Malware Analysis Report

2024-10-19 01:49

Sample ID: 240523-lb278sbh26
Target:    d30587fdb3fc7a66dbc5d9f3c33124fe9dd3381bf6b6b3a2a09179902da8168d
SHA256:    d30587fdb3fc7a66dbc5d9f3c33124fe9dd3381bf6b6b3a2a09179902da8168d
Tags:      djvu, discovery, persistence, ransomware
Score:     10/10

Table of Contents

  Analysis Overview
  Analysis: static1        (Detonation Overview, Signatures)
  Analysis: behavioral1    (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
  Analysis: behavioral2    (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10
SHA256: d30587fdb3fc7a66dbc5d9f3c33124fe9dd3381bf6b6b3a2a09179902da8168d
Threat level: Known bad. The file d30587fdb3fc7a66dbc5d9f3c33124fe9dd3381bf6b6b3a2a09179902da8168d was found to be: Known bad.

Malicious Activity Summary (tags: djvu, discovery, persistence, ransomware)

  Djvu Ransomware: Detected Djvu ransomware
  Checks computer location settings
  Modifies file permissions
  Looks up external IP address via web service
  Adds Run key to start application
  Suspicious use of SetThreadContext
  Enumerates physical storage devices
  Unsigned PE
  Suspicious use of WriteProcessMemory
  Suspicious behavior: EnumeratesProcesses

Read together, the two detonations below (Windows 10 and Windows 11) record the same chain. The sample re-launches itself from its original path, with the parent writing repeatedly into a child of its own image (which, with the SetThreadContext signature, is the pattern of process hollowing); copies itself byte-for-byte to a GUID-named folder under C:\Users\Admin\AppData\Local\; runs icacls to deny Everyone delete rights on that folder; registers the copy as the per-user Run value SysHelper with the --AutoStart argument; reads the user's Geo\Nation setting (recorded in behavioral1); queries api.2ip.ua over HTTPS for its external address; and then contacts sdfjhuz.com and cajgtus.com over plain HTTP on port 80. No encrypted user files or ransom note appear in the Files sections of this export, so the ransomware classification rests on the family signature and the behaviour above, not on observed encryption.


Analysis: static1

Detonation Overview

Reported: 2024-05-23 09:22

Signatures

Unsigned PE: the sample carries no Authenticode signature. No further indicator details are recorded for this signature.

Analysis: behavioral1

Detonation Overview

Submitted:        2024-05-23 09:22
Reported:         2024-05-23 09:24
Platform:         win10v2004-20240508-en
Max time kernel:  143s
Max time network: 126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d30587fdb3fc7a66dbc5d9f3c33124fe9dd3381bf6b6b3a2a09179902da8168d.exe"

Signatures

Detected Djvu ransomware (family: Djvu Ransomware; tags: ransomware, djvu)

No indicator details are recorded for this signature in the export (sixteen empty rows).

Checks computer location settings

  Operation  Key value queried
  Key        \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation
  Process    C:\Users\Admin\AppData\Local\Temp\d30587fdb3fc7a66dbc5d9f3c33124fe9dd3381bf6b6b3a2a09179902da8168d.exe

Geo\Nation holds the numeric GEOID of the country configured for the user. Reading it, and then asking api.2ip.ua for the external address (see below), gives the sample two independent views of where it is running; the report records the read but not what the sample did with the result.

Modifies file permissions (tag: discovery)

  Process  C:\Windows\SysWOW64\icacls.exe   (command line listed under Processes)

The icacls command line under Processes shows what changed: "/deny *S-1-1-0:(OI)(CI)(DE,DC)" adds a Deny ACE for Everyone covering DELETE and DELETE_CHILD, inherited by files and subfolders, on the GUID-named folder that holds the sample's copy. The copy can still be read and executed, but it cannot be deleted by the user or by a cleanup tool running as the user until that ACE is removed. The SysWOW64 path also shows the sample is a 32-bit process on 64-bit Windows (WOW64 file system redirection).

Adds Run key to start application (tag: persistence)

  Operation  Set value (str)
  Key        \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper
  Data       "C:\Users\Admin\AppData\Local\dd6c1939-36f3-494f-9a93-4b5934225d5e\d30587fdb3fc7a66dbc5d9f3c33124fe9dd3381bf6b6b3a2a09179902da8168d.exe" --AutoStart
  Process    C:\Users\Admin\AppData\Local\Temp\d30587fdb3fc7a66dbc5d9f3c33124fe9dd3381bf6b6b3a2a09179902da8168d.exe

The value sits in the user's own hive (HKCU for that account), so the persistence is per-user and fires at that user's logon. The --AutoStart argument marks the persisted launch; the initial run takes no arguments and the re-launch seen under Processes uses "--Admin IsNotAutoStart IsNotTask".

Looks up external IP address via web service

  Indicator  api.2ip.ua   (three occurrences; process not recorded)

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

The export repeats one row per write call; collapsed by process pair (<sample>.exe = C:\Users\Admin\AppData\Local\Temp\d30587fdb3fc7a66dbc5d9f3c33124fe9dd3381bf6b6b3a2a09179902da8168d.exe):

  Source PID  Target PID  Target image                          Writes
  4332        4572        <sample>.exe (same image as parent)   10
  4572        4348        C:\Windows\SysWOW64\icacls.exe         3
  4572        2036        <sample>.exe (same image as parent)    3
  2036        1472        <sample>.exe (same image as parent)   10

The three writes each into icacls.exe and into PID 2036 match the handful of writes CreateProcess itself makes when it sets up a child's process parameters. The ten writes each into 4572 and 1472, both freshly created children of the same image, together with the SetThreadContext signature in the overview, are consistent with process hollowing: the child is created, its memory is overwritten with the unpacked payload, and its initial thread is redirected into it.

Processes

Process tree rebuilt from the write-to-memory table; PIDs come from that table and the command lines are matched to them in the order the export lists them. <sample>.exe = C:\Users\Admin\AppData\Local\Temp\d30587fdb3fc7a66dbc5d9f3c33124fe9dd3381bf6b6b3a2a09179902da8168d.exe.

  4332  "<sample>.exe"
    4572  "<sample>.exe"                                                      (10 writes from 4332)
      4348  icacls "C:\Users\Admin\AppData\Local\dd6c1939-36f3-494f-9a93-4b5934225d5e" /deny *S-1-1-0:(OI)(CI)(DE,DC)
      2036  "<sample>.exe" --Admin IsNotAutoStart IsNotTask                  (3 writes from 4572)
        1472  "<sample>.exe" --Admin IsNotAutoStart IsNotTask                (10 writes from 2036)

Also listed, but outside the sample's tree (no write-to-memory edge touches it), is a Microsoft Edge utility process from the sandbox image:

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4404,i,1697479186275492802,18058102846092193784,262144 --variations-seed-version --mojo-platform-channel-handle=4368 /prefetch:8
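The persistence and ACL artifacts recorded above (the Run value SysHelper launching a copy with --AutoStart, the GUID-named folder under %LOCALAPPDATA%, and the icacls deny on that folder) can be checked on a suspect host with the following PowerShell. It is an added triage example, not code from the report, the sandbox vendor or the sample; the function and parameter names (Find-DjvuPersistence, Test-EveryoneDeleteDeny, -Remediate) are this example's own, and it assumes PowerShell 5.1 or later running in the affected user's session.

```powershell
<#
  Added triage example (not from the sandbox report or the sample).
  Looks for: HKCU Run value "SysHelper"; GUID-named folders under %LOCALAPPDATA%
  holding an .exe; a Deny ACE for Everyone (S-1-1-0) on delete rights, which is
  what 'icacls <dir> /deny *S-1-1-0:(OI)(CI)(DE,DC)' produces.
  Assumptions: PowerShell 5.1+, run as the affected user. $KnownSha256 is the
  sample hash from the report header.
#>

$KnownSha256 = 'd30587fdb3fc7a66dbc5d9f3c33124fe9dd3381bf6b6b3a2a09179902da8168d'
$RunKeyPath  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$EveryoneSid = 'S-1-1-0'
$GuidName    = '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'
$DeleteMask  = [System.Security.AccessControl.FileSystemRights]::Delete -bor [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles

function Test-EveryoneDeleteDeny {
    # True when the DACL of $Path has a Deny ACE for S-1-1-0 that covers
    # Delete or DeleteSubdirectoriesAndFiles (DE / DC in icacls notation).
    param([string]$Path)
    $acl = Get-Acl -Path $Path -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Deny') { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }
        if ($sid -eq $EveryoneSid -and ([int]($ace.FileSystemRights -band $DeleteMask)) -ne 0) {
            return $true
        }
    }
    return $false
}

function Find-DjvuPersistence {
    param([switch]$Remediate)   # report only unless -Remediate is given
    $findings = @()

    # 1. Run value named SysHelper ("<dir>\<GUID>\<name>.exe" --AutoStart in the report)
    $run = Get-ItemProperty -Path $RunKeyPath -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties['SysHelper']) {
        $findings += [pscustomobject]@{ Artifact = 'RunKey:SysHelper'; Detail = $run.SysHelper }
    }

    # 2. GUID-named folders directly under %LOCALAPPDATA% that contain an .exe
    $dirs = Get-ChildItem -Path $env:LOCALAPPDATA -Directory -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match $GuidName }
    foreach ($dir in $dirs) {
        $exes = @(Get-ChildItem -Path $dir.FullName -Filter '*.exe' -File -ErrorAction SilentlyContinue)
        if ($exes.Count -eq 0) { continue }
        $denied = Test-EveryoneDeleteDeny -Path $dir.FullName
        foreach ($exe in $exes) {
            $hash = (Get-FileHash -Path $exe.FullName -Algorithm SHA256).Hash.ToLower()
            $findings += [pscustomobject]@{
                Artifact = 'GuidFolderExe'
                Detail   = "$($exe.FullName) sha256=$hash knownSample=$($hash -eq $KnownSha256) everyoneDeleteDenied=$denied"
            }
        }
        if ($Remediate -and $denied) {
            # Stop anything still running from the folder; the Run value would
            # otherwise re-launch the copy with --AutoStart at the next logon.
            Get-Process -ErrorAction SilentlyContinue |
                Where-Object { $_.Path -and $_.Path -like "$($dir.FullName)\*" } |
                Stop-Process -Force -ErrorAction SilentlyContinue
            # Strip the Deny ACE first. With (OI)(CI) it propagated DE to the .exe
            # and DC to the folder, so Remove-Item on the untouched folder fails.
            & icacls.exe $dir.FullName /remove:d "*$EveryoneSid" | Out-Null
            Remove-Item -Path $dir.FullName -Recurse -Force -ErrorAction SilentlyContinue
            Remove-ItemProperty -Path $RunKeyPath -Name 'SysHelper' -ErrorAction SilentlyContinue
        }
    }
    return $findings
}

Find-DjvuPersistence | Format-Table -AutoSize -Wrap
```

Run it without -Remediate first and read the findings. The Run value is per-user (the report shows it under HKU\S-1-5-21-...-1000, which is HKCU for that account), so other profiles on the machine need the same check against their own hive and their own AppData\Local. A copy whose hash does not match $KnownSha256 is still worth keeping as evidence: the folder name, the deny ACE and the SysHelper value are the pattern, not the hash.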

Network

  Country  Destination            Domain                         Proto
  US       8.8.8.8:53             8.8.8.8.in-addr.arpa           udp
  US       8.8.8.8:53             149.220.183.52.in-addr.arpa    udp
  US       8.8.8.8:53             api.2ip.ua                     udp
  US       104.21.65.24:443       api.2ip.ua                     tcp
  US       8.8.8.8:53             24.65.21.104.in-addr.arpa      udp
  US       8.8.8.8:53             10.24.18.2.in-addr.arpa        udp
  US       8.8.8.8:53             67.169.217.172.in-addr.arpa    udp
  US       104.21.65.24:443       api.2ip.ua                     tcp
  US       8.8.8.8:53             sdfjhuz.com                    udp
  CO       190.156.239.49:80      sdfjhuz.com                    tcp
  US       8.8.8.8:53             cajgtus.com                    udp
  BR       177.129.90.106:80      cajgtus.com                    tcp
  BR       177.129.90.106:80      cajgtus.com                    tcp
  US       8.8.8.8:53             136.32.126.40.in-addr.arpa     udp
  US       8.8.8.8:53             49.239.156.190.in-addr.arpa    udp
  US       8.8.8.8:53             106.90.129.177.in-addr.arpa    udp
  US       8.8.8.8:53             26.35.223.20.in-addr.arpa      udp
  NL       23.62.61.75:443        www.bing.com                   tcp
  US       8.8.8.8:53             75.61.62.23.in-addr.arpa       udp
  BR       177.129.90.106:80      cajgtus.com                    tcp
  US       8.8.8.8:53             232.168.11.51.in-addr.arpa     udp
  BR       177.129.90.106:80      cajgtus.com                    tcp
  BR       177.129.90.106:80      cajgtus.com                    tcp
  US       8.8.8.8:53             86.23.85.13.in-addr.arpa       udp
  US       8.8.8.8:53             18.31.95.13.in-addr.arpa       udp
  US       8.8.8.8:53             13.227.111.52.in-addr.arpa     udp
  US       8.8.8.8:53             172.210.232.199.in-addr.arpa   udp
  US       8.8.8.8:53             tse1.mm.bing.net               udp
  US       204.79.197.200:443     tse1.mm.bing.net               tcp
  US       204.79.197.200:443     tse1.mm.bing.net               tcp
  US       8.8.8.8:53             55.36.223.20.in-addr.arpa      udp
  US       8.8.8.8:53             9.173.189.20.in-addr.arpa      udp

Only three names in this table are attributable to the sample: api.2ip.ua (TLS to 104.21.65.24:443, the external-IP lookup flagged above), sdfjhuz.com (190.156.239.49:80) and cajgtus.com (177.129.90.106:80, five connections), the last two over plain HTTP. The in-addr.arpa rows are reverse (PTR) lookups the platform issues for addresses it has already seen and add no indicator of their own; www.bing.com and tse1.mm.bing.net are Windows/Edge background traffic from the sandbox image. The same two .com domains resolved to different hosts in behavioral2, so hunting should key on the domain names rather than on these addresses.
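To look for the same network indicators on a host rather than in the sandbox, the following PowerShell checks the DNS client cache, live TCP connections and, where Sysmon is installed, its DNS-query (22) and network-connect (3) events. This is an added example and not part of the report: the cmdlets are the standard DnsClient, NetTCPIP and Get-WinEvent ones, the function name Find-DjvuNetworkIndicators is this example's own, and the domain and address lists are copied from the two Network tables on this page.

```powershell
<#
  Added hunting example (not from the sandbox report).
  Assumptions: PowerShell 5.1+ on Windows 8 / Server 2012 or later, which ship
  Get-DnsClientCache and Get-NetTCPConnection; the Sysmon step is skipped when
  the Sysmon operational log does not exist.
#>

# Domains the sample resolved in both detonations. api.2ip.ua is a public
# IP-lookup service and is only a weak indicator by itself; the two .com
# domains are the stronger ones.
$Domains = @('api.2ip.ua', 'sdfjhuz.com', 'cajgtus.com')

# Addresses seen for those domains. They differed between the two detonations
# (cajgtus.com: 177.129.90.106 and 187.212.249.248; sdfjhuz.com: 190.156.239.49
# and 200.45.93.45), so treat address hits as weaker than name hits.
$Addresses = @('104.21.65.24', '190.156.239.49', '177.129.90.106',
               '200.45.93.45', '187.212.249.248')

function Find-DjvuNetworkIndicators {
    $hits = @()

    # 1. DNS client cache. Entries live only for the record TTL, so this only
    #    catches recent activity.
    $cache = Get-DnsClientCache -ErrorAction SilentlyContinue |
             Where-Object { $Domains -contains $_.Entry }
    foreach ($e in $cache) {
        $hits += [pscustomobject]@{ Source = 'DnsCache'; Indicator = $e.Entry; Detail = $e.Data }
    }

    # 2. Live TCP connections to the recorded addresses, with the owning process.
    $conns = Get-NetTCPConnection -ErrorAction SilentlyContinue |
             Where-Object { $Addresses -contains $_.RemoteAddress }
    foreach ($c in $conns) {
        $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        $hits += [pscustomobject]@{
            Source    = 'TcpConnection'
            Indicator = "$($c.RemoteAddress):$($c.RemotePort)"
            Detail    = "pid=$($c.OwningProcess) image=$($proc.Path)"
        }
    }

    # 3. Sysmon events 3 and 22, if the log exists. The event message is matched
    #    as text so the check does not depend on the Sysmon schema version.
    $log = 'Microsoft-Windows-Sysmon/Operational'
    if (Get-WinEvent -ListLog $log -ErrorAction SilentlyContinue) {
        $pattern = (($Domains + $Addresses) | ForEach-Object { [regex]::Escape($_) }) -join '|'
        $events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 3, 22 } -ErrorAction SilentlyContinue |
                  Where-Object { $_.Message -match $pattern }
        foreach ($ev in $events) {
            $hits += [pscustomobject]@{
                Source    = "Sysmon:$($ev.Id)"
                Indicator = $ev.TimeCreated
                Detail    = ($ev.Message -split "`n")[0]
            }
        }
    }
    return $hits
}

Find-DjvuNetworkIndicators | Format-Table -AutoSize -Wrap
```

A DNS-cache or Sysmon-22 hit on sdfjhuz.com or cajgtus.com is the signal to act on; an api.2ip.ua hit alone only says something on the host asked for its public address. Because the sample talks to the two .com domains over plain HTTP on port 80, a proxy or NetFlow search for those Host names covers hosts where the local cache has already expired.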

Files

Memory dumps (one export entry per dump, grouped by process and region):

  PID 4332  0x020F0000-0x02185000  (dump 1)
  PID 4332  0x03DD0000-0x03EEB000  (dump 2)
  PID 4572  0x00400000-0x00537000  (dumps 3, 4, 5, 6, 19)
  PID 1472  0x00400000-0x00537000  (dumps 22, 24, 30, 31, 32, 35, 37, 38, 40, 41)
  PID 2036  0x00400000-0x02015000  (dumps 25, 39)

The first process (4332) is dumped only in two private heap-range regions, while the processes that received ten memory writes each (4572 from 4332, 1472 from 2036) are dumped at 0x00400000, the default image base of a 32-bit executable, over a 0x137000-byte region. That layout is consistent with the payload being unpacked in the parent's private memory and written over the child's image, as the WriteProcessMemory and SetThreadContext signatures record.

Dropped files:

  C:\Users\Admin\AppData\Local\dd6c1939-36f3-494f-9a93-4b5934225d5e\d30587fdb3fc7a66dbc5d9f3c33124fe9dd3381bf6b6b3a2a09179902da8168d.exe
    MD5     5435b6a8f8dabe63910f1e9e4d436e5f
    SHA1    a9e66834552de4d90d205d8b7c349e0d64d6f65f
    SHA256  d30587fdb3fc7a66dbc5d9f3c33124fe9dd3381bf6b6b3a2a09179902da8168d
    SHA512  748179129dd992654d01f8397f203840bf16fefbe125e09f455c8569b20ccf6c022022cf8188fa9c942c1d515b306300a19fe19388f1a24388b5858d596e7ca6
    The SHA256 equals the submitted sample's: the persisted copy is an unmodified self-copy, so the same hash covers both the original and the copy.

  CryptnetUrlCache entries (CryptoAPI's cache of certificate chain and revocation data fetched during TLS chain building; most likely a side effect of the HTTPS connection to api.2ip.ua rather than content the sample wrote itself):

  C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
    MD5     8202a1cd02e7d69597995cabbe881a12
    SHA1    8858d9d934b7aa9330ee73de6c476acf19929ff6
    SHA256  58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
    SHA512  97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

  C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
    MD5     5c6c1b916a6064cc07dc071f50586284
    SHA1    5652ecbff28b9d198a96d44e4674d3e4f5ea21af
    SHA256  37d1422572b7033a580ba520cb7dc696a075dd79d13c2df157c36ba8f01e722e
    SHA512  079612ebcc78f04d4582ddb260974b2e6e1f6f04b0147e84b95935730dcd67295e48b7a176681c7b7c9e5f0c15afb0be583d9be1adb061825e0655f0123b288b

  C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
    MD5     e4cacc9fa4adc8a6751aaf917c99e447
    SHA1    d27c0b41d3fe6627c82ea3e6e762b1474f64ba51
    SHA256  6ebb6b38a3cab01ca3d714f8df8b1d1dc0f159922fe9ae5e104dcd27c59eaf30
    SHA512  fc104a463bf08270217f88841c8690dcb264abeebf8bd78dfda2dd2bd4fa85231dc7aede74e427483065ef3e6ef3f2c7e73c1c67dc274861da3421ea35927a80

  C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
    MD5     c882d1be8633b4058dadd059937eedec
    SHA1    62ceed4c0af15b79846c85633193e3620d2ff36b
    SHA256  f373d4ab078ac1aaaf9f559d1c2706bd1df0e38cd3fe4f4e8b8b1f0f60eb09c8
    SHA512  04f5bcff82997d3a7806391c8e631d10d5a29efee9fa357bb00783169bde7dc14fa246f6fd4a6b60051f57566dcf5de2535396cc64ddac193c4fbee00e2f8bb3

Analysis: behavioral2

Detonation Overview

Submitted:        2024-05-23 09:22
Reported:         2024-05-23 09:24
Platform:         win11-20240508-en
Max time kernel:  141s
Max time network: 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d30587fdb3fc7a66dbc5d9f3c33124fe9dd3381bf6b6b3a2a09179902da8168d.exe"

Signatures

Detected Djvu ransomware (family: Djvu Ransomware; tags: ransomware, djvu)

No indicator details are recorded for this signature in the export (fifteen empty rows).

Modifies file permissions (tag: discovery)

  Process  C:\Windows\SysWOW64\icacls.exe   (command line listed under Processes; see the note under behavioral1 for what the deny ACE does)

Adds Run key to start application (tag: persistence)

  Operation  Set value (str)
  Key        \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper
  Data       "C:\Users\Admin\AppData\Local\6464a2bf-0536-4758-a18c-38de0c665b6b\d30587fdb3fc7a66dbc5d9f3c33124fe9dd3381bf6b6b3a2a09179902da8168d.exe" --AutoStart
  Process    C:\Users\Admin\AppData\Local\Temp\d30587fdb3fc7a66dbc5d9f3c33124fe9dd3381bf6b6b3a2a09179902da8168d.exe

The folder GUID differs from the one in behavioral1, so the name is generated per infection; the value name SysHelper and the --AutoStart argument are the stable parts.

Looks up external IP address via web service

  Indicator  api.2ip.ua   (three occurrences; process not recorded)

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Collapsed by process pair; the export repeats one row per write call (<sample>.exe = C:\Users\Admin\AppData\Local\Temp\d30587fdb3fc7a66dbc5d9f3c33124fe9dd3381bf6b6b3a2a09179902da8168d.exe):

  Source PID  Target PID  Target image                          Writes
  4068        4976        <sample>.exe (same image as parent)   10
  4976        1312        C:\Windows\SysWOW64\icacls.exe         3
  4976        4720        <sample>.exe (same image as parent)    3
  4720        4080        <sample>.exe (same image as parent)   10

The same chain as behavioral1 with different PIDs: two children of the sample's own image receive ten writes each, the icacls child and the --Admin re-launch receive the three writes of an ordinary process creation.

Processes

Process tree rebuilt from the write-to-memory table; PIDs come from that table and the command lines are matched to them in the order the export lists them. <sample>.exe = C:\Users\Admin\AppData\Local\Temp\d30587fdb3fc7a66dbc5d9f3c33124fe9dd3381bf6b6b3a2a09179902da8168d.exe.

  4068  "<sample>.exe"
    4976  "<sample>.exe"                                                      (10 writes from 4068)
      1312  icacls "C:\Users\Admin\AppData\Local\6464a2bf-0536-4758-a18c-38de0c665b6b" /deny *S-1-1-0:(OI)(CI)(DE,DC)
      4720  "<sample>.exe" --Admin IsNotAutoStart IsNotTask                  (3 writes from 4976)
        4080  "<sample>.exe" --Admin IsNotAutoStart IsNotTask                (10 writes from 4720)

Network

  Country  Destination            Domain                         Proto
  US       8.8.8.8:53             api.2ip.ua                     udp
  US       104.21.65.24:443       api.2ip.ua                     tcp
  US       8.8.8.8:53             67.169.217.172.in-addr.arpa    udp
  US       104.21.65.24:443       api.2ip.ua                     tcp
  MX       187.212.249.248:80     cajgtus.com                    tcp
  AR       200.45.93.45:80        sdfjhuz.com                    tcp
  MX       187.212.249.248:80     cajgtus.com                    tcp
  MX       187.212.249.248:80     cajgtus.com                    tcp
  MX       187.212.249.248:80     cajgtus.com                    tcp
  MX       187.212.249.248:80     cajgtus.com                    tcp
  US       52.111.229.43:443                                     tcp

Same three domains as behavioral1, but sdfjhuz.com and cajgtus.com resolved to different hosts (200.45.93.45 and 187.212.249.248 here, 190.156.239.49 and 177.129.90.106 there) even though both detonations were submitted at the same minute. The names therefore have several A records, and the addresses are weak indicators compared with the names. The final row has no domain recorded in the export.

Files

Memory dumps (one export entry per dump, grouped by process and region):

  PID 4068  0x02330000-0x023C5000  (dump 1)
  PID 4068  0x03E40000-0x03F5B000  (dump 2)
  PID 4976  0x00400000-0x00537000  (dumps 3, 4, 5, 6, 19)
  PID 4080  0x00400000-0x00537000  (dumps 22, 27, 28, 29, 32, 34, 35, 36, 37)

As in behavioral1, the launching process is dumped only in private heap regions while the two children that received ten writes each (4976, 4080) are dumped at the 32-bit image base 0x00400000 over the same 0x137000-byte region. No dump is recorded for PID 4720.

Dropped files:

  C:\Users\Admin\AppData\Local\6464a2bf-0536-4758-a18c-38de0c665b6b\d30587fdb3fc7a66dbc5d9f3c33124fe9dd3381bf6b6b3a2a09179902da8168d.exe
    MD5     5435b6a8f8dabe63910f1e9e4d436e5f
    SHA1    a9e66834552de4d90d205d8b7c349e0d64d6f65f
    SHA256  d30587fdb3fc7a66dbc5d9f3c33124fe9dd3381bf6b6b3a2a09179902da8168d
    SHA512  748179129dd992654d01f8397f203840bf16fefbe125e09f455c8569b20ccf6c022022cf8188fa9c942c1d515b306300a19fe19388f1a24388b5858d596e7ca6
    Identical hashes to the submitted sample: an unmodified self-copy, in a folder whose GUID differs from the behavioral1 run.

  CryptnetUrlCache entries (CryptoAPI certificate chain and revocation cache; the Content files match those from behavioral1 byte for byte, the MetaData files differ, which is what a per-run cache of the same fetched data looks like):

  C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
    MD5     e4cacc9fa4adc8a6751aaf917c99e447
    SHA1    d27c0b41d3fe6627c82ea3e6e762b1474f64ba51
    SHA256  6ebb6b38a3cab01ca3d714f8df8b1d1dc0f159922fe9ae5e104dcd27c59eaf30
    SHA512  fc104a463bf08270217f88841c8690dcb264abeebf8bd78dfda2dd2bd4fa85231dc7aede74e427483065ef3e6ef3f2c7e73c1c67dc274861da3421ea35927a80

  C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
    MD5     8202a1cd02e7d69597995cabbe881a12
    SHA1    8858d9d934b7aa9330ee73de6c476acf19929ff6
    SHA256  58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
    SHA512  97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

  C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
    MD5     ec2848c0de350bdd484b1403dd77f42b
    SHA1    b6c165c91898b6cd214881ee8a18648ff42f034f
    SHA256  93e7408f4ac30e32be97320e5ecd069fa6461d6a9e861b1ebec925ee6c44523d
    SHA512  7a1f4755533cbbb6693f62ccdf962ccb9ae74728aebb0ae891e4a6fa61bbea95297754b53e8dd68374453f43c47764dc5d8c3012c82507c006b65b6fca41e48f

  C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
    MD5     5e85d0a3ffd5fb14ca1f584159a992b1
    SHA1    cf9f2b2ee81713a941373c5a5c411ec4f2399fd9
    SHA256  1be4bbef28be98619072f126e4607094807d8600e1a684108b0b6c2b15ea7d10
    SHA512  541b9227b2175a2358ea950e95edeeb7ab3057ad16f51a3f952fbafdfdfa76dc2ee4003b988c99a49c34ec9402f1dcbe34c4214b951d22815506f160cff7e25f