djvu | 7bc2928ce06e7db7bfe0bf3f2c2d2ff9df7f0a8041ea8c593dd0b912c1c3d3fd

Analysis

max time kernel
144s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25/01/2025, 02:48 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7bc2928ce06e7db7bfe0bf3f2c2d2ff9df7f0a8041ea8c593dd0b912c1c3d3fd.exe
Size

725KB
MD5

e8bbb6d921b79101aea7d906a1798f3d
SHA1

4fd59822cdedd1b194d27d2c01a9cde6222de1bb
SHA256

7bc2928ce06e7db7bfe0bf3f2c2d2ff9df7f0a8041ea8c593dd0b912c1c3d3fd
SHA512

c525e07c65c7be43aa90568f98253b397919cd0f597b1ba446fed51a578ca1aae4c93fa59e1345b20e3216a676ba35c89c67d6ced6bea68da44a53989fa4d656
SSDEEP

12288:O7q+wuEST6sxwGCwuwn5vE2nyrJppqrNSP9kdrzA9PpXtuRt2BoivOnJztu3vdyB:CqrFvGjF5iZqrQag1t7+nJztuHi

Score

10^/10

djvu discovery persistence ransomware

Malware Config

Extracted

Family

djvu

http://ring1.ug/As73yhsyU34578hxxx/SDf565g/get.php

Attributes

extension
.coot
offline_id
MRQ5kb5Z12tWuP3e25YoRt4PRDrJd2yuI3coott1
payload_url
http://ring1.ug/files/cost/updatewin1.exe

http://ring1.ug/files/cost/updatewin2.exe

http://ring1.ug/files/cost/updatewin.exe

http://ring1.ug/files/cost/3.exe

http://ring1.ug/files/cost/4.exe

http://ring1.ug/files/cost/5.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-IbdGyCKhdr Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: salesrestoresoftware@firemail.cc Reserve e-mail address to contact us: salesrestoresoftware@gmail.com Your personal ID: 0175Asd374y5iuhld

rsa_pubkey.plain

1
-----BEGIN PUBLIC KEY-----
2
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu7OhmLijbqqHyzB+lok2
3
Bk8o9tC5JaknznFQSZrt3WJHfXHOlCuV/eGeruHXk2YvqJt8sE/jT8/0uFl4FEwy
4
7TxlQf5Wb8b5kFet4Gdl+jFXuK9WYQh+6x7oDyRv654RLLzIovKo6oX+/r3v6gNp
5
Hf3Ea0G+punZcUAzn6jcnkVngYE1ZgJ67lKgEOCEa1LFDeO7IdIRTkTeNFOwZtgl
6
Ni4aOP1FpOvaJGhkYDRkfhfK3a+R+5B23LPNiVCyccEIW3sbQT4i6Bl6uHBz/5Ww
7
z6IbnpUrlHw3WJVltHSZSfzO7wXjVCEi+wKW+PtF9rC12M9O7UaNSzJrPp1BDTW1
8
2wIDAQAB
9
-----END PUBLIC KEY-----

Signatures

Detected Djvu ransomware 8 IoCs

resource	yara_rule
behavioral2/memory/2604-2-0x0000000006DE0000-0x0000000006EFA000-memory.dmp	family_djvu
behavioral2/memory/2604-3-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2604-15-0x0000000006DE0000-0x0000000006EFA000-memory.dmp	family_djvu
behavioral2/memory/2604-16-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2604-14-0x0000000000400000-0x0000000004F0E000-memory.dmp	family_djvu
behavioral2/memory/2928-24-0x0000000000400000-0x0000000004F0E000-memory.dmp	family_djvu
behavioral2/memory/2928-27-0x0000000000400000-0x0000000004F0E000-memory.dmp	family_djvu
behavioral2/memory/2928-28-0x0000000000400000-0x0000000004F0E000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Djvu family
djvu

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	7bc2928ce06e7db7bfe0bf3f2c2d2ff9df7f0a8041ea8c593dd0b912c1c3d3fd.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
464	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\7a95e866-3d3b-42d9-a24d-aa38a54cbe17\\7bc2928ce06e7db7bfe0bf3f2c2d2ff9df7f0a8041ea8c593dd0b912c1c3d3fd.exe\" --AutoStart"	7bc2928ce06e7db7bfe0bf3f2c2d2ff9df7f0a8041ea8c593dd0b912c1c3d3fd.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
18	api.2ip.ua
19	api.2ip.ua
26	api.2ip.ua

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2688	2604	WerFault.exe	81

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7bc2928ce06e7db7bfe0bf3f2c2d2ff9df7f0a8041ea8c593dd0b912c1c3d3fd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7bc2928ce06e7db7bfe0bf3f2c2d2ff9df7f0a8041ea8c593dd0b912c1c3d3fd.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2604	7bc2928ce06e7db7bfe0bf3f2c2d2ff9df7f0a8041ea8c593dd0b912c1c3d3fd.exe
2604	7bc2928ce06e7db7bfe0bf3f2c2d2ff9df7f0a8041ea8c593dd0b912c1c3d3fd.exe
2928	7bc2928ce06e7db7bfe0bf3f2c2d2ff9df7f0a8041ea8c593dd0b912c1c3d3fd.exe
2928	7bc2928ce06e7db7bfe0bf3f2c2d2ff9df7f0a8041ea8c593dd0b912c1c3d3fd.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2604 wrote to memory of 464	2604	7bc2928ce06e7db7bfe0bf3f2c2d2ff9df7f0a8041ea8c593dd0b912c1c3d3fd.exe	89
PID 2604 wrote to memory of 464	2604	7bc2928ce06e7db7bfe0bf3f2c2d2ff9df7f0a8041ea8c593dd0b912c1c3d3fd.exe	89
PID 2604 wrote to memory of 464	2604	7bc2928ce06e7db7bfe0bf3f2c2d2ff9df7f0a8041ea8c593dd0b912c1c3d3fd.exe	89
PID 2604 wrote to memory of 2928	2604	7bc2928ce06e7db7bfe0bf3f2c2d2ff9df7f0a8041ea8c593dd0b912c1c3d3fd.exe	90
PID 2604 wrote to memory of 2928	2604	7bc2928ce06e7db7bfe0bf3f2c2d2ff9df7f0a8041ea8c593dd0b912c1c3d3fd.exe	90
PID 2604 wrote to memory of 2928	2604	7bc2928ce06e7db7bfe0bf3f2c2d2ff9df7f0a8041ea8c593dd0b912c1c3d3fd.exe	90

C:\Users\Admin\AppData\Local\Temp\7bc2928ce06e7db7bfe0bf3f2c2d2ff9df7f0a8041ea8c593dd0b912c1c3d3fd.exe
"C:\Users\Admin\AppData\Local\Temp\7bc2928ce06e7db7bfe0bf3f2c2d2ff9df7f0a8041ea8c593dd0b912c1c3d3fd.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\Users\Admin\AppData\Local\7a95e866-3d3b-42d9-a24d-aa38a54cbe17" /deny *S-1-1-0:(OI)(CI)(DE,DC)
  2⤵
  - Modifies file permissions
  - System Location Discovery: System Language Discovery
  PID:464
- C:\Users\Admin\AppData\Local\Temp\7bc2928ce06e7db7bfe0bf3f2c2d2ff9df7f0a8041ea8c593dd0b912c1c3d3fd.exe
  "C:\Users\Admin\AppData\Local\Temp\7bc2928ce06e7db7bfe0bf3f2c2d2ff9df7f0a8041ea8c593dd0b912c1c3d3fd.exe" --Admin IsNotAutoStart IsNotTask
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2928
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 1860
  2⤵
  - Program crash
  PID:2688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2604 -ip 2604
1⤵
PID:4312

Network

DNS

28.118.140.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

28.118.140.52.in-addr.arpa

IN PTR

Response
DNS

74.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

74.32.126.40.in-addr.arpa

IN PTR

Response
DNS

5.114.82.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

5.114.82.104.in-addr.arpa

IN PTR

Response

5.114.82.104.in-addr.arpa

IN PTR

a104-82-114-5deploystaticakamaitechnologiescom
DNS

154.239.44.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

154.239.44.20.in-addr.arpa

IN PTR

Response
DNS

58.55.71.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

58.55.71.13.in-addr.arpa

IN PTR

Response
DNS

api.2ip.ua

7bc2928ce06e7db7bfe0bf3f2c2d2ff9df7f0a8041ea8c593dd0b912c1c3d3fd.exe

Remote address:

8.8.8.8:53

Request

api.2ip.ua

IN A

Response

api.2ip.ua

IN A

104.21.112.1

api.2ip.ua

IN A

104.21.80.1

api.2ip.ua

IN A

104.21.48.1

api.2ip.ua

IN A

104.21.32.1

api.2ip.ua

IN A

104.21.16.1

api.2ip.ua

IN A

104.21.96.1

api.2ip.ua

IN A

104.21.64.1
GET

https://api.2ip.ua/geo.json

7bc2928ce06e7db7bfe0bf3f2c2d2ff9df7f0a8041ea8c593dd0b912c1c3d3fd.exe

Remote address:

104.21.112.1:443

Request

GET /geo.json HTTP/1.1
User-Agent: Microsoft Internet Explorer
Host: api.2ip.ua

Response

HTTP/1.1 200 OK

Date: Sat, 25 Jan 2025 02:48:41 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive
strict-transport-security: max-age=63072000; preload
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
x-xss-protection: 1; mode=block; report=...
access-control-allow-origin: *
access-control-allow-methods: POST, GET, PUT, OPTIONS, PATCH, DELETE
access-control-allow-headers: X-Accept-Charset,X-Accept,Content-Type
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OyrG4%2FmcOIPsKjnObIZjVnqqfmGO6rvdkhONe%2F8BkTrXyvKQvWXMDu%2B20xvJ%2B24yoeToI1D%2BdnYThZDSLO7qkyljvcA%2BEqOQK0xOlGb%2BSU2qugkoYcPj%2BfZlGFBE"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 9074f21cda328871-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=26116&min_rtt=26010&rtt_var=4224&sent=5&recv=9&lost=0&retrans=0&sent_bytes=3265&recv_bytes=384&delivery_rate=154767&cwnd=244&unsent_bytes=0&cid=80523a9dd708591f&ts=286&x=0"
DNS

c.pki.goog

7bc2928ce06e7db7bfe0bf3f2c2d2ff9df7f0a8041ea8c593dd0b912c1c3d3fd.exe

Remote address:

8.8.8.8:53

Request

c.pki.goog

IN A

Response

c.pki.goog

IN CNAME

pki-goog.l.google.com

pki-goog.l.google.com

IN A

172.217.16.227
GET

http://c.pki.goog/r/gsr1.crl

7bc2928ce06e7db7bfe0bf3f2c2d2ff9df7f0a8041ea8c593dd0b912c1c3d3fd.exe

Remote address:

172.217.16.227:80

Request

GET /r/gsr1.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: c.pki.goog

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 1739
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Sat, 25 Jan 2025 02:20:29 GMT
Expires: Sat, 25 Jan 2025 03:10:29 GMT
Cache-Control: public, max-age=3000
Age: 1692
Last-Modified: Tue, 07 Jan 2025 07:28:00 GMT
Content-Type: application/pkix-crl
Vary: Accept-Encoding
GET

http://c.pki.goog/r/r4.crl

7bc2928ce06e7db7bfe0bf3f2c2d2ff9df7f0a8041ea8c593dd0b912c1c3d3fd.exe

Remote address:

172.217.16.227:80

Request

GET /r/r4.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: c.pki.goog

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 436
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Sat, 25 Jan 2025 02:41:51 GMT
Expires: Sat, 25 Jan 2025 03:31:51 GMT
Cache-Control: public, max-age=3000
Age: 410
Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
Content-Type: application/pkix-crl
Vary: Accept-Encoding
DNS

1.112.21.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

1.112.21.104.in-addr.arpa

IN PTR

Response
DNS

227.16.217.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

227.16.217.172.in-addr.arpa

IN PTR

Response

227.16.217.172.in-addr.arpa

IN PTR

lhr48s28-in-f31e100net

227.16.217.172.in-addr.arpa

IN PTR

mad08s04-in-f3�H
GET

https://api.2ip.ua/geo.json

7bc2928ce06e7db7bfe0bf3f2c2d2ff9df7f0a8041ea8c593dd0b912c1c3d3fd.exe

Remote address:

104.21.112.1:443

Request

GET /geo.json HTTP/1.1
User-Agent: Microsoft Internet Explorer
Host: api.2ip.ua

Response

HTTP/1.1 200 OK

Date: Sat, 25 Jan 2025 02:48:57 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive
strict-transport-security: max-age=63072000; preload
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
x-xss-protection: 1; mode=block; report=...
access-control-allow-origin: *
access-control-allow-methods: POST, GET, PUT, OPTIONS, PATCH, DELETE
access-control-allow-headers: X-Accept-Charset,X-Accept,Content-Type
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ys2ShrZkRIv7c4BE6R9GGCqwIjlzmIQBFebZMh5%2Bc2vHNjNRvwg9BYbyrirDWDf8pWDyv%2ByG3Pw1bN8%2FvB1pIj6tXTVc2bSqg84uOEfkTycQ8KsuEa1hd3GZVpmk"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 9074f27d3986ee96-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=26357&min_rtt=26269&rtt_var=4215&sent=5&recv=9&lost=0&retrans=0&sent_bytes=3265&recv_bytes=384&delivery_rate=153587&cwnd=253&unsent_bytes=0&cid=f020351ba3881331&ts=121&x=0"
DNS

ring1.ug

7bc2928ce06e7db7bfe0bf3f2c2d2ff9df7f0a8041ea8c593dd0b912c1c3d3fd.exe

Remote address:

8.8.8.8:53

Request

ring1.ug

IN A

Response
DNS

197.87.175.4.in-addr.arpa

Remote address:

8.8.8.8:53

Request

197.87.175.4.in-addr.arpa

IN PTR

Response
DNS

241.42.69.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

241.42.69.40.in-addr.arpa

IN PTR

Response
DNS

92.12.20.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

92.12.20.2.in-addr.arpa

IN PTR

Response

92.12.20.2.in-addr.arpa

IN PTR

a2-20-12-92deploystaticakamaitechnologiescom
DNS

ring1.ug

7bc2928ce06e7db7bfe0bf3f2c2d2ff9df7f0a8041ea8c593dd0b912c1c3d3fd.exe

Remote address:

8.8.8.8:53

Request

ring1.ug

IN A

Response
DNS

ring1.ug

7bc2928ce06e7db7bfe0bf3f2c2d2ff9df7f0a8041ea8c593dd0b912c1c3d3fd.exe

Remote address:

8.8.8.8:53

Request

ring1.ug

IN A

Response
DNS

ring1.ug

7bc2928ce06e7db7bfe0bf3f2c2d2ff9df7f0a8041ea8c593dd0b912c1c3d3fd.exe

Remote address:

8.8.8.8:53

Request

ring1.ug

IN A

Response
DNS

30.243.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

30.243.111.52.in-addr.arpa

IN PTR

Response

104.21.112.1:443

https://api.2ip.ua/geo.json

tls, http

7bc2928ce06e7db7bfe0bf3f2c2d2ff9df7f0a8041ea8c593dd0b912c1c3d3fd.exe

1.0kB
5.4kB
14
10

HTTP Request

GET https://api.2ip.ua/geo.json

HTTP Response

200
172.217.16.227:80

http://c.pki.goog/r/r4.crl

http

7bc2928ce06e7db7bfe0bf3f2c2d2ff9df7f0a8041ea8c593dd0b912c1c3d3fd.exe

556 B
3.8kB
7
5

HTTP Request

GET http://c.pki.goog/r/gsr1.crl

HTTP Response

200

HTTP Request

GET http://c.pki.goog/r/r4.crl

HTTP Response

200
104.21.112.1:443

https://api.2ip.ua/geo.json

tls, http

7bc2928ce06e7db7bfe0bf3f2c2d2ff9df7f0a8041ea8c593dd0b912c1c3d3fd.exe

1.1kB
5.5kB
15
11

HTTP Request

GET https://api.2ip.ua/geo.json

HTTP Response

200

8.8.8.8:53

28.118.140.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

28.118.140.52.in-addr.arpa
8.8.8.8:53

74.32.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

74.32.126.40.in-addr.arpa
8.8.8.8:53

5.114.82.104.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

5.114.82.104.in-addr.arpa
8.8.8.8:53

154.239.44.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

154.239.44.20.in-addr.arpa
8.8.8.8:53

58.55.71.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

58.55.71.13.in-addr.arpa
8.8.8.8:53

api.2ip.ua

dns

7bc2928ce06e7db7bfe0bf3f2c2d2ff9df7f0a8041ea8c593dd0b912c1c3d3fd.exe

56 B
168 B
1
1

DNS Request

api.2ip.ua

DNS Response

104.21.112.1

104.21.80.1

104.21.48.1

104.21.32.1

104.21.16.1

104.21.96.1

104.21.64.1
8.8.8.8:53

c.pki.goog

dns

7bc2928ce06e7db7bfe0bf3f2c2d2ff9df7f0a8041ea8c593dd0b912c1c3d3fd.exe

56 B
107 B
1
1

DNS Request

c.pki.goog

DNS Response

172.217.16.227
8.8.8.8:53

1.112.21.104.in-addr.arpa

dns

71 B
133 B
1
1

DNS Request

1.112.21.104.in-addr.arpa
8.8.8.8:53

227.16.217.172.in-addr.arpa

dns

73 B
140 B
1
1

DNS Request

227.16.217.172.in-addr.arpa
8.8.8.8:53

ring1.ug

dns

7bc2928ce06e7db7bfe0bf3f2c2d2ff9df7f0a8041ea8c593dd0b912c1c3d3fd.exe

54 B
118 B
1
1

DNS Request

ring1.ug
8.8.8.8:53

197.87.175.4.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

197.87.175.4.in-addr.arpa
8.8.8.8:53

241.42.69.40.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

241.42.69.40.in-addr.arpa
8.8.8.8:53

92.12.20.2.in-addr.arpa

dns

69 B
131 B
1
1

DNS Request

92.12.20.2.in-addr.arpa
8.8.8.8:53

ring1.ug

dns

7bc2928ce06e7db7bfe0bf3f2c2d2ff9df7f0a8041ea8c593dd0b912c1c3d3fd.exe

54 B
118 B
1
1

DNS Request

ring1.ug
8.8.8.8:53

ring1.ug

dns

7bc2928ce06e7db7bfe0bf3f2c2d2ff9df7f0a8041ea8c593dd0b912c1c3d3fd.exe

54 B
118 B
1
1

DNS Request

ring1.ug
8.8.8.8:53

ring1.ug

dns

7bc2928ce06e7db7bfe0bf3f2c2d2ff9df7f0a8041ea8c593dd0b912c1c3d3fd.exe

54 B
118 B
1
1

DNS Request

ring1.ug
8.8.8.8:53

30.243.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

30.243.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
c9be626e9715952e9b70f92f912b9787

SHA1
aa2e946d9ad9027172d0d321917942b7562d6abe

SHA256
c13e8d22800c200915f87f71c31185053e4e60ca25de2e41e160e09cd2d815d4

SHA512
7581b7c593785380e9db3ae760af85c1a889f607a3cd2aa5a2695a0e5a0fe8ee751578e88f7d8c997faeda804e2fc2655d859bee2832eace526ed4379edaa3f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
f09c19e7169b089e342c019b2736b39b

SHA1
0598012e37e50deeebd04ae279c2daae7986009b

SHA256
cffdf73da2af4adf569cea74fc198585618dde2ff997bb35c37853a50f6f05c6

SHA512
a714a46199b00b0531327a2963020e81f2e83600734726f03867a4a8aef9d710e60ac21d66a30f78971254a73a73e0345b68c6cc61c7e77b85a38290bb172270

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
ea2fba5338881716f52f1a68623b57b1

SHA1
b3bb438f9cc9997e5cea73eaca7505741417d079

SHA256
11c9ec9a0e9a374741b7a657c080b9a3592d0786a274683ab64b905491476d12

SHA512
e9a1166b18e007e9d24370d230b7c693d22030aa497fb8e2ea73c33ca6f6ec07d6c6608748238460a47095cab607133bb6d747d893d4004660cfa84a38e35f45

Download Submit
C:\Users\Admin\AppData\Local\7a95e866-3d3b-42d9-a24d-aa38a54cbe17\7bc2928ce06e7db7bfe0bf3f2c2d2ff9df7f0a8041ea8c593dd0b912c1c3d3fd.exe

Filesize
725KB

MD5
e8bbb6d921b79101aea7d906a1798f3d

SHA1
4fd59822cdedd1b194d27d2c01a9cde6222de1bb

SHA256
7bc2928ce06e7db7bfe0bf3f2c2d2ff9df7f0a8041ea8c593dd0b912c1c3d3fd

SHA512
c525e07c65c7be43aa90568f98253b397919cd0f597b1ba446fed51a578ca1aae4c93fa59e1345b20e3216a676ba35c89c67d6ced6bea68da44a53989fa4d656

Download Submit
memory/2604-16-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2604-14-0x0000000000400000-0x0000000004F0E000-memory.dmp

Filesize
75.1MB

Download
memory/2604-15-0x0000000006DE0000-0x0000000006EFA000-memory.dmp

Filesize
1.1MB

Download
memory/2604-1-0x0000000006CD0000-0x0000000006D68000-memory.dmp

Filesize
608KB

Download
memory/2604-3-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2604-2-0x0000000006DE0000-0x0000000006EFA000-memory.dmp

Filesize
1.1MB

Download
memory/2928-24-0x0000000000400000-0x0000000004F0E000-memory.dmp

Filesize
75.1MB

Download
memory/2928-27-0x0000000000400000-0x0000000004F0E000-memory.dmp

Filesize
75.1MB

Download
memory/2928-28-0x0000000000400000-0x0000000004F0E000-memory.dmp

Filesize
75.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.