Malware Analysis Report

2024-10-23 16:23

Sample ID 240522-l31tgsbd71
Target 645bc13bf5dfefb2f0d2412363f424439f266989a5eba19abe6a2d98a7e2c012
SHA256 645bc13bf5dfefb2f0d2412363f424439f266989a5eba19abe6a2d98a7e2c012
Tags
djvu discovery persistence ransomware
Score 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256

645bc13bf5dfefb2f0d2412363f424439f266989a5eba19abe6a2d98a7e2c012

Threat Level: Known bad

The file 645bc13bf5dfefb2f0d2412363f424439f266989a5eba19abe6a2d98a7e2c012 was found to be: Known bad.

Malicious Activity Summary

djvu discovery persistence ransomware

Djvu Ransomware

Detected Djvu ransomware

Modifies file permissions

Checks computer location settings

Looks up external IP address via web service

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-22 10:04

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-22 10:04

Reported

2024-05-22 10:06

Platform

win7-20240419-en

Max time kernel

143s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\645bc13bf5dfefb2f0d2412363f424439f266989a5eba19abe6a2d98a7e2c012.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A (13 identical rows; no indicator details recorded)

Djvu Ransomware

ransomware djvu

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\b0bf3935-e296-4e6d-bde3-38b2f0677dc8\\645bc13bf5dfefb2f0d2412363f424439f266989a5eba19abe6a2d98a7e2c012.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\645bc13bf5dfefb2f0d2412363f424439f266989a5eba19abe6a2d98a7e2c012.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A (3 identical rows)

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target Hits
PID 3020 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\645bc13bf5dfefb2f0d2412363f424439f266989a5eba19abe6a2d98a7e2c012.exe C:\Users\Admin\AppData\Local\Temp\645bc13bf5dfefb2f0d2412363f424439f266989a5eba19abe6a2d98a7e2c012.exe 11
PID 1828 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\645bc13bf5dfefb2f0d2412363f424439f266989a5eba19abe6a2d98a7e2c012.exe C:\Windows\SysWOW64\icacls.exe 4
PID 1828 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\645bc13bf5dfefb2f0d2412363f424439f266989a5eba19abe6a2d98a7e2c012.exe C:\Users\Admin\AppData\Local\Temp\645bc13bf5dfefb2f0d2412363f424439f266989a5eba19abe6a2d98a7e2c012.exe 4
PID 2652 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\645bc13bf5dfefb2f0d2412363f424439f266989a5eba19abe6a2d98a7e2c012.exe C:\Users\Admin\AppData\Local\Temp\645bc13bf5dfefb2f0d2412363f424439f266989a5eba19abe6a2d98a7e2c012.exe 11

Processes

C:\Users\Admin\AppData\Local\Temp\645bc13bf5dfefb2f0d2412363f424439f266989a5eba19abe6a2d98a7e2c012.exe

"C:\Users\Admin\AppData\Local\Temp\645bc13bf5dfefb2f0d2412363f424439f266989a5eba19abe6a2d98a7e2c012.exe"

C:\Users\Admin\AppData\Local\Temp\645bc13bf5dfefb2f0d2412363f424439f266989a5eba19abe6a2d98a7e2c012.exe

"C:\Users\Admin\AppData\Local\Temp\645bc13bf5dfefb2f0d2412363f424439f266989a5eba19abe6a2d98a7e2c012.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\b0bf3935-e296-4e6d-bde3-38b2f0677dc8" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\645bc13bf5dfefb2f0d2412363f424439f266989a5eba19abe6a2d98a7e2c012.exe

"C:\Users\Admin\AppData\Local\Temp\645bc13bf5dfefb2f0d2412363f424439f266989a5eba19abe6a2d98a7e2c012.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\645bc13bf5dfefb2f0d2412363f424439f266989a5eba19abe6a2d98a7e2c012.exe

"C:\Users\Admin\AppData\Local\Temp\645bc13bf5dfefb2f0d2412363f424439f266989a5eba19abe6a2d98a7e2c012.exe" --Admin IsNotAutoStart IsNotTask

Network

Country Destination Domain Proto Hits
US 8.8.8.8:53 api.2ip.ua udp 1
US 172.67.139.220:443 api.2ip.ua tcp 2
US 8.8.8.8:53 sdfjhuz.com udp 1
US 8.8.8.8:53 cajgtus.com udp 1
PE 190.12.87.61:80 cajgtus.com tcp 5
AZ 213.172.74.157:80 sdfjhuz.com tcp 1

Files

memory/3020-0-0x0000000002D80000-0x0000000002E11000-memory.dmp

memory/3020-2-0x0000000004550000-0x000000000466B000-memory.dmp

memory/3020-1-0x0000000002D80000-0x0000000002E11000-memory.dmp

memory/1828-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1828-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3020-7-0x0000000002D80000-0x0000000002E11000-memory.dmp

memory/1828-8-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1828-9-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\b0bf3935-e296-4e6d-bde3-38b2f0677dc8\645bc13bf5dfefb2f0d2412363f424439f266989a5eba19abe6a2d98a7e2c012.exe

MD5 dd1cb88ac4542fea3c32b4ff7c60483e
SHA1 b4b716636014911d002c72ca8e35fb90c7074b76
SHA256 645bc13bf5dfefb2f0d2412363f424439f266989a5eba19abe6a2d98a7e2c012
SHA512 df9929a028576507fbf9307a723877eee25463868499c10d3b2c45defd665331f2425e96a6ad2035f7baa6a0c2fe3a75830d56a9bfc8ae44f1e846043d9f12f1

memory/1828-27-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2652-29-0x0000000000320000-0x00000000003B1000-memory.dmp

memory/2600-32-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 4f56afe84d680d02a1d3a64b4e76166e
SHA1 84fe896c20a1981ec57653cf2ca0223486ed0605
SHA256 576cd89e100349a03d8411491ebe0f051b4d84e4861a36ccbad9321ba060e4d8
SHA512 6121b2ca4d8123294e6a8aedb4618c2fb0da97814d996c739ea8c72575d676e380e20dcc4284147ec72033c313392d17c1614d4c4961ef9fbd718a73da053c64

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 195fc28150bef9b30510eed36fb325af
SHA1 1ea8a314d8af1d431b77d5280d1782e9a8e867c6
SHA256 5c2e51ccf5767f80257a0a0bb66dee40957e5379431e15a118e7f1343ad1f6e0
SHA512 537da7e46d8b5afc796c1908042088c583c5380fb729f3665845fe36286b3efeaec9fa26475e9c2263f55b1eca04bd7ae26088a9a85950b2b7f750fd24eadcfc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 e4099c6219bbe2ebd9e072f4101c4227
SHA1 221021504f78b3b2b9e5a4e8f52d3774a07ac9ae
SHA256 0ca04ecec4c422af17297a36fe66323804394a5b5e006962ef068a4ab24ab133
SHA512 bd2011281844d42f1cedc9904a34b19ee2a0acd8f40d1edc706738aac4f8b0cbff7a6c1b2c452c2f7385774797fd95cce9142970fb138e9122e6969421f93502

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 dfa18b6efdf5498433ff6ff55df6b792
SHA1 6d39db48624dc90ae3331466859f3a68bbfe1a6c
SHA256 e38fe3a2dbb4aeb7427bc418e886c04cdd863833ebba082317eda4b7983b18cd
SHA512 5ee7e62a48c7244f5ce1f9772b9ca6dc03329b83acf9451c980029304dd0113746fa473dcff7ce02e0b9b7460cfb30f56933fd17de7018ca99aa0d1184d4fb41

C:\Users\Admin\AppData\Local\Temp\Cab1D8F.tmp

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

memory/2600-45-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2600-46-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2600-47-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2600-50-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2600-52-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2600-53-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2600-54-0x0000000000400000-0x0000000000537000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-22 10:04

Reported

2024-05-22 10:06

Platform

win10v2004-20240508-en

Max time kernel

144s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\645bc13bf5dfefb2f0d2412363f424439f266989a5eba19abe6a2d98a7e2c012.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A (15 identical rows; no indicator details recorded)

Djvu Ransomware

ransomware djvu

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\645bc13bf5dfefb2f0d2412363f424439f266989a5eba19abe6a2d98a7e2c012.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\e483a20a-444e-4d75-bc7d-a42159279c03\\645bc13bf5dfefb2f0d2412363f424439f266989a5eba19abe6a2d98a7e2c012.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\645bc13bf5dfefb2f0d2412363f424439f266989a5eba19abe6a2d98a7e2c012.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A (3 identical rows)

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target Hits
PID 1124 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\645bc13bf5dfefb2f0d2412363f424439f266989a5eba19abe6a2d98a7e2c012.exe C:\Users\Admin\AppData\Local\Temp\645bc13bf5dfefb2f0d2412363f424439f266989a5eba19abe6a2d98a7e2c012.exe 10
PID 1860 wrote to memory of 5344 N/A C:\Users\Admin\AppData\Local\Temp\645bc13bf5dfefb2f0d2412363f424439f266989a5eba19abe6a2d98a7e2c012.exe C:\Windows\SysWOW64\icacls.exe 3
PID 1860 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\645bc13bf5dfefb2f0d2412363f424439f266989a5eba19abe6a2d98a7e2c012.exe C:\Users\Admin\AppData\Local\Temp\645bc13bf5dfefb2f0d2412363f424439f266989a5eba19abe6a2d98a7e2c012.exe 3
PID 464 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\645bc13bf5dfefb2f0d2412363f424439f266989a5eba19abe6a2d98a7e2c012.exe C:\Users\Admin\AppData\Local\Temp\645bc13bf5dfefb2f0d2412363f424439f266989a5eba19abe6a2d98a7e2c012.exe 10

Processes

C:\Users\Admin\AppData\Local\Temp\645bc13bf5dfefb2f0d2412363f424439f266989a5eba19abe6a2d98a7e2c012.exe

"C:\Users\Admin\AppData\Local\Temp\645bc13bf5dfefb2f0d2412363f424439f266989a5eba19abe6a2d98a7e2c012.exe"

C:\Users\Admin\AppData\Local\Temp\645bc13bf5dfefb2f0d2412363f424439f266989a5eba19abe6a2d98a7e2c012.exe

"C:\Users\Admin\AppData\Local\Temp\645bc13bf5dfefb2f0d2412363f424439f266989a5eba19abe6a2d98a7e2c012.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\e483a20a-444e-4d75-bc7d-a42159279c03" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\645bc13bf5dfefb2f0d2412363f424439f266989a5eba19abe6a2d98a7e2c012.exe

"C:\Users\Admin\AppData\Local\Temp\645bc13bf5dfefb2f0d2412363f424439f266989a5eba19abe6a2d98a7e2c012.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\645bc13bf5dfefb2f0d2412363f424439f266989a5eba19abe6a2d98a7e2c012.exe

"C:\Users\Admin\AppData\Local\Temp\645bc13bf5dfefb2f0d2412363f424439f266989a5eba19abe6a2d98a7e2c012.exe" --Admin IsNotAutoStart IsNotTask

Network

Country Destination Domain Proto Hits
US 8.8.8.8:53 api.2ip.ua udp 1
US 172.67.139.220:443 api.2ip.ua tcp 2
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp 1
US 8.8.8.8:53 220.139.67.172.in-addr.arpa udp 1
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp 1
US 8.8.8.8:53 tse1.mm.bing.net udp 2
US 204.79.197.200:443 tse1.mm.bing.net tcp 3
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp 1
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp 1
US 8.8.8.8:53 sdfjhuz.com udp 1
US 8.8.8.8:53 cajgtus.com udp 1
BR 179.159.229.64:80 cajgtus.com tcp 5
US 8.8.8.8:53 g.bing.com udp 1
US 204.79.197.237:443 g.bing.com tcp 1
AR 200.114.83.251:80 sdfjhuz.com tcp 1
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp 1
US 8.8.8.8:53 64.229.159.179.in-addr.arpa udp 1
US 8.8.8.8:53 251.83.114.200.in-addr.arpa udp 1
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp 1
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp 1
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp 1
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp 1
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp 1
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp 1

Files

memory/1124-1-0x0000000004910000-0x00000000049B0000-memory.dmp

memory/1860-3-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1860-4-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1124-2-0x00000000049B0000-0x0000000004ACB000-memory.dmp

memory/1860-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1860-6-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\e483a20a-444e-4d75-bc7d-a42159279c03\645bc13bf5dfefb2f0d2412363f424439f266989a5eba19abe6a2d98a7e2c012.exe

MD5 dd1cb88ac4542fea3c32b4ff7c60483e
SHA1 b4b716636014911d002c72ca8e35fb90c7074b76
SHA256 645bc13bf5dfefb2f0d2412363f424439f266989a5eba19abe6a2d98a7e2c012
SHA512 df9929a028576507fbf9307a723877eee25463868499c10d3b2c45defd665331f2425e96a6ad2035f7baa6a0c2fe3a75830d56a9bfc8ae44f1e846043d9f12f1

memory/1860-17-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1380-20-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 71c200efcb806741f048feae356fbce5
SHA1 e790dd9fbb5dfc7c081e4c0b2de1f5900e420e1a
SHA256 76c7a40d0fd7061be8e5da74b54b44959a8a8e94a3e199e22eb374da95a6069f
SHA512 5b662931645342e297a97c41a8b85f0dd2573fe4d1fc2fec8be45fffce88188be7529b850eccb7a95bc84e0b94f794d81f3e286c7e59f5a739d7740870e6e525

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 60f45580c57c750c554e3d240a59f9dd
SHA1 3fa2cec1a4b898e5a435ae75a1653123ab1ce6c2
SHA256 e686d3d59ffb19ceceab988df7e57abd22a5cbd2cc4e57fdfac28f62d166ec90
SHA512 512eb95f41a6cef9ed143a6f7e80071a2c628c3b0354007489b337bba882421a821e9446d015b2d15b17e633b628f9326f6598429abf72d907f43ed7a103c3bd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 195fc28150bef9b30510eed36fb325af
SHA1 1ea8a314d8af1d431b77d5280d1782e9a8e867c6
SHA256 5c2e51ccf5767f80257a0a0bb66dee40957e5379431e15a118e7f1343ad1f6e0
SHA512 537da7e46d8b5afc796c1908042088c583c5380fb729f3665845fe36286b3efeaec9fa26475e9c2263f55b1eca04bd7ae26088a9a85950b2b7f750fd24eadcfc

memory/1380-25-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1380-26-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1380-27-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1380-30-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1380-32-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1380-33-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1380-34-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1380-35-0x0000000000400000-0x0000000000537000-memory.dmp