0x0000000000400000-0x0000000000537000-memory.dmp