djvu | 3e4676b65c821a9509ba52b43e12248a75cc8f68b212d9852786cc6424003d60

Analysis

max time kernel
66s
max time network
129s
platform
windows10_x64
resource
win10v20210410
submitted
10-06-2021 14:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6b7829cb6f27c9382e48822f36ce2b03.exe
Size

859KB
MD5

6b7829cb6f27c9382e48822f36ce2b03
SHA1

190cd052a6de77dfa081172a7917dde892632d97
SHA256

3e4676b65c821a9509ba52b43e12248a75cc8f68b212d9852786cc6424003d60
SHA512

3a1f2edd75ed62939cfe4a3becef1cf844fbd9e04786e007f13688812dd8f292561b2092153f1ab19d46fa1a20163805184ddbdea9dda8dbc23963525362909b

Score

10^/10

djvu vidar 517 discovery evasion persistence ransomware spyware stealer

Malware Config

Extracted

Family

vidar

Version

39.3

Botnet

517

https://bandakere.tumblr.com/

Attributes

profile_id
517

Signatures

Deletes Windows Defender Definitions 2 TTPs 1 IoCs
Uses mpcmdrun utility to delete all AV definitions.
evasion

Impair Defenses
T1562

Command-Line Interface
T1059

Processes:

mpcmdrun.exe

pid process

2084 mpcmdrun.exe

pid	process
2084	mpcmdrun.exe

Detected Djvu ransomeware 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3692-114-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3692-115-0x0000000000424141-mapping.dmp	family_djvu
behavioral2/memory/4056-116-0x0000000002250000-0x000000000236B000-memory.dmp	family_djvu
behavioral2/memory/3692-117-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1868-122-0x0000000000424141-mapping.dmp	family_djvu
behavioral2/memory/1868-128-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Vidar Stealer 4 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/3808-147-0x0000000000400000-0x000000000049B000-memory.dmp	family_vidar
behavioral2/memory/3808-148-0x00000000004680AD-mapping.dmp	family_vidar
behavioral2/memory/4092-156-0x0000000002170000-0x0000000002208000-memory.dmp	family_vidar
behavioral2/memory/3808-157-0x0000000000400000-0x000000000049B000-memory.dmp	family_vidar

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs

Processes:

updatewin2.exe

description ioc process

File opened for modification C:\Windows\System32\drivers\etc\hosts updatewin2.exe
Executes dropped EXE 5 IoCs

Processes:

updatewin1.exeupdatewin2.exeupdatewin1.exe5.exe5.exe

pid process

3568 updatewin1.exe
2392 updatewin2.exe
2444 updatewin1.exe
4092 5.exe
3808 5.exe
Loads dropped DLL 2 IoCs

Processes:

5.exe

pid process

3808 5.exe
3808 5.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

2068 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	updatewin2.exe

pid	process
3568	updatewin1.exe
2392	updatewin2.exe
2444	updatewin1.exe
4092	5.exe
3808	5.exe

pid	process
3808	5.exe
3808	5.exe

pid	process
2068	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

6b7829cb6f27c9382e48822f36ce2b03.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\aeca3fbb-7ce2-4980-ad83-eb269b28c93a\\6b7829cb6f27c9382e48822f36ce2b03.exe\" --AutoStart"	6b7829cb6f27c9382e48822f36ce2b03.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

9 api.2ip.ua
10 api.2ip.ua
21 api.2ip.ua

flow	ioc
9	api.2ip.ua
10	api.2ip.ua
21	api.2ip.ua

Suspicious use of SetThreadContext 3 IoCs

Processes:

6b7829cb6f27c9382e48822f36ce2b03.exe6b7829cb6f27c9382e48822f36ce2b03.exe5.exe

description	pid	process	target process
PID 4056 set thread context of 3692	4056	6b7829cb6f27c9382e48822f36ce2b03.exe	6b7829cb6f27c9382e48822f36ce2b03.exe
PID 2428 set thread context of 1868	2428	6b7829cb6f27c9382e48822f36ce2b03.exe	6b7829cb6f27c9382e48822f36ce2b03.exe
PID 4092 set thread context of 3808	4092	5.exe	5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	5.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	5.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2236 timeout.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

364 taskkill.exe

pid	process
2236	timeout.exe

pid	process
364	taskkill.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

6b7829cb6f27c9382e48822f36ce2b03.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	6b7829cb6f27c9382e48822f36ce2b03.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	6b7829cb6f27c9382e48822f36ce2b03.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

6b7829cb6f27c9382e48822f36ce2b03.exe6b7829cb6f27c9382e48822f36ce2b03.exepowershell.exe5.exepowershell.exepowershell.exe

pid	process
3692	6b7829cb6f27c9382e48822f36ce2b03.exe
3692	6b7829cb6f27c9382e48822f36ce2b03.exe
1868	6b7829cb6f27c9382e48822f36ce2b03.exe
1868	6b7829cb6f27c9382e48822f36ce2b03.exe
1292	powershell.exe
1292	powershell.exe
1292	powershell.exe
3808	5.exe
3808	5.exe
3808	5.exe
3808	5.exe
3808	5.exe
3808	5.exe
3808	5.exe
3808	5.exe
1292	powershell.exe
2340	powershell.exe
2340	powershell.exe
2340	powershell.exe
1556	powershell.exe
1556	powershell.exe
1556	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	1292	powershell.exe
Token: SeDebugPrivilege	2340	powershell.exe
Token: SeDebugPrivilege	1556	powershell.exe
Token: SeDebugPrivilege	364	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6b7829cb6f27c9382e48822f36ce2b03.exe6b7829cb6f27c9382e48822f36ce2b03.exe6b7829cb6f27c9382e48822f36ce2b03.exe6b7829cb6f27c9382e48822f36ce2b03.exeupdatewin1.exeupdatewin1.exe5.exepowershell.exe5.execmd.exe

description	pid	process	target process
PID 4056 wrote to memory of 3692	4056	6b7829cb6f27c9382e48822f36ce2b03.exe	6b7829cb6f27c9382e48822f36ce2b03.exe
PID 4056 wrote to memory of 3692	4056	6b7829cb6f27c9382e48822f36ce2b03.exe	6b7829cb6f27c9382e48822f36ce2b03.exe
PID 4056 wrote to memory of 3692	4056	6b7829cb6f27c9382e48822f36ce2b03.exe	6b7829cb6f27c9382e48822f36ce2b03.exe
PID 4056 wrote to memory of 3692	4056	6b7829cb6f27c9382e48822f36ce2b03.exe	6b7829cb6f27c9382e48822f36ce2b03.exe
PID 4056 wrote to memory of 3692	4056	6b7829cb6f27c9382e48822f36ce2b03.exe	6b7829cb6f27c9382e48822f36ce2b03.exe
PID 4056 wrote to memory of 3692	4056	6b7829cb6f27c9382e48822f36ce2b03.exe	6b7829cb6f27c9382e48822f36ce2b03.exe
PID 4056 wrote to memory of 3692	4056	6b7829cb6f27c9382e48822f36ce2b03.exe	6b7829cb6f27c9382e48822f36ce2b03.exe
PID 4056 wrote to memory of 3692	4056	6b7829cb6f27c9382e48822f36ce2b03.exe	6b7829cb6f27c9382e48822f36ce2b03.exe
PID 4056 wrote to memory of 3692	4056	6b7829cb6f27c9382e48822f36ce2b03.exe	6b7829cb6f27c9382e48822f36ce2b03.exe
PID 4056 wrote to memory of 3692	4056	6b7829cb6f27c9382e48822f36ce2b03.exe	6b7829cb6f27c9382e48822f36ce2b03.exe
PID 3692 wrote to memory of 2068	3692	6b7829cb6f27c9382e48822f36ce2b03.exe	icacls.exe
PID 3692 wrote to memory of 2068	3692	6b7829cb6f27c9382e48822f36ce2b03.exe	icacls.exe
PID 3692 wrote to memory of 2068	3692	6b7829cb6f27c9382e48822f36ce2b03.exe	icacls.exe
PID 3692 wrote to memory of 2428	3692	6b7829cb6f27c9382e48822f36ce2b03.exe	6b7829cb6f27c9382e48822f36ce2b03.exe
PID 3692 wrote to memory of 2428	3692	6b7829cb6f27c9382e48822f36ce2b03.exe	6b7829cb6f27c9382e48822f36ce2b03.exe
PID 3692 wrote to memory of 2428	3692	6b7829cb6f27c9382e48822f36ce2b03.exe	6b7829cb6f27c9382e48822f36ce2b03.exe
PID 2428 wrote to memory of 1868	2428	6b7829cb6f27c9382e48822f36ce2b03.exe	6b7829cb6f27c9382e48822f36ce2b03.exe
PID 2428 wrote to memory of 1868	2428	6b7829cb6f27c9382e48822f36ce2b03.exe	6b7829cb6f27c9382e48822f36ce2b03.exe
PID 2428 wrote to memory of 1868	2428	6b7829cb6f27c9382e48822f36ce2b03.exe	6b7829cb6f27c9382e48822f36ce2b03.exe
PID 2428 wrote to memory of 1868	2428	6b7829cb6f27c9382e48822f36ce2b03.exe	6b7829cb6f27c9382e48822f36ce2b03.exe
PID 2428 wrote to memory of 1868	2428	6b7829cb6f27c9382e48822f36ce2b03.exe	6b7829cb6f27c9382e48822f36ce2b03.exe
PID 2428 wrote to memory of 1868	2428	6b7829cb6f27c9382e48822f36ce2b03.exe	6b7829cb6f27c9382e48822f36ce2b03.exe
PID 2428 wrote to memory of 1868	2428	6b7829cb6f27c9382e48822f36ce2b03.exe	6b7829cb6f27c9382e48822f36ce2b03.exe
PID 2428 wrote to memory of 1868	2428	6b7829cb6f27c9382e48822f36ce2b03.exe	6b7829cb6f27c9382e48822f36ce2b03.exe
PID 2428 wrote to memory of 1868	2428	6b7829cb6f27c9382e48822f36ce2b03.exe	6b7829cb6f27c9382e48822f36ce2b03.exe
PID 2428 wrote to memory of 1868	2428	6b7829cb6f27c9382e48822f36ce2b03.exe	6b7829cb6f27c9382e48822f36ce2b03.exe
PID 1868 wrote to memory of 3568	1868	6b7829cb6f27c9382e48822f36ce2b03.exe	updatewin1.exe
PID 1868 wrote to memory of 3568	1868	6b7829cb6f27c9382e48822f36ce2b03.exe	updatewin1.exe
PID 1868 wrote to memory of 3568	1868	6b7829cb6f27c9382e48822f36ce2b03.exe	updatewin1.exe
PID 1868 wrote to memory of 2392	1868	6b7829cb6f27c9382e48822f36ce2b03.exe	updatewin2.exe
PID 1868 wrote to memory of 2392	1868	6b7829cb6f27c9382e48822f36ce2b03.exe	updatewin2.exe
PID 1868 wrote to memory of 2392	1868	6b7829cb6f27c9382e48822f36ce2b03.exe	updatewin2.exe
PID 3568 wrote to memory of 2444	3568	updatewin1.exe	updatewin1.exe
PID 3568 wrote to memory of 2444	3568	updatewin1.exe	updatewin1.exe
PID 3568 wrote to memory of 2444	3568	updatewin1.exe	updatewin1.exe
PID 1868 wrote to memory of 4092	1868	6b7829cb6f27c9382e48822f36ce2b03.exe	5.exe
PID 1868 wrote to memory of 4092	1868	6b7829cb6f27c9382e48822f36ce2b03.exe	5.exe
PID 1868 wrote to memory of 4092	1868	6b7829cb6f27c9382e48822f36ce2b03.exe	5.exe
PID 2444 wrote to memory of 1292	2444	updatewin1.exe	powershell.exe
PID 2444 wrote to memory of 1292	2444	updatewin1.exe	powershell.exe
PID 2444 wrote to memory of 1292	2444	updatewin1.exe	powershell.exe
PID 4092 wrote to memory of 3808	4092	5.exe	5.exe
PID 4092 wrote to memory of 3808	4092	5.exe	5.exe
PID 4092 wrote to memory of 3808	4092	5.exe	5.exe
PID 4092 wrote to memory of 3808	4092	5.exe	5.exe
PID 4092 wrote to memory of 3808	4092	5.exe	5.exe
PID 4092 wrote to memory of 3808	4092	5.exe	5.exe
PID 4092 wrote to memory of 3808	4092	5.exe	5.exe
PID 4092 wrote to memory of 3808	4092	5.exe	5.exe
PID 2444 wrote to memory of 2340	2444	updatewin1.exe	powershell.exe
PID 2444 wrote to memory of 2340	2444	updatewin1.exe	powershell.exe
PID 2444 wrote to memory of 2340	2444	updatewin1.exe	powershell.exe
PID 2340 wrote to memory of 1556	2340	powershell.exe	powershell.exe
PID 2340 wrote to memory of 1556	2340	powershell.exe	powershell.exe
PID 2340 wrote to memory of 1556	2340	powershell.exe	powershell.exe
PID 2444 wrote to memory of 2084	2444	updatewin1.exe	mpcmdrun.exe
PID 2444 wrote to memory of 2084	2444	updatewin1.exe	mpcmdrun.exe
PID 2444 wrote to memory of 1964	2444	updatewin1.exe	cmd.exe
PID 2444 wrote to memory of 1964	2444	updatewin1.exe	cmd.exe
PID 2444 wrote to memory of 1964	2444	updatewin1.exe	cmd.exe
PID 3808 wrote to memory of 3896	3808	5.exe	cmd.exe
PID 3808 wrote to memory of 3896	3808	5.exe	cmd.exe
PID 3808 wrote to memory of 3896	3808	5.exe	cmd.exe
PID 3896 wrote to memory of 364	3896	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\6b7829cb6f27c9382e48822f36ce2b03.exe
"C:\Users\Admin\AppData\Local\Temp\6b7829cb6f27c9382e48822f36ce2b03.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4056

C:\Users\Admin\AppData\Local\Temp\6b7829cb6f27c9382e48822f36ce2b03.exe
"C:\Users\Admin\AppData\Local\Temp\6b7829cb6f27c9382e48822f36ce2b03.exe"
2⤵
- Adds Run key to start application
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3692

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\aeca3fbb-7ce2-4980-ad83-eb269b28c93a" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:2068

C:\Users\Admin\AppData\Local\Temp\6b7829cb6f27c9382e48822f36ce2b03.exe
"C:\Users\Admin\AppData\Local\Temp\6b7829cb6f27c9382e48822f36ce2b03.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2428

C:\Users\Admin\AppData\Local\Temp\6b7829cb6f27c9382e48822f36ce2b03.exe
"C:\Users\Admin\AppData\Local\Temp\6b7829cb6f27c9382e48822f36ce2b03.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1868

C:\Users\Admin\AppData\Local\dfd1f9f7-f4bc-433f-95e7-4a5c87d0ab5f\updatewin1.exe
"C:\Users\Admin\AppData\Local\dfd1f9f7-f4bc-433f-95e7-4a5c87d0ab5f\updatewin1.exe"
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3568

C:\Users\Admin\AppData\Local\dfd1f9f7-f4bc-433f-95e7-4a5c87d0ab5f\updatewin1.exe
"C:\Users\Admin\AppData\Local\dfd1f9f7-f4bc-433f-95e7-4a5c87d0ab5f\updatewin1.exe" --Admin
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2444

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-ExecutionPolicy -Scope CurrentUser RemoteSigned
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1292

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -NoProfile -ExecutionPolicy Bypass -Command "& {Start-Process PowerShell -ArgumentList '-NoProfile -ExecutionPolicy Bypass -File ""C:\Users\Admin\AppData\Local\script.ps1""' -Verb RunAs}"
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2340

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\script.ps1
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1556

C:\Program Files\Windows Defender\mpcmdrun.exe
"C:\Program Files\Windows Defender\mpcmdrun.exe" -removedefinitions -all
7⤵
- Deletes Windows Defender Definitions
PID:2084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\delself.bat""
7⤵
PID:1964

C:\Users\Admin\AppData\Local\dfd1f9f7-f4bc-433f-95e7-4a5c87d0ab5f\updatewin2.exe
"C:\Users\Admin\AppData\Local\dfd1f9f7-f4bc-433f-95e7-4a5c87d0ab5f\updatewin2.exe"
5⤵
- Drops file in Drivers directory
- Executes dropped EXE
PID:2392

C:\Users\Admin\AppData\Local\dfd1f9f7-f4bc-433f-95e7-4a5c87d0ab5f\5.exe
"C:\Users\Admin\AppData\Local\dfd1f9f7-f4bc-433f-95e7-4a5c87d0ab5f\5.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4092

C:\Users\Admin\AppData\Local\dfd1f9f7-f4bc-433f-95e7-4a5c87d0ab5f\5.exe
"C:\Users\Admin\AppData\Local\dfd1f9f7-f4bc-433f-95e7-4a5c87d0ab5f\5.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3808

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im 5.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\dfd1f9f7-f4bc-433f-95e7-4a5c87d0ab5f\5.exe" & del C:\ProgramData\*.dll & exit
7⤵
- Suspicious use of WriteProcessMemory
PID:3896

C:\Windows\SysWOW64\taskkill.exe
taskkill /im 5.exe /f
8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:364

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
8⤵
- Delays execution with timeout.exe
PID:2236

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

File Permissions Modification

T1222

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\freebl3.dll
MD5
ef2834ac4ee7d6724f255beaf527e635

SHA1
5be8c1e73a21b49f353c2ecfa4108e43a883cb7b

SHA256
a770ecba3b08bbabd0a567fc978e50615f8b346709f8eb3cfacf3faab24090ba

SHA512
c6ea0e4347cbd7ef5e80ae8c0afdca20ea23ac2bdd963361dfaf562a9aed58dcbc43f89dd826692a064d76c3f4b3e92361af7b79a6d16a75d9951591ae3544d2

Download Submit
C:\ProgramData\mozglue.dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
C:\ProgramData\msvcp140.dll
MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
C:\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
C:\ProgramData\softokn3.dll
MD5
a2ee53de9167bf0d6c019303b7ca84e5

SHA1
2a3c737fa1157e8483815e98b666408a18c0db42

SHA256
43536adef2ddcc811c28d35fa6ce3031029a2424ad393989db36169ff2995083

SHA512
45b56432244f86321fa88fbcca6a0d2a2f7f4e0648c1d7d7b1866adc9daa5eddd9f6bb73662149f279c9ab60930dad1113c8337cb5e6ec9eed5048322f65f7d8

Download Submit
C:\ProgramData\vcruntime140.dll
MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
6c9d7335581aad68a97c8651f474f247

SHA1
c85ceebbfc152ee38955e1e677c6c0529383d442

SHA256
1ced81b3342e00024e68783e8c12177553655371248312d887410b1069734d37

SHA512
db983e883dbe5ac06482f54460d8395fbe11cb7fc22aa78d6cfe239f3c45316f8024655ab7a8dd7fd8f28d881150fe1bb8611a21b36af869b5a1fecdb89538ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
6eec4fd7b63862772cd27236afa8df42

SHA1
3e88ba24bd67164a7a23b12479bb2240d9bbe396

SHA256
c8dbf29a64bd19425d670fa773a0de234fe3af8eac26d1b87e3ac2afa7cd938d

SHA512
6a160db1c792e72b3571248d1f0c47f2ebcbc23edb64546b201a2f27655e560532e85c3515b93619062333c261e8fefb40384fb548546f016f2776b3819da940

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
8c9b40b364e0817ebd499fee58a7e39d

SHA1
b50e93027db2d335e0af0e90475d9071a94ce61a

SHA256
5d9bb504a5482ecaa8b2c0f47aa792518b364319f7f7be00c51f9638cef0c1f7

SHA512
234170ee4b7dd920fd631f06abfb1c66752d412f55da70764209e3313a5ed0296a5dcf081c6c0b57c361f30ecdcebf2d1ecc620c2aad77a32b748fd84d4b36d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
e9eecfd64c815ddfe23fad796cff81b5

SHA1
e8d4b8da4864818905b98a18cd00ca39f8e3126a

SHA256
4cb4df2390020699a0598a1f12260577a6c62bfc15382d5351ca7859d455ccb7

SHA512
0dbd53640553901f713323dd0c13e41596f3aa3000fd6e63c3247f9f56dca412834260fe4ed710f42f700a8b2691527168086e85142f1e1f7585985b3d870e64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
13151583954f0def829054cc3eae25ec

SHA1
2a2b013e8d4201ddc8a80f9680931873702d0213

SHA256
eb542ae9c791940e8e74833eb50543dbbcbc8bf8485698fad82a8b079546c8a7

SHA512
3f7a6d0e5ca29de7b02f5cb993c508ce0c0df12c3d970a3ad6da95149b4cb5cc7a138e7ed6f83e910cb39120f199b3f74fc0ec1a14ca86435a52f247c2514aaf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
001d628ef2372dd6abfa8599ac1aeb1e

SHA1
4567696501a7368e5336bb44f5b840418a889f1c

SHA256
918954548305fba3dce393c12c0bdd69568855587456767f02d68b11615317e4

SHA512
ad01d01afb31d4960608f2139daa6e0e1aceac4e34fd4c727a6f821ced9e8626570e0275b2ea07b4be7d7e7f609604d66379887b8c92c9bb4d687bf3ef78a52a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
f5170b12ec2a7c7f165f35e0c33c725d

SHA1
49047e5179084bf7d405d1e386422f4c52bf69c6

SHA256
37d6f881b419a0f04f954aa28803abdd3d8b456d391ef0d013145fa0be775a1c

SHA512
091b70f5827cf3d66c9102ff0d4781e250fb0ee231f66cbd48e84c73d4d3b005bba0f8fc7ba99c5e8ec410bd4f1e364c454b3d65c3940d75a297c00d968bce98

Download Submit
C:\Users\Admin\AppData\Local\Temp\delself.bat
MD5
755365344ad0ebe2499459e836871c2d

SHA1
41e59d0600407e93552cad4946115a0c6bdd1ef8

SHA256
bd3d0b24c7a682218bbc18c87b19fc97e9e0613a6a735c51f328d1ec176f996d

SHA512
9c839d469740fda0f6a2fa9c85a060bccaffd0a56ae15aeb02303d09aaed813d092150215c5989c8ae85095527a88e9987af89e33db2e5bf1973b424ee330357

Download Submit
C:\Users\Admin\AppData\Local\aeca3fbb-7ce2-4980-ad83-eb269b28c93a\6b7829cb6f27c9382e48822f36ce2b03.exe
MD5
6b7829cb6f27c9382e48822f36ce2b03

SHA1
190cd052a6de77dfa081172a7917dde892632d97

SHA256
3e4676b65c821a9509ba52b43e12248a75cc8f68b212d9852786cc6424003d60

SHA512
3a1f2edd75ed62939cfe4a3becef1cf844fbd9e04786e007f13688812dd8f292561b2092153f1ab19d46fa1a20163805184ddbdea9dda8dbc23963525362909b

Download Submit
C:\Users\Admin\AppData\Local\dfd1f9f7-f4bc-433f-95e7-4a5c87d0ab5f\5.exe
MD5
a9b0f21cb30e239e1f3af96eb376a0ba

SHA1
d72a31a0f8ade8bddab2f4bbc4b0c65886f09b92

SHA256
18076f163aef93f57db14eece15b18ca68f344da2f4c59a329de178752f14e2c

SHA512
8cee0ff718455d5d157f74ba2fda9e73d26b33319f9d98df2f9049910f5fe0c25aacdc066df3b65e5adbe22e2fb470498304481b440e15a487d1411ba69c429f

Download Submit
C:\Users\Admin\AppData\Local\dfd1f9f7-f4bc-433f-95e7-4a5c87d0ab5f\5.exe
MD5
a9b0f21cb30e239e1f3af96eb376a0ba

SHA1
d72a31a0f8ade8bddab2f4bbc4b0c65886f09b92

SHA256
18076f163aef93f57db14eece15b18ca68f344da2f4c59a329de178752f14e2c

SHA512
8cee0ff718455d5d157f74ba2fda9e73d26b33319f9d98df2f9049910f5fe0c25aacdc066df3b65e5adbe22e2fb470498304481b440e15a487d1411ba69c429f

Download Submit
C:\Users\Admin\AppData\Local\dfd1f9f7-f4bc-433f-95e7-4a5c87d0ab5f\5.exe
MD5
a9b0f21cb30e239e1f3af96eb376a0ba

SHA1
d72a31a0f8ade8bddab2f4bbc4b0c65886f09b92

SHA256
18076f163aef93f57db14eece15b18ca68f344da2f4c59a329de178752f14e2c

SHA512
8cee0ff718455d5d157f74ba2fda9e73d26b33319f9d98df2f9049910f5fe0c25aacdc066df3b65e5adbe22e2fb470498304481b440e15a487d1411ba69c429f

Download Submit
C:\Users\Admin\AppData\Local\dfd1f9f7-f4bc-433f-95e7-4a5c87d0ab5f\updatewin1.exe
MD5
5b4bd24d6240f467bfbc74803c9f15b0

SHA1
c17f98c182d299845c54069872e8137645768a1a

SHA256
14c7bec7369d4175c6d92554b033862b3847ff98a04dfebdf9f5bb30180ed13e

SHA512
a896acc38a6ff9641b0803f0598369c0d4fa8e38da28c1653c57948fe5e3274880d1b2e7959cd1b1da43375a1318b3ba72e13240bf40b27c852ee72bbb16cadc

Download Submit
C:\Users\Admin\AppData\Local\dfd1f9f7-f4bc-433f-95e7-4a5c87d0ab5f\updatewin1.exe
MD5
5b4bd24d6240f467bfbc74803c9f15b0

SHA1
c17f98c182d299845c54069872e8137645768a1a

SHA256
14c7bec7369d4175c6d92554b033862b3847ff98a04dfebdf9f5bb30180ed13e

SHA512
a896acc38a6ff9641b0803f0598369c0d4fa8e38da28c1653c57948fe5e3274880d1b2e7959cd1b1da43375a1318b3ba72e13240bf40b27c852ee72bbb16cadc

Download Submit
C:\Users\Admin\AppData\Local\dfd1f9f7-f4bc-433f-95e7-4a5c87d0ab5f\updatewin1.exe
MD5
5b4bd24d6240f467bfbc74803c9f15b0

SHA1
c17f98c182d299845c54069872e8137645768a1a

SHA256
14c7bec7369d4175c6d92554b033862b3847ff98a04dfebdf9f5bb30180ed13e

SHA512
a896acc38a6ff9641b0803f0598369c0d4fa8e38da28c1653c57948fe5e3274880d1b2e7959cd1b1da43375a1318b3ba72e13240bf40b27c852ee72bbb16cadc

Download Submit
C:\Users\Admin\AppData\Local\dfd1f9f7-f4bc-433f-95e7-4a5c87d0ab5f\updatewin2.exe
MD5
996ba35165bb62473d2a6743a5200d45

SHA1
52169b0b5cce95c6905873b8d12a759c234bd2e0

SHA256
5caffdc76a562e098c471feaede5693f9ead92d5c6c10fb3951dd1fa6c12d21d

SHA512
2a7fb9bdf8dcf577ac851752f8875a710a3694b99d107c397942fce1392fd99ee0b85f1fddc18c33fba56d7b8fd4dda5f40f28e64d8398e6048c2ab140780634

Download Submit
C:\Users\Admin\AppData\Local\dfd1f9f7-f4bc-433f-95e7-4a5c87d0ab5f\updatewin2.exe
MD5
996ba35165bb62473d2a6743a5200d45

SHA1
52169b0b5cce95c6905873b8d12a759c234bd2e0

SHA256
5caffdc76a562e098c471feaede5693f9ead92d5c6c10fb3951dd1fa6c12d21d

SHA512
2a7fb9bdf8dcf577ac851752f8875a710a3694b99d107c397942fce1392fd99ee0b85f1fddc18c33fba56d7b8fd4dda5f40f28e64d8398e6048c2ab140780634

Download Submit
C:\Users\Admin\AppData\Local\script.ps1
MD5
f972c62f986b5ed49ad7713d93bf6c9f

SHA1
4e157002bdb97e9526ab97bfafbf7c67e1d1efbf

SHA256
b47f85974a7ec2fd5aa82d52f08eb0f6cea7e596a98dd29e8b85b5c37beca0a8

SHA512
2c9e2e1b8b6cb5ffe3edf5dfbc2c3b917cd15ba6a5e5264207a43b02ce7020f44f5088aca195f7b428699f0d6bd693ce557a0227d67bbb4795e350a97314e9c4

Download Submit
\ProgramData\mozglue.dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
memory/364-234-0x0000000000000000-mapping.dmp

Download
memory/1292-145-0x0000000006780000-0x0000000006781000-memory.dmp

Filesize
4KB

Download
memory/1292-160-0x0000000007920000-0x0000000007921000-memory.dmp

Filesize
4KB

Download
memory/1292-219-0x0000000006946000-0x0000000006948000-memory.dmp

Filesize
8KB

Download
memory/1292-218-0x0000000006943000-0x0000000006944000-memory.dmp

Filesize
4KB

Download
memory/1292-142-0x0000000000000000-mapping.dmp

Download
memory/1292-150-0x0000000006B90000-0x0000000006B91000-memory.dmp

Filesize
4KB

Download
memory/1292-185-0x0000000008EB0000-0x0000000008EB1000-memory.dmp

Filesize
4KB

Download
memory/1292-153-0x0000000006940000-0x0000000006941000-memory.dmp

Filesize
4KB

Download
memory/1292-154-0x0000000006C30000-0x0000000006C31000-memory.dmp

Filesize
4KB

Download
memory/1292-155-0x0000000006942000-0x0000000006943000-memory.dmp

Filesize
4KB

Download
memory/1292-184-0x000000007F2A0000-0x000000007F2A1000-memory.dmp

Filesize
4KB

Download
memory/1292-183-0x0000000008D20000-0x0000000008D21000-memory.dmp

Filesize
4KB

Download
memory/1292-151-0x0000000006D10000-0x0000000006D11000-memory.dmp

Filesize
4KB

Download
memory/1292-158-0x00000000075B0000-0x00000000075B1000-memory.dmp

Filesize
4KB

Download
memory/1292-159-0x0000000007900000-0x0000000007901000-memory.dmp

Filesize
4KB

Download
memory/1292-146-0x0000000006F80000-0x0000000006F81000-memory.dmp

Filesize
4KB

Download
memory/1292-161-0x0000000007C90000-0x0000000007C91000-memory.dmp

Filesize
4KB

Download
memory/1292-178-0x0000000008970000-0x0000000008971000-memory.dmp

Filesize
4KB

Download
memory/1292-171-0x0000000008990000-0x00000000089C3000-memory.dmp

Filesize
204KB

Download
memory/1556-232-0x0000000006803000-0x0000000006804000-memory.dmp

Filesize
4KB

Download
memory/1556-231-0x000000007E100000-0x000000007E101000-memory.dmp

Filesize
4KB

Download
memory/1556-228-0x0000000006800000-0x0000000006801000-memory.dmp

Filesize
4KB

Download
memory/1556-229-0x0000000006802000-0x0000000006803000-memory.dmp

Filesize
4KB

Download
memory/1556-222-0x0000000000000000-mapping.dmp

Download
memory/1868-128-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1868-122-0x0000000000424141-mapping.dmp

Download
memory/1964-224-0x0000000000000000-mapping.dmp

Download
memory/2068-118-0x0000000000000000-mapping.dmp

Download
memory/2084-223-0x0000000000000000-mapping.dmp

Download
memory/2236-235-0x0000000000000000-mapping.dmp

Download
memory/2340-220-0x0000000001070000-0x0000000001071000-memory.dmp

Filesize
4KB

Download
memory/2340-215-0x0000000000000000-mapping.dmp

Download
memory/2340-221-0x0000000001072000-0x0000000001073000-memory.dmp

Filesize
4KB

Download
memory/2340-227-0x0000000001073000-0x0000000001074000-memory.dmp

Filesize
4KB

Download
memory/2392-141-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2392-132-0x0000000000000000-mapping.dmp

Download
memory/2428-120-0x0000000000000000-mapping.dmp

Download
memory/2444-152-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2444-135-0x0000000000000000-mapping.dmp

Download
memory/3568-129-0x0000000000000000-mapping.dmp

Download
memory/3568-137-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3692-114-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3692-117-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3692-115-0x0000000000424141-mapping.dmp

Download
memory/3808-147-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/3808-148-0x00000000004680AD-mapping.dmp

Download
memory/3808-157-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/3896-233-0x0000000000000000-mapping.dmp

Download
memory/4056-116-0x0000000002250000-0x000000000236B000-memory.dmp

Filesize
1.1MB

Download
memory/4092-138-0x0000000000000000-mapping.dmp

Download
memory/4092-156-0x0000000002170000-0x0000000002208000-memory.dmp

Filesize
608KB

Download