Malware Analysis Report

2024-10-19 01:49

Sample ID 240522-1489ksah87
Target f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3
SHA256 f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3
Tags
djvu discovery persistence ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3

Threat Level: Known bad

The file f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3 was found to be: Known bad.

Malicious Activity Summary

djvu discovery persistence ransomware

Detected Djvu ransomware

Djvu Ransomware

Checks computer location settings

Modifies file permissions

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-22 22:13

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-22 22:13

Reported

2024-05-22 22:15

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe | N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\c58f3136-f633-4245-8521-c50794ad04a0\\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe | N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3724 wrote to memory of 4888 N/A C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe
PID 3724 wrote to memory of 4888 N/A C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe
PID 3724 wrote to memory of 4888 N/A C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe
PID 3724 wrote to memory of 4888 N/A C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe
PID 3724 wrote to memory of 4888 N/A C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe
PID 3724 wrote to memory of 4888 N/A C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe
PID 3724 wrote to memory of 4888 N/A C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe
PID 3724 wrote to memory of 4888 N/A C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe
PID 3724 wrote to memory of 4888 N/A C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe
PID 3724 wrote to memory of 4888 N/A C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe
PID 4888 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe C:\Windows\SysWOW64\icacls.exe
PID 4888 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe C:\Windows\SysWOW64\icacls.exe
PID 4888 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe C:\Windows\SysWOW64\icacls.exe
PID 4888 wrote to memory of 3592 N/A C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe
PID 4888 wrote to memory of 3592 N/A C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe
PID 4888 wrote to memory of 3592 N/A C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe
PID 3592 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe
PID 3592 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe
PID 3592 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe
PID 3592 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe
PID 3592 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe
PID 3592 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe
PID 3592 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe
PID 3592 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe
PID 3592 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe
PID 3592 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe

"C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe"

C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe

"C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\c58f3136-f633-4245-8521-c50794ad04a0" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe

"C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe

"C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe" --Admin IsNotAutoStart IsNotTask

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 24.65.21.104.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 sdfjhuz.com udp
US 8.8.8.8:53 cajgtus.com udp
ZA 192.143.130.208:80 cajgtus.com tcp
NL 23.62.61.185:443 www.bing.com tcp
IQ 195.85.218.100:80 sdfjhuz.com tcp
ZA 192.143.130.208:80 cajgtus.com tcp
US 8.8.8.8:53 185.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 208.130.143.192.in-addr.arpa udp
US 8.8.8.8:53 100.218.85.195.in-addr.arpa udp
NL 23.62.61.185:443 www.bing.com tcp
ZA 192.143.130.208:80 cajgtus.com tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
ZA 192.143.130.208:80 cajgtus.com tcp
ZA 192.143.130.208:80 cajgtus.com tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 10.179.89.13.in-addr.arpa udp

Files

memory/3724-1-0x0000000004930000-0x00000000049C3000-memory.dmp

memory/3724-2-0x00000000049D0000-0x0000000004AEB000-memory.dmp

memory/4888-4-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4888-6-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4888-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4888-3-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\c58f3136-f633-4245-8521-c50794ad04a0\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe

MD5 fb34333020006660704924d0b9bc5c06
SHA1 a988526eba52058e862e78a8610a4d258b65d6d0
SHA256 f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3
SHA512 775ab9f6e9b9623104a3f5d8abbd9a68a8e1c7a9d1a6606e7da879bd72d642df5261cabd7ed41b64726dc0d9d26ede7ca3c1b4666e17283281f132a597eaa06a

memory/4888-19-0x0000000000400000-0x0000000000537000-memory.dmp

memory/5032-22-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 18518b5f3e33d64e5840717b551024e3
SHA1 157debef86b502182451a308534beb2e73e748c5
SHA256 c4a36775086a82a4d0e1e9b7bf7efa0fdd7f21ae2eab03470ae58d0f4b23c0c2
SHA512 e70d1c149811cc3fad616b2f1b34f9d101870d415b0f362133d73aa3301de9b049cb92c2b699f0fcf4cc948ab013710b540413242e019cd4778fa0450b6f82eb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 64c143e9f2a438ddf74501d3b3cc54bf
SHA1 66b41aabcaa5c364d405c858b85fa7a995f53c72
SHA256 02802fa86c2539668fb375ddf8b3ffa5a6c7ad8ae0050c3471dc9fca1275c0ca
SHA512 9decfe443630833dfc6c4e2b728c0395d0cbd59a5d868639f300244c4c61df6540b21d33497a8dd4e1947aaef02e4cbc815f53acc21d70ba1653d9492f438e96

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 e1f219f6011a07921863c6d81416e58d
SHA1 2400fb53531e5e95a46e0602f9768924d1ca74e6
SHA256 26f4f0c22eb883bc18f3badd3e1ddc22f085e6762e8dc93e0813df4db5c95785
SHA512 03628b980f1a6628830dd6e9733e2011a1cfd9a368dcdca7018c966e3be0fb9e9ce902c10ba02cb0e1098e6eb68907c96220b62a29c76487b64e15fe6262b255

memory/5032-29-0x0000000000400000-0x0000000000537000-memory.dmp

memory/5032-30-0x0000000000400000-0x0000000000537000-memory.dmp

memory/5032-31-0x0000000000400000-0x0000000000537000-memory.dmp

memory/5032-34-0x0000000000400000-0x0000000000537000-memory.dmp

memory/5032-36-0x0000000000400000-0x0000000000537000-memory.dmp

memory/5032-37-0x0000000000400000-0x0000000000537000-memory.dmp

memory/5032-38-0x0000000000400000-0x0000000000537000-memory.dmp

memory/5032-39-0x0000000000400000-0x0000000000537000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-22 22:13

Reported

2024-05-22 22:15

Platform

win11-20240426-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\32abbe94-a85e-4a30-aa32-c6bba2afea50\\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe | N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1632 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe
PID 1632 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe
PID 1632 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe
PID 1632 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe
PID 1632 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe
PID 1632 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe
PID 1632 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe
PID 1632 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe
PID 1632 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe
PID 1632 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe
PID 8 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe C:\Windows\SysWOW64\icacls.exe
PID 8 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe C:\Windows\SysWOW64\icacls.exe
PID 8 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe C:\Windows\SysWOW64\icacls.exe
PID 8 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe
PID 8 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe
PID 8 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe
PID 1328 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe
PID 1328 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe
PID 1328 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe
PID 1328 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe
PID 1328 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe
PID 1328 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe
PID 1328 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe
PID 1328 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe
PID 1328 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe
PID 1328 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe

"C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe"

C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe

"C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\32abbe94-a85e-4a30-aa32-c6bba2afea50" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe

"C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe

"C:\Users\Admin\AppData\Local\Temp\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe" --Admin IsNotAutoStart IsNotTask

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 24.65.21.104.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 104.21.65.24:443 api.2ip.ua tcp
KR 211.181.24.132:80 cajgtus.com tcp
KR 183.100.39.16:80 sdfjhuz.com tcp
KR 211.181.24.132:80 cajgtus.com tcp
KR 211.181.24.132:80 cajgtus.com tcp
KR 211.181.24.132:80 cajgtus.com tcp
KR 211.181.24.132:80 cajgtus.com tcp
N/A 192.229.221.95:80 N/A tcp

Files

memory/1632-1-0x0000000004A10000-0x0000000004AAD000-memory.dmp

memory/1632-2-0x0000000004AB0000-0x0000000004BCB000-memory.dmp

memory/8-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/8-3-0x0000000000400000-0x0000000000537000-memory.dmp

memory/8-4-0x0000000000400000-0x0000000000537000-memory.dmp

memory/8-6-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\32abbe94-a85e-4a30-aa32-c6bba2afea50\f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3.exe

MD5 fb34333020006660704924d0b9bc5c06
SHA1 a988526eba52058e862e78a8610a4d258b65d6d0
SHA256 f89a0b68aaf7c0792c10cf0212e3aeb28bd292dad258c7992c3574c30aab48b3
SHA512 775ab9f6e9b9623104a3f5d8abbd9a68a8e1c7a9d1a6606e7da879bd72d642df5261cabd7ed41b64726dc0d9d26ede7ca3c1b4666e17283281f132a597eaa06a

memory/8-21-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3296-24-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 313da7d41a53b00919e134537431b8bd
SHA1 0d726f480d72eee86117a869d8b7060d2cda2eb6
SHA256 047a571e19a2413da08bcd0b0bed2d8a8c329b0aa9871c21623fe2e996a51a7e
SHA512 d46e6da6368735f4ddb11c13671bcd4f79b3e930342fda411b7640ce3d5b27b39f635f09982781e4c9166b6960352adcf70424c9557284fd92db0260fa6abff6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 64c143e9f2a438ddf74501d3b3cc54bf
SHA1 66b41aabcaa5c364d405c858b85fa7a995f53c72
SHA256 02802fa86c2539668fb375ddf8b3ffa5a6c7ad8ae0050c3471dc9fca1275c0ca
SHA512 9decfe443630833dfc6c4e2b728c0395d0cbd59a5d868639f300244c4c61df6540b21d33497a8dd4e1947aaef02e4cbc815f53acc21d70ba1653d9492f438e96

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 238cd8b2245a96832241ab92d1a72095
SHA1 4aa1b2b3386ecf8189f39f198930178098eab53e
SHA256 d9f00402a05bc6feb0f6552b83ee8abf4de4bc3429a5c5ff6cb28efe4c905f1c
SHA512 69f0bb52c40aa1a1f1aae0f21939b3c2e36f5e40fc7815112341c81e36c2052ff4e2326ed3a082cf547e791e2d43df79c20e14be025486f13927780ed4e4f141

memory/3296-32-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3296-31-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3296-33-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3296-36-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3296-39-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3296-38-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3296-40-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3296-41-0x0000000000400000-0x0000000000537000-memory.dmp