Malware Analysis Report

2024-10-23 16:23

Sample ID 240522-flddzacg3z
Target 628bb09d4a1fb84f30fedf4b6bfdf039fc3f7d6d1dce80d0ea4bf0e83747050e
SHA256 628bb09d4a1fb84f30fedf4b6bfdf039fc3f7d6d1dce80d0ea4bf0e83747050e
Tags
djvu discovery persistence ransomware
score
10/10

Analysis Overview

score
10/10

SHA256

628bb09d4a1fb84f30fedf4b6bfdf039fc3f7d6d1dce80d0ea4bf0e83747050e

Threat Level: Known bad

The file 628bb09d4a1fb84f30fedf4b6bfdf039fc3f7d6d1dce80d0ea4bf0e83747050e was found to be: Known bad.

Malicious Activity Summary

djvu discovery persistence ransomware

Detected Djvu ransomware

Djvu Ransomware

Checks computer location settings

Modifies file permissions

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-22 04:57

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-22 04:57

Reported

2024-05-22 04:59

Platform

win10v2004-20240508-en

Max time kernel

141s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\628bb09d4a1fb84f30fedf4b6bfdf039fc3f7d6d1dce80d0ea4bf0e83747050e.exe"

Signatures

Detected Djvu ransomware

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (15 matches; no indicator details recorded)

Djvu Ransomware

ransomware djvu

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\628bb09d4a1fb84f30fedf4b6bfdf039fc3f7d6d1dce80d0ea4bf0e83747050e.exe | N/A

Modifies file permissions

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\408a7dc6-7e1b-4087-8561-091ef1a1a63f\\628bb09d4a1fb84f30fedf4b6bfdf039fc3f7d6d1dce80d0ea4bf0e83747050e.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\628bb09d4a1fb84f30fedf4b6bfdf039fc3f7d6d1dce80d0ea4bf0e83747050e.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.2ip.ua | N/A | N/A
N/A | api.2ip.ua | N/A | N/A
N/A | api.2ip.ua | N/A | N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Events
PID 2208 wrote to memory of 4328 | N/A | C:\Users\Admin\AppData\Local\Temp\628bb09d4a1fb84f30fedf4b6bfdf039fc3f7d6d1dce80d0ea4bf0e83747050e.exe | C:\Users\Admin\AppData\Local\Temp\628bb09d4a1fb84f30fedf4b6bfdf039fc3f7d6d1dce80d0ea4bf0e83747050e.exe | 10
PID 4328 wrote to memory of 380 | N/A | C:\Users\Admin\AppData\Local\Temp\628bb09d4a1fb84f30fedf4b6bfdf039fc3f7d6d1dce80d0ea4bf0e83747050e.exe | C:\Windows\SysWOW64\icacls.exe | 3
PID 4328 wrote to memory of 776 | N/A | C:\Users\Admin\AppData\Local\Temp\628bb09d4a1fb84f30fedf4b6bfdf039fc3f7d6d1dce80d0ea4bf0e83747050e.exe | C:\Users\Admin\AppData\Local\Temp\628bb09d4a1fb84f30fedf4b6bfdf039fc3f7d6d1dce80d0ea4bf0e83747050e.exe | 3
PID 776 wrote to memory of 3280 | N/A | C:\Users\Admin\AppData\Local\Temp\628bb09d4a1fb84f30fedf4b6bfdf039fc3f7d6d1dce80d0ea4bf0e83747050e.exe | C:\Users\Admin\AppData\Local\Temp\628bb09d4a1fb84f30fedf4b6bfdf039fc3f7d6d1dce80d0ea4bf0e83747050e.exe | 10

Processes

C:\Users\Admin\AppData\Local\Temp\628bb09d4a1fb84f30fedf4b6bfdf039fc3f7d6d1dce80d0ea4bf0e83747050e.exe

"C:\Users\Admin\AppData\Local\Temp\628bb09d4a1fb84f30fedf4b6bfdf039fc3f7d6d1dce80d0ea4bf0e83747050e.exe"

C:\Users\Admin\AppData\Local\Temp\628bb09d4a1fb84f30fedf4b6bfdf039fc3f7d6d1dce80d0ea4bf0e83747050e.exe

"C:\Users\Admin\AppData\Local\Temp\628bb09d4a1fb84f30fedf4b6bfdf039fc3f7d6d1dce80d0ea4bf0e83747050e.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\408a7dc6-7e1b-4087-8561-091ef1a1a63f" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\628bb09d4a1fb84f30fedf4b6bfdf039fc3f7d6d1dce80d0ea4bf0e83747050e.exe

"C:\Users\Admin\AppData\Local\Temp\628bb09d4a1fb84f30fedf4b6bfdf039fc3f7d6d1dce80d0ea4bf0e83747050e.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\628bb09d4a1fb84f30fedf4b6bfdf039fc3f7d6d1dce80d0ea4bf0e83747050e.exe

"C:\Users\Admin\AppData\Local\Temp\628bb09d4a1fb84f30fedf4b6bfdf039fc3f7d6d1dce80d0ea4bf0e83747050e.exe" --Admin IsNotAutoStart IsNotTask

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | api.2ip.ua | udp
US | 172.67.139.220:443 | api.2ip.ua | tcp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 220.139.67.172.in-addr.arpa | udp
US | 172.67.139.220:443 | api.2ip.ua | tcp
US | 8.8.8.8:53 | sdfjhuz.com | udp
US | 8.8.8.8:53 | cajgtus.com | udp
IQ | 195.85.218.100:80 | cajgtus.com | tcp
US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 67.169.217.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 100.218.85.195.in-addr.arpa | udp
IR | 46.100.50.5:80 | sdfjhuz.com | tcp
IQ | 195.85.218.100:80 | cajgtus.com | tcp
NL | 23.62.61.194:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 5.50.100.46.in-addr.arpa | udp
US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp
IQ | 195.85.218.100:80 | cajgtus.com | tcp
IQ | 195.85.218.100:80 | cajgtus.com | tcp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
IQ | 195.85.218.100:80 | cajgtus.com | tcp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp

Files

memory/2208-1-0x0000000002500000-0x000000000259D000-memory.dmp

memory/2208-2-0x0000000004170000-0x000000000428B000-memory.dmp

memory/4328-3-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4328-4-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4328-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4328-6-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\408a7dc6-7e1b-4087-8561-091ef1a1a63f\628bb09d4a1fb84f30fedf4b6bfdf039fc3f7d6d1dce80d0ea4bf0e83747050e.exe

MD5 f4ac3bb65473350957e8ea894b4a2532
SHA1 315b733cac562d5dc8c6e04b5d26f45bd849f202
SHA256 628bb09d4a1fb84f30fedf4b6bfdf039fc3f7d6d1dce80d0ea4bf0e83747050e
SHA512 215d839238739b2242522666a5f3fdd1c7cb967ad2d3d44e00a72d6b16530aa7a0b007274b49613276d8136595bd6a718c9c69d086cd85098d616fbbe94dbdba

memory/4328-19-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3280-22-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 899f44a98faebba6aae9269798345a87
SHA1 a304c93f7fcec09ae9d2f6c9f28967dbe6d57e6c
SHA256 2a2b0c5d4923b9dbe3abc126a3b8e71701b3f62d7ee962c84f1be98637f31510
SHA512 8005cc0856dc0c25ad2f2fa8c3a3257650719e67848fab93f09308e26ab0d786da40f54736f1c5bc2533110b45c4620d90347a43eba416e6dd9e79dff5f5f810

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 7ada31a1faeae1c6931cdf4d69e6698f
SHA1 059589de387bcc62a0221ad2ee19a7023b01f6d5
SHA256 c9ae61f1a78fe675647d30b14e32aba9f12e10adce67f516aeb7d6c6f912f452
SHA512 8a1b5cbe337c7a59d8c200bf3111e69a393ebd96be0f08317608f3bce93f42db634bcb557c120b17663b9c3b61838f18b785e24ae77d5f1c36d2cbc9114c8528

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 cb35bd9d6c5a4fd50a9263018bbd9784
SHA1 efec24f93d2af7bd01969c36870ebc928fa6c790
SHA256 be648ee93df285417e494e28c01e3ab8f3d043845f4d3b397dfd137d187ed612
SHA512 ac26182fb167458da4b465b118720470859e8028db8d3d71ddbe0c5be0e46b9178c5f7ccb8b1252c38754e27da1af546f8d2f6e32e1bfcbeac0d510aa831bf11

memory/3280-28-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3280-27-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3280-29-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3280-32-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3280-35-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3280-34-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3280-36-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3280-37-0x0000000000400000-0x0000000000537000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-22 04:57

Reported

2024-05-22 04:59

Platform

win11-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\628bb09d4a1fb84f30fedf4b6bfdf039fc3f7d6d1dce80d0ea4bf0e83747050e.exe"

Signatures

Detected Djvu ransomware

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (15 matches; no indicator details recorded)

Djvu Ransomware

ransomware djvu

Modifies file permissions

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\c32bdc0b-64b6-40a5-bb7d-a87c205fee09\\628bb09d4a1fb84f30fedf4b6bfdf039fc3f7d6d1dce80d0ea4bf0e83747050e.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\628bb09d4a1fb84f30fedf4b6bfdf039fc3f7d6d1dce80d0ea4bf0e83747050e.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.2ip.ua | N/A | N/A
N/A | api.2ip.ua | N/A | N/A
N/A | api.2ip.ua | N/A | N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Events
PID 8 wrote to memory of 5012 | N/A | C:\Users\Admin\AppData\Local\Temp\628bb09d4a1fb84f30fedf4b6bfdf039fc3f7d6d1dce80d0ea4bf0e83747050e.exe | C:\Users\Admin\AppData\Local\Temp\628bb09d4a1fb84f30fedf4b6bfdf039fc3f7d6d1dce80d0ea4bf0e83747050e.exe | 10
PID 5012 wrote to memory of 1948 | N/A | C:\Users\Admin\AppData\Local\Temp\628bb09d4a1fb84f30fedf4b6bfdf039fc3f7d6d1dce80d0ea4bf0e83747050e.exe | C:\Windows\SysWOW64\icacls.exe | 3
PID 5012 wrote to memory of 2308 | N/A | C:\Users\Admin\AppData\Local\Temp\628bb09d4a1fb84f30fedf4b6bfdf039fc3f7d6d1dce80d0ea4bf0e83747050e.exe | C:\Users\Admin\AppData\Local\Temp\628bb09d4a1fb84f30fedf4b6bfdf039fc3f7d6d1dce80d0ea4bf0e83747050e.exe | 3
PID 2308 wrote to memory of 4340 | N/A | C:\Users\Admin\AppData\Local\Temp\628bb09d4a1fb84f30fedf4b6bfdf039fc3f7d6d1dce80d0ea4bf0e83747050e.exe | C:\Users\Admin\AppData\Local\Temp\628bb09d4a1fb84f30fedf4b6bfdf039fc3f7d6d1dce80d0ea4bf0e83747050e.exe | 10

Processes

C:\Users\Admin\AppData\Local\Temp\628bb09d4a1fb84f30fedf4b6bfdf039fc3f7d6d1dce80d0ea4bf0e83747050e.exe

"C:\Users\Admin\AppData\Local\Temp\628bb09d4a1fb84f30fedf4b6bfdf039fc3f7d6d1dce80d0ea4bf0e83747050e.exe"

C:\Users\Admin\AppData\Local\Temp\628bb09d4a1fb84f30fedf4b6bfdf039fc3f7d6d1dce80d0ea4bf0e83747050e.exe

"C:\Users\Admin\AppData\Local\Temp\628bb09d4a1fb84f30fedf4b6bfdf039fc3f7d6d1dce80d0ea4bf0e83747050e.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\c32bdc0b-64b6-40a5-bb7d-a87c205fee09" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\628bb09d4a1fb84f30fedf4b6bfdf039fc3f7d6d1dce80d0ea4bf0e83747050e.exe

"C:\Users\Admin\AppData\Local\Temp\628bb09d4a1fb84f30fedf4b6bfdf039fc3f7d6d1dce80d0ea4bf0e83747050e.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\628bb09d4a1fb84f30fedf4b6bfdf039fc3f7d6d1dce80d0ea4bf0e83747050e.exe

"C:\Users\Admin\AppData\Local\Temp\628bb09d4a1fb84f30fedf4b6bfdf039fc3f7d6d1dce80d0ea4bf0e83747050e.exe" --Admin IsNotAutoStart IsNotTask

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | api.2ip.ua | udp
US | 172.67.139.220:443 | api.2ip.ua | tcp
US | 8.8.8.8:53 | 249.138.73.23.in-addr.arpa | udp
US | 172.67.139.220:443 | api.2ip.ua | tcp
SA | 94.98.232.163:80 | sdfjhuz.com | tcp
MA | 105.159.16.236:80 | sdfjhuz.com | tcp
SA | 94.98.232.163:80 | sdfjhuz.com | tcp
SA | 94.98.232.163:80 | sdfjhuz.com | tcp
SA | 94.98.232.163:80 | sdfjhuz.com | tcp
SA | 94.98.232.163:80 | sdfjhuz.com | tcp
US | 52.111.229.19:443 | | tcp

Files

memory/8-1-0x0000000002790000-0x000000000282A000-memory.dmp

memory/8-2-0x00000000041D0000-0x00000000042EB000-memory.dmp

memory/5012-4-0x0000000000400000-0x0000000000537000-memory.dmp

memory/5012-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/5012-3-0x0000000000400000-0x0000000000537000-memory.dmp

memory/5012-6-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\c32bdc0b-64b6-40a5-bb7d-a87c205fee09\628bb09d4a1fb84f30fedf4b6bfdf039fc3f7d6d1dce80d0ea4bf0e83747050e.exe

MD5 f4ac3bb65473350957e8ea894b4a2532
SHA1 315b733cac562d5dc8c6e04b5d26f45bd849f202
SHA256 628bb09d4a1fb84f30fedf4b6bfdf039fc3f7d6d1dce80d0ea4bf0e83747050e
SHA512 215d839238739b2242522666a5f3fdd1c7cb967ad2d3d44e00a72d6b16530aa7a0b007274b49613276d8136595bd6a718c9c69d086cd85098d616fbbe94dbdba

memory/5012-19-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4340-22-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 cb35bd9d6c5a4fd50a9263018bbd9784
SHA1 efec24f93d2af7bd01969c36870ebc928fa6c790
SHA256 be648ee93df285417e494e28c01e3ab8f3d043845f4d3b397dfd137d187ed612
SHA512 ac26182fb167458da4b465b118720470859e8028db8d3d71ddbe0c5be0e46b9178c5f7ccb8b1252c38754e27da1af546f8d2f6e32e1bfcbeac0d510aa831bf11

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 ff05ee3c7f11658a89ac9d9bbee73347
SHA1 1c30e3a7d58e6667ea68b7b73861257f81c037a7
SHA256 bafac9cdda50175096c079657ae60e2970c52e1efe1f8db146aa9326acd3a32d
SHA512 697bab0b6c0f3df0c8839bf1650f7de0e2a9211e4f9fbe54163da169720942ccff4c73e7d87401f67aa6cac49dfba197e771a7e2e068b083e1e57f440871a4a0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 4eb4ed411e2f6ec6897278b921dc7780
SHA1 d64d8c45bf41fd6420f02c2de0c0ce7e3ca9c0ec
SHA256 b98fffe64b36979eb206abc40775127babb0bb511ed214e8932dd10e42ccfa53
SHA512 02009f4c5bc022fdafe3575d0bc6deb035744e74f4d848b130af64582b6db3588053c17b2d4f3adf33d4aadf09bc72293284e84209a5bf98c8a523f7c31cc8e4

memory/4340-27-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4340-28-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4340-29-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4340-32-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4340-34-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4340-35-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4340-36-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4340-37-0x0000000000400000-0x0000000000537000-memory.dmp