Analysis Overview
SHA256
01f5a1f72f3f59e7b23627dff52e6dc3d9f166b864d639d2cbe40fd8c7327ddd
Threat Level: Known bad
The file 01f5a1f72f3f59e7b23627dff52e6dc3d9f166b864d639d2cbe40fd8c7327ddd.exe was found to be: Known bad.
Malicious Activity Summary
Detected Djvu ransomware
Djvu Ransomware
Loads dropped DLL
Modifies file permissions
Checks computer location settings
Executes dropped EXE
ASPack v2.12-2.42
Adds Run key to start application
Looks up external IP address via web service
Suspicious use of SetThreadContext
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-25 14:16
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-25 14:16
Reported
2024-07-25 14:18
Platform
win7-20240705-en
Max time kernel
146s
Max time network
135s
Command Line
Signatures
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
Loads dropped DLL
Modifies file permissions
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\4f1b1f7e-2026-4fba-ba66-0e952de7b293\\01f5a1f72f3f59e7b23627dff52e6dc3d9f166b864d639d2cbe40fd8c7327ddd.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\01f5a1f72f3f59e7b23627dff52e6dc3d9f166b864d639d2cbe40fd8c7327ddd.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3040 set thread context of 2696 | N/A | C:\Users\Admin\AppData\Local\Temp\01f5a1f72f3f59e7b23627dff52e6dc3d9f166b864d639d2cbe40fd8c7327ddd.exe | C:\Users\Admin\AppData\Local\Temp\01f5a1f72f3f59e7b23627dff52e6dc3d9f166b864d639d2cbe40fd8c7327ddd.exe |
| PID 1972 set thread context of 2912 | N/A | C:\Users\Admin\AppData\Local\Temp\01f5a1f72f3f59e7b23627dff52e6dc3d9f166b864d639d2cbe40fd8c7327ddd.exe | C:\Users\Admin\AppData\Local\Temp\01f5a1f72f3f59e7b23627dff52e6dc3d9f166b864d639d2cbe40fd8c7327ddd.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Program Files\Java\jre7\bin\javaw.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\Install\{16435541-C196-4D4E-9379-340CA3D46D1B}\chrome_installer.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Solitaire\Solitaire.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Wordconv.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaire.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Mahjong\Mahjong.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\servertool.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\unpack200.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\pingsender.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\SETLANG.EXE | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Purble Place\PurblePlace.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\uninstall.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\SELFCERT.EXE | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\Windows Journal\PDIALOG.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\orbd.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\MSACCESS.EXE | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\MSTORDB.EXE | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7zG.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\Office14\MSOHTMED.EXE | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\VPREVIEW.EXE | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7z.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\MSOHTMED.EXE | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\GROOVEMN.EXE | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\Windows Mail\WinMail.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\jp2launcher.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\01f5a1f72f3f59e7b23627dff52e6dc3d9f166b864d639d2cbe40fd8c7327ddd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\01f5a1f72f3f59e7b23627dff52e6dc3d9f166b864d639d2cbe40fd8c7327ddd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\01f5a1f72f3f59e7b23627dff52e6dc3d9f166b864d639d2cbe40fd8c7327ddd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\01f5a1f72f3f59e7b23627dff52e6dc3d9f166b864d639d2cbe40fd8c7327ddd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\01f5a1f72f3f59e7b23627dff52e6dc3d9f166b864d639d2cbe40fd8c7327ddd.exe
"C:\Users\Admin\AppData\Local\Temp\01f5a1f72f3f59e7b23627dff52e6dc3d9f166b864d639d2cbe40fd8c7327ddd.exe"
C:\Users\Admin\AppData\Local\Temp\rYp.exe
C:\Users\Admin\AppData\Local\Temp\rYp.exe
C:\Users\Admin\AppData\Local\Temp\01f5a1f72f3f59e7b23627dff52e6dc3d9f166b864d639d2cbe40fd8c7327ddd.exe
"C:\Users\Admin\AppData\Local\Temp\01f5a1f72f3f59e7b23627dff52e6dc3d9f166b864d639d2cbe40fd8c7327ddd.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\2bc44d72.bat" "
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\4f1b1f7e-2026-4fba-ba66-0e952de7b293" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\01f5a1f72f3f59e7b23627dff52e6dc3d9f166b864d639d2cbe40fd8c7327ddd.exe
"C:\Users\Admin\AppData\Local\Temp\01f5a1f72f3f59e7b23627dff52e6dc3d9f166b864d639d2cbe40fd8c7327ddd.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\rYp.exe
C:\Users\Admin\AppData\Local\Temp\rYp.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\4b50402b.bat" "
C:\Users\Admin\AppData\Local\Temp\01f5a1f72f3f59e7b23627dff52e6dc3d9f166b864d639d2cbe40fd8c7327ddd.exe
"C:\Users\Admin\AppData\Local\Temp\01f5a1f72f3f59e7b23627dff52e6dc3d9f166b864d639d2cbe40fd8c7327ddd.exe" --Admin IsNotAutoStart IsNotTask
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | ddos.dnsnb8.net | udp |
| US | 44.221.84.105:799 | ddos.dnsnb8.net | tcp |
| US | 44.221.84.105:799 | ddos.dnsnb8.net | tcp |
| US | 44.221.84.105:799 | ddos.dnsnb8.net | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 172.67.139.220:443 | api.2ip.ua | tcp |
| US | 44.221.84.105:799 | ddos.dnsnb8.net | tcp |
| US | 44.221.84.105:799 | ddos.dnsnb8.net | tcp |
| US | 44.221.84.105:799 | ddos.dnsnb8.net | tcp |
| US | 44.221.84.105:799 | ddos.dnsnb8.net | tcp |
| US | 44.221.84.105:799 | ddos.dnsnb8.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 172.217.169.3:80 | c.pki.goog | tcp |
| US | 172.67.139.220:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | zerit.top | udp |
| US | 8.8.8.8:53 | fuyt.org | udp |
| DE | 92.246.89.93:80 | fuyt.org | tcp |
| DE | 92.246.89.93:80 | fuyt.org | tcp |
| DE | 92.246.89.93:80 | fuyt.org | tcp |
| DE | 92.246.89.93:80 | fuyt.org | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.16.170.123:80 | crl.microsoft.com | tcp |
| DE | 92.246.89.93:80 | fuyt.org | tcp |
| DE | 92.246.89.93:80 | fuyt.org | tcp |
| DE | 92.246.89.93:80 | fuyt.org | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\rYp.exe
| MD5 | f7d21de5c4e81341eccd280c11ddcc9a |
| SHA1 | d4e9ef10d7685d491583c6fa93ae5d9105d815bd |
| SHA256 | 4485df22c627fa0bb899d79aa6ff29bc5be1dbc3caa2b7a490809338d54b7794 |
| SHA512 | e4553b86b083996038bacfb979ad0b86f578f95185d8efac34a77f6cc73e491d4f70e1449bbc9eb1d62f430800c1574101b270e1cb0eeed43a83049a79b636a3 |
memory/588-12-0x0000000000960000-0x0000000000969000-memory.dmp
memory/3040-11-0x00000000001B0000-0x00000000001B9000-memory.dmp
memory/3040-10-0x00000000001B0000-0x00000000001B9000-memory.dmp
memory/3040-9-0x0000000000400000-0x0000000000575000-memory.dmp
memory/3040-14-0x0000000000580000-0x0000000000612000-memory.dmp
memory/2696-19-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2696-17-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/3040-16-0x0000000000580000-0x0000000000612000-memory.dmp
memory/3040-24-0x0000000000400000-0x0000000000575000-memory.dmp
memory/2696-25-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2696-23-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3040-22-0x00000000020D0000-0x0000000002245000-memory.dmp
memory/3040-20-0x0000000001E30000-0x0000000001F4B000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WK27LCMU\k2[1].rar
| MD5 | d3b07384d113edec49eaa6238ad5ff00 |
| SHA1 | f1d2d2f924e986ac86fdf7b36c94bcdf32beec15 |
| SHA256 | b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c |
| SHA512 | 0cf9180a764aba863a67b6d72f0918bc131c6772642cb2dce5a34f0a702f9470ddc2bf125c12198b1995c233c34b4afd346c54a2334c350a948a51b6e8b4e6b6 |
C:\Users\Admin\AppData\Local\Temp\2C761F76.exe
| MD5 | 20879c987e2f9a916e578386d499f629 |
| SHA1 | c7b33ddcc42361fdb847036fc07e880b81935d5d |
| SHA256 | 9f2981a7cc4d40a2a409dc895de64253acd819d7c0011c8e80b86fe899464e31 |
| SHA512 | bcdde1625364dd6dd143b45bdcec8d59cf8982aff33790d390b839f3869e0e815684568b14b555a596d616252aeeaa98dac2e6e551c9095ea11a575ff25ff84f |
C:\Users\Admin\AppData\Local\Temp\2bc44d72.bat
| MD5 | 6e52e076108b57bd7163b72879a9512d |
| SHA1 | 0519ddfd067ddd2cbc7f40ae7c7dbde22afb4e69 |
| SHA256 | 38ee0e80c3550b272d840b6b8b23ad318182ce156da30612f90f9ac56383c09d |
| SHA512 | be1431f178ec3456ffb27da5a10aa8a599cbafba14027992d6364f94d8eab86187af206a064dcefe55bbae151ae480429aa99ce0c13ec265fa55f0f329599b9c |
memory/588-52-0x0000000000960000-0x0000000000969000-memory.dmp
C:\Users\Admin\AppData\Local\4f1b1f7e-2026-4fba-ba66-0e952de7b293\01f5a1f72f3f59e7b23627dff52e6dc3d9f166b864d639d2cbe40fd8c7327ddd.exe
| MD5 | de2d29373ade9c3b8b13c8ef6798ffc0 |
| SHA1 | 0f4b8c0b9f0c9dbe972303a2072321d45ecc2ab8 |
| SHA256 | 01f5a1f72f3f59e7b23627dff52e6dc3d9f166b864d639d2cbe40fd8c7327ddd |
| SHA512 | 6530b6cbee303621ae356e238dae6f800288609b58bf06028dc7784bf42ea7489c4713296b8988011970934c84a4cd562f1b44420531f1188e95f8534a2ed11c |
memory/2696-69-0x0000000003A10000-0x0000000003B85000-memory.dmp
memory/2696-72-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1972-74-0x0000000000400000-0x0000000000575000-memory.dmp
memory/2032-84-0x00000000000F0000-0x00000000000F9000-memory.dmp
memory/1972-83-0x0000000000220000-0x0000000000229000-memory.dmp
memory/1972-82-0x0000000000220000-0x0000000000229000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4b50402b.bat
| MD5 | 7b0cada8bc72320d269ad5490b5bcd23 |
| SHA1 | 0892ac75d9b7465ad0da8641ddbc8a9c89289aeb |
| SHA256 | da100423b2e25d5a1f657746c5a503454394d6e7780f66f297b37fc8cd5d5401 |
| SHA512 | 3a5dcfbf3f73501f8e0013d7cd3b70d094c4bd78089a50c2b5ffe63064bbdb03a9ba13b10c6ca1eaf73b79da2a2a1844df4787b3e413b16184b6881c97d62dcc |
memory/2032-94-0x00000000000F0000-0x00000000000F9000-memory.dmp
memory/1972-97-0x0000000000220000-0x00000000002B2000-memory.dmp
memory/1972-100-0x00000000020F0000-0x0000000002265000-memory.dmp
memory/1972-103-0x0000000000220000-0x0000000000229000-memory.dmp
memory/1972-102-0x0000000000400000-0x0000000000575000-memory.dmp
memory/2912-101-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12
| MD5 | 514004fa292cf3d30c7b13ccce78e0f6 |
| SHA1 | 34473f02a31bcd2496a62abe15d2fd42e0545e0e |
| SHA256 | 9ff1c54e85074e86ad46e5b929b19f849454e3506c0b69c97f8ded758bbcaff2 |
| SHA512 | bd34cb2a0b2b32a210df18e7db0ededaec1cc9648f4aaebdbffd8ef0723082262bfcbb7519a9ba0c8be8336b83ba014b94638339bc8d1cfb912fa227507dac21 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12
| MD5 | 7fb5fa1534dcf77f2125b2403b30a0ee |
| SHA1 | 365d96812a69ac0a4611ea4b70a3f306576cc3ea |
| SHA256 | 33a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f |
| SHA512 | a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8
| MD5 | 28cb64e211ac54d3798338bd127c99a8 |
| SHA1 | 6d5c9b4e43bcf9e846f238eb68f37219c3ce04d1 |
| SHA256 | a6d66b664952145ea6c4e5fbc06645c59b7a18c89f84144705c29c80578d8ee1 |
| SHA512 | a634b2c937186a103e25530d1dc3dbf94f3227f234331de07066b0c0ff1a21ecc56c1a689e338ce35a873e1f84683ef0e53717529209103f8dec0138d78ae96e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8
| MD5 | 1bfe0a81db078ea084ff82fe545176fe |
| SHA1 | 50b116f578bd272922fa8eae94f7b02fd3b88384 |
| SHA256 | 5ba8817f13eee00e75158bad93076ab474a068c6b52686579e0f728fda68499f |
| SHA512 | 37c582f3f09f8d80529608c09041295d1644bcc9de6fb8c4669b05339b0dd870f9525abc5eed53ad06a94b51441275504bc943c336c5beb63b53460ba836ca8d |
C:\Users\Admin\AppData\Local\Temp\CabEC90.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
memory/2912-115-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2912-116-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2912-117-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2912-121-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2912-130-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2912-132-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2912-133-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2912-134-0x0000000000400000-0x0000000000537000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-25 14:16
Reported
2024-07-25 14:18
Platform
win10v2004-20240709-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\01f5a1f72f3f59e7b23627dff52e6dc3d9f166b864d639d2cbe40fd8c7327ddd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\f5776a11-415d-43be-9ce1-b96dbdc0caa8\\01f5a1f72f3f59e7b23627dff52e6dc3d9f166b864d639d2cbe40fd8c7327ddd.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\01f5a1f72f3f59e7b23627dff52e6dc3d9f166b864d639d2cbe40fd8c7327ddd.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1448 set thread context of 1884 | N/A | C:\Users\Admin\AppData\Local\Temp\01f5a1f72f3f59e7b23627dff52e6dc3d9f166b864d639d2cbe40fd8c7327ddd.exe | C:\Users\Admin\AppData\Local\Temp\01f5a1f72f3f59e7b23627dff52e6dc3d9f166b864d639d2cbe40fd8c7327ddd.exe |
| PID 1192 set thread context of 3404 | N/A | C:\Users\Admin\AppData\Local\Temp\01f5a1f72f3f59e7b23627dff52e6dc3d9f166b864d639d2cbe40fd8c7327ddd.exe | C:\Users\Admin\AppData\Local\Temp\01f5a1f72f3f59e7b23627dff52e6dc3d9f166b864d639d2cbe40fd8c7327ddd.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Maps.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javah.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\servertool.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\msoadfsb.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\msoasb.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\MixedRealityPortal.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Time.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\uninstall.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstaller.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\GRAPH.EXE | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\XLICONS.EXE | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\Install\{CEF7DB4F-2246-44A3-A17E-9C5870D211DB}\chrome_installer.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate32.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\OLicenseHeartbeat.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\tnameserv.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\uninstall\helper.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstack.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DWTRIG20.EXE | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7zFM.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdb.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\orbd.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSOSREC.EXE | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.ShowHelp.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\pingsender.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\SpeechToTextOverlay64-Retail.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7zG.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmic.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\servertool.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\java.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Mail\wabmig.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\StoreExperienceHost.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\TCUI-App.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\SDXHelperBgt.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaws.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\VPREVIEW.EXE | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\Wordconv.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\codecpacks.webp.exe | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\01f5a1f72f3f59e7b23627dff52e6dc3d9f166b864d639d2cbe40fd8c7327ddd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\01f5a1f72f3f59e7b23627dff52e6dc3d9f166b864d639d2cbe40fd8c7327ddd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\01f5a1f72f3f59e7b23627dff52e6dc3d9f166b864d639d2cbe40fd8c7327ddd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\rYp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\01f5a1f72f3f59e7b23627dff52e6dc3d9f166b864d639d2cbe40fd8c7327ddd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\01f5a1f72f3f59e7b23627dff52e6dc3d9f166b864d639d2cbe40fd8c7327ddd.exe
"C:\Users\Admin\AppData\Local\Temp\01f5a1f72f3f59e7b23627dff52e6dc3d9f166b864d639d2cbe40fd8c7327ddd.exe"
C:\Users\Admin\AppData\Local\Temp\rYp.exe
C:\Users\Admin\AppData\Local\Temp\rYp.exe
C:\Users\Admin\AppData\Local\Temp\01f5a1f72f3f59e7b23627dff52e6dc3d9f166b864d639d2cbe40fd8c7327ddd.exe
"C:\Users\Admin\AppData\Local\Temp\01f5a1f72f3f59e7b23627dff52e6dc3d9f166b864d639d2cbe40fd8c7327ddd.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\f5776a11-415d-43be-9ce1-b96dbdc0caa8" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\01f5a1f72f3f59e7b23627dff52e6dc3d9f166b864d639d2cbe40fd8c7327ddd.exe
"C:\Users\Admin\AppData\Local\Temp\01f5a1f72f3f59e7b23627dff52e6dc3d9f166b864d639d2cbe40fd8c7327ddd.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\291435e4.bat" "
C:\Users\Admin\AppData\Local\Temp\01f5a1f72f3f59e7b23627dff52e6dc3d9f166b864d639d2cbe40fd8c7327ddd.exe
"C:\Users\Admin\AppData\Local\Temp\01f5a1f72f3f59e7b23627dff52e6dc3d9f166b864d639d2cbe40fd8c7327ddd.exe" --Admin IsNotAutoStart IsNotTask
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ddos.dnsnb8.net | udp |
| US | 44.221.84.105:799 | ddos.dnsnb8.net | tcp |
| US | 44.221.84.105:799 | ddos.dnsnb8.net | tcp |
| US | 44.221.84.105:799 | ddos.dnsnb8.net | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.84.221.44.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| US | 44.221.84.105:799 | ddos.dnsnb8.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 172.217.169.3:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | 24.65.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.169.217.172.in-addr.arpa | udp |
| US | 44.221.84.105:799 | ddos.dnsnb8.net | tcp |
| US | 44.221.84.105:799 | ddos.dnsnb8.net | tcp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | zerit.top | udp |
| US | 8.8.8.8:53 | fuyt.org | udp |
| DE | 92.246.89.93:80 | fuyt.org | tcp |
| DE | 92.246.89.93:80 | fuyt.org | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| DE | 92.246.89.93:80 | fuyt.org | tcp |
| DE | 92.246.89.93:80 | fuyt.org | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| DE | 92.246.89.93:80 | fuyt.org | tcp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| DE | 92.246.89.93:80 | fuyt.org | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| DE | 92.246.89.93:80 | fuyt.org | tcp |
Files
memory/1448-0-0x0000000000400000-0x0000000000575000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\rYp.exe
| MD5 | f7d21de5c4e81341eccd280c11ddcc9a |
| SHA1 | d4e9ef10d7685d491583c6fa93ae5d9105d815bd |
| SHA256 | 4485df22c627fa0bb899d79aa6ff29bc5be1dbc3caa2b7a490809338d54b7794 |
| SHA512 | e4553b86b083996038bacfb979ad0b86f578f95185d8efac34a77f6cc73e491d4f70e1449bbc9eb1d62f430800c1574101b270e1cb0eeed43a83049a79b636a3 |
memory/316-4-0x0000000000D80000-0x0000000000D89000-memory.dmp
memory/1448-15-0x00000000021E0000-0x0000000002279000-memory.dmp
memory/1448-16-0x0000000002280000-0x000000000239B000-memory.dmp
memory/1884-17-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1884-26-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1884-27-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\MQYRE6E5\k2[1].rar
| MD5 | d3b07384d113edec49eaa6238ad5ff00 |
| SHA1 | f1d2d2f924e986ac86fdf7b36c94bcdf32beec15 |
| SHA256 | b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c |
| SHA512 | 0cf9180a764aba863a67b6d72f0918bc131c6772642cb2dce5a34f0a702f9470ddc2bf125c12198b1995c233c34b4afd346c54a2334c350a948a51b6e8b4e6b6 |
C:\Users\Admin\AppData\Local\Temp\6A1E62A6.exe
| MD5 | 20879c987e2f9a916e578386d499f629 |
| SHA1 | c7b33ddcc42361fdb847036fc07e880b81935d5d |
| SHA256 | 9f2981a7cc4d40a2a409dc895de64253acd819d7c0011c8e80b86fe899464e31 |
| SHA512 | bcdde1625364dd6dd143b45bdcec8d59cf8982aff33790d390b839f3869e0e815684568b14b555a596d616252aeeaa98dac2e6e551c9095ea11a575ff25ff84f |
memory/1884-37-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1448-36-0x0000000000400000-0x0000000000575000-memory.dmp
C:\Users\Admin\AppData\Local\f5776a11-415d-43be-9ce1-b96dbdc0caa8\01f5a1f72f3f59e7b23627dff52e6dc3d9f166b864d639d2cbe40fd8c7327ddd.exe
| MD5 | de2d29373ade9c3b8b13c8ef6798ffc0 |
| SHA1 | 0f4b8c0b9f0c9dbe972303a2072321d45ecc2ab8 |
| SHA256 | 01f5a1f72f3f59e7b23627dff52e6dc3d9f166b864d639d2cbe40fd8c7327ddd |
| SHA512 | 6530b6cbee303621ae356e238dae6f800288609b58bf06028dc7784bf42ea7489c4713296b8988011970934c84a4cd562f1b44420531f1188e95f8534a2ed11c |
memory/1192-59-0x0000000000400000-0x0000000000575000-memory.dmp
memory/1884-60-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1884-57-0x0000000000540000-0x0000000000609000-memory.dmp
memory/316-73-0x0000000000D80000-0x0000000000D89000-memory.dmp
memory/1192-76-0x0000000000400000-0x0000000000575000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\291435e4.bat
| MD5 | ba0904edb0e93c0595e5045dc2be9e01 |
| SHA1 | 3cede7534ac28a3dfbc663bae07d10b96400e1da |
| SHA256 | acbb25a089a6894a245bf45fca649c90f3754c53f7374896336c29d10f9e12fe |
| SHA512 | 62dac4fc0f3efcea9d66e50846f112d7f72a1ffa9bc7f5a5d32ded5e2ff0c18b39815de89902acc5e541cf78e2e000c3127e7229fdb329b6831681448764b422 |
memory/3404-77-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1192-78-0x0000000000400000-0x0000000000575000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8
| MD5 | 1bfe0a81db078ea084ff82fe545176fe |
| SHA1 | 50b116f578bd272922fa8eae94f7b02fd3b88384 |
| SHA256 | 5ba8817f13eee00e75158bad93076ab474a068c6b52686579e0f728fda68499f |
| SHA512 | 37c582f3f09f8d80529608c09041295d1644bcc9de6fb8c4669b05339b0dd870f9525abc5eed53ad06a94b51441275504bc943c336c5beb63b53460ba836ca8d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8
| MD5 | 9d1d7e1892028f25ea044f3aa6e4cd81 |
| SHA1 | 93fc5dd89932805b43a7560d028157404aeb3e0d |
| SHA256 | 76fd1932fa65ce69ae2b920e6758d5e1e6f311d7bc1dedfa216ce26612d83745 |
| SHA512 | c6ce04b1929bff50da10aee2bdc8a9ba6ef932f47a65494fce34873329a63d05740bf2a736ed3ae0470411f6f33c5a106a95ff89e891faf5e7abee172a664bad |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12
| MD5 | 7fb5fa1534dcf77f2125b2403b30a0ee |
| SHA1 | 365d96812a69ac0a4611ea4b70a3f306576cc3ea |
| SHA256 | 33a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f |
| SHA512 | a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12
| MD5 | f6d6565a8398cb6126015104b2050d6c |
| SHA1 | 365b3ec7a1f705e0ca9fbd23559d94827ddbd8cf |
| SHA256 | ce40eff2503b46945896dfd2d460dddd94e0c2533535b84288b1e83e9e0edf9a |
| SHA512 | ba87c959b1f359ad6597d99c95cc3b391242cfc8f268d4efdcf9afd11b102544f429e0c3541fa3763ea8874a2f4a784f8172ab95b805cf44dd86c50bd887f511 |
memory/3404-83-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3404-84-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3404-85-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3404-89-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3404-98-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3404-101-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3404-100-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3404-102-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3404-103-0x0000000000400000-0x0000000000537000-memory.dmp