Malware Analysis Report

2024-10-23 16:23

Sample ID 240522-l2ff6abc46
Target 645bc13bf5dfefb2f0d2412363f424439f266989a5eba19abe6a2d98a7e2c012
SHA256 645bc13bf5dfefb2f0d2412363f424439f266989a5eba19abe6a2d98a7e2c012
Tags
djvu discovery persistence ransomware
score
10/10


Analysis Overview

score
10/10

SHA256

645bc13bf5dfefb2f0d2412363f424439f266989a5eba19abe6a2d98a7e2c012

Threat Level: Known bad

The file 645bc13bf5dfefb2f0d2412363f424439f266989a5eba19abe6a2d98a7e2c012 was found to be: Known bad.

Malicious Activity Summary

djvu discovery persistence ransomware

Djvu Ransomware

Detected Djvu ransomware

Modifies file permissions

Checks computer location settings

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-22 10:01

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-05-22 10:01

Reported

2024-05-22 10:04

Platform

win10v2004-20240508-en

Max time kernel

142s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\645bc13bf5dfefb2f0d2412363f424439f266989a5eba19abe6a2d98a7e2c012.exe"

Signatures

Detected Djvu ransomware


Djvu Ransomware

ransomware djvu

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\645bc13bf5dfefb2f0d2412363f424439f266989a5eba19abe6a2d98a7e2c012.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\ae0c12a6-3ca4-42a2-a5c4-101b1ba17d41\\645bc13bf5dfefb2f0d2412363f424439f266989a5eba19abe6a2d98a7e2c012.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\645bc13bf5dfefb2f0d2412363f424439f266989a5eba19abe6a2d98a7e2c012.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A (×3 identical rows)

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 212 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\645bc13bf5dfefb2f0d2412363f424439f266989a5eba19abe6a2d98a7e2c012.exe C:\Users\Admin\AppData\Local\Temp\645bc13bf5dfefb2f0d2412363f424439f266989a5eba19abe6a2d98a7e2c012.exe (×10 identical rows)
PID 3928 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\645bc13bf5dfefb2f0d2412363f424439f266989a5eba19abe6a2d98a7e2c012.exe C:\Windows\SysWOW64\icacls.exe (×3 identical rows)
PID 3928 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\645bc13bf5dfefb2f0d2412363f424439f266989a5eba19abe6a2d98a7e2c012.exe C:\Users\Admin\AppData\Local\Temp\645bc13bf5dfefb2f0d2412363f424439f266989a5eba19abe6a2d98a7e2c012.exe (×3 identical rows)
PID 1996 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\645bc13bf5dfefb2f0d2412363f424439f266989a5eba19abe6a2d98a7e2c012.exe C:\Users\Admin\AppData\Local\Temp\645bc13bf5dfefb2f0d2412363f424439f266989a5eba19abe6a2d98a7e2c012.exe (×10 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\645bc13bf5dfefb2f0d2412363f424439f266989a5eba19abe6a2d98a7e2c012.exe

"C:\Users\Admin\AppData\Local\Temp\645bc13bf5dfefb2f0d2412363f424439f266989a5eba19abe6a2d98a7e2c012.exe"

C:\Users\Admin\AppData\Local\Temp\645bc13bf5dfefb2f0d2412363f424439f266989a5eba19abe6a2d98a7e2c012.exe

"C:\Users\Admin\AppData\Local\Temp\645bc13bf5dfefb2f0d2412363f424439f266989a5eba19abe6a2d98a7e2c012.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\ae0c12a6-3ca4-42a2-a5c4-101b1ba17d41" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\645bc13bf5dfefb2f0d2412363f424439f266989a5eba19abe6a2d98a7e2c012.exe

"C:\Users\Admin\AppData\Local\Temp\645bc13bf5dfefb2f0d2412363f424439f266989a5eba19abe6a2d98a7e2c012.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\645bc13bf5dfefb2f0d2412363f424439f266989a5eba19abe6a2d98a7e2c012.exe

"C:\Users\Admin\AppData\Local\Temp\645bc13bf5dfefb2f0d2412363f424439f266989a5eba19abe6a2d98a7e2c012.exe" --Admin IsNotAutoStart IsNotTask

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 api.2ip.ua udp
US 172.67.139.220:443 api.2ip.ua tcp (×2 identical rows)
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 220.139.67.172.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 sdfjhuz.com udp
US 8.8.8.8:53 cajgtus.com udp
SA 5.42.246.42:80 cajgtus.com tcp (×5 identical rows)
AZ 213.172.74.157:80 sdfjhuz.com tcp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 42.246.42.5.in-addr.arpa udp
US 8.8.8.8:53 157.74.172.213.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp (×4 identical rows)
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp

Files

memory/212-1-0x0000000004910000-0x00000000049B1000-memory.dmp

memory/3928-2-0x0000000000400000-0x0000000000537000-memory.dmp

memory/212-3-0x0000000004AE0000-0x0000000004BFB000-memory.dmp

memory/3928-4-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3928-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3928-6-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\ae0c12a6-3ca4-42a2-a5c4-101b1ba17d41\645bc13bf5dfefb2f0d2412363f424439f266989a5eba19abe6a2d98a7e2c012.exe

MD5 dd1cb88ac4542fea3c32b4ff7c60483e
SHA1 b4b716636014911d002c72ca8e35fb90c7074b76
SHA256 645bc13bf5dfefb2f0d2412363f424439f266989a5eba19abe6a2d98a7e2c012
SHA512 df9929a028576507fbf9307a723877eee25463868499c10d3b2c45defd665331f2425e96a6ad2035f7baa6a0c2fe3a75830d56a9bfc8ae44f1e846043d9f12f1

memory/3928-17-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2016-21-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 052587e878d47611f302a8e29f262974
SHA1 9fafd0f76d01de3c8646e431e91513b4b5b634ad
SHA256 1d23baae5e1a032a292874c4f467bb1b26b1fc81e593164dce1052591d78622e
SHA512 e943b7fc84796e9b2e04bf4c474fc8299e2b794900743a1116ab85cc8059188ac8ffd0c938171b3cd09fbd907927aee741031e60b4d0391430d7cfe68c7ee93d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 195fc28150bef9b30510eed36fb325af
SHA1 1ea8a314d8af1d431b77d5280d1782e9a8e867c6
SHA256 5c2e51ccf5767f80257a0a0bb66dee40957e5379431e15a118e7f1343ad1f6e0
SHA512 537da7e46d8b5afc796c1908042088c583c5380fb729f3665845fe36286b3efeaec9fa26475e9c2263f55b1eca04bd7ae26088a9a85950b2b7f750fd24eadcfc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 8dcf43fad1ff51ab8fdc006e013bed2f
SHA1 6fdd29dbee1c9a047ff20d34d1c5c52ada376a76
SHA256 9b399c7b602b0768603a9bcc80377f4b8d4d4c867ba4e6fe493f35fffc98c33f
SHA512 2a0309801b84a99bab2559128075efb7a1ca4fcc3677ddcc668fcb07186b8d7ad1494af7558360721cf3461bd958e4bec28b73db21a70e6906263df2718b99a5

memory/2016-26-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2016-27-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2016-28-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2016-31-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2016-34-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2016-33-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2016-35-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2016-36-0x0000000000400000-0x0000000000537000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-22 10:01

Reported

2024-05-22 10:04

Platform

win11-20240508-en

Max time kernel

143s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\645bc13bf5dfefb2f0d2412363f424439f266989a5eba19abe6a2d98a7e2c012.exe"

Signatures

Detected Djvu ransomware


Djvu Ransomware

ransomware djvu

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\e79973e8-e286-4d03-b4a9-962f6e104a95\\645bc13bf5dfefb2f0d2412363f424439f266989a5eba19abe6a2d98a7e2c012.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\645bc13bf5dfefb2f0d2412363f424439f266989a5eba19abe6a2d98a7e2c012.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A (×3 identical rows)

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5100 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\645bc13bf5dfefb2f0d2412363f424439f266989a5eba19abe6a2d98a7e2c012.exe C:\Users\Admin\AppData\Local\Temp\645bc13bf5dfefb2f0d2412363f424439f266989a5eba19abe6a2d98a7e2c012.exe (×10 identical rows)
PID 5048 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\645bc13bf5dfefb2f0d2412363f424439f266989a5eba19abe6a2d98a7e2c012.exe C:\Windows\SysWOW64\icacls.exe (×3 identical rows)
PID 5048 wrote to memory of 104 N/A C:\Users\Admin\AppData\Local\Temp\645bc13bf5dfefb2f0d2412363f424439f266989a5eba19abe6a2d98a7e2c012.exe C:\Users\Admin\AppData\Local\Temp\645bc13bf5dfefb2f0d2412363f424439f266989a5eba19abe6a2d98a7e2c012.exe (×3 identical rows)
PID 104 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\645bc13bf5dfefb2f0d2412363f424439f266989a5eba19abe6a2d98a7e2c012.exe C:\Users\Admin\AppData\Local\Temp\645bc13bf5dfefb2f0d2412363f424439f266989a5eba19abe6a2d98a7e2c012.exe (×10 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\645bc13bf5dfefb2f0d2412363f424439f266989a5eba19abe6a2d98a7e2c012.exe

"C:\Users\Admin\AppData\Local\Temp\645bc13bf5dfefb2f0d2412363f424439f266989a5eba19abe6a2d98a7e2c012.exe"

C:\Users\Admin\AppData\Local\Temp\645bc13bf5dfefb2f0d2412363f424439f266989a5eba19abe6a2d98a7e2c012.exe

"C:\Users\Admin\AppData\Local\Temp\645bc13bf5dfefb2f0d2412363f424439f266989a5eba19abe6a2d98a7e2c012.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\e79973e8-e286-4d03-b4a9-962f6e104a95" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\645bc13bf5dfefb2f0d2412363f424439f266989a5eba19abe6a2d98a7e2c012.exe

"C:\Users\Admin\AppData\Local\Temp\645bc13bf5dfefb2f0d2412363f424439f266989a5eba19abe6a2d98a7e2c012.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\645bc13bf5dfefb2f0d2412363f424439f266989a5eba19abe6a2d98a7e2c012.exe

"C:\Users\Admin\AppData\Local\Temp\645bc13bf5dfefb2f0d2412363f424439f266989a5eba19abe6a2d98a7e2c012.exe" --Admin IsNotAutoStart IsNotTask

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 172.67.139.220:443 api.2ip.ua tcp (×2 identical rows)
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
SA 5.42.246.42:80 cajgtus.com tcp (×5 identical rows)
MX 189.232.53.223:80 sdfjhuz.com tcp
US 52.111.227.14:443 tcp

Files

memory/5100-1-0x0000000004AA0000-0x0000000004B3C000-memory.dmp

memory/5048-6-0x0000000000400000-0x0000000000537000-memory.dmp

memory/5100-5-0x0000000004B60000-0x0000000004C7B000-memory.dmp

memory/5048-4-0x0000000000400000-0x0000000000537000-memory.dmp

memory/5048-3-0x0000000000400000-0x0000000000537000-memory.dmp

memory/5048-2-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\e79973e8-e286-4d03-b4a9-962f6e104a95\645bc13bf5dfefb2f0d2412363f424439f266989a5eba19abe6a2d98a7e2c012.exe

MD5 dd1cb88ac4542fea3c32b4ff7c60483e
SHA1 b4b716636014911d002c72ca8e35fb90c7074b76
SHA256 645bc13bf5dfefb2f0d2412363f424439f266989a5eba19abe6a2d98a7e2c012
SHA512 df9929a028576507fbf9307a723877eee25463868499c10d3b2c45defd665331f2425e96a6ad2035f7baa6a0c2fe3a75830d56a9bfc8ae44f1e846043d9f12f1

memory/5048-19-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1364-22-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 b464283a9104c250b476065b838d6e92
SHA1 e6e224b83f022df7eb31dc01d4a7bf3a6506b029
SHA256 61c2803fd69a3da8d7747c71fbf9fbd6c1d1b34a1b7b8ae5fd77c65ca8de64b9
SHA512 e09b5056794018eb4d48e43512c724796b96c0ae028686d6f16db7546f230a9f2294ecef035c37a096dc97695f273dc5f4347d8c0ad9a624b8557427b537b3cb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 195fc28150bef9b30510eed36fb325af
SHA1 1ea8a314d8af1d431b77d5280d1782e9a8e867c6
SHA256 5c2e51ccf5767f80257a0a0bb66dee40957e5379431e15a118e7f1343ad1f6e0
SHA512 537da7e46d8b5afc796c1908042088c583c5380fb729f3665845fe36286b3efeaec9fa26475e9c2263f55b1eca04bd7ae26088a9a85950b2b7f750fd24eadcfc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 133d62f51f9606e085206c87e3c2c095
SHA1 bf3e8aedb2f92b12055730cd544cc4ebe79b45f8
SHA256 e0a4a861ec64fe9a3cdd73b2ff7bcdf626e4a965ee22d39a31721b80702d9898
SHA512 f8c28a01bf141a43da0b7d0192b27762ddf2ba183fcde5d9f2eb34d96bfdd8046adc1d63211a878b210c1e7abd1f4b3484aa043312b28835dccafc61fbfc8f9b

memory/1364-27-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1364-28-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1364-29-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1364-32-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1364-35-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1364-34-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1364-36-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1364-37-0x0000000000400000-0x0000000000537000-memory.dmp