djvu | 3e4676b65c821a9509ba52b43e12248a75cc8f68b212d9852786cc6424003d60

Analysis

max time kernel
36s
max time network
122s
platform
windows7_x64
resource
win7v20210408
submitted
10-06-2021 14:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6b7829cb6f27c9382e48822f36ce2b03.exe
Size

859KB
MD5

6b7829cb6f27c9382e48822f36ce2b03
SHA1

190cd052a6de77dfa081172a7917dde892632d97
SHA256

3e4676b65c821a9509ba52b43e12248a75cc8f68b212d9852786cc6424003d60
SHA512

3a1f2edd75ed62939cfe4a3becef1cf844fbd9e04786e007f13688812dd8f292561b2092153f1ab19d46fa1a20163805184ddbdea9dda8dbc23963525362909b

Score

10^/10

djvu vidar 517 discovery evasion persistence ransomware stealer

Malware Config

Extracted

Family

vidar

Version

39.3

Botnet

517

https://bandakere.tumblr.com/

Attributes

profile_id
517

Signatures

Deletes Windows Defender Definitions 2 TTPs 1 IoCs

Uses mpcmdrun utility to delete all AV definitions.

evasion

Impair Defenses

T1562

Command-Line Interface

T1059

pid	Process
580	mpcmdrun.exe

Detected Djvu ransomeware 6 IoCs

resource	yara_rule
behavioral1/memory/1700-60-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1700-61-0x0000000000424141-mapping.dmp	family_djvu
behavioral1/memory/1644-63-0x0000000001DB0000-0x0000000001ECB000-memory.dmp	family_djvu
behavioral1/memory/1700-64-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1620-69-0x0000000000424141-mapping.dmp	family_djvu
behavioral1/memory/1620-78-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Vidar Stealer 3 IoCs

stealer

resource	yara_rule
behavioral1/memory/1104-161-0x0000000000400000-0x000000000049B000-memory.dmp	family_vidar
behavioral1/memory/1656-165-0x0000000000220000-0x00000000002B8000-memory.dmp	family_vidar
behavioral1/memory/1104-162-0x00000000004680AD-mapping.dmp	family_vidar

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	updatewin2.exe

Executes dropped EXE 5 IoCs

pid	Process
964	updatewin1.exe
944	updatewin1.exe
580	updatewin2.exe
1656	5.exe
1104	5.exe

Loads dropped DLL 12 IoCs

pid	Process
1620	6b7829cb6f27c9382e48822f36ce2b03.exe
964	updatewin1.exe
964	updatewin1.exe
964	updatewin1.exe
964	updatewin1.exe
964	updatewin1.exe
944	updatewin1.exe
944	updatewin1.exe
944	updatewin1.exe
1620	6b7829cb6f27c9382e48822f36ce2b03.exe
1620	6b7829cb6f27c9382e48822f36ce2b03.exe
1620	6b7829cb6f27c9382e48822f36ce2b03.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1584	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\30f22ef8-8950-4b66-ba63-da3c8a0b51cb\\6b7829cb6f27c9382e48822f36ce2b03.exe\" --AutoStart"	6b7829cb6f27c9382e48822f36ce2b03.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	api.2ip.ua
5	api.2ip.ua
13	api.2ip.ua

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1644 set thread context of 1700	1644	6b7829cb6f27c9382e48822f36ce2b03.exe	29
PID 1100 set thread context of 1620	1100	6b7829cb6f27c9382e48822f36ce2b03.exe	34
PID 1656 set thread context of 1104	1656	5.exe	50

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
524	timeout.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
328	taskkill.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	6b7829cb6f27c9382e48822f36ce2b03.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	6b7829cb6f27c9382e48822f36ce2b03.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	6b7829cb6f27c9382e48822f36ce2b03.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	6b7829cb6f27c9382e48822f36ce2b03.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	6b7829cb6f27c9382e48822f36ce2b03.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
1700	6b7829cb6f27c9382e48822f36ce2b03.exe
1700	6b7829cb6f27c9382e48822f36ce2b03.exe
1620	6b7829cb6f27c9382e48822f36ce2b03.exe
1620	6b7829cb6f27c9382e48822f36ce2b03.exe
1908	powershell.exe
1908	powershell.exe
1908	powershell.exe
1408	powershell.exe
1408	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1908	powershell.exe
Token: SeDebugPrivilege	1408	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1644 wrote to memory of 1700	1644	6b7829cb6f27c9382e48822f36ce2b03.exe	29
PID 1644 wrote to memory of 1700	1644	6b7829cb6f27c9382e48822f36ce2b03.exe	29
PID 1644 wrote to memory of 1700	1644	6b7829cb6f27c9382e48822f36ce2b03.exe	29
PID 1644 wrote to memory of 1700	1644	6b7829cb6f27c9382e48822f36ce2b03.exe	29
PID 1644 wrote to memory of 1700	1644	6b7829cb6f27c9382e48822f36ce2b03.exe	29
PID 1644 wrote to memory of 1700	1644	6b7829cb6f27c9382e48822f36ce2b03.exe	29
PID 1644 wrote to memory of 1700	1644	6b7829cb6f27c9382e48822f36ce2b03.exe	29
PID 1644 wrote to memory of 1700	1644	6b7829cb6f27c9382e48822f36ce2b03.exe	29
PID 1644 wrote to memory of 1700	1644	6b7829cb6f27c9382e48822f36ce2b03.exe	29
PID 1644 wrote to memory of 1700	1644	6b7829cb6f27c9382e48822f36ce2b03.exe	29
PID 1644 wrote to memory of 1700	1644	6b7829cb6f27c9382e48822f36ce2b03.exe	29
PID 1700 wrote to memory of 1584	1700	6b7829cb6f27c9382e48822f36ce2b03.exe	32
PID 1700 wrote to memory of 1584	1700	6b7829cb6f27c9382e48822f36ce2b03.exe	32
PID 1700 wrote to memory of 1584	1700	6b7829cb6f27c9382e48822f36ce2b03.exe	32
PID 1700 wrote to memory of 1584	1700	6b7829cb6f27c9382e48822f36ce2b03.exe	32
PID 1700 wrote to memory of 1100	1700	6b7829cb6f27c9382e48822f36ce2b03.exe	33
PID 1700 wrote to memory of 1100	1700	6b7829cb6f27c9382e48822f36ce2b03.exe	33
PID 1700 wrote to memory of 1100	1700	6b7829cb6f27c9382e48822f36ce2b03.exe	33
PID 1700 wrote to memory of 1100	1700	6b7829cb6f27c9382e48822f36ce2b03.exe	33
PID 1100 wrote to memory of 1620	1100	6b7829cb6f27c9382e48822f36ce2b03.exe	34
PID 1100 wrote to memory of 1620	1100	6b7829cb6f27c9382e48822f36ce2b03.exe	34
PID 1100 wrote to memory of 1620	1100	6b7829cb6f27c9382e48822f36ce2b03.exe	34
PID 1100 wrote to memory of 1620	1100	6b7829cb6f27c9382e48822f36ce2b03.exe	34
PID 1100 wrote to memory of 1620	1100	6b7829cb6f27c9382e48822f36ce2b03.exe	34
PID 1100 wrote to memory of 1620	1100	6b7829cb6f27c9382e48822f36ce2b03.exe	34
PID 1100 wrote to memory of 1620	1100	6b7829cb6f27c9382e48822f36ce2b03.exe	34
PID 1100 wrote to memory of 1620	1100	6b7829cb6f27c9382e48822f36ce2b03.exe	34
PID 1100 wrote to memory of 1620	1100	6b7829cb6f27c9382e48822f36ce2b03.exe	34
PID 1100 wrote to memory of 1620	1100	6b7829cb6f27c9382e48822f36ce2b03.exe	34
PID 1100 wrote to memory of 1620	1100	6b7829cb6f27c9382e48822f36ce2b03.exe	34
PID 1620 wrote to memory of 964	1620	6b7829cb6f27c9382e48822f36ce2b03.exe	35
PID 1620 wrote to memory of 964	1620	6b7829cb6f27c9382e48822f36ce2b03.exe	35
PID 1620 wrote to memory of 964	1620	6b7829cb6f27c9382e48822f36ce2b03.exe	35
PID 1620 wrote to memory of 964	1620	6b7829cb6f27c9382e48822f36ce2b03.exe	35
PID 1620 wrote to memory of 964	1620	6b7829cb6f27c9382e48822f36ce2b03.exe	35
PID 1620 wrote to memory of 964	1620	6b7829cb6f27c9382e48822f36ce2b03.exe	35
PID 1620 wrote to memory of 964	1620	6b7829cb6f27c9382e48822f36ce2b03.exe	35
PID 964 wrote to memory of 944	964	updatewin1.exe	37
PID 964 wrote to memory of 944	964	updatewin1.exe	37
PID 964 wrote to memory of 944	964	updatewin1.exe	37
PID 964 wrote to memory of 944	964	updatewin1.exe	37
PID 964 wrote to memory of 944	964	updatewin1.exe	37
PID 964 wrote to memory of 944	964	updatewin1.exe	37
PID 964 wrote to memory of 944	964	updatewin1.exe	37
PID 944 wrote to memory of 1908	944	updatewin1.exe	38
PID 944 wrote to memory of 1908	944	updatewin1.exe	38
PID 944 wrote to memory of 1908	944	updatewin1.exe	38
PID 944 wrote to memory of 1908	944	updatewin1.exe	38
PID 944 wrote to memory of 1908	944	updatewin1.exe	38
PID 944 wrote to memory of 1908	944	updatewin1.exe	38
PID 944 wrote to memory of 1908	944	updatewin1.exe	38
PID 1620 wrote to memory of 580	1620	6b7829cb6f27c9382e48822f36ce2b03.exe	40
PID 1620 wrote to memory of 580	1620	6b7829cb6f27c9382e48822f36ce2b03.exe	40
PID 1620 wrote to memory of 580	1620	6b7829cb6f27c9382e48822f36ce2b03.exe	40
PID 1620 wrote to memory of 580	1620	6b7829cb6f27c9382e48822f36ce2b03.exe	40
PID 1620 wrote to memory of 580	1620	6b7829cb6f27c9382e48822f36ce2b03.exe	40
PID 1620 wrote to memory of 580	1620	6b7829cb6f27c9382e48822f36ce2b03.exe	40
PID 1620 wrote to memory of 580	1620	6b7829cb6f27c9382e48822f36ce2b03.exe	40
PID 944 wrote to memory of 1408	944	updatewin1.exe	41
PID 944 wrote to memory of 1408	944	updatewin1.exe	41
PID 944 wrote to memory of 1408	944	updatewin1.exe	41
PID 944 wrote to memory of 1408	944	updatewin1.exe	41
PID 944 wrote to memory of 1408	944	updatewin1.exe	41
PID 944 wrote to memory of 1408	944	updatewin1.exe	41

C:\Users\Admin\AppData\Local\Temp\6b7829cb6f27c9382e48822f36ce2b03.exe
"C:\Users\Admin\AppData\Local\Temp\6b7829cb6f27c9382e48822f36ce2b03.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1644
- C:\Users\Admin\AppData\Local\Temp\6b7829cb6f27c9382e48822f36ce2b03.exe
  "C:\Users\Admin\AppData\Local\Temp\6b7829cb6f27c9382e48822f36ce2b03.exe"
  2⤵
  - Adds Run key to start application
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1700
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\30f22ef8-8950-4b66-ba63-da3c8a0b51cb" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:1584
- - C:\Users\Admin\AppData\Local\Temp\6b7829cb6f27c9382e48822f36ce2b03.exe
    "C:\Users\Admin\AppData\Local\Temp\6b7829cb6f27c9382e48822f36ce2b03.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1100
  - - C:\Users\Admin\AppData\Local\Temp\6b7829cb6f27c9382e48822f36ce2b03.exe
      "C:\Users\Admin\AppData\Local\Temp\6b7829cb6f27c9382e48822f36ce2b03.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      Loads dropped DLL
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1620
    - - C:\Users\Admin\AppData\Local\507d6186-c533-48bc-b4d4-716e92cc8dd4\updatewin1.exe
        
        "C:\Users\Admin\AppData\Local\507d6186-c533-48bc-b4d4-716e92cc8dd4\updatewin1.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:964
      - C:\Users\Admin\AppData\Local\507d6186-c533-48bc-b4d4-716e92cc8dd4\updatewin1.exe
        
        "C:\Users\Admin\AppData\Local\507d6186-c533-48bc-b4d4-716e92cc8dd4\updatewin1.exe" --Admin
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:944
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-ExecutionPolicy -Scope CurrentUser RemoteSigned
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1908
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -NoProfile -ExecutionPolicy Bypass -Command "& {Start-Process PowerShell -ArgumentList '-NoProfile -ExecutionPolicy Bypass -File ""C:\Users\Admin\AppData\Local\script.ps1""' -Verb RunAs}"
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1408
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\script.ps1
        8⤵
        
        PID:1968
        
        C:\Program Files\Windows Defender\mpcmdrun.exe
        
        "C:\Program Files\Windows Defender\mpcmdrun.exe" -removedefinitions -all
        7⤵
        Deletes Windows Defender Definitions
        
        PID:580
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\delself.bat""
        7⤵
        
        PID:820
    - - C:\Users\Admin\AppData\Local\507d6186-c533-48bc-b4d4-716e92cc8dd4\updatewin2.exe
        
        "C:\Users\Admin\AppData\Local\507d6186-c533-48bc-b4d4-716e92cc8dd4\updatewin2.exe"
        5⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:580
    - - C:\Users\Admin\AppData\Local\507d6186-c533-48bc-b4d4-716e92cc8dd4\5.exe
        
        "C:\Users\Admin\AppData\Local\507d6186-c533-48bc-b4d4-716e92cc8dd4\5.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1656
      - C:\Users\Admin\AppData\Local\507d6186-c533-48bc-b4d4-716e92cc8dd4\5.exe
        
        "C:\Users\Admin\AppData\Local\507d6186-c533-48bc-b4d4-716e92cc8dd4\5.exe"
        6⤵
        Executes dropped EXE
        
        PID:1104
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im 5.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\507d6186-c533-48bc-b4d4-716e92cc8dd4\5.exe" & del C:\ProgramData\*.dll & exit
        7⤵
        
        PID:884
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im 5.exe /f
        8⤵
        Kills process with taskkill
        
        PID:328
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        8⤵
        Delays execution with timeout.exe
        
        PID:524

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/580-107-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/944-98-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/964-97-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1104-161-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/1408-147-0x00000000062A0000-0x00000000062A1000-memory.dmp

Filesize
4KB

Download
memory/1408-135-0x0000000005520000-0x0000000005521000-memory.dmp

Filesize
4KB

Download
memory/1408-130-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/1408-131-0x0000000004960000-0x0000000004961000-memory.dmp

Filesize
4KB

Download
memory/1408-132-0x0000000002840000-0x0000000002841000-memory.dmp

Filesize
4KB

Download
memory/1408-133-0x0000000002090000-0x0000000002CDA000-memory.dmp

Filesize
12.3MB

Download
memory/1620-78-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1644-63-0x0000000001DB0000-0x0000000001ECB000-memory.dmp

Filesize
1.1MB

Download
memory/1656-165-0x0000000000220000-0x00000000002B8000-memory.dmp

Filesize
608KB

Download
memory/1700-64-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1700-62-0x0000000075041000-0x0000000075043000-memory.dmp

Filesize
8KB

Download
memory/1700-60-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1908-112-0x00000000057B0000-0x00000000057B1000-memory.dmp

Filesize
4KB

Download
memory/1908-106-0x0000000004AE2000-0x0000000004AE3000-memory.dmp

Filesize
4KB

Download
memory/1908-100-0x0000000004B20000-0x0000000004B21000-memory.dmp

Filesize
4KB

Download
memory/1908-126-0x0000000006360000-0x0000000006361000-memory.dmp

Filesize
4KB

Download
memory/1908-119-0x0000000006240000-0x0000000006241000-memory.dmp

Filesize
4KB

Download
memory/1908-118-0x00000000061C0000-0x00000000061C1000-memory.dmp

Filesize
4KB

Download
memory/1908-99-0x0000000000A90000-0x0000000000A91000-memory.dmp

Filesize
4KB

Download
memory/1908-117-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download
memory/1908-105-0x0000000004AE0000-0x0000000004AE1000-memory.dmp

Filesize
4KB

Download
memory/1908-108-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/1908-109-0x0000000002870000-0x0000000002871000-memory.dmp

Filesize
4KB

Download
memory/1968-152-0x00000000022B0000-0x00000000022B1000-memory.dmp

Filesize
4KB

Download
memory/1968-155-0x0000000004B50000-0x0000000004B51000-memory.dmp

Filesize
4KB

Download
memory/1968-156-0x0000000004B52000-0x0000000004B53000-memory.dmp

Filesize
4KB

Download