djvu | eb8de87523800e3aa747857a06938f3af3856fbd42be025688e2ff50248ac197

Analysis

max time kernel
31s
max time network
46s
platform
windows7_x64
resource
win7v20201028
submitted
13-02-2021 13:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

95C8.exe
Size

684KB
MD5

7efdbcd2dda98974f89290ce0a02cdc7
SHA1

cbae61ac09fe75b570bee392aa70310ef4d94362
SHA256

eb8de87523800e3aa747857a06938f3af3856fbd42be025688e2ff50248ac197
SHA512

b9d334d10bc4c02007efcdd789a4fb91bffa3790c8d8357f438cd167c86097acc0b6d4889c1b81de77c42e8b7d5f04f3a8dffca80adc2a9148051b68d1215adc

Score

10^/10

djvu taurus_stealer vidar discovery evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Deletes Windows Defender Definitions 2 TTPs 1 IoCs

Uses mpcmdrun utility to delete all AV definitions.

evasion

Impair Defenses

T1562

Command-Line Interface

T1059

pid	Process
1896	mpcmdrun.exe

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Taurus Stealer
Taurus is an infostealer first seen in June 2020.
trojan stealer taurus_stealer
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Disables Task Manager via registry modification
evasion

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	updatewin2.exe

Executes dropped EXE 5 IoCs

pid	Process
560	updatewin1.exe
1596	updatewin1.exe
776	updatewin2.exe
1080	updatewin.exe
1236	5.exe

Loads dropped DLL 20 IoCs

pid	Process
1804	95C8.exe
560	updatewin1.exe
560	updatewin1.exe
560	updatewin1.exe
560	updatewin1.exe
560	updatewin1.exe
1596	updatewin1.exe
1596	updatewin1.exe
1596	updatewin1.exe
1804	95C8.exe
1804	95C8.exe
1080	updatewin.exe
1080	updatewin.exe
1080	updatewin.exe
1804	95C8.exe
1804	95C8.exe
1236	5.exe
1236	5.exe
1236	5.exe
1236	5.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1108	icacls.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\4ff6071e-57d7-4912-aae7-6d434acf18d6\\95C8.exe\" --AutoStart"	95C8.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	api.2ip.ua
6	api.2ip.ua
14	api.2ip.ua

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	5.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1000	timeout.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1724	taskkill.exe

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	95C8.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	95C8.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	95C8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	95C8.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	95C8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	5.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	5.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
776	95C8.exe
776	95C8.exe
1804	95C8.exe
1804	95C8.exe
756	powershell.exe
756	powershell.exe
756	powershell.exe
1524	powershell.exe
1524	powershell.exe
1152	powershell.exe
1236	5.exe
1236	5.exe
1236	5.exe
1236	5.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	756	powershell.exe
Token: SeRestorePrivilege	1080	updatewin.exe
Token: SeBackupPrivilege	1080	updatewin.exe
Token: SeDebugPrivilege	1524	powershell.exe
Token: SeDebugPrivilege	1152	powershell.exe
Token: SeDebugPrivilege	1724	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 776 wrote to memory of 1108	776	95C8.exe	31
PID 776 wrote to memory of 1108	776	95C8.exe	31
PID 776 wrote to memory of 1108	776	95C8.exe	31
PID 776 wrote to memory of 1108	776	95C8.exe	31
PID 776 wrote to memory of 1804	776	95C8.exe	32
PID 776 wrote to memory of 1804	776	95C8.exe	32
PID 776 wrote to memory of 1804	776	95C8.exe	32
PID 776 wrote to memory of 1804	776	95C8.exe	32
PID 1804 wrote to memory of 560	1804	95C8.exe	33
PID 1804 wrote to memory of 560	1804	95C8.exe	33
PID 1804 wrote to memory of 560	1804	95C8.exe	33
PID 1804 wrote to memory of 560	1804	95C8.exe	33
PID 1804 wrote to memory of 560	1804	95C8.exe	33
PID 1804 wrote to memory of 560	1804	95C8.exe	33
PID 1804 wrote to memory of 560	1804	95C8.exe	33
PID 560 wrote to memory of 1596	560	updatewin1.exe	34
PID 560 wrote to memory of 1596	560	updatewin1.exe	34
PID 560 wrote to memory of 1596	560	updatewin1.exe	34
PID 560 wrote to memory of 1596	560	updatewin1.exe	34
PID 560 wrote to memory of 1596	560	updatewin1.exe	34
PID 560 wrote to memory of 1596	560	updatewin1.exe	34
PID 560 wrote to memory of 1596	560	updatewin1.exe	34
PID 1596 wrote to memory of 756	1596	updatewin1.exe	35
PID 1596 wrote to memory of 756	1596	updatewin1.exe	35
PID 1596 wrote to memory of 756	1596	updatewin1.exe	35
PID 1596 wrote to memory of 756	1596	updatewin1.exe	35
PID 1596 wrote to memory of 756	1596	updatewin1.exe	35
PID 1596 wrote to memory of 756	1596	updatewin1.exe	35
PID 1596 wrote to memory of 756	1596	updatewin1.exe	35
PID 1804 wrote to memory of 776	1804	95C8.exe	38
PID 1804 wrote to memory of 776	1804	95C8.exe	38
PID 1804 wrote to memory of 776	1804	95C8.exe	38
PID 1804 wrote to memory of 776	1804	95C8.exe	38
PID 1804 wrote to memory of 776	1804	95C8.exe	38
PID 1804 wrote to memory of 776	1804	95C8.exe	38
PID 1804 wrote to memory of 776	1804	95C8.exe	38
PID 1804 wrote to memory of 1080	1804	95C8.exe	39
PID 1804 wrote to memory of 1080	1804	95C8.exe	39
PID 1804 wrote to memory of 1080	1804	95C8.exe	39
PID 1804 wrote to memory of 1080	1804	95C8.exe	39
PID 1804 wrote to memory of 1080	1804	95C8.exe	39
PID 1804 wrote to memory of 1080	1804	95C8.exe	39
PID 1804 wrote to memory of 1080	1804	95C8.exe	39
PID 1080 wrote to memory of 1600	1080	updatewin.exe	40
PID 1080 wrote to memory of 1600	1080	updatewin.exe	40
PID 1080 wrote to memory of 1600	1080	updatewin.exe	40
PID 1080 wrote to memory of 1600	1080	updatewin.exe	40
PID 1080 wrote to memory of 1600	1080	updatewin.exe	40
PID 1080 wrote to memory of 1600	1080	updatewin.exe	40
PID 1080 wrote to memory of 1600	1080	updatewin.exe	40
PID 1600 wrote to memory of 1000	1600	cmd.exe	42
PID 1600 wrote to memory of 1000	1600	cmd.exe	42
PID 1600 wrote to memory of 1000	1600	cmd.exe	42
PID 1600 wrote to memory of 1000	1600	cmd.exe	42
PID 1600 wrote to memory of 1000	1600	cmd.exe	42
PID 1600 wrote to memory of 1000	1600	cmd.exe	42
PID 1600 wrote to memory of 1000	1600	cmd.exe	42
PID 1804 wrote to memory of 1236	1804	95C8.exe	43
PID 1804 wrote to memory of 1236	1804	95C8.exe	43
PID 1804 wrote to memory of 1236	1804	95C8.exe	43
PID 1804 wrote to memory of 1236	1804	95C8.exe	43
PID 1596 wrote to memory of 1524	1596	updatewin1.exe	44
PID 1596 wrote to memory of 1524	1596	updatewin1.exe	44
PID 1596 wrote to memory of 1524	1596	updatewin1.exe	44

C:\Users\Admin\AppData\Local\Temp\95C8.exe
"C:\Users\Admin\AppData\Local\Temp\95C8.exe"
1⤵
- Adds Run key to start application
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:776
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\Users\Admin\AppData\Local\4ff6071e-57d7-4912-aae7-6d434acf18d6" /deny *S-1-1-0:(OI)(CI)(DE,DC)
  2⤵
  - Modifies file permissions
  PID:1108
- C:\Users\Admin\AppData\Local\Temp\95C8.exe
  "C:\Users\Admin\AppData\Local\Temp\95C8.exe" --Admin IsNotAutoStart IsNotTask
  2⤵
  - Loads dropped DLL
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1804
- - C:\Users\Admin\AppData\Local\81c1b351-f278-49b7-ac53-6eeb2da8383c\updatewin1.exe
    "C:\Users\Admin\AppData\Local\81c1b351-f278-49b7-ac53-6eeb2da8383c\updatewin1.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:560
  - - C:\Users\Admin\AppData\Local\81c1b351-f278-49b7-ac53-6eeb2da8383c\updatewin1.exe
      "C:\Users\Admin\AppData\Local\81c1b351-f278-49b7-ac53-6eeb2da8383c\updatewin1.exe" --Admin
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1596
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-ExecutionPolicy -Scope CurrentUser RemoteSigned
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:756
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -NoProfile -ExecutionPolicy Bypass -Command "& {Start-Process PowerShell -ArgumentList '-NoProfile -ExecutionPolicy Bypass -File ""C:\Users\Admin\AppData\Local\script.ps1""' -Verb RunAs}"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1524
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\script.ps1
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1152
    - - C:\Program Files\Windows Defender\mpcmdrun.exe
        
        "C:\Program Files\Windows Defender\mpcmdrun.exe" -removedefinitions -all
        5⤵
        Deletes Windows Defender Definitions
        
        PID:1896
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\delself.bat""
        5⤵
        
        PID:1356
- - C:\Users\Admin\AppData\Local\81c1b351-f278-49b7-ac53-6eeb2da8383c\updatewin2.exe
    "C:\Users\Admin\AppData\Local\81c1b351-f278-49b7-ac53-6eeb2da8383c\updatewin2.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    PID:776
- - C:\Users\Admin\AppData\Local\81c1b351-f278-49b7-ac53-6eeb2da8383c\updatewin.exe
    "C:\Users\Admin\AppData\Local\81c1b351-f278-49b7-ac53-6eeb2da8383c\updatewin.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1080
  - - C:\Windows\SysWOW64\cmd.exe
      /c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Local\81c1b351-f278-49b7-ac53-6eeb2da8383c\updatewin.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1600
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 3
        5⤵
        Delays execution with timeout.exe
        
        PID:1000
- - C:\Users\Admin\AppData\Local\81c1b351-f278-49b7-ac53-6eeb2da8383c\5.exe
    "C:\Users\Admin\AppData\Local\81c1b351-f278-49b7-ac53-6eeb2da8383c\5.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    PID:1236
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im 5.exe /f & erase C:\Users\Admin\AppData\Local\81c1b351-f278-49b7-ac53-6eeb2da8383c\5.exe & exit
      4⤵
      PID:1596
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im 5.exe /f
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1724

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/560-46-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/560-28-0x0000000001F90000-0x0000000001FA1000-memory.dmp

Filesize
68KB

Download
memory/756-47-0x00000000010B0000-0x00000000010B1000-memory.dmp

Filesize
4KB

Download
memory/756-59-0x00000000011B0000-0x00000000011B1000-memory.dmp

Filesize
4KB

Download
memory/756-62-0x0000000004AA0000-0x0000000004AA1000-memory.dmp

Filesize
4KB

Download
memory/756-40-0x0000000073200000-0x00000000738EE000-memory.dmp

Filesize
6.9MB

Download
memory/756-95-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download
memory/756-60-0x0000000004B72000-0x0000000004B73000-memory.dmp

Filesize
4KB

Download
memory/756-48-0x0000000004B70000-0x0000000004B71000-memory.dmp

Filesize
4KB

Download
memory/756-50-0x0000000004BB0000-0x0000000004BB1000-memory.dmp

Filesize
4KB

Download
memory/756-91-0x00000000063B0000-0x00000000063B1000-memory.dmp

Filesize
4KB

Download
memory/756-84-0x0000000005950000-0x0000000005951000-memory.dmp

Filesize
4KB

Download
memory/756-83-0x0000000005790000-0x0000000005791000-memory.dmp

Filesize
4KB

Download
memory/756-78-0x0000000005730000-0x0000000005731000-memory.dmp

Filesize
4KB

Download
memory/776-5-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/776-61-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/776-45-0x0000000001CD0000-0x0000000001CE1000-memory.dmp

Filesize
68KB

Download
memory/776-4-0x0000000000A70000-0x0000000000B8A000-memory.dmp

Filesize
1.1MB

Download
memory/776-2-0x0000000000A70000-0x0000000000A81000-memory.dmp

Filesize
68KB

Download
memory/776-3-0x0000000076071000-0x0000000076073000-memory.dmp

Filesize
8KB

Download
memory/1152-120-0x00000000027E0000-0x00000000027E1000-memory.dmp

Filesize
4KB

Download
memory/1152-148-0x00000000065F0000-0x00000000065F1000-memory.dmp

Filesize
4KB

Download
memory/1152-147-0x00000000065E0000-0x00000000065E1000-memory.dmp

Filesize
4KB

Download
memory/1152-145-0x000000007EF20000-0x000000007EF21000-memory.dmp

Filesize
4KB

Download
memory/1152-130-0x0000000006450000-0x0000000006451000-memory.dmp

Filesize
4KB

Download
memory/1152-127-0x0000000005A40000-0x0000000005A41000-memory.dmp

Filesize
4KB

Download
memory/1152-118-0x0000000004C10000-0x0000000004C11000-memory.dmp

Filesize
4KB

Download
memory/1152-119-0x0000000004C12000-0x0000000004C13000-memory.dmp

Filesize
4KB

Download
memory/1152-115-0x0000000073200000-0x00000000738EE000-memory.dmp

Filesize
6.9MB

Download
memory/1152-116-0x0000000001150000-0x0000000001151000-memory.dmp

Filesize
4KB

Download
memory/1236-74-0x0000000000220000-0x00000000002A8000-memory.dmp

Filesize
544KB

Download
memory/1236-75-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1236-71-0x0000000003C60000-0x0000000003C71000-memory.dmp

Filesize
68KB

Download
memory/1524-97-0x0000000001070000-0x0000000001071000-memory.dmp

Filesize
4KB

Download
memory/1524-100-0x0000000005420000-0x0000000005421000-memory.dmp

Filesize
4KB

Download
memory/1524-102-0x0000000004B32000-0x0000000004B33000-memory.dmp

Filesize
4KB

Download
memory/1524-96-0x0000000072B10000-0x00000000731FE000-memory.dmp

Filesize
6.9MB

Download
memory/1524-99-0x0000000002760000-0x0000000002761000-memory.dmp

Filesize
4KB

Download
memory/1524-110-0x00000000061E0000-0x00000000061E1000-memory.dmp

Filesize
4KB

Download
memory/1524-101-0x0000000004B30000-0x0000000004B31000-memory.dmp

Filesize
4KB

Download
memory/1524-98-0x0000000004B70000-0x0000000004B71000-memory.dmp

Filesize
4KB

Download
memory/1596-37-0x0000000001E70000-0x0000000001E81000-memory.dmp

Filesize
68KB

Download
memory/1692-6-0x000007FEF74B0000-0x000007FEF772A000-memory.dmp

Filesize
2.5MB

Download
memory/1804-10-0x0000000000B70000-0x0000000000B81000-memory.dmp

Filesize
68KB

Download
memory/1804-17-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download