Malware Analysis Report

2024-10-19 01:49

Sample ID 240522-xm98rsch3s
Target ed2fd71789f08260d4fee1685ef35e0b1090e4b4b3667851a021c99364a86b35.exe
SHA256 ed2fd71789f08260d4fee1685ef35e0b1090e4b4b3667851a021c99364a86b35
Tags
djvu discovery persistence ransomware
score
10/10

Analysis Overview

score
10/10

SHA256

ed2fd71789f08260d4fee1685ef35e0b1090e4b4b3667851a021c99364a86b35

Threat Level: Known bad

The file ed2fd71789f08260d4fee1685ef35e0b1090e4b4b3667851a021c99364a86b35.exe was found to be: Known bad.

Malicious Activity Summary

djvu discovery persistence ransomware

Detected Djvu ransomware

Djvu Ransomware

Modifies file permissions

Checks computer location settings

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-22 18:59

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-22 18:59

Reported

2024-05-22 19:02

Platform

win7-20240221-en

Max time kernel

147s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ed2fd71789f08260d4fee1685ef35e0b1090e4b4b3667851a021c99364a86b35.exe"

Signatures

Detected Djvu ransomware

Djvu Ransomware

ransomware djvu

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\ccc0a912-8396-4242-b557-ac3f10805189\\ed2fd71789f08260d4fee1685ef35e0b1090e4b4b3667851a021c99364a86b35.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\ed2fd71789f08260d4fee1685ef35e0b1090e4b4b3667851a021c99364a86b35.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2240 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\ed2fd71789f08260d4fee1685ef35e0b1090e4b4b3667851a021c99364a86b35.exe C:\Users\Admin\AppData\Local\Temp\ed2fd71789f08260d4fee1685ef35e0b1090e4b4b3667851a021c99364a86b35.exe
PID 1500 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\ed2fd71789f08260d4fee1685ef35e0b1090e4b4b3667851a021c99364a86b35.exe C:\Windows\SysWOW64\icacls.exe
PID 1500 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\ed2fd71789f08260d4fee1685ef35e0b1090e4b4b3667851a021c99364a86b35.exe C:\Users\Admin\AppData\Local\Temp\ed2fd71789f08260d4fee1685ef35e0b1090e4b4b3667851a021c99364a86b35.exe
PID 2644 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\ed2fd71789f08260d4fee1685ef35e0b1090e4b4b3667851a021c99364a86b35.exe C:\Users\Admin\AppData\Local\Temp\ed2fd71789f08260d4fee1685ef35e0b1090e4b4b3667851a021c99364a86b35.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ed2fd71789f08260d4fee1685ef35e0b1090e4b4b3667851a021c99364a86b35.exe

"C:\Users\Admin\AppData\Local\Temp\ed2fd71789f08260d4fee1685ef35e0b1090e4b4b3667851a021c99364a86b35.exe"

C:\Users\Admin\AppData\Local\Temp\ed2fd71789f08260d4fee1685ef35e0b1090e4b4b3667851a021c99364a86b35.exe

"C:\Users\Admin\AppData\Local\Temp\ed2fd71789f08260d4fee1685ef35e0b1090e4b4b3667851a021c99364a86b35.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\ccc0a912-8396-4242-b557-ac3f10805189" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\ed2fd71789f08260d4fee1685ef35e0b1090e4b4b3667851a021c99364a86b35.exe

"C:\Users\Admin\AppData\Local\Temp\ed2fd71789f08260d4fee1685ef35e0b1090e4b4b3667851a021c99364a86b35.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\ed2fd71789f08260d4fee1685ef35e0b1090e4b4b3667851a021c99364a86b35.exe

"C:\Users\Admin\AppData\Local\Temp\ed2fd71789f08260d4fee1685ef35e0b1090e4b4b3667851a021c99364a86b35.exe" --Admin IsNotAutoStart IsNotTask

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 sdfjhuz.com udp
US 8.8.8.8:53 cajgtus.com udp
AR 186.182.55.44:80 cajgtus.com tcp
IR 2.185.214.11:80 sdfjhuz.com tcp

Files

memory/2240-0-0x0000000000220000-0x00000000002B2000-memory.dmp

memory/1500-1-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2240-6-0x0000000000220000-0x00000000002B2000-memory.dmp

memory/2240-5-0x0000000002D10000-0x0000000002E2B000-memory.dmp

memory/1500-3-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1500-7-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1500-8-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\ccc0a912-8396-4242-b557-ac3f10805189\ed2fd71789f08260d4fee1685ef35e0b1090e4b4b3667851a021c99364a86b35.exe

MD5 3b8a963e6b19ad273243a1a31c8daca5
SHA1 a1e84e3b6d68892d95427fb0d2602982b0ed3763
SHA256 ed2fd71789f08260d4fee1685ef35e0b1090e4b4b3667851a021c99364a86b35
SHA512 c7560121fa534a6945eca35a395e57683157ce2942e9bfebc69bad16013c2c864e3bf2b8f7b39a6dbdfa4a00d6d63cefbec785b6cdaa844123c97b44999f6561

memory/1500-26-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2644-28-0x0000000000330000-0x00000000003C2000-memory.dmp

memory/2548-31-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 6728aea2631b86a76c237508d8ba9b55
SHA1 7a670f95cac088313f7558869162fe01c6dc0ec9
SHA256 e1dd7380c6df33cd5702b032e0e359029d3ef7630f06ceb42cfdc154fd0baf7b
SHA512 533080cd1ec40b8530cad5c9914e0a5156d225f7392283ed2607eda4f1db4a6930002274060ed9130a6f634222c2e15818e16a50579cfe7f5274d028d31212f5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 a8c4af226b9354d7149e25d0f49dfa39
SHA1 f8c3244619c3eda04ebafa9f1de0f5928efcd2e1
SHA256 b5e86f3aca8ed7485886d50e84af4f6f996ba88d82507a818ce70aeea48b2a86
SHA512 aabdea5b3c1f5c5d448575930e1b3948905c44f24878f31ceaef1a16f0fb78f45303f89ae24331649e402a608e8d7e3a25257e4bc3423d496909c338524e3d3d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 108b1a2b106f74fce056be49d50060ae
SHA1 2f870afeecacbf1e055c0fa210b86d37fb0df9ba
SHA256 5c60d9070c1cb56fdcb68d50884bc826f62862eb1d19e9c6a74975e6355c9f20
SHA512 20fc65dacf68bea855d610cfc6310c09eb0f38f2e10c0be12c1731c032db99e85c98e02e684b8c7a0b86b19243ca0111f7dc81ac42c9a968e16d2ee099f64bad

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ba5f9dea83766b3d6e6afda52a4bbf92
SHA1 3b97eb7193c07951767c00ece60a158c88b3dc6e
SHA256 be582b666e7b16416b28569675129e2682f2f616f516b29438a70885d651a5f7
SHA512 003a4a6c51f6222945f0c8898a6f2a525a3c0b5a3ec5ed4a99734375f3dc18a79dedf1af70347bc5c35f98fb3d7bac5f56606029ddb4e84e0b212b79d9c77542

C:\Users\Admin\AppData\Local\Temp\Cab94E0.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

memory/2548-44-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2548-45-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2548-46-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2548-51-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2548-52-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2548-49-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2548-53-0x0000000000400000-0x0000000000537000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-22 18:59

Reported

2024-05-22 19:02

Platform

win10v2004-20240426-en

Max time kernel

144s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ed2fd71789f08260d4fee1685ef35e0b1090e4b4b3667851a021c99364a86b35.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
Djvu Ransomware

ransomware djvu

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ed2fd71789f08260d4fee1685ef35e0b1090e4b4b3667851a021c99364a86b35.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\62ac14a8-fc23-4081-83ac-6d24dfe8d366\\ed2fd71789f08260d4fee1685ef35e0b1090e4b4b3667851a021c99364a86b35.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\ed2fd71789f08260d4fee1685ef35e0b1090e4b4b3667851a021c99364a86b35.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2688 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\ed2fd71789f08260d4fee1685ef35e0b1090e4b4b3667851a021c99364a86b35.exe C:\Users\Admin\AppData\Local\Temp\ed2fd71789f08260d4fee1685ef35e0b1090e4b4b3667851a021c99364a86b35.exe
PID 4896 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\ed2fd71789f08260d4fee1685ef35e0b1090e4b4b3667851a021c99364a86b35.exe C:\Windows\SysWOW64\icacls.exe
PID 4896 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\ed2fd71789f08260d4fee1685ef35e0b1090e4b4b3667851a021c99364a86b35.exe C:\Users\Admin\AppData\Local\Temp\ed2fd71789f08260d4fee1685ef35e0b1090e4b4b3667851a021c99364a86b35.exe
PID 1940 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\ed2fd71789f08260d4fee1685ef35e0b1090e4b4b3667851a021c99364a86b35.exe C:\Users\Admin\AppData\Local\Temp\ed2fd71789f08260d4fee1685ef35e0b1090e4b4b3667851a021c99364a86b35.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ed2fd71789f08260d4fee1685ef35e0b1090e4b4b3667851a021c99364a86b35.exe

"C:\Users\Admin\AppData\Local\Temp\ed2fd71789f08260d4fee1685ef35e0b1090e4b4b3667851a021c99364a86b35.exe"

C:\Users\Admin\AppData\Local\Temp\ed2fd71789f08260d4fee1685ef35e0b1090e4b4b3667851a021c99364a86b35.exe

"C:\Users\Admin\AppData\Local\Temp\ed2fd71789f08260d4fee1685ef35e0b1090e4b4b3667851a021c99364a86b35.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\62ac14a8-fc23-4081-83ac-6d24dfe8d366" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\ed2fd71789f08260d4fee1685ef35e0b1090e4b4b3667851a021c99364a86b35.exe

"C:\Users\Admin\AppData\Local\Temp\ed2fd71789f08260d4fee1685ef35e0b1090e4b4b3667851a021c99364a86b35.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\ed2fd71789f08260d4fee1685ef35e0b1090e4b4b3667851a021c99364a86b35.exe

"C:\Users\Admin\AppData\Local\Temp\ed2fd71789f08260d4fee1685ef35e0b1090e4b4b3667851a021c99364a86b35.exe" --Admin IsNotAutoStart IsNotTask

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 24.65.21.104.in-addr.arpa udp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 sdfjhuz.com udp
US 8.8.8.8:53 cajgtus.com udp
KR 211.168.53.110:80 cajgtus.com tcp
KR 220.82.134.210:80 sdfjhuz.com tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 110.53.168.211.in-addr.arpa udp
US 8.8.8.8:53 210.134.82.220.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp

Files

memory/4896-2-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2688-4-0x0000000004A80000-0x0000000004B9B000-memory.dmp

memory/4896-6-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4896-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4896-3-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2688-1-0x0000000004920000-0x00000000049B4000-memory.dmp

C:\Users\Admin\AppData\Local\62ac14a8-fc23-4081-83ac-6d24dfe8d366\ed2fd71789f08260d4fee1685ef35e0b1090e4b4b3667851a021c99364a86b35.exe

MD5 3b8a963e6b19ad273243a1a31c8daca5
SHA1 a1e84e3b6d68892d95427fb0d2602982b0ed3763
SHA256 ed2fd71789f08260d4fee1685ef35e0b1090e4b4b3667851a021c99364a86b35
SHA512 c7560121fa534a6945eca35a395e57683157ce2942e9bfebc69bad16013c2c864e3bf2b8f7b39a6dbdfa4a00d6d63cefbec785b6cdaa844123c97b44999f6561

memory/4896-17-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4620-20-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 770d21ce6f0c6328b979e96c4c2a7b3e
SHA1 306d4a351f774868c69053a286eef7e279cb4afe
SHA256 2131bfc573c82a81262a92bfb173ff8357c8ab4e64b13e1e1ed19ed258cb6254
SHA512 9d87fcfb182f4e262bbabeb1cd0fd10ffd76a33808f18808a182fa16c1e39d575e6cfc053d9fb8e2f391b84441fa93127fa113413000930d9b7ff9184367da81

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 6728aea2631b86a76c237508d8ba9b55
SHA1 7a670f95cac088313f7558869162fe01c6dc0ec9
SHA256 e1dd7380c6df33cd5702b032e0e359029d3ef7630f06ceb42cfdc154fd0baf7b
SHA512 533080cd1ec40b8530cad5c9914e0a5156d225f7392283ed2607eda4f1db4a6930002274060ed9130a6f634222c2e15818e16a50579cfe7f5274d028d31212f5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 4dc5ef10f84496fdbd166fb76286de73
SHA1 4eaef02980b691b3271363f4d3612d9c3d5e957d
SHA256 f7eb18579b848ae508cc3a8673a3d5734757c61dc71105ccdb7c9c35fd0d1bd4
SHA512 80096c9b84f2fedd8013d44d7cacc05c20aa8dc8badc748d7e0d634b374447b35cb8bb4a60558360bfa1549f70e36d61b4a9013c23eb356fd9df943d1b54a1e5

memory/4620-25-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4620-26-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4620-27-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4620-30-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4620-32-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4620-33-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4620-34-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4620-35-0x0000000000400000-0x0000000000537000-memory.dmp