Malware Analysis Report

2024-10-23 16:23

Sample ID 240521-rq4x9sha39
Target 2ce2c104c964166cf5fc95d7c855c173533bf28b7053a398bb01e757fd0d94ea.exe
SHA256 2ce2c104c964166cf5fc95d7c855c173533bf28b7053a398bb01e757fd0d94ea
Tags
djvu discovery persistence ransomware
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
10/10

SHA256

2ce2c104c964166cf5fc95d7c855c173533bf28b7053a398bb01e757fd0d94ea

Threat Level: Known bad

The file 2ce2c104c964166cf5fc95d7c855c173533bf28b7053a398bb01e757fd0d94ea.exe was found to be: Known bad.

Malicious Activity Summary

djvu discovery persistence ransomware

Detected Djvu ransomware

Djvu Ransomware

Checks computer location settings

Modifies file permissions

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-21 14:24

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-21 14:24

Reported

2024-05-21 14:27

Platform

win7-20240220-en

Max time kernel

143s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2ce2c104c964166cf5fc95d7c855c173533bf28b7053a398bb01e757fd0d94ea.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
(16 matches recorded; the export carries no description, indicator, process or target for any of them)

Djvu Ransomware

ransomware djvu

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
(the icacls command line is listed under Processes below: an inheritable deny of Delete and Delete Child for Everyone, S-1-1-0, on the folder that holds the dropped copy of the sample)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\4ce3c8b3-4d83-4eb3-997a-298492ad3f72\\2ce2c104c964166cf5fc95d7c855c173533bf28b7053a398bb01e757fd0d94ea.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\2ce2c104c964166cf5fc95d7c855c173533bf28b7053a398bb01e757fd0d94ea.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2792 wrote to memory of 2584 (11 writes) N/A C:\Users\Admin\AppData\Local\Temp\2ce2c104c964166cf5fc95d7c855c173533bf28b7053a398bb01e757fd0d94ea.exe C:\Users\Admin\AppData\Local\Temp\2ce2c104c964166cf5fc95d7c855c173533bf28b7053a398bb01e757fd0d94ea.exe
PID 2584 wrote to memory of 2692 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\2ce2c104c964166cf5fc95d7c855c173533bf28b7053a398bb01e757fd0d94ea.exe C:\Windows\SysWOW64\icacls.exe
PID 2584 wrote to memory of 2424 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\2ce2c104c964166cf5fc95d7c855c173533bf28b7053a398bb01e757fd0d94ea.exe C:\Users\Admin\AppData\Local\Temp\2ce2c104c964166cf5fc95d7c855c173533bf28b7053a398bb01e757fd0d94ea.exe
PID 2424 wrote to memory of 2568 (11 writes) N/A C:\Users\Admin\AppData\Local\Temp\2ce2c104c964166cf5fc95d7c855c173533bf28b7053a398bb01e757fd0d94ea.exe C:\Users\Admin\AppData\Local\Temp\2ce2c104c964166cf5fc95d7c855c173533bf28b7053a398bb01e757fd0d94ea.exe

Processes

PIDs and nesting below follow the WriteProcessMemory entries above; indentation shows the parent.

PID 2792  C:\Users\Admin\AppData\Local\Temp\2ce2c104c964166cf5fc95d7c855c173533bf28b7053a398bb01e757fd0d94ea.exe
          "C:\Users\Admin\AppData\Local\Temp\2ce2c104c964166cf5fc95d7c855c173533bf28b7053a398bb01e757fd0d94ea.exe"

  PID 2584  C:\Users\Admin\AppData\Local\Temp\2ce2c104c964166cf5fc95d7c855c173533bf28b7053a398bb01e757fd0d94ea.exe
            "C:\Users\Admin\AppData\Local\Temp\2ce2c104c964166cf5fc95d7c855c173533bf28b7053a398bb01e757fd0d94ea.exe"

    PID 2692  C:\Windows\SysWOW64\icacls.exe
              icacls "C:\Users\Admin\AppData\Local\4ce3c8b3-4d83-4eb3-997a-298492ad3f72" /deny *S-1-1-0:(OI)(CI)(DE,DC)

    PID 2424  C:\Users\Admin\AppData\Local\Temp\2ce2c104c964166cf5fc95d7c855c173533bf28b7053a398bb01e757fd0d94ea.exe
              "C:\Users\Admin\AppData\Local\Temp\2ce2c104c964166cf5fc95d7c855c173533bf28b7053a398bb01e757fd0d94ea.exe" --Admin IsNotAutoStart IsNotTask

      PID 2568  C:\Users\Admin\AppData\Local\Temp\2ce2c104c964166cf5fc95d7c855c173533bf28b7053a398bb01e757fd0d94ea.exe
                "C:\Users\Admin\AppData\Local\Temp\2ce2c104c964166cf5fc95d7c855c173533bf28b7053a398bb01e757fd0d94ea.exe" --Admin IsNotAutoStart IsNotTask
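The command lines above, together with the SysHelper Run value in the Signatures section, are the parts of this run that translate directly into detection logic: icacls denying Everyone (S-1-1-0) the Delete (DE) and Delete Child (DC) rights, inheritable via (OI)(CI), on the GUID-named folder the sample copied itself into, and the `--Admin IsNotAutoStart IsNotTask` / `--AutoStart` launch arguments. The Python below is an added example and not part of the sandbox report or of any vendor tool: it parses those three artefacts (copied from this section as constructed input) into structured findings. Treating a deny-Everyone-delete ACE on a user-writable folder as self-protection, and the GUID-folder check, are this example's own heuristics.

```python
import re
from typing import Optional

# Constructed sample input: three lines copied from the behavioral1 run of this
# report (the icacls command line, one child command line and the Run-key write).
DROP_DIR = r"C:\Users\Admin\AppData\Local\4ce3c8b3-4d83-4eb3-997a-298492ad3f72"
SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\2ce2c104c964166cf5fc95d7c855c173533bf28b7053a398bb01e757fd0d94ea.exe")
SAMPLE_LINES = [
    f'icacls "{DROP_DIR}" /deny *S-1-1-0:(OI)(CI)(DE,DC)',
    f'"{SAMPLE_EXE}" --Admin IsNotAutoStart IsNotTask',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000'
    r'\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = '
    r'"\"C:\\Users\\Admin\\AppData\\Local\\4ce3c8b3-4d83-4eb3-997a-298492ad3f72\\'
    r'2ce2c104c964166cf5fc95d7c855c173533bf28b7053a398bb01e757fd0d94ea.exe\" --AutoStart"',
]

# icacls abbreviations (documented icacls syntax) and the one SID this report uses.
ICACLS_RIGHTS = {"DE": "delete", "DC": "delete child"}
ICACLS_INHERIT = {"OI": "object inherit", "CI": "container inherit",
                  "IO": "inherit only", "NP": "no propagate"}
WELL_KNOWN_SIDS = {"S-1-1-0": "Everyone"}
# Launch arguments seen in this report's process list and Run value.
DJVU_ARGS = {"--Admin", "--AutoStart", "IsNotAutoStart", "IsNotTask"}

GUID_DIR_RE = re.compile(
    r"\\AppData\\Local\\[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}(\\|$)", re.I)
ICACLS_RE = re.compile(
    r'^icacls\s+"(?P<path>[^"]+)"\s+/(?P<action>deny|grant)\s+\*?(?P<sid>S-[\d-]+):(?P<aces>\S+)$')
RUNKEY_RE = re.compile(
    r'^Set value \(str\) (?P<key>\\REGISTRY\\USER\\\S+\\CurrentVersion\\Run\\(?P<name>\S+)) = "(?P<value>.*)"$')
CMDLINE_RE = re.compile(r'^"(?P<image>[^"]+)"\s*(?P<args>.*)$')


def parse_icacls(line: str) -> Optional[dict]:
    """Break an icacls /deny|/grant command into path, principal, inheritance and rights."""
    m = ICACLS_RE.match(line)
    if not m:
        return None
    parts = re.findall(r"\(([^)]+)\)", m["aces"])          # e.g. ['OI', 'CI', 'DE,DC']
    inherit = [ICACLS_INHERIT[p] for p in parts if p in ICACLS_INHERIT]
    rights = [ICACLS_RIGHTS.get(r, r) for p in parts if p not in ICACLS_INHERIT for r in p.split(",")]
    return {"path": m["path"], "action": m["action"], "sid": m["sid"],
            "principal": WELL_KNOWN_SIDS.get(m["sid"], m["sid"]),
            "inheritance": inherit, "rights": rights}


def parse_run_key(line: str) -> Optional[dict]:
    """Parse a sandbox 'Set value (str) ...\\Run\\<name> = "<cmd>"' line into image and args."""
    m = RUNKEY_RE.match(line)
    if not m:
        return None
    cmd = re.sub(r"\\(.)", r"\1", m["value"])               # undo the report's \" and \\ escaping
    c = CMDLINE_RE.match(cmd)
    return {"key": m["key"], "name": m["name"], "command": cmd,
            "image": c["image"] if c else cmd, "args": c["args"].strip() if c else ""}


def triage(lines):
    """Turn command lines and registry writes into findings; lines that match nothing are ignored."""
    findings = []
    for line in lines:
        acl = parse_icacls(line)
        if acl:
            # Heuristic (this example's own): denying Everyone delete rights on a
            # user-writable folder shields the folder's contents from removal.
            if (acl["action"] == "deny" and acl["sid"] == "S-1-1-0"
                    and set(acl["rights"]) & {"delete", "delete child"}):
                findings.append({"kind": "self_protecting_folder", "path": acl["path"],
                                 "guid_folder": bool(GUID_DIR_RE.search(acl["path"]))})
            continue
        rk = parse_run_key(line)
        if rk:
            findings.append({"kind": "run_key_persistence", "name": rk["name"],
                             "image": rk["image"], "args": rk["args"],
                             "guid_folder": bool(GUID_DIR_RE.search(rk["image"]))})
            continue
        c = CMDLINE_RE.match(line)
        if c and DJVU_ARGS & set(c["args"].split()):
            findings.append({"kind": "djvu_launch_args", "image": c["image"],
                             "args": c["args"].split()})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LINES):
        print(finding)
```

The same parsers apply unchanged to the behavioral2 run, where only the GUID folder name and the user SID differ; anything that emits command lines and registry writes in this layout (the sandbox export, or a Sysmon event 1 / event 13 feed reshaped into these strings) can be fed to `triage()`.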

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 188.114.96.2:443 api.2ip.ua tcp
US 188.114.96.2:443 api.2ip.ua tcp
US 8.8.8.8:53 cajgtus.com udp
KW 62.150.232.50:80 cajgtus.com tcp
KW 62.150.232.50:80 cajgtus.com tcp
KW 62.150.232.50:80 cajgtus.com tcp
KW 62.150.232.50:80 cajgtus.com tcp

Files

memory/2792-0-0x0000000000220000-0x00000000002B2000-memory.dmp

memory/2792-1-0x0000000000220000-0x00000000002B2000-memory.dmp

memory/2584-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2792-6-0x0000000000220000-0x00000000002B2000-memory.dmp

memory/2584-8-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2792-7-0x0000000001D40000-0x0000000001E5B000-memory.dmp

memory/2584-2-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2584-9-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\4ce3c8b3-4d83-4eb3-997a-298492ad3f72\2ce2c104c964166cf5fc95d7c855c173533bf28b7053a398bb01e757fd0d94ea.exe
(same MD5, SHA1, SHA256 and SHA512 as the submitted sample: the binary copies itself unmodified into the GUID-named folder that icacls then locks and that the SysHelper Run value points at)

MD5 add437e239eba1ceabca80af38f80b56
SHA1 7d288eb76b3f0b1b3c37a020a61e97d4e43a1450
SHA256 2ce2c104c964166cf5fc95d7c855c173533bf28b7053a398bb01e757fd0d94ea
SHA512 c6447b5e35f05399efb4263db09c2e980f402c2368a06806a37684b0b248635b6f64f51587479d9fe66f833f5c44ea7a571ce7d5f5886a5eb54b6df30f9a9fd5

memory/2584-29-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2424-30-0x0000000000220000-0x00000000002B2000-memory.dmp

memory/2424-36-0x0000000000400000-0x00000000004FF000-memory.dmp

memory/2568-35-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2568-37-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 7e6fdbc8be9b4bb9134e3ab60fc31279
SHA1 5468930fca1e7d964db86a3a433a5bed12c42416
SHA256 42d5237712f420fe5f2fe0b01dec32a698c45c702ff4aa0e7aadfa842de1aeb4
SHA512 45a813666273cedff0bcfbf2adc46431f3b2d04830b7d86d4e7c7da8c352c32782d21715c8f03dddbe707e354e87c18835475f15ce586888a2f3fca92fa80489

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 df80f9ba75076db634761b6132e0d4e3
SHA1 07983946fb660752c7cccb2ef82d01ec4c9ecc5d
SHA256 d5ff96fd8b416de93a85783192206224cf8821c240cd8ff755f2e8270153dd99
SHA512 4ec734c5d29e9ce00b00e42b627253195e8c7a158433fedfcee428e692a6501981c33d7c8a39235f8b691f087145cdbe660b430493edbeedb12588c5cdd5a66a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 e525cb786e771c9374dad6a48c9f8cb0
SHA1 f314586c56f9809d94c9e80d5c86b5e50f799610
SHA256 19ff4b78afcca7ddb3a1883b99fd895f6556223dfa71276394af186811d458e1
SHA512 747228b3c6af98ceb21c2fe2912af0a48938898831ebd440f20169af24160d572e60098f996e3d6f9b6547bca6679ea7f5375a180fb437dd80d130cf5a47358b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e77247f6011c90863517471792c13c04
SHA1 8dd39772f26d3e6df687bf021f58459aded972bf
SHA256 c1f7f0c9363c390ca9cf659dccb7530f59b1b68c661272b329769ed4a4532d9a
SHA512 957ce4f5d7a8f3c73d63410af7dac2026baa750e4836182a8fabda6997de5aea1b59d0885cba86bb6e6b6f824a8bbb555ff2d96ef3888dc92a523b8b4edbff27

C:\Users\Admin\AppData\Local\Temp\Cab30D0.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

memory/2568-51-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2568-52-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2568-50-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2568-53-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2792-54-0x0000000001D40000-0x0000000001E5B000-memory.dmp

memory/2424-56-0x0000000000400000-0x00000000004FF000-memory.dmp

memory/2568-57-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2568-60-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2568-59-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2568-61-0x0000000000400000-0x0000000000537000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-21 14:24

Reported

2024-05-21 14:27

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2ce2c104c964166cf5fc95d7c855c173533bf28b7053a398bb01e757fd0d94ea.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
(18 matches recorded; the export carries no description, indicator, process or target for any of them)

Djvu Ransomware

ransomware djvu

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2ce2c104c964166cf5fc95d7c855c173533bf28b7053a398bb01e757fd0d94ea.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
(the icacls command line is listed under Processes below: an inheritable deny of Delete and Delete Child for Everyone, S-1-1-0, on the folder that holds the dropped copy of the sample)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\cc04ecdb-dce0-4606-b1d9-f7fdea64fe2a\\2ce2c104c964166cf5fc95d7c855c173533bf28b7053a398bb01e757fd0d94ea.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\2ce2c104c964166cf5fc95d7c855c173533bf28b7053a398bb01e757fd0d94ea.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1448 wrote to memory of 4596 (10 writes) N/A C:\Users\Admin\AppData\Local\Temp\2ce2c104c964166cf5fc95d7c855c173533bf28b7053a398bb01e757fd0d94ea.exe C:\Users\Admin\AppData\Local\Temp\2ce2c104c964166cf5fc95d7c855c173533bf28b7053a398bb01e757fd0d94ea.exe
PID 4596 wrote to memory of 4068 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2ce2c104c964166cf5fc95d7c855c173533bf28b7053a398bb01e757fd0d94ea.exe C:\Windows\SysWOW64\icacls.exe
PID 4596 wrote to memory of 1596 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2ce2c104c964166cf5fc95d7c855c173533bf28b7053a398bb01e757fd0d94ea.exe C:\Users\Admin\AppData\Local\Temp\2ce2c104c964166cf5fc95d7c855c173533bf28b7053a398bb01e757fd0d94ea.exe
PID 1596 wrote to memory of 440 (10 writes) N/A C:\Users\Admin\AppData\Local\Temp\2ce2c104c964166cf5fc95d7c855c173533bf28b7053a398bb01e757fd0d94ea.exe C:\Users\Admin\AppData\Local\Temp\2ce2c104c964166cf5fc95d7c855c173533bf28b7053a398bb01e757fd0d94ea.exe
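The WriteProcessMemory table above, and the matching table in behavioral1, hold enough to rebuild the process tree and to tell ordinary child launches apart from the self-injection that the "Suspicious use of SetThreadContext" signature in the overview refers to. The Python below is an added example and not part of the sandbox report: it takes the behavioral1 rows (constructed here with their repeat counts), collapses them into parent-to-child edges, rebuilds the tree and labels each edge. The baseline heuristic is this example's own, not something the sandbox asserts: a plain process launch produces a small fixed number of writes into the new child (4 on the Windows 7 run, 3 on Windows 10, the counts seen for the icacls child), so a same-image edge with far more writes (11 and 10 here) is a hollowing candidate, while the same-image edge with only the baseline count is the ordinary launch of the `--Admin` child. The memory-dump lists are consistent with that reading, since PIDs 2584 and 2568 (and 4596 and 440) carry the 0x400000-0x537000 image region while their parents carry the loader regions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input: the behavioral1 WriteProcessMemory rows of this report,
# each repeated as many times as the sandbox listed it.
EXE = (r"C:\Users\Admin\AppData\Local\Temp"
       r"\2ce2c104c964166cf5fc95d7c855c173533bf28b7053a398bb01e757fd0d94ea.exe")
ICACLS = r"C:\Windows\SysWOW64\icacls.exe"
SAMPLE_ROWS = (
    [f"PID 2792 wrote to memory of 2584 N/A {EXE} {EXE}"] * 11
    + [f"PID 2584 wrote to memory of 2692 N/A {EXE} {ICACLS}"] * 4
    + [f"PID 2584 wrote to memory of 2424 N/A {EXE} {EXE}"] * 4
    + [f"PID 2424 wrote to memory of 2568 N/A {EXE} {EXE}"] * 11
)

# Image paths in this report contain no spaces; the regex relies on that.
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) \S+ (?P<src_img>\S+) (?P<dst_img>\S+)$")


def parse_rows(rows):
    """Collapse repeated rows into one (parent, child) edge with a write count."""
    counts = Counter()
    images = {}
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        counts[(src, dst)] += 1
        images[src] = m["src_img"]
        images[dst] = m["dst_img"]
    return counts, images


def classify(counts, images):
    """Label each edge. Heuristic (this example's own): the lowest write count in the
    table is taken as the cost of a plain process launch; a parent writing clearly more
    than that into a fresh copy of its own image is a hollowing candidate."""
    if not counts:
        return {}
    baseline = min(counts.values())
    labels = {}
    for (src, dst), n in counts.items():
        same_image = images[src] == images[dst]
        if same_image and n > baseline:
            labels[(src, dst)] = "hollowing candidate (same image, %d writes > %d baseline)" % (n, baseline)
        elif same_image:
            labels[(src, dst)] = "child launch of own image"
        else:
            labels[(src, dst)] = "child launch of " + images[dst].rsplit("\\", 1)[-1]
    return labels


def build_tree(rows):
    """Return (roots, children, labels, images); roots are PIDs that nothing wrote into."""
    counts, images = parse_rows(rows)
    children = defaultdict(list)
    for (src, dst) in counts:
        children[src].append(dst)
    targets = {dst for (_, dst) in counts}
    roots = sorted(p for p in images if p not in targets)
    return roots, dict(children), classify(counts, images), images


def render(rows):
    """Indented text tree: pid, image file name, edge label."""
    roots, children, labels, images = build_tree(rows)
    out = []

    def walk(pid, depth, label):
        name = images[pid].rsplit("\\", 1)[-1]
        out.append("  " * depth + "%d  %s  %s" % (pid, name, label))
        for child in children.get(pid, []):
            walk(child, depth + 1, labels[(pid, child)])

    for root in roots:
        walk(root, 0, "root")
    return "\n".join(out)


if __name__ == "__main__":
    print(render(SAMPLE_ROWS))
```

Feeding the behavioral2 rows instead gives the same shape with PIDs 1448, 4596, 4068, 1596 and 440 and a baseline of 3. The heuristic needs at least one ordinary child in the table to establish the baseline; on a run where every child is injected into, every edge would look like the baseline and nothing would be flagged, which is why the label text always carries the counts.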

Processes

PIDs and nesting below follow the WriteProcessMemory entries above; indentation shows the parent.

PID 1448  C:\Users\Admin\AppData\Local\Temp\2ce2c104c964166cf5fc95d7c855c173533bf28b7053a398bb01e757fd0d94ea.exe
          "C:\Users\Admin\AppData\Local\Temp\2ce2c104c964166cf5fc95d7c855c173533bf28b7053a398bb01e757fd0d94ea.exe"

  PID 4596  C:\Users\Admin\AppData\Local\Temp\2ce2c104c964166cf5fc95d7c855c173533bf28b7053a398bb01e757fd0d94ea.exe
            "C:\Users\Admin\AppData\Local\Temp\2ce2c104c964166cf5fc95d7c855c173533bf28b7053a398bb01e757fd0d94ea.exe"

    PID 4068  C:\Windows\SysWOW64\icacls.exe
              icacls "C:\Users\Admin\AppData\Local\cc04ecdb-dce0-4606-b1d9-f7fdea64fe2a" /deny *S-1-1-0:(OI)(CI)(DE,DC)

    PID 1596  C:\Users\Admin\AppData\Local\Temp\2ce2c104c964166cf5fc95d7c855c173533bf28b7053a398bb01e757fd0d94ea.exe
              "C:\Users\Admin\AppData\Local\Temp\2ce2c104c964166cf5fc95d7c855c173533bf28b7053a398bb01e757fd0d94ea.exe" --Admin IsNotAutoStart IsNotTask

      PID 440  C:\Users\Admin\AppData\Local\Temp\2ce2c104c964166cf5fc95d7c855c173533bf28b7053a398bb01e757fd0d94ea.exe
               "C:\Users\Admin\AppData\Local\Temp\2ce2c104c964166cf5fc95d7c855c173533bf28b7053a398bb01e757fd0d94ea.exe" --Admin IsNotAutoStart IsNotTask

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 24.65.21.104.in-addr.arpa udp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 cajgtus.com udp
NL 23.62.61.72:443 www.bing.com tcp
IR 151.233.51.166:80 cajgtus.com tcp
US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 166.51.233.151.in-addr.arpa udp
NL 23.62.61.72:443 www.bing.com tcp
IR 151.233.51.166:80 cajgtus.com tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
IR 151.233.51.166:80 cajgtus.com tcp
IR 151.233.51.166:80 cajgtus.com tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 udp
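Only two of the names in this run's Network table are attributable to the sample; the rest is the detonation environment talking. The Python below is an added example, not part of the sandbox report or of any vendor tool: it parses rows copied from the Network tables of both runs (constructed input, including the last row that carries no domain) and separates the sample's traffic from the environment's. Which hosts count as noise is this example's assumption rather than the report's: the resolver at 8.8.8.8 and the in-addr.arpa reverse lookups are the sandbox resolving what it saw, and the bing.com/bing.net endpoints are what a Windows 10 image contacts on its own, so both are dropped; api.2ip.ua is kept apart because it is the external IP lookup the signature fired on, not command and control. Note that api.2ip.ua resolved to a different address in each run (188.114.96.2 and 104.21.65.24) and cajgtus.com moved from 62.150.232.50 (KW) to 151.233.51.166 (IR), so the domains are the durable indicators and the IPs are secondary.

```python
import re
from collections import defaultdict

# Constructed sample input: rows copied from the Network tables of both runs of this
# report (Country Destination Domain Proto), including the trailing row with no domain.
SAMPLE_ROWS = """
US 8.8.8.8:53 api.2ip.ua udp
US 188.114.96.2:443 api.2ip.ua tcp
US 8.8.8.8:53 cajgtus.com udp
KW 62.150.232.50:80 cajgtus.com tcp
KW 62.150.232.50:80 cajgtus.com tcp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.72:443 www.bing.com tcp
IR 151.233.51.166:80 cajgtus.com tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 udp
""".strip().splitlines()

ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2}) (?P<ip>[\d.]+):(?P<port>\d+)(?: (?P<domain>\S+))? (?P<proto>tcp|udp)$")

# Assumptions of this example, not statements from the report: the sandbox resolver is
# noise, Bing endpoints are background traffic of the Windows 10 image, and api.2ip.ua
# is the IP-lookup service behind the "Looks up external IP address" signature.
RESOLVERS = {"8.8.8.8"}
BACKGROUND_SUFFIXES = (".bing.com", ".bing.net")
IP_CHECK_DOMAINS = {"api.2ip.ua"}


def classify(domain, ip, port):
    """Bucket one connection; DNS rows are handled by the caller via the domain column."""
    if ip in RESOLVERS and port == 53:
        return "dns_query"
    if domain is None:
        return "unattributed"
    if domain in IP_CHECK_DOMAINS:
        return "external_ip_check"
    if domain.endswith(BACKGROUND_SUFFIXES):
        return "os_background"
    return "candidate_c2"


def triage(rows):
    """Group connections by domain and keep only what is worth blocking or hunting for."""
    dns_names = set()
    contacts = defaultdict(set)          # domain -> {(ip, port, country)}
    verdict = {}
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue
        ip, port, domain = m["ip"], int(m["port"]), m["domain"]
        kind = classify(domain, ip, port)
        if kind == "dns_query":
            # Reverse lookups are the sandbox naming addresses it already saw; skip them.
            if domain and not domain.endswith(".in-addr.arpa"):
                dns_names.add(domain)
            continue
        if kind == "unattributed":
            continue
        verdict[domain] = kind
        contacts[domain].add((ip, port, m["cc"]))
    by_kind = lambda k: {d: sorted(contacts[d]) for d, v in verdict.items() if v == k}
    return {"iocs": by_kind("candidate_c2"),
            "ip_check": by_kind("external_ip_check"),
            "background": sorted(d for d, v in verdict.items() if v == "os_background"),
            # names that were resolved but never connected to: worth a second look
            "resolved_only": sorted(dns_names - set(verdict))}


def indicators(result):
    """Flat, sorted list of domains and IPs to feed a blocklist or a hunt query."""
    out = set()
    for domain, conns in result["iocs"].items():
        out.add(domain)
        out.update(ip for ip, _, _ in conns)
    return sorted(out)


if __name__ == "__main__":
    result = triage(SAMPLE_ROWS)
    for domain, conns in result["iocs"].items():
        print(domain, conns)
    print("ip check:", result["ip_check"])
    print("indicators:", indicators(result))
```

For this sample the output reduces the 29 rows of the Windows 10 run and the 8 rows of the Windows 7 run to one domain and two IPs worth acting on; the `resolved_only` bucket is empty here but catches a name the sample looked up and then failed to reach, which is a common shape for a dead second-stage host.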

Files

memory/1448-1-0x0000000002100000-0x0000000002199000-memory.dmp

memory/4596-2-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4596-4-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4596-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1448-3-0x00000000021A0000-0x00000000022BB000-memory.dmp

memory/4596-6-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\cc04ecdb-dce0-4606-b1d9-f7fdea64fe2a\2ce2c104c964166cf5fc95d7c855c173533bf28b7053a398bb01e757fd0d94ea.exe
(same MD5, SHA1, SHA256 and SHA512 as the submitted sample: the binary copies itself unmodified into the GUID-named folder that icacls then locks and that the SysHelper Run value points at)

MD5 add437e239eba1ceabca80af38f80b56
SHA1 7d288eb76b3f0b1b3c37a020a61e97d4e43a1450
SHA256 2ce2c104c964166cf5fc95d7c855c173533bf28b7053a398bb01e757fd0d94ea
SHA512 c6447b5e35f05399efb4263db09c2e980f402c2368a06806a37684b0b248635b6f64f51587479d9fe66f833f5c44ea7a571ce7d5f5886a5eb54b6df30f9a9fd5

memory/4596-17-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1596-19-0x0000000000400000-0x00000000004FF000-memory.dmp

memory/440-21-0x0000000000400000-0x0000000000537000-memory.dmp

memory/440-23-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1596-22-0x0000000000400000-0x00000000004FF000-memory.dmp

memory/440-24-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 302d46f9a5d106d6f1c5fa48629b814f
SHA1 d8b2c65f7609019efbab5a1597b3398d89b02572
SHA256 fbce592492d16a1983689da890b44e93001128d907f0a450e15e04a94fe1fc2e
SHA512 2814dd1700d9be1e3122775ba5c81a2050981de3969da095786de3692534c4d2be9919f66c960b52787b57cb0acecf62418f496f5feef7827745c71002dad272

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 b7c4e329fcefc5fbbe1caeb5bf0ffe0f
SHA1 e75d4c91c514431acfcce84ec6d4cfbba12d0546
SHA256 ec30a14b5c6ed06c3e2545785aad75b4363aed33cf5a77298ef3cd7c5c4325f6
SHA512 80b29c1298c2e7d60d55ed38fafaa6d0b9097dc946b7f8387699659d4eec8bef488e1e520ba0ec13dd4a3f790c46e72649f7e75ed333328994609b65f00045d3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 df80f9ba75076db634761b6132e0d4e3
SHA1 07983946fb660752c7cccb2ef82d01ec4c9ecc5d
SHA256 d5ff96fd8b416de93a85783192206224cf8821c240cd8ff755f2e8270153dd99
SHA512 4ec734c5d29e9ce00b00e42b627253195e8c7a158433fedfcee428e692a6501981c33d7c8a39235f8b691f087145cdbe660b430493edbeedb12588c5cdd5a66a

memory/440-29-0x0000000000400000-0x0000000000537000-memory.dmp

memory/440-31-0x0000000000400000-0x0000000000537000-memory.dmp

memory/440-30-0x0000000000400000-0x0000000000537000-memory.dmp

memory/440-32-0x0000000000400000-0x0000000000537000-memory.dmp

memory/440-34-0x0000000000400000-0x0000000000537000-memory.dmp

memory/440-37-0x0000000000400000-0x0000000000537000-memory.dmp

memory/440-36-0x0000000000400000-0x0000000000537000-memory.dmp

memory/440-38-0x0000000000400000-0x0000000000537000-memory.dmp

memory/440-39-0x0000000000400000-0x0000000000537000-memory.dmp