djvu | eb8de87523800e3aa747857a06938f3af3856fbd42be025688e2ff50248ac197

Analysis

max time kernel
150s
max time network
92s
platform
windows7_x64
resource
win7v20201028
submitted
13/02/2021, 11:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

B9B1.exe
Size

684KB
MD5

7efdbcd2dda98974f89290ce0a02cdc7
SHA1

cbae61ac09fe75b570bee392aa70310ef4d94362
SHA256

eb8de87523800e3aa747857a06938f3af3856fbd42be025688e2ff50248ac197
SHA512

b9d334d10bc4c02007efcdd789a4fb91bffa3790c8d8357f438cd167c86097acc0b6d4889c1b81de77c42e8b7d5f04f3a8dffca80adc2a9148051b68d1215adc

Score

10^/10

djvu taurus_stealer vidar discovery evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Deletes Windows Defender Definitions 2 TTPs 1 IoCs

Uses mpcmdrun utility to delete all AV definitions.

evasion

Impair Defenses

T1562

Command-Line Interface

T1059

pid	Process
1768	mpcmdrun.exe

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Taurus Stealer
Taurus is an infostealer first seen in June 2020.
trojan stealer taurus_stealer
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Disables Task Manager via registry modification
evasion

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	updatewin2.exe

Executes dropped EXE 5 IoCs

pid	Process
1580	updatewin1.exe
1628	updatewin1.exe
1452	updatewin2.exe
1396	updatewin.exe
704	5.exe

Loads dropped DLL 20 IoCs

pid	Process
1104	B9B1.exe
1580	updatewin1.exe
1580	updatewin1.exe
1580	updatewin1.exe
1580	updatewin1.exe
1580	updatewin1.exe
1628	updatewin1.exe
1628	updatewin1.exe
1628	updatewin1.exe
1104	B9B1.exe
1104	B9B1.exe
1396	updatewin.exe
1396	updatewin.exe
1396	updatewin.exe
1104	B9B1.exe
1104	B9B1.exe
704	5.exe
704	5.exe
704	5.exe
704	5.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
948	icacls.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\b3b4016d-2de3-4020-8206-f7f4735a7fc2\\B9B1.exe\" --AutoStart"	B9B1.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	api.2ip.ua
6	api.2ip.ua
7	api.2ip.ua

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	5.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2044	timeout.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
624	taskkill.exe

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	B9B1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	B9B1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	B9B1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	B9B1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	5.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	B9B1.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1968	B9B1.exe
1968	B9B1.exe
1104	B9B1.exe
1104	B9B1.exe
328	powershell.exe
328	powershell.exe
328	powershell.exe
436	powershell.exe
436	powershell.exe
1376	powershell.exe
704	5.exe
704	5.exe
704	5.exe
704	5.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	328	powershell.exe
Token: SeRestorePrivilege	1396	updatewin.exe
Token: SeBackupPrivilege	1396	updatewin.exe
Token: SeDebugPrivilege	436	powershell.exe
Token: SeDebugPrivilege	1376	powershell.exe
Token: SeDebugPrivilege	624	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 948	1968	B9B1.exe	31
PID 1968 wrote to memory of 948	1968	B9B1.exe	31
PID 1968 wrote to memory of 948	1968	B9B1.exe	31
PID 1968 wrote to memory of 948	1968	B9B1.exe	31
PID 1968 wrote to memory of 1104	1968	B9B1.exe	32
PID 1968 wrote to memory of 1104	1968	B9B1.exe	32
PID 1968 wrote to memory of 1104	1968	B9B1.exe	32
PID 1968 wrote to memory of 1104	1968	B9B1.exe	32
PID 1104 wrote to memory of 1580	1104	B9B1.exe	33
PID 1104 wrote to memory of 1580	1104	B9B1.exe	33
PID 1104 wrote to memory of 1580	1104	B9B1.exe	33
PID 1104 wrote to memory of 1580	1104	B9B1.exe	33
PID 1104 wrote to memory of 1580	1104	B9B1.exe	33
PID 1104 wrote to memory of 1580	1104	B9B1.exe	33
PID 1104 wrote to memory of 1580	1104	B9B1.exe	33
PID 1580 wrote to memory of 1628	1580	updatewin1.exe	34
PID 1580 wrote to memory of 1628	1580	updatewin1.exe	34
PID 1580 wrote to memory of 1628	1580	updatewin1.exe	34
PID 1580 wrote to memory of 1628	1580	updatewin1.exe	34
PID 1580 wrote to memory of 1628	1580	updatewin1.exe	34
PID 1580 wrote to memory of 1628	1580	updatewin1.exe	34
PID 1580 wrote to memory of 1628	1580	updatewin1.exe	34
PID 1104 wrote to memory of 1452	1104	B9B1.exe	36
PID 1104 wrote to memory of 1452	1104	B9B1.exe	36
PID 1104 wrote to memory of 1452	1104	B9B1.exe	36
PID 1104 wrote to memory of 1452	1104	B9B1.exe	36
PID 1104 wrote to memory of 1452	1104	B9B1.exe	36
PID 1104 wrote to memory of 1452	1104	B9B1.exe	36
PID 1104 wrote to memory of 1452	1104	B9B1.exe	36
PID 1628 wrote to memory of 328	1628	updatewin1.exe	37
PID 1628 wrote to memory of 328	1628	updatewin1.exe	37
PID 1628 wrote to memory of 328	1628	updatewin1.exe	37
PID 1628 wrote to memory of 328	1628	updatewin1.exe	37
PID 1628 wrote to memory of 328	1628	updatewin1.exe	37
PID 1628 wrote to memory of 328	1628	updatewin1.exe	37
PID 1628 wrote to memory of 328	1628	updatewin1.exe	37
PID 1104 wrote to memory of 1396	1104	B9B1.exe	39
PID 1104 wrote to memory of 1396	1104	B9B1.exe	39
PID 1104 wrote to memory of 1396	1104	B9B1.exe	39
PID 1104 wrote to memory of 1396	1104	B9B1.exe	39
PID 1104 wrote to memory of 1396	1104	B9B1.exe	39
PID 1104 wrote to memory of 1396	1104	B9B1.exe	39
PID 1104 wrote to memory of 1396	1104	B9B1.exe	39
PID 1104 wrote to memory of 704	1104	B9B1.exe	40
PID 1104 wrote to memory of 704	1104	B9B1.exe	40
PID 1104 wrote to memory of 704	1104	B9B1.exe	40
PID 1104 wrote to memory of 704	1104	B9B1.exe	40
PID 1396 wrote to memory of 916	1396	updatewin.exe	41
PID 1396 wrote to memory of 916	1396	updatewin.exe	41
PID 1396 wrote to memory of 916	1396	updatewin.exe	41
PID 1396 wrote to memory of 916	1396	updatewin.exe	41
PID 1396 wrote to memory of 916	1396	updatewin.exe	41
PID 1396 wrote to memory of 916	1396	updatewin.exe	41
PID 1396 wrote to memory of 916	1396	updatewin.exe	41
PID 916 wrote to memory of 2044	916	cmd.exe	43
PID 916 wrote to memory of 2044	916	cmd.exe	43
PID 916 wrote to memory of 2044	916	cmd.exe	43
PID 916 wrote to memory of 2044	916	cmd.exe	43
PID 916 wrote to memory of 2044	916	cmd.exe	43
PID 916 wrote to memory of 2044	916	cmd.exe	43
PID 916 wrote to memory of 2044	916	cmd.exe	43
PID 1628 wrote to memory of 436	1628	updatewin1.exe	44
PID 1628 wrote to memory of 436	1628	updatewin1.exe	44
PID 1628 wrote to memory of 436	1628	updatewin1.exe	44

C:\Users\Admin\AppData\Local\Temp\B9B1.exe
"C:\Users\Admin\AppData\Local\Temp\B9B1.exe"
1⤵
- Adds Run key to start application
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\Users\Admin\AppData\Local\b3b4016d-2de3-4020-8206-f7f4735a7fc2" /deny *S-1-1-0:(OI)(CI)(DE,DC)
  2⤵
  - Modifies file permissions
  PID:948
- C:\Users\Admin\AppData\Local\Temp\B9B1.exe
  "C:\Users\Admin\AppData\Local\Temp\B9B1.exe" --Admin IsNotAutoStart IsNotTask
  2⤵
  - Loads dropped DLL
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1104
- - C:\Users\Admin\AppData\Local\5d0cf677-4235-4566-98cf-31efbebbf62d\updatewin1.exe
    "C:\Users\Admin\AppData\Local\5d0cf677-4235-4566-98cf-31efbebbf62d\updatewin1.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1580
  - - C:\Users\Admin\AppData\Local\5d0cf677-4235-4566-98cf-31efbebbf62d\updatewin1.exe
      "C:\Users\Admin\AppData\Local\5d0cf677-4235-4566-98cf-31efbebbf62d\updatewin1.exe" --Admin
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1628
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-ExecutionPolicy -Scope CurrentUser RemoteSigned
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:328
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -NoProfile -ExecutionPolicy Bypass -Command "& {Start-Process PowerShell -ArgumentList '-NoProfile -ExecutionPolicy Bypass -File ""C:\Users\Admin\AppData\Local\script.ps1""' -Verb RunAs}"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:436
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\script.ps1
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1376
    - - C:\Program Files\Windows Defender\mpcmdrun.exe
        
        "C:\Program Files\Windows Defender\mpcmdrun.exe" -removedefinitions -all
        5⤵
        Deletes Windows Defender Definitions
        
        PID:1768
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\delself.bat""
        5⤵
        
        PID:624
- - C:\Users\Admin\AppData\Local\5d0cf677-4235-4566-98cf-31efbebbf62d\updatewin2.exe
    "C:\Users\Admin\AppData\Local\5d0cf677-4235-4566-98cf-31efbebbf62d\updatewin2.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    PID:1452
- - C:\Users\Admin\AppData\Local\5d0cf677-4235-4566-98cf-31efbebbf62d\updatewin.exe
    "C:\Users\Admin\AppData\Local\5d0cf677-4235-4566-98cf-31efbebbf62d\updatewin.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1396
  - - C:\Windows\SysWOW64\cmd.exe
      /c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Local\5d0cf677-4235-4566-98cf-31efbebbf62d\updatewin.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:916
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 3
        5⤵
        Delays execution with timeout.exe
        
        PID:2044
- - C:\Users\Admin\AppData\Local\5d0cf677-4235-4566-98cf-31efbebbf62d\5.exe
    "C:\Users\Admin\AppData\Local\5d0cf677-4235-4566-98cf-31efbebbf62d\5.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    PID:704
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im 5.exe /f & erase C:\Users\Admin\AppData\Local\5d0cf677-4235-4566-98cf-31efbebbf62d\5.exe & exit
      4⤵
      PID:436
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im 5.exe /f
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:624

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/328-65-0x00000000027F0000-0x00000000027F1000-memory.dmp

Filesize
4KB

Download
memory/328-86-0x00000000057F0000-0x00000000057F1000-memory.dmp

Filesize
4KB

Download
memory/328-63-0x0000000001F00000-0x0000000001F01000-memory.dmp

Filesize
4KB

Download
memory/328-64-0x0000000001F02000-0x0000000001F03000-memory.dmp

Filesize
4KB

Download
memory/328-104-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download
memory/328-99-0x0000000006420000-0x0000000006421000-memory.dmp

Filesize
4KB

Download
memory/328-92-0x0000000006320000-0x0000000006321000-memory.dmp

Filesize
4KB

Download
memory/328-91-0x0000000006220000-0x0000000006221000-memory.dmp

Filesize
4KB

Download
memory/328-61-0x0000000001FD0000-0x0000000001FD1000-memory.dmp

Filesize
4KB

Download
memory/328-52-0x0000000072EC0000-0x00000000735AE000-memory.dmp

Filesize
6.9MB

Download
memory/328-74-0x0000000005460000-0x0000000005461000-memory.dmp

Filesize
4KB

Download
memory/328-62-0x0000000004A90000-0x0000000004A91000-memory.dmp

Filesize
4KB

Download
memory/436-110-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/436-103-0x00000000727D0000-0x0000000072EBE000-memory.dmp

Filesize
6.9MB

Download
memory/436-118-0x00000000058D0000-0x00000000058D1000-memory.dmp

Filesize
4KB

Download
memory/436-107-0x0000000004A80000-0x0000000004A81000-memory.dmp

Filesize
4KB

Download
memory/436-109-0x00000000012F0000-0x00000000012F1000-memory.dmp

Filesize
4KB

Download
memory/436-105-0x0000000000F20000-0x0000000000F21000-memory.dmp

Filesize
4KB

Download
memory/436-106-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/436-108-0x00000000029B2000-0x00000000029B3000-memory.dmp

Filesize
4KB

Download
memory/704-82-0x0000000000230000-0x00000000002B8000-memory.dmp

Filesize
544KB

Download
memory/704-83-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/704-75-0x0000000003BB0000-0x0000000003BC1000-memory.dmp

Filesize
68KB

Download
memory/1104-17-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1104-14-0x0000000000A30000-0x0000000000A41000-memory.dmp

Filesize
68KB

Download
memory/1376-131-0x0000000001300000-0x0000000001301000-memory.dmp

Filesize
4KB

Download
memory/1376-132-0x0000000002970000-0x0000000002971000-memory.dmp

Filesize
4KB

Download
memory/1376-137-0x00000000059B0000-0x00000000059B1000-memory.dmp

Filesize
4KB

Download
memory/1376-154-0x00000000064E0000-0x00000000064E1000-memory.dmp

Filesize
4KB

Download
memory/1376-155-0x00000000064F0000-0x00000000064F1000-memory.dmp

Filesize
4KB

Download
memory/1376-123-0x0000000072EC0000-0x00000000735AE000-memory.dmp

Filesize
6.9MB

Download
memory/1376-124-0x0000000000B50000-0x0000000000B51000-memory.dmp

Filesize
4KB

Download
memory/1376-142-0x00000000059E0000-0x00000000059E1000-memory.dmp

Filesize
4KB

Download
memory/1376-129-0x0000000004C40000-0x0000000004C41000-memory.dmp

Filesize
4KB

Download
memory/1376-130-0x0000000004C42000-0x0000000004C43000-memory.dmp

Filesize
4KB

Download
memory/1452-51-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1452-47-0x0000000001FB0000-0x0000000001FC1000-memory.dmp

Filesize
68KB

Download
memory/1580-32-0x0000000001E80000-0x0000000001E91000-memory.dmp

Filesize
68KB

Download
memory/1580-49-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1628-41-0x0000000002140000-0x0000000002151000-memory.dmp

Filesize
68KB

Download
memory/1816-6-0x000007FEF5E90000-0x000007FEF610A000-memory.dmp

Filesize
2.5MB

Download
memory/1968-5-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1968-4-0x0000000000940000-0x0000000000A5A000-memory.dmp

Filesize
1.1MB

Download
memory/1968-2-0x0000000000BF0000-0x0000000000C01000-memory.dmp

Filesize
68KB

Download
memory/1968-3-0x0000000075ED1000-0x0000000075ED3000-memory.dmp

Filesize
8KB

Download