Malware Analysis Report

2024-10-19 01:49

Sample ID: 240522-xvv4tadc73
Target: ed07f9e3b592afd64a39fb9e12b52505287ed80e1918a00b0b06acd0313b46cb
SHA256: ed07f9e3b592afd64a39fb9e12b52505287ed80e1918a00b0b06acd0313b46cb
Tags: djvu discovery persistence ransomware
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256

ed07f9e3b592afd64a39fb9e12b52505287ed80e1918a00b0b06acd0313b46cb

Threat Level: Known bad

The file ed07f9e3b592afd64a39fb9e12b52505287ed80e1918a00b0b06acd0313b46cb was found to be: Known bad.

Malicious Activity Summary

djvu discovery persistence ransomware

Detected Djvu ransomware

Djvu Ransomware

Checks computer location settings

Modifies file permissions

Looks up external IP address via web service

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-22 19:10

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-22 19:10

Reported

2024-05-22 19:13

Platform

win10v2004-20240426-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ed07f9e3b592afd64a39fb9e12b52505287ed80e1918a00b0b06acd0313b46cb.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Djvu Ransomware

Tags: ransomware djvu

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ed07f9e3b592afd64a39fb9e12b52505287ed80e1918a00b0b06acd0313b46cb.exe N/A

Modifies file permissions

Tags: discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

Tags: persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\fae8cdb5-c587-4bf9-8f4c-e6c7c3cc7191\\ed07f9e3b592afd64a39fb9e12b52505287ed80e1918a00b0b06acd0313b46cb.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\ed07f9e3b592afd64a39fb9e12b52505287ed80e1918a00b0b06acd0313b46cb.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2444 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\ed07f9e3b592afd64a39fb9e12b52505287ed80e1918a00b0b06acd0313b46cb.exe C:\Users\Admin\AppData\Local\Temp\ed07f9e3b592afd64a39fb9e12b52505287ed80e1918a00b0b06acd0313b46cb.exe
PID 3952 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\ed07f9e3b592afd64a39fb9e12b52505287ed80e1918a00b0b06acd0313b46cb.exe C:\Windows\SysWOW64\icacls.exe
PID 3952 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\ed07f9e3b592afd64a39fb9e12b52505287ed80e1918a00b0b06acd0313b46cb.exe C:\Users\Admin\AppData\Local\Temp\ed07f9e3b592afd64a39fb9e12b52505287ed80e1918a00b0b06acd0313b46cb.exe
PID 4972 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\ed07f9e3b592afd64a39fb9e12b52505287ed80e1918a00b0b06acd0313b46cb.exe C:\Users\Admin\AppData\Local\Temp\ed07f9e3b592afd64a39fb9e12b52505287ed80e1918a00b0b06acd0313b46cb.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ed07f9e3b592afd64a39fb9e12b52505287ed80e1918a00b0b06acd0313b46cb.exe

"C:\Users\Admin\AppData\Local\Temp\ed07f9e3b592afd64a39fb9e12b52505287ed80e1918a00b0b06acd0313b46cb.exe"

C:\Users\Admin\AppData\Local\Temp\ed07f9e3b592afd64a39fb9e12b52505287ed80e1918a00b0b06acd0313b46cb.exe

"C:\Users\Admin\AppData\Local\Temp\ed07f9e3b592afd64a39fb9e12b52505287ed80e1918a00b0b06acd0313b46cb.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\fae8cdb5-c587-4bf9-8f4c-e6c7c3cc7191" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\ed07f9e3b592afd64a39fb9e12b52505287ed80e1918a00b0b06acd0313b46cb.exe

"C:\Users\Admin\AppData\Local\Temp\ed07f9e3b592afd64a39fb9e12b52505287ed80e1918a00b0b06acd0313b46cb.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\ed07f9e3b592afd64a39fb9e12b52505287ed80e1918a00b0b06acd0313b46cb.exe

"C:\Users\Admin\AppData\Local\Temp\ed07f9e3b592afd64a39fb9e12b52505287ed80e1918a00b0b06acd0313b46cb.exe" --Admin IsNotAutoStart IsNotTask

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 220.139.67.172.in-addr.arpa udp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 sdfjhuz.com udp
US 8.8.8.8:53 cajgtus.com udp
BO 177.222.41.236:80 cajgtus.com tcp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.72:443 www.bing.com tcp
KR 211.119.84.112:80 sdfjhuz.com tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 236.41.222.177.in-addr.arpa udp
US 8.8.8.8:53 112.84.119.211.in-addr.arpa udp
US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

memory/2444-1-0x0000000004850000-0x00000000048F2000-memory.dmp

memory/2444-2-0x0000000004A30000-0x0000000004B4B000-memory.dmp

memory/3952-3-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3952-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3952-4-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3952-6-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\fae8cdb5-c587-4bf9-8f4c-e6c7c3cc7191\ed07f9e3b592afd64a39fb9e12b52505287ed80e1918a00b0b06acd0313b46cb.exe

MD5 a216e53189aac7badb3801bfb806c058
SHA1 97b338912cb414c2ed6247288cffb46a6f4e63dc
SHA256 ed07f9e3b592afd64a39fb9e12b52505287ed80e1918a00b0b06acd0313b46cb
SHA512 5975d23ca8d6469e8877dba219beedf0f1c92a23d65f151b0e835e61f40e05285f91d8ddf48d71699470d161035d9f45791d5e2364f7c71b2683d04a6fea7d34

memory/3952-19-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1412-22-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 04473163de5fe1acc9f8960638788d55
SHA1 b55695b692d754123a7855291afae87a0c4f4191
SHA256 2da8973e0f48ce5f0a19a1f0cb3f05fc837faf559e247996f8fd643229f6e795
SHA512 7e3bbfe3b3952e871e4d515bb70c76cb6f158ce9650a3bcc4e24a0560dad08ab3bca2131640a9cc207efc0cd89fd5b600a32f332af9f1438c16a9e50aca693c4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 6728aea2631b86a76c237508d8ba9b55
SHA1 7a670f95cac088313f7558869162fe01c6dc0ec9
SHA256 e1dd7380c6df33cd5702b032e0e359029d3ef7630f06ceb42cfdc154fd0baf7b
SHA512 533080cd1ec40b8530cad5c9914e0a5156d225f7392283ed2607eda4f1db4a6930002274060ed9130a6f634222c2e15818e16a50579cfe7f5274d028d31212f5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 7e42c714f8eaac6fc3ab98736060ef16
SHA1 b2dd18d39ce7e20e89ae057e4108b7d5bca6a17a
SHA256 b561035e4a83f0a6882fa449d742dd901432bff61d2aa0dce310e1a1227f06fa
SHA512 0f2a45e9f585efc3f8f853e3f0d4f3c9ca99c37047468707fe992a2b792f5266cee9ad6abd5dd0dde55df3a80bd053b20c5bf7705fa97f4ca897d2a1357c824d

memory/1412-27-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1412-28-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1412-29-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1412-32-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1412-35-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1412-34-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1412-36-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1412-37-0x0000000000400000-0x0000000000537000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-22 19:10

Reported

2024-05-22 19:13

Platform

win11-20240508-en

Max time kernel

146s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ed07f9e3b592afd64a39fb9e12b52505287ed80e1918a00b0b06acd0313b46cb.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Djvu Ransomware

Tags: ransomware djvu

Modifies file permissions

Tags: discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

Tags: persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\20049a90-f2c5-4a21-a1a8-62d5fbe5ceaf\\ed07f9e3b592afd64a39fb9e12b52505287ed80e1918a00b0b06acd0313b46cb.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\ed07f9e3b592afd64a39fb9e12b52505287ed80e1918a00b0b06acd0313b46cb.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1360 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\ed07f9e3b592afd64a39fb9e12b52505287ed80e1918a00b0b06acd0313b46cb.exe C:\Users\Admin\AppData\Local\Temp\ed07f9e3b592afd64a39fb9e12b52505287ed80e1918a00b0b06acd0313b46cb.exe
PID 2180 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\ed07f9e3b592afd64a39fb9e12b52505287ed80e1918a00b0b06acd0313b46cb.exe C:\Windows\SysWOW64\icacls.exe
PID 2180 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\ed07f9e3b592afd64a39fb9e12b52505287ed80e1918a00b0b06acd0313b46cb.exe C:\Users\Admin\AppData\Local\Temp\ed07f9e3b592afd64a39fb9e12b52505287ed80e1918a00b0b06acd0313b46cb.exe
PID 5088 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\ed07f9e3b592afd64a39fb9e12b52505287ed80e1918a00b0b06acd0313b46cb.exe C:\Users\Admin\AppData\Local\Temp\ed07f9e3b592afd64a39fb9e12b52505287ed80e1918a00b0b06acd0313b46cb.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ed07f9e3b592afd64a39fb9e12b52505287ed80e1918a00b0b06acd0313b46cb.exe

"C:\Users\Admin\AppData\Local\Temp\ed07f9e3b592afd64a39fb9e12b52505287ed80e1918a00b0b06acd0313b46cb.exe"

C:\Users\Admin\AppData\Local\Temp\ed07f9e3b592afd64a39fb9e12b52505287ed80e1918a00b0b06acd0313b46cb.exe

"C:\Users\Admin\AppData\Local\Temp\ed07f9e3b592afd64a39fb9e12b52505287ed80e1918a00b0b06acd0313b46cb.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\20049a90-f2c5-4a21-a1a8-62d5fbe5ceaf" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\ed07f9e3b592afd64a39fb9e12b52505287ed80e1918a00b0b06acd0313b46cb.exe

"C:\Users\Admin\AppData\Local\Temp\ed07f9e3b592afd64a39fb9e12b52505287ed80e1918a00b0b06acd0313b46cb.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\ed07f9e3b592afd64a39fb9e12b52505287ed80e1918a00b0b06acd0313b46cb.exe

"C:\Users\Admin\AppData\Local\Temp\ed07f9e3b592afd64a39fb9e12b52505287ed80e1918a00b0b06acd0313b46cb.exe" --Admin IsNotAutoStart IsNotTask

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 24.65.21.104.in-addr.arpa udp
US 8.8.8.8:53 217.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
MX 187.170.192.109:80 cajgtus.com tcp
KR 220.82.134.210:80 sdfjhuz.com tcp

Files

memory/1360-1-0x0000000004A40000-0x0000000004AD5000-memory.dmp

memory/2180-2-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2180-4-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1360-3-0x0000000004AF0000-0x0000000004C0B000-memory.dmp

memory/2180-5-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2180-6-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\20049a90-f2c5-4a21-a1a8-62d5fbe5ceaf\ed07f9e3b592afd64a39fb9e12b52505287ed80e1918a00b0b06acd0313b46cb.exe

MD5 a216e53189aac7badb3801bfb806c058
SHA1 97b338912cb414c2ed6247288cffb46a6f4e63dc
SHA256 ed07f9e3b592afd64a39fb9e12b52505287ed80e1918a00b0b06acd0313b46cb
SHA512 5975d23ca8d6469e8877dba219beedf0f1c92a23d65f151b0e835e61f40e05285f91d8ddf48d71699470d161035d9f45791d5e2364f7c71b2683d04a6fea7d34

memory/2180-19-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4376-22-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 5729be57310bee2de561911aa039df33
SHA1 bf93438bf844db1cfe96ff31b3ac084c1d008257
SHA256 2ffae660b9f5f9aeb680180574bae9246e5c875e222439dc4df6313956258d81
SHA512 c9f0c45a9ef51d7f16a106a2ac771a0aa3ee053f92c865056fc4ae552e438c8cb489fab5e2ffa968c4d3bf4a6ebaa26920c346ee5770571fbce898e4e4f87e9e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 6728aea2631b86a76c237508d8ba9b55
SHA1 7a670f95cac088313f7558869162fe01c6dc0ec9
SHA256 e1dd7380c6df33cd5702b032e0e359029d3ef7630f06ceb42cfdc154fd0baf7b
SHA512 533080cd1ec40b8530cad5c9914e0a5156d225f7392283ed2607eda4f1db4a6930002274060ed9130a6f634222c2e15818e16a50579cfe7f5274d028d31212f5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 6ada575427d53667a6a98611b71e6d37
SHA1 4722f0c8b889b65329b1ebac2c521d907e71f265
SHA256 35d3e06e664920f607224f6ee41978d32e774d28eb43aabfeeda51c0441ca43a
SHA512 6194086e7c546bdac719d59caa677e4d69ba21cc4d74a86ae1d30e69e53287f1eea1f8c794aa2d348b047272e746af19773d815c391b5e8037fe2c89124bc1ba

memory/4376-27-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4376-28-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4376-29-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4376-32-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4376-34-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4376-35-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4376-36-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4376-37-0x0000000000400000-0x0000000000537000-memory.dmp