6b7829cb6f27c9382e48822f36ce2b03.exe

General
Target:    6b7829cb6f27c9382e48822f36ce2b03.exe
Filesize:  859KB
Completed: 10-06-2021 14:10
Score:     10/10
MD5:       6b7829cb6f27c9382e48822f36ce2b03
SHA1:      190cd052a6de77dfa081172a7917dde892632d97
SHA256:    3e4676b65c821a9509ba52b43e12248a75cc8f68b212d9852786cc6424003d60

Malware Config

Extracted
Family:   vidar
Version:  39.3
Botnet:   517
C2:       https://bandakere.tumblr.com/ (a Tumblr profile page; Vidar reads the address of its actual panel from such a page, so the panel it resolves to is the indicator to block, not only this URL)
Attributes
profile_id: 517
Signatures (26)

Collection
Credential Access
Defense Evasion
Discovery
Execution
Persistence
  • Deletes Windows Defender Definitions
    mpcmdrun.exe

    Description

    Uses the mpcmdrun utility to delete all AV definitions (the "-removedefinitions -all" invocation shown in the process tree).

    TTPs

    Command-Line Interface

    Reported IOCs

    PID   Process
    2084  mpcmdrun.exe
  • Detected Djvu ransomware

    Reported IOCs

    Resource (memory dump)                                                        YARA rule
    behavioral2/memory/3692-114-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
    behavioral2/memory/3692-115-0x0000000000424141-mapping.dmp                    family_djvu
    behavioral2/memory/4056-116-0x0000000002250000-0x000000000236B000-memory.dmp  family_djvu
    behavioral2/memory/3692-117-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
    behavioral2/memory/1868-122-0x0000000000424141-mapping.dmp                    family_djvu
    behavioral2/memory/1868-128-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
  • Djvu Ransomware

    Description

    Ransomware which is a variant of the STOP family.

  • Vidar

    Description

    Vidar is an infostealer based on Arkei stealer.

  • Vidar Stealer

    Reported IOCs

    Resource (memory dump)                                                        YARA rule
    behavioral2/memory/3808-147-0x0000000000400000-0x000000000049B000-memory.dmp  family_vidar
    behavioral2/memory/3808-148-0x00000000004680AD-mapping.dmp                    family_vidar
    behavioral2/memory/4092-156-0x0000000002170000-0x0000000002208000-memory.dmp  family_vidar
    behavioral2/memory/3808-157-0x0000000000400000-0x000000000049B000-memory.dmp  family_vidar
  • Disables Task Manager via registry modification
  • Downloads MZ/PE file
  • Drops file in Drivers directory
    updatewin2.exe

    Reported IOCs

    Description                   IOC                                    Process
    File opened for modification  C:\Windows\System32\drivers\etc\hosts  updatewin2.exe
  • Executes dropped EXE
    updatewin1.exe, updatewin2.exe, updatewin1.exe, 5.exe, 5.exe

    Reported IOCs

    PID   Process
    3568  updatewin1.exe
    2392  updatewin2.exe
    2444  updatewin1.exe
    4092  5.exe
    3808  5.exe
  • Loads dropped DLL
    5.exe

    Reported IOCs

    PID   Process
    3808  5.exe
    3808  5.exe
  • Modifies file permissions
    icacls.exe

    TTPs

    File Permissions Modification

    Reported IOCs

    PID   Process
    2068  icacls.exe
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials and other secrets.

    TTPs

    Data from Local System, Credentials in Files
  • Accesses 2FA software files, possible credential harvesting

    TTPs

    Data from Local System, Credentials in Files
  • Accesses cryptocurrency files/wallets, possible credential harvesting

    TTPs

    Data from Local System, Credentials in Files
  • Adds Run key to start application
    6b7829cb6f27c9382e48822f36ce2b03.exe

    TTPs

    Registry Run Keys / Startup Folder, Modify Registry

    Reported IOCs

    Description      IOC  Process
    Set value (str)  \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\aeca3fbb-7ce2-4980-ad83-eb269b28c93a\\6b7829cb6f27c9382e48822f36ce2b03.exe\" --AutoStart"  6b7829cb6f27c9382e48822f36ce2b03.exe
  • Checks installed software on the system

    Description

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    TTPs

    Query Registry
  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

    Reported IOCs

    Flow  IOC
    9     api.2ip.ua
    10    api.2ip.ua
    21    api.2ip.ua
  • Suspicious use of SetThreadContext
    6b7829cb6f27c9382e48822f36ce2b03.exe, 6b7829cb6f27c9382e48822f36ce2b03.exe, 5.exe

    Reported IOCs

    Description                          PID   Process                               Target process
    PID 4056 set thread context of 3692  4056  6b7829cb6f27c9382e48822f36ce2b03.exe  6b7829cb6f27c9382e48822f36ce2b03.exe
    PID 2428 set thread context of 1868  2428  6b7829cb6f27c9382e48822f36ce2b03.exe  6b7829cb6f27c9382e48822f36ce2b03.exe
    PID 4092 set thread context of 3808  4092  5.exe                                 5.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Checks processor information in registry
    5.exe

    Description

    Processor information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    Description        IOC                                                                                   Process
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  5.exe
    Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      5.exe
  • Delays execution with timeout.exe
    timeout.exe

    Reported IOCs

    PID   Process
    2236  timeout.exe
  • Kills process with taskkill
    taskkill.exe

    Reported IOCs

    PID  Process
    364  taskkill.exe
  • Modifies system certificate store
    6b7829cb6f27c9382e48822f36ce2b03.exe

    Description

    AuthRoot is the store Windows fills on demand with Microsoft-trusted roots when a certificate chain needs one, and the CryptnetUrlCache files listed under Downloads are consistent with such an automatic fetch during the sample's HTTPS traffic. Check the thumbprint against the Microsoft trusted root list before treating this as an attacker-installed root.

    TTPs

    Install Root Certificate, Modify Registry

    Reported IOCs

    Description       IOC  Process
    Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [blob bytes not included in this extract]  6b7829cb6f27c9382e48822f36ce2b03.exe
    Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349  6b7829cb6f27c9382e48822f36ce2b03.exe
  • Suspicious behavior: EnumeratesProcesses
    6b7829cb6f27c9382e48822f36ce2b03.exe, 6b7829cb6f27c9382e48822f36ce2b03.exe, powershell.exe, 5.exe, powershell.exe, powershell.exe

    Reported IOCs (identical rows collapsed; Events = number of reported hits)

    PID   Process                               Events
    3692  6b7829cb6f27c9382e48822f36ce2b03.exe  2
    1868  6b7829cb6f27c9382e48822f36ce2b03.exe  2
    1292  powershell.exe                        4
    3808  5.exe                                 8
    2340  powershell.exe                        3
    1556  powershell.exe                        3
  • Suspicious use of AdjustPrivilegeToken
    powershell.exe, powershell.exe, powershell.exe, taskkill.exe

    Reported IOCs

    Description              PID   Process
    Token: SeDebugPrivilege  1292  powershell.exe
    Token: SeDebugPrivilege  2340  powershell.exe
    Token: SeDebugPrivilege  1556  powershell.exe
    Token: SeDebugPrivilege  364   taskkill.exe
  • Suspicious use of WriteProcessMemory
    6b7829cb6f27c9382e48822f36ce2b03.exe (x4), updatewin1.exe (x2), 5.exe, powershell.exe, 5.exe, cmd.exe

    Reported IOCs (identical rows collapsed; Events = number of reported writes)

    Description                       PID   Process                               Target process                        Events
    PID 4056 wrote to memory of 3692  4056  6b7829cb6f27c9382e48822f36ce2b03.exe  6b7829cb6f27c9382e48822f36ce2b03.exe  10
    PID 3692 wrote to memory of 2068  3692  6b7829cb6f27c9382e48822f36ce2b03.exe  icacls.exe                            3
    PID 3692 wrote to memory of 2428  3692  6b7829cb6f27c9382e48822f36ce2b03.exe  6b7829cb6f27c9382e48822f36ce2b03.exe  3
    PID 2428 wrote to memory of 1868  2428  6b7829cb6f27c9382e48822f36ce2b03.exe  6b7829cb6f27c9382e48822f36ce2b03.exe  10
    PID 1868 wrote to memory of 3568  1868  6b7829cb6f27c9382e48822f36ce2b03.exe  updatewin1.exe                        3
    PID 1868 wrote to memory of 2392  1868  6b7829cb6f27c9382e48822f36ce2b03.exe  updatewin2.exe                        3
    PID 3568 wrote to memory of 2444  3568  updatewin1.exe                        updatewin1.exe                        3
    PID 1868 wrote to memory of 4092  1868  6b7829cb6f27c9382e48822f36ce2b03.exe  5.exe                                 3
    PID 2444 wrote to memory of 1292  2444  updatewin1.exe                        powershell.exe                        3
    PID 4092 wrote to memory of 3808  4092  5.exe                                 5.exe                                 8
    PID 2444 wrote to memory of 2340  2444  updatewin1.exe                        powershell.exe                        3
    PID 2340 wrote to memory of 1556  2340  powershell.exe                        powershell.exe                        3
    PID 2444 wrote to memory of 2084  2444  updatewin1.exe                        mpcmdrun.exe                          2
    PID 2444 wrote to memory of 1964  2444  updatewin1.exe                        cmd.exe                               3
    PID 3808 wrote to memory of 3896  3808  5.exe                                 cmd.exe                               3
    PID 3896 wrote to memory of 364   3896  cmd.exe                               taskkill.exe                          1
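The SetThreadContext and WriteProcessMemory rows above are the two halves of process hollowing: the parent writes a decrypted payload into a suspended copy of itself and then points the child's thread at the new entry point (the addresses the *-mapping.dmp YARA hits record). The script below is an added example, not sandbox output, that correlates the two signals per parent/child pair. EVENTS is transcribed from the rows in this report with a tuple layout of my own (the report does not give the order of writes versus SetThreadContext, and the function does not depend on it), and the write threshold is an assumption tuned to these rows.

```python
"""Correlate WriteProcessMemory / SetThreadContext rows into process-hollowing verdicts.

Added example; EVENTS mirrors the rows reported for this sample, the tuple layout and
MIN_WRITES are assumptions of this example, not fields of the sandbox's own output.
"""
from collections import defaultdict

SELF = "6b7829cb6f27c9382e48822f36ce2b03.exe"

# (api, source pid, source image, target pid, target image), one tuple per reported row.
EVENTS = (
    [("WriteProcessMemory", 4056, SELF, 3692, SELF)] * 10
    + [("SetThreadContext", 4056, SELF, 3692, SELF)]
    + [("WriteProcessMemory", 3692, SELF, 2068, "icacls.exe")] * 3
    + [("WriteProcessMemory", 3692, SELF, 2428, SELF)] * 3
    + [("WriteProcessMemory", 2428, SELF, 1868, SELF)] * 10
    + [("SetThreadContext", 2428, SELF, 1868, SELF)]
    + [("WriteProcessMemory", 1868, SELF, 3568, "updatewin1.exe")] * 3
    + [("WriteProcessMemory", 1868, SELF, 2392, "updatewin2.exe")] * 3
    + [("WriteProcessMemory", 3568, "updatewin1.exe", 2444, "updatewin1.exe")] * 3
    + [("WriteProcessMemory", 1868, SELF, 4092, "5.exe")] * 3
    + [("WriteProcessMemory", 2444, "updatewin1.exe", 1292, "powershell.exe")] * 3
    + [("WriteProcessMemory", 4092, "5.exe", 3808, "5.exe")] * 8
    + [("SetThreadContext", 4092, "5.exe", 3808, "5.exe")]
    + [("WriteProcessMemory", 2444, "updatewin1.exe", 2340, "powershell.exe")] * 3
    + [("WriteProcessMemory", 2340, "powershell.exe", 1556, "powershell.exe")] * 3
    + [("WriteProcessMemory", 2444, "updatewin1.exe", 2084, "mpcmdrun.exe")] * 2
    + [("WriteProcessMemory", 2444, "updatewin1.exe", 1964, "cmd.exe")] * 3
    + [("WriteProcessMemory", 3808, "5.exe", 3896, "cmd.exe")] * 3
    + [("WriteProcessMemory", 3896, "cmd.exe", 364, "taskkill.exe")]
)

# Every ordinary spawn in this report shows up to three writes (the parent setting up
# the child), so only heavier traffic is treated as a payload being written. Assumption.
MIN_WRITES = 4


def hollowing_candidates(events, min_writes=MIN_WRITES):
    """One record per (source, target) pair that shows the hollowing sequence: a run of
    writes into the child above what a plain CreateProcess produces, plus SetThreadContext
    on that same child. Records are sorted by (source, target)."""
    writes = defaultdict(int)
    context_set = set()
    images = {}
    for api, spid, simg, tpid, timg in events:
        key = (spid, tpid)
        images[key] = (simg, timg)
        if api == "WriteProcessMemory":
            writes[key] += 1
        elif api == "SetThreadContext":
            context_set.add(key)
    out = []
    for key in sorted(context_set):
        if writes[key] >= min_writes:
            simg, timg = images[key]
            out.append({"source": key[0], "target": key[1], "writes": writes[key],
                        "image": timg, "same_image": simg == timg})
    return out


def spawn_only_pairs(events, min_writes=MIN_WRITES):
    """The complement: parent/child pairs whose writes stay at CreateProcess levels or
    never see SetThreadContext. These are ordinary spawns even when the child runs the
    same image, e.g. updatewin1.exe re-launching itself with --Admin."""
    flagged = {(c["source"], c["target"]) for c in hollowing_candidates(events, min_writes)}
    pairs = {(spid, tpid) for _, spid, _, tpid, _ in events}
    return sorted(pairs - flagged)


if __name__ == "__main__":
    for c in hollowing_candidates(EVENTS):
        print(f"{c['source']} -> {c['target']} ({c['image']}): {c['writes']} writes + SetThreadContext")
```

Applied to this report the function returns exactly the three pairs the YARA hits already single out (4056 to 3692 and 2428 to 1868 for Djvu, 4092 to 3808 for Vidar), while the same-image pair 3568 to 2444 and the powershell.exe pair 2340 to 1556 stay classified as plain spawns. Requiring both signals on one pair is what keeps the rule quiet on debuggers and installers, which produce one or the other but rarely both.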
Processes (18)
  • C:\Users\Admin\AppData\Local\Temp\6b7829cb6f27c9382e48822f36ce2b03.exe
    "C:\Users\Admin\AppData\Local\Temp\6b7829cb6f27c9382e48822f36ce2b03.exe"
    Suspicious use of SetThreadContext
    Suspicious use of WriteProcessMemory
    PID:4056
    • C:\Users\Admin\AppData\Local\Temp\6b7829cb6f27c9382e48822f36ce2b03.exe
      "C:\Users\Admin\AppData\Local\Temp\6b7829cb6f27c9382e48822f36ce2b03.exe"
      Adds Run key to start application
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3692
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Users\Admin\AppData\Local\aeca3fbb-7ce2-4980-ad83-eb269b28c93a" /deny *S-1-1-0:(OI)(CI)(DE,DC)
        Modifies file permissions
        PID:2068
      • C:\Users\Admin\AppData\Local\Temp\6b7829cb6f27c9382e48822f36ce2b03.exe
        "C:\Users\Admin\AppData\Local\Temp\6b7829cb6f27c9382e48822f36ce2b03.exe" --Admin IsNotAutoStart IsNotTask
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        PID:2428
        • C:\Users\Admin\AppData\Local\Temp\6b7829cb6f27c9382e48822f36ce2b03.exe
          "C:\Users\Admin\AppData\Local\Temp\6b7829cb6f27c9382e48822f36ce2b03.exe" --Admin IsNotAutoStart IsNotTask
          Suspicious behavior: EnumeratesProcesses
          Suspicious use of WriteProcessMemory
          PID:1868
          • C:\Users\Admin\AppData\Local\dfd1f9f7-f4bc-433f-95e7-4a5c87d0ab5f\updatewin1.exe
            "C:\Users\Admin\AppData\Local\dfd1f9f7-f4bc-433f-95e7-4a5c87d0ab5f\updatewin1.exe"
            Executes dropped EXE
            Suspicious use of WriteProcessMemory
            PID:3568
            • C:\Users\Admin\AppData\Local\dfd1f9f7-f4bc-433f-95e7-4a5c87d0ab5f\updatewin1.exe
              "C:\Users\Admin\AppData\Local\dfd1f9f7-f4bc-433f-95e7-4a5c87d0ab5f\updatewin1.exe" --Admin
              Executes dropped EXE
              Suspicious use of WriteProcessMemory
              PID:2444
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                powershell -Command Set-ExecutionPolicy -Scope CurrentUser RemoteSigned
                Suspicious behavior: EnumeratesProcesses
                Suspicious use of AdjustPrivilegeToken
                PID:1292
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                powershell -NoProfile -ExecutionPolicy Bypass -Command "& {Start-Process PowerShell -ArgumentList '-NoProfile -ExecutionPolicy Bypass -File ""C:\Users\Admin\AppData\Local\script.ps1""' -Verb RunAs}"
                Suspicious behavior: EnumeratesProcesses
                Suspicious use of AdjustPrivilegeToken
                Suspicious use of WriteProcessMemory
                PID:2340
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\script.ps1
                  Suspicious behavior: EnumeratesProcesses
                  Suspicious use of AdjustPrivilegeToken
                  PID:1556
              • C:\Program Files\Windows Defender\mpcmdrun.exe
                "C:\Program Files\Windows Defender\mpcmdrun.exe" -removedefinitions -all
                Deletes Windows Defender Definitions
                PID:2084
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\delself.bat""
                PID:1964
          • C:\Users\Admin\AppData\Local\dfd1f9f7-f4bc-433f-95e7-4a5c87d0ab5f\updatewin2.exe
            "C:\Users\Admin\AppData\Local\dfd1f9f7-f4bc-433f-95e7-4a5c87d0ab5f\updatewin2.exe"
            Drops file in Drivers directory
            Executes dropped EXE
            PID:2392
          • C:\Users\Admin\AppData\Local\dfd1f9f7-f4bc-433f-95e7-4a5c87d0ab5f\5.exe
            "C:\Users\Admin\AppData\Local\dfd1f9f7-f4bc-433f-95e7-4a5c87d0ab5f\5.exe"
            Executes dropped EXE
            Suspicious use of SetThreadContext
            Suspicious use of WriteProcessMemory
            PID:4092
            • C:\Users\Admin\AppData\Local\dfd1f9f7-f4bc-433f-95e7-4a5c87d0ab5f\5.exe
              "C:\Users\Admin\AppData\Local\dfd1f9f7-f4bc-433f-95e7-4a5c87d0ab5f\5.exe"
              Executes dropped EXE
              Loads dropped DLL
              Checks processor information in registry
              Suspicious behavior: EnumeratesProcesses
              Suspicious use of WriteProcessMemory
              PID:3808
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /c taskkill /im 5.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\dfd1f9f7-f4bc-433f-95e7-4a5c87d0ab5f\5.exe" & del C:\ProgramData\*.dll & exit
                Suspicious use of WriteProcessMemory
                PID:3896
                • C:\Windows\SysWOW64\taskkill.exe
                  taskkill /im 5.exe /f
                  Kills process with taskkill
                  Suspicious use of AdjustPrivilegeToken
                  PID:364
                • C:\Windows\SysWOW64\timeout.exe
                  timeout /t 6
                  Delays execution with timeout.exe
                  PID:2236
Network
MITRE ATT&CK Matrix
Command and Control, Credential Access, Exfiltration, Impact, Initial Access, Lateral Movement, Privilege Escalation
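Three of the signatures above leave artefacts an analyst checks on a live host before the file listing below even matters: the SysHelper Run value, the deny ACL that icacls put on the install folder, and the hosts file updatewin2.exe opened for writing. The script below is an added example, not sandbox output, that parses all three. RUN_VALUE is copied from the Run-key IOC; ICACLS_OUTPUT and SAMPLE_HOSTS are constructed, because the report records the icacls command and the hosts write but not their results, and the machine name DESKTOP in the ACL output is a placeholder.

```python
"""Triage the persistence artefacts this sample leaves on a host: the HKCU Run value,
the Everyone deny ACL on its folder, and sinkhole entries in the hosts file.

Added example, not sandbox output. RUN_VALUE comes from the report; ICACLS_OUTPUT and
SAMPLE_HOSTS are constructed stand-ins for what the tools print on an infected host.
"""
import ipaddress
import re

RUN_VALUE = (r'"C:\Users\Admin\AppData\Local\aeca3fbb-7ce2-4980-ad83-eb269b28c93a'
             r'\6b7829cb6f27c9382e48822f36ce2b03.exe" --AutoStart')

# What `icacls <folder>` prints after the /deny *S-1-1-0:(OI)(CI)(DE,DC) call in the
# process tree; icacls resolves S-1-1-0 back to "Everyone". Constructed.
ICACLS_OUTPUT = r"""C:\Users\Admin\AppData\Local\aeca3fbb-7ce2-4980-ad83-eb269b28c93a Everyone:(OI)(CI)(DENY)(DE,DC)
                                                                 NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                                                                 BUILTIN\Administrators:(I)(OI)(CI)(F)
                                                                 DESKTOP\Admin:(I)(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files"""

# A stock Windows hosts file has every line commented out; the two sinkhole lines are
# constructed stand-ins for whatever updatewin2.exe appended.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
# 127.0.0.1       localhost
# ::1             localhost
0.0.0.0 blocked-vendor.example
0.0.0.0 www.blocked-vendor.example
"""

GUID_DIR = re.compile(r"\\AppData\\Local\\[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\\", re.I)


def parse_run_value(value):
    """Split a Run value into (exe, args); handles both quoted and bare paths."""
    m = re.match(r'^\s*"([^"]+)"\s*(.*)$', value) or re.match(r"^\s*(\S+)\s*(.*)$", value)
    return m.group(1), m.group(2).strip()


def assess_run_entry(name, value):
    exe, args = parse_run_value(value)
    return {"name": name, "exe": exe, "args": args, "folder": exe.rsplit("\\", 1)[0],
            "guid_folder": bool(GUID_DIR.search(exe)),   # STOP/Djvu installs under a GUID dir
            "autostart_switch": "--AutoStart" in args}


def parse_icacls(text, path):
    """Return [(principal, set_of_flags)] from icacls output for `path`. The first line
    carries the path before its ACE; later ACEs are on indented continuation lines.
    Flag order is not assumed, so "(DENY)" may sit before or after "(OI)(CI)"."""
    aces = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(path):
            line = line[len(path):].strip()
        m = re.match(r"^([^:()]+):((?:\([^)]*\))+)$", line)
        if not m:
            continue
        flags = set()
        for token in re.findall(r"\(([^)]*)\)", m.group(2)):
            flags.update(token.split(","))
        aces.append((m.group(1), flags))
    return aces


def delete_locked(aces):
    """True when Everyone is denied DE (delete) and DC (delete child): the folder cannot
    be removed, even by an administrator, until that ACE is gone."""
    return any(p.lower() in ("everyone", "*s-1-1-0") and "DENY" in f and {"DE", "DC"} <= f
               for p, f in aces)


def unlock_command(folder):
    """icacls syntax that strips only the deny ACEs for Everyone and leaves the rest intact."""
    return f'icacls "{folder}" /remove:d *S-1-1-0'


def hosts_sinkholes(text):
    """Active hosts mappings other than the usual localhost names. Because the stock file
    is all comments, anything returned here was added by software."""
    found = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue
        found += [(ip, h.lower()) for h in parts[1:] if h.lower() not in ("localhost", "broadcasthost")]
    return found


if __name__ == "__main__":
    entry = assess_run_entry("SysHelper", RUN_VALUE)
    aces = parse_icacls(ICACLS_OUTPUT, entry["folder"])
    print(entry)
    print("delete locked:", delete_locked(aces), "->", unlock_command(entry["folder"]))
    print("hosts sinkholes:", hosts_sinkholes(SAMPLE_HOSTS))
```

The order matters during clean-up: remove the Run value first so the binary cannot restart at logon, strip the deny ACE with the generated icacls command, and only then delete the folder. The hosts check is the last step because sinkhole entries keep security tooling and update servers unreachable until they are gone.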
              Downloads
              • C:\ProgramData\freebl3.dll

                MD5

                ef2834ac4ee7d6724f255beaf527e635

                SHA1

                5be8c1e73a21b49f353c2ecfa4108e43a883cb7b

                SHA256

                a770ecba3b08bbabd0a567fc978e50615f8b346709f8eb3cfacf3faab24090ba

                SHA512

                c6ea0e4347cbd7ef5e80ae8c0afdca20ea23ac2bdd963361dfaf562a9aed58dcbc43f89dd826692a064d76c3f4b3e92361af7b79a6d16a75d9951591ae3544d2

              • C:\ProgramData\mozglue.dll

                MD5

                8f73c08a9660691143661bf7332c3c27

                SHA1

                37fa65dd737c50fda710fdbde89e51374d0c204a

                SHA256

                3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

                SHA512

                0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

              • C:\ProgramData\msvcp140.dll

                MD5

                109f0f02fd37c84bfc7508d4227d7ed5

                SHA1

                ef7420141bb15ac334d3964082361a460bfdb975

                SHA256

                334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

                SHA512

                46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

              • C:\ProgramData\nss3.dll

                MD5

                bfac4e3c5908856ba17d41edcd455a51

                SHA1

                8eec7e888767aa9e4cca8ff246eb2aacb9170428

                SHA256

                e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

                SHA512

                2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

              • C:\ProgramData\softokn3.dll

                MD5

                a2ee53de9167bf0d6c019303b7ca84e5

                SHA1

                2a3c737fa1157e8483815e98b666408a18c0db42

                SHA256

                43536adef2ddcc811c28d35fa6ce3031029a2424ad393989db36169ff2995083

                SHA512

                45b56432244f86321fa88fbcca6a0d2a2f7f4e0648c1d7d7b1866adc9daa5eddd9f6bb73662149f279c9ab60930dad1113c8337cb5e6ec9eed5048322f65f7d8

              • C:\ProgramData\vcruntime140.dll

                MD5

                7587bf9cb4147022cd5681b015183046

                SHA1

                f2106306a8f6f0da5afb7fc765cfa0757ad5a628

                SHA256

                c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

                SHA512

                0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

                MD5

                6c9d7335581aad68a97c8651f474f247

                SHA1

                c85ceebbfc152ee38955e1e677c6c0529383d442

                SHA256

                1ced81b3342e00024e68783e8c12177553655371248312d887410b1069734d37

                SHA512

                db983e883dbe5ac06482f54460d8395fbe11cb7fc22aa78d6cfe239f3c45316f8024655ab7a8dd7fd8f28d881150fe1bb8611a21b36af869b5a1fecdb89538ac

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

                MD5

                6eec4fd7b63862772cd27236afa8df42

                SHA1

                3e88ba24bd67164a7a23b12479bb2240d9bbe396

                SHA256

                c8dbf29a64bd19425d670fa773a0de234fe3af8eac26d1b87e3ac2afa7cd938d

                SHA512

                6a160db1c792e72b3571248d1f0c47f2ebcbc23edb64546b201a2f27655e560532e85c3515b93619062333c261e8fefb40384fb548546f016f2776b3819da940

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

                MD5

                8c9b40b364e0817ebd499fee58a7e39d

                SHA1

                b50e93027db2d335e0af0e90475d9071a94ce61a

                SHA256

                5d9bb504a5482ecaa8b2c0f47aa792518b364319f7f7be00c51f9638cef0c1f7

                SHA512

                234170ee4b7dd920fd631f06abfb1c66752d412f55da70764209e3313a5ed0296a5dcf081c6c0b57c361f30ecdcebf2d1ecc620c2aad77a32b748fd84d4b36d7

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

                MD5

                e9eecfd64c815ddfe23fad796cff81b5

                SHA1

                e8d4b8da4864818905b98a18cd00ca39f8e3126a

                SHA256

                4cb4df2390020699a0598a1f12260577a6c62bfc15382d5351ca7859d455ccb7

                SHA512

                0dbd53640553901f713323dd0c13e41596f3aa3000fd6e63c3247f9f56dca412834260fe4ed710f42f700a8b2691527168086e85142f1e1f7585985b3d870e64

              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

                MD5

                13151583954f0def829054cc3eae25ec

                SHA1

                2a2b013e8d4201ddc8a80f9680931873702d0213

                SHA256

                eb542ae9c791940e8e74833eb50543dbbcbc8bf8485698fad82a8b079546c8a7

                SHA512

                3f7a6d0e5ca29de7b02f5cb993c508ce0c0df12c3d970a3ad6da95149b4cb5cc7a138e7ed6f83e910cb39120f199b3f74fc0ec1a14ca86435a52f247c2514aaf

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                MD5

                001d628ef2372dd6abfa8599ac1aeb1e

                SHA1

                4567696501a7368e5336bb44f5b840418a889f1c

                SHA256

                918954548305fba3dce393c12c0bdd69568855587456767f02d68b11615317e4

                SHA512

                ad01d01afb31d4960608f2139daa6e0e1aceac4e34fd4c727a6f821ced9e8626570e0275b2ea07b4be7d7e7f609604d66379887b8c92c9bb4d687bf3ef78a52a

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                MD5

                f5170b12ec2a7c7f165f35e0c33c725d

                SHA1

                49047e5179084bf7d405d1e386422f4c52bf69c6

                SHA256

                37d6f881b419a0f04f954aa28803abdd3d8b456d391ef0d013145fa0be775a1c

                SHA512

                091b70f5827cf3d66c9102ff0d4781e250fb0ee231f66cbd48e84c73d4d3b005bba0f8fc7ba99c5e8ec410bd4f1e364c454b3d65c3940d75a297c00d968bce98

              • C:\Users\Admin\AppData\Local\Temp\delself.bat

                MD5

                755365344ad0ebe2499459e836871c2d

                SHA1

                41e59d0600407e93552cad4946115a0c6bdd1ef8

                SHA256

                bd3d0b24c7a682218bbc18c87b19fc97e9e0613a6a735c51f328d1ec176f996d

                SHA512

                9c839d469740fda0f6a2fa9c85a060bccaffd0a56ae15aeb02303d09aaed813d092150215c5989c8ae85095527a88e9987af89e33db2e5bf1973b424ee330357

              • C:\Users\Admin\AppData\Local\aeca3fbb-7ce2-4980-ad83-eb269b28c93a\6b7829cb6f27c9382e48822f36ce2b03.exe

                MD5

                6b7829cb6f27c9382e48822f36ce2b03

                SHA1

                190cd052a6de77dfa081172a7917dde892632d97

                SHA256

                3e4676b65c821a9509ba52b43e12248a75cc8f68b212d9852786cc6424003d60

                SHA512

                3a1f2edd75ed62939cfe4a3becef1cf844fbd9e04786e007f13688812dd8f292561b2092153f1ab19d46fa1a20163805184ddbdea9dda8dbc23963525362909b

              • C:\Users\Admin\AppData\Local\dfd1f9f7-f4bc-433f-95e7-4a5c87d0ab5f\5.exe

                MD5

                a9b0f21cb30e239e1f3af96eb376a0ba

                SHA1

                d72a31a0f8ade8bddab2f4bbc4b0c65886f09b92

                SHA256

                18076f163aef93f57db14eece15b18ca68f344da2f4c59a329de178752f14e2c

                SHA512

                8cee0ff718455d5d157f74ba2fda9e73d26b33319f9d98df2f9049910f5fe0c25aacdc066df3b65e5adbe22e2fb470498304481b440e15a487d1411ba69c429f

              • C:\Users\Admin\AppData\Local\dfd1f9f7-f4bc-433f-95e7-4a5c87d0ab5f\updatewin1.exe

                MD5

                5b4bd24d6240f467bfbc74803c9f15b0

                SHA1

                c17f98c182d299845c54069872e8137645768a1a

                SHA256

                14c7bec7369d4175c6d92554b033862b3847ff98a04dfebdf9f5bb30180ed13e

                SHA512

                a896acc38a6ff9641b0803f0598369c0d4fa8e38da28c1653c57948fe5e3274880d1b2e7959cd1b1da43375a1318b3ba72e13240bf40b27c852ee72bbb16cadc

              • C:\Users\Admin\AppData\Local\dfd1f9f7-f4bc-433f-95e7-4a5c87d0ab5f\updatewin2.exe

                MD5

                996ba35165bb62473d2a6743a5200d45

                SHA1

                52169b0b5cce95c6905873b8d12a759c234bd2e0

                SHA256

                5caffdc76a562e098c471feaede5693f9ead92d5c6c10fb3951dd1fa6c12d21d

                SHA512

                2a7fb9bdf8dcf577ac851752f8875a710a3694b99d107c397942fce1392fd99ee0b85f1fddc18c33fba56d7b8fd4dda5f40f28e64d8398e6048c2ab140780634

              • C:\Users\Admin\AppData\Local\script.ps1

                MD5

                f972c62f986b5ed49ad7713d93bf6c9f

                SHA1

                4e157002bdb97e9526ab97bfafbf7c67e1d1efbf

                SHA256

                b47f85974a7ec2fd5aa82d52f08eb0f6cea7e596a98dd29e8b85b5c37beca0a8

                SHA512

                2c9e2e1b8b6cb5ffe3edf5dfbc2c3b917cd15ba6a5e5264207a43b02ce7020f44f5088aca195f7b428699f0d6bd693ce557a0227d67bbb4795e350a97314e9c4

              • \ProgramData\mozglue.dll

                MD5

                8f73c08a9660691143661bf7332c3c27

                SHA1

                37fa65dd737c50fda710fdbde89e51374d0c204a

                SHA256

                3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

                SHA512

                0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

              • \ProgramData\nss3.dll

                MD5

                bfac4e3c5908856ba17d41edcd455a51

                SHA1

                8eec7e888767aa9e4cca8ff246eb2aacb9170428

                SHA256

                e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

                SHA512

                2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

              • memory/364-234-0x0000000000000000-mapping.dmp

              • memory/1292-184-0x000000007F2A0000-0x000000007F2A1000-memory.dmp

              • memory/1292-146-0x0000000006F80000-0x0000000006F81000-memory.dmp

              • memory/1292-185-0x0000000008EB0000-0x0000000008EB1000-memory.dmp

              • memory/1292-151-0x0000000006D10000-0x0000000006D11000-memory.dmp

              • memory/1292-145-0x0000000006780000-0x0000000006781000-memory.dmp

              • memory/1292-150-0x0000000006B90000-0x0000000006B91000-memory.dmp

              • memory/1292-142-0x0000000000000000-mapping.dmp

              • memory/1292-153-0x0000000006940000-0x0000000006941000-memory.dmp

              • memory/1292-154-0x0000000006C30000-0x0000000006C31000-memory.dmp

              • memory/1292-155-0x0000000006942000-0x0000000006943000-memory.dmp

              • memory/1292-178-0x0000000008970000-0x0000000008971000-memory.dmp

              • memory/1292-171-0x0000000008990000-0x00000000089C3000-memory.dmp

              • memory/1292-219-0x0000000006946000-0x0000000006948000-memory.dmp

              • memory/1292-158-0x00000000075B0000-0x00000000075B1000-memory.dmp

              • memory/1292-159-0x0000000007900000-0x0000000007901000-memory.dmp

              • memory/1292-160-0x0000000007920000-0x0000000007921000-memory.dmp

              • memory/1292-161-0x0000000007C90000-0x0000000007C91000-memory.dmp

              • memory/1292-218-0x0000000006943000-0x0000000006944000-memory.dmp

              • memory/1292-183-0x0000000008D20000-0x0000000008D21000-memory.dmp

              • memory/1556-231-0x000000007E100000-0x000000007E101000-memory.dmp

              • memory/1556-222-0x0000000000000000-mapping.dmp

              • memory/1556-229-0x0000000006802000-0x0000000006803000-memory.dmp

              • memory/1556-232-0x0000000006803000-0x0000000006804000-memory.dmp

              • memory/1556-228-0x0000000006800000-0x0000000006801000-memory.dmp

              • memory/1868-128-0x0000000000400000-0x0000000000537000-memory.dmp

              • memory/1868-122-0x0000000000424141-mapping.dmp

              • memory/1964-224-0x0000000000000000-mapping.dmp

              • memory/2068-118-0x0000000000000000-mapping.dmp

              • memory/2084-223-0x0000000000000000-mapping.dmp

              • memory/2236-235-0x0000000000000000-mapping.dmp

              • memory/2340-215-0x0000000000000000-mapping.dmp

              • memory/2340-220-0x0000000001070000-0x0000000001071000-memory.dmp

              • memory/2340-221-0x0000000001072000-0x0000000001073000-memory.dmp

              • memory/2340-227-0x0000000001073000-0x0000000001074000-memory.dmp

              • memory/2392-141-0x0000000000400000-0x000000000044D000-memory.dmp

              • memory/2392-132-0x0000000000000000-mapping.dmp

              • memory/2428-120-0x0000000000000000-mapping.dmp

              • memory/2444-135-0x0000000000000000-mapping.dmp

              • memory/2444-152-0x0000000000400000-0x000000000044D000-memory.dmp

              • memory/3568-137-0x0000000000400000-0x000000000044D000-memory.dmp

              • memory/3568-129-0x0000000000000000-mapping.dmp

              • memory/3692-115-0x0000000000424141-mapping.dmp

              • memory/3692-117-0x0000000000400000-0x0000000000537000-memory.dmp

              • memory/3692-114-0x0000000000400000-0x0000000000537000-memory.dmp

              • memory/3808-148-0x00000000004680AD-mapping.dmp

              • memory/3808-147-0x0000000000400000-0x000000000049B000-memory.dmp

              • memory/3808-157-0x0000000000400000-0x000000000049B000-memory.dmp

              • memory/3896-233-0x0000000000000000-mapping.dmp

              • memory/4056-116-0x0000000002250000-0x000000000236B000-memory.dmp

              • memory/4092-156-0x0000000002170000-0x0000000002208000-memory.dmp

              • memory/4092-138-0x0000000000000000-mapping.dmp