Malware Analysis Report

2024-10-23 16:23

Sample ID 240521-s9blhaah43
Target dc1c019f8fdb6cfa8cc568e8e2f49c2da73a8e110c032303fd3c1d50891b0501
SHA256 dc1c019f8fdb6cfa8cc568e8e2f49c2da73a8e110c032303fd3c1d50891b0501
Tags djvu discovery persistence ransomware
Score 10/10


Analysis Overview

Score 10/10

SHA256

dc1c019f8fdb6cfa8cc568e8e2f49c2da73a8e110c032303fd3c1d50891b0501

Threat Level: Known bad

The file dc1c019f8fdb6cfa8cc568e8e2f49c2da73a8e110c032303fd3c1d50891b0501 was found to be: Known bad.

Malicious Activity Summary

djvu discovery persistence ransomware

Detected Djvu ransomware

Djvu Ransomware

Checks computer location settings

Modifies file permissions

Looks up external IP address via web service

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2024-05-21 15:49

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-05-21 15:49

Reported

2024-05-21 15:51

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dc1c019f8fdb6cfa8cc568e8e2f49c2da73a8e110c032303fd3c1d50891b0501.exe"

Signatures

Detected Djvu ransomware


Djvu Ransomware

ransomware djvu

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\dc1c019f8fdb6cfa8cc568e8e2f49c2da73a8e110c032303fd3c1d50891b0501.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\4e801223-84fe-4135-998c-49f00a2fd8ff\\dc1c019f8fdb6cfa8cc568e8e2f49c2da73a8e110c032303fd3c1d50891b0501.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\dc1c019f8fdb6cfa8cc568e8e2f49c2da73a8e110c032303fd3c1d50891b0501.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2700 wrote to memory of 4032 N/A C:\Users\Admin\AppData\Local\Temp\dc1c019f8fdb6cfa8cc568e8e2f49c2da73a8e110c032303fd3c1d50891b0501.exe C:\Users\Admin\AppData\Local\Temp\dc1c019f8fdb6cfa8cc568e8e2f49c2da73a8e110c032303fd3c1d50891b0501.exe
PID 4032 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\dc1c019f8fdb6cfa8cc568e8e2f49c2da73a8e110c032303fd3c1d50891b0501.exe C:\Windows\SysWOW64\icacls.exe
PID 4032 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\dc1c019f8fdb6cfa8cc568e8e2f49c2da73a8e110c032303fd3c1d50891b0501.exe C:\Users\Admin\AppData\Local\Temp\dc1c019f8fdb6cfa8cc568e8e2f49c2da73a8e110c032303fd3c1d50891b0501.exe
PID 448 wrote to memory of 4128 N/A C:\Users\Admin\AppData\Local\Temp\dc1c019f8fdb6cfa8cc568e8e2f49c2da73a8e110c032303fd3c1d50891b0501.exe C:\Users\Admin\AppData\Local\Temp\dc1c019f8fdb6cfa8cc568e8e2f49c2da73a8e110c032303fd3c1d50891b0501.exe

Processes

C:\Users\Admin\AppData\Local\Temp\dc1c019f8fdb6cfa8cc568e8e2f49c2da73a8e110c032303fd3c1d50891b0501.exe

"C:\Users\Admin\AppData\Local\Temp\dc1c019f8fdb6cfa8cc568e8e2f49c2da73a8e110c032303fd3c1d50891b0501.exe"

C:\Users\Admin\AppData\Local\Temp\dc1c019f8fdb6cfa8cc568e8e2f49c2da73a8e110c032303fd3c1d50891b0501.exe

"C:\Users\Admin\AppData\Local\Temp\dc1c019f8fdb6cfa8cc568e8e2f49c2da73a8e110c032303fd3c1d50891b0501.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\4e801223-84fe-4135-998c-49f00a2fd8ff" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\dc1c019f8fdb6cfa8cc568e8e2f49c2da73a8e110c032303fd3c1d50891b0501.exe

"C:\Users\Admin\AppData\Local\Temp\dc1c019f8fdb6cfa8cc568e8e2f49c2da73a8e110c032303fd3c1d50891b0501.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\dc1c019f8fdb6cfa8cc568e8e2f49c2da73a8e110c032303fd3c1d50891b0501.exe

"C:\Users\Admin\AppData\Local\Temp\dc1c019f8fdb6cfa8cc568e8e2f49c2da73a8e110c032303fd3c1d50891b0501.exe" --Admin IsNotAutoStart IsNotTask

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 188.114.97.2:443 api.2ip.ua tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 2.97.114.188.in-addr.arpa udp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
US 188.114.97.2:443 api.2ip.ua tcp
US 8.8.8.8:53 sdfjhuz.com udp
US 8.8.8.8:53 cajgtus.com udp
UZ 194.93.26.201:80 cajgtus.com tcp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
KG 212.112.110.243:80 sdfjhuz.com tcp
UZ 194.93.26.201:80 cajgtus.com tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.75:443 www.bing.com tcp
US 8.8.8.8:53 201.26.93.194.in-addr.arpa udp
US 8.8.8.8:53 243.110.112.212.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 75.61.62.23.in-addr.arpa udp
NL 23.62.61.75:443 www.bing.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
UZ 194.93.26.201:80 cajgtus.com tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
UZ 194.93.26.201:80 cajgtus.com tcp
UZ 194.93.26.201:80 cajgtus.com tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 13.179.89.13.in-addr.arpa udp


Analysis: behavioral2

Detonation Overview

Submitted

2024-05-21 15:49

Reported

2024-05-21 15:51

Platform

win11-20240426-en

Max time kernel

143s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dc1c019f8fdb6cfa8cc568e8e2f49c2da73a8e110c032303fd3c1d50891b0501.exe"

Signatures

Detected Djvu ransomware


Djvu Ransomware

ransomware djvu

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\9cfd3c99-c2d3-4f6f-9f69-d21ec0c8e0ae\\dc1c019f8fdb6cfa8cc568e8e2f49c2da73a8e110c032303fd3c1d50891b0501.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\dc1c019f8fdb6cfa8cc568e8e2f49c2da73a8e110c032303fd3c1d50891b0501.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1100 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\dc1c019f8fdb6cfa8cc568e8e2f49c2da73a8e110c032303fd3c1d50891b0501.exe C:\Users\Admin\AppData\Local\Temp\dc1c019f8fdb6cfa8cc568e8e2f49c2da73a8e110c032303fd3c1d50891b0501.exe
PID 2068 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\dc1c019f8fdb6cfa8cc568e8e2f49c2da73a8e110c032303fd3c1d50891b0501.exe C:\Windows\SysWOW64\icacls.exe
PID 2068 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\dc1c019f8fdb6cfa8cc568e8e2f49c2da73a8e110c032303fd3c1d50891b0501.exe C:\Users\Admin\AppData\Local\Temp\dc1c019f8fdb6cfa8cc568e8e2f49c2da73a8e110c032303fd3c1d50891b0501.exe
PID 2176 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\dc1c019f8fdb6cfa8cc568e8e2f49c2da73a8e110c032303fd3c1d50891b0501.exe C:\Users\Admin\AppData\Local\Temp\dc1c019f8fdb6cfa8cc568e8e2f49c2da73a8e110c032303fd3c1d50891b0501.exe

Processes

C:\Users\Admin\AppData\Local\Temp\dc1c019f8fdb6cfa8cc568e8e2f49c2da73a8e110c032303fd3c1d50891b0501.exe

"C:\Users\Admin\AppData\Local\Temp\dc1c019f8fdb6cfa8cc568e8e2f49c2da73a8e110c032303fd3c1d50891b0501.exe"

C:\Users\Admin\AppData\Local\Temp\dc1c019f8fdb6cfa8cc568e8e2f49c2da73a8e110c032303fd3c1d50891b0501.exe

"C:\Users\Admin\AppData\Local\Temp\dc1c019f8fdb6cfa8cc568e8e2f49c2da73a8e110c032303fd3c1d50891b0501.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\9cfd3c99-c2d3-4f6f-9f69-d21ec0c8e0ae" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\dc1c019f8fdb6cfa8cc568e8e2f49c2da73a8e110c032303fd3c1d50891b0501.exe

"C:\Users\Admin\AppData\Local\Temp\dc1c019f8fdb6cfa8cc568e8e2f49c2da73a8e110c032303fd3c1d50891b0501.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\dc1c019f8fdb6cfa8cc568e8e2f49c2da73a8e110c032303fd3c1d50891b0501.exe

"C:\Users\Admin\AppData\Local\Temp\dc1c019f8fdb6cfa8cc568e8e2f49c2da73a8e110c032303fd3c1d50891b0501.exe" --Admin IsNotAutoStart IsNotTask

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 188.114.97.2:443 api.2ip.ua tcp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
US 188.114.97.2:443 api.2ip.ua tcp
PK 116.58.10.60:80 cajgtus.com tcp
AR 190.224.203.37:80 sdfjhuz.com tcp
PK 116.58.10.60:80 cajgtus.com tcp
PK 116.58.10.60:80 cajgtus.com tcp
PK 116.58.10.60:80 cajgtus.com tcp
PK 116.58.10.60:80 cajgtus.com tcp
