Analysis
-
max time kernel
1808s -
max time network
1811s -
platform
windows7_x64 -
resource
win7-fr -
submitted
12-09-2021 07:11
General
-
Target
setup_x86_x64_install.exe
-
Size
3.5MB
-
MD5
1b5154bc65145adba0a58e964265d5f2
-
SHA1
5a96fd55be61222b3e6438712979dc2a18a50b8c
-
SHA256
c48cd55efee57f0b7ff4547a0a20ebfbdf4188d059512b10a29879bf30c4fc19
-
SHA512
9465da97b0986fef660e3f7725b4d4c034bef677acbe36382d95a8052c54634f004162aa3f105156e503af1b26632e47e44234ef9825b388260a6bcd310a5026
Score
10/10
Malware Config
Extracted
Path
C:\_readme.txt
Family
djvu
Ransom Note
ATTENTION!
Don't worry, you can return all your files!
All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
https://we.tl/t-CtDpAM1g5f
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that's price for you is $490.
Please note that you'll never restore your data without payment.
Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.
To get this software you need write on our e-mail:
[email protected]
Reserve e-mail address to contact us:
[email protected]
Your personal ID:
0333gSd743dfRiXRqq62TeogIfmpihYZJ6wDmuUVD07WwczX6Bm
URLs
https://we.tl/t-CtDpAM1g5f
Extracted
Family
vidar
Version
40.5
Botnet
706
C2
https://gheorghip.tumblr.com/
Attributes
-
profile_id
706
Extracted
Family
smokeloader
Version
2020
C2
http://varmisende.com/upload/
http://fernandomayol.com/upload/
http://nextlytm.com/upload/
http://people4jan.com/upload/
http://asfaltwerk.com/upload/
rc4.i32
rc4.i32
Extracted
Family
redline
Botnet
pab123
C2
45.14.49.169:22411
Signatures
-
Detected Djvu ransomware 2 IoCs
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Process spawned unexpected child process 2 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 4 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Socelars Payload 3 IoCs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 1 IoCs
-
ASPack v2.12-2.42 6 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Downloads MZ/PE file
-
Executes dropped EXE 63 IoCs
-
Modifies extensions of user files 10 IoCs
Ransomware generally changes the extension on encrypted files.
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Loads dropped DLL 64 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 1 IoCs
Detects Themida, an advanced Windows software protection system.
-
Accesses 2FA software files, possible credential harvesting 2 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 12 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 7 IoCs
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 3 IoCs
-
Kills process with taskkill 4 IoCs
-
Modifies system certificate store 2 TTPs 7 IoCs
-
Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 8 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 19 IoCs
-
Suspicious use of SendNotifyMessage 6 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSCF6C2934\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zSCF6C2934\setup_install.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun05ac1b0207d3ff3b8.exe4⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zSCF6C2934\Sun05ac1b0207d3ff3b8.exeSun05ac1b0207d3ff3b8.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Modifies system certificate store
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im Sun05ac1b0207d3ff3b8.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zSCF6C2934\Sun05ac1b0207d3ff3b8.exe" & del C:\ProgramData\*.dll & exit6⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im Sun05ac1b0207d3ff3b8.exe /f7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 67⤵
- Delays execution with timeout.exe
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun052bbd8bebd9.exe4⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zSCF6C2934\Sun052bbd8bebd9.exeSun052bbd8bebd9.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun05532f7abc.exe4⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zSCF6C2934\Sun05532f7abc.exeSun05532f7abc.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun05640630a6aa.exe4⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zSCF6C2934\Sun05640630a6aa.exeSun05640630a6aa.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun059375dac544fc4a.exe4⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zSCF6C2934\Sun059375dac544fc4a.exeSun059375dac544fc4a.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"7⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\6703130.exe"C:\ProgramData\6703130.exe"8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2044 -s 17329⤵
- Program crash
- Suspicious behavior: GetForegroundWindowSpam
-
-
-
C:\ProgramData\3975581.exe"C:\ProgramData\3975581.exe"8⤵
- Executes dropped EXE
-
-
C:\ProgramData\908332.exe"C:\ProgramData\908332.exe"8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\908332.exe"C:\ProgramData\908332.exe"9⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1732 -s 7129⤵
- Program crash
- Suspicious behavior: GetForegroundWindowSpam
-
-
-
C:\ProgramData\4235683.exe"C:\ProgramData\4235683.exe"8⤵
- Executes dropped EXE
-
-
C:\ProgramData\3215890.exe"C:\ProgramData\3215890.exe"8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1740 -s 16929⤵
- Program crash
- Suspicious behavior: GetForegroundWindowSpam
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\2.exe"C:\Users\Admin\AppData\Local\Temp\2.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2580 -s 13728⤵
- Program crash
- Suspicious behavior: GetForegroundWindowSpam
-
-
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "setup.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\setup.exe" & exit8⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "setup.exe" /f9⤵
- Kills process with taskkill
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\udptest.exe"C:\Users\Admin\AppData\Local\Temp\udptest.exe"7⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\setup_2.exe"C:\Users\Admin\AppData\Local\Temp\setup_2.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-8VLUS.tmp\setup_2.tmp"C:\Users\Admin\AppData\Local\Temp\is-8VLUS.tmp\setup_2.tmp" /SL5="$20174,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\setup_2.exe"C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT9⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-C298I.tmp\setup_2.tmp"C:\Users\Admin\AppData\Local\Temp\is-C298I.tmp\setup_2.tmp" /SL5="$20196,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT10⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\3002.exe"C:\Users\Admin\AppData\Local\Temp\3002.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\3002.exe"C:\Users\Admin\AppData\Local\Temp\3002.exe" -a8⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"7⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"7⤵
- Executes dropped EXE
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun05d60bc3b96248e5.exe4⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zSCF6C2934\Sun05d60bc3b96248e5.exeSun05d60bc3b96248e5.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe6⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 680 -s 7566⤵
- Program crash
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun050462125c7d35.exe4⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zSCF6C2934\Sun050462125c7d35.exeSun050462125c7d35.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\1382919.exe"C:\ProgramData\1382919.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2564 -s 17407⤵
- Program crash
- Suspicious behavior: GetForegroundWindowSpam
-
-
-
C:\ProgramData\6825066.exe"C:\ProgramData\6825066.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
C:\ProgramData\5813840.exe"C:\ProgramData\5813840.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
-
C:\ProgramData\1571294.exe"C:\ProgramData\1571294.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 17127⤵
- Program crash
- Suspicious behavior: GetForegroundWindowSpam
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun05899db881f67fb29.exe4⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zSCF6C2934\Sun05899db881f67fb29.exeSun05899db881f67fb29.exe5⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun054fe19a12cb3.exe4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun05fa3b4d2ae56e.exe /mixone4⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zSCF6C2934\Sun05fa3b4d2ae56e.exeSun05fa3b4d2ae56e.exe /mixone5⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "Sun05fa3b4d2ae56e.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zSCF6C2934\Sun05fa3b4d2ae56e.exe" & exit6⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "Sun05fa3b4d2ae56e.exe" /f7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\62C8.exeC:\Users\Admin\AppData\Local\Temp\62C8.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\8F26.exeC:\Users\Admin\AppData\Local\Temp\8F26.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\B4EF.exeC:\Users\Admin\AppData\Local\Temp\B4EF.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\B4EF.exeC:\Users\Admin\AppData\Local\Temp\B4EF.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\6c5042f6-6727-4c42-afc7-7e093e0e772b" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
-
-
C:\Users\Admin\AppData\Local\Temp\B4EF.exe"C:\Users\Admin\AppData\Local\Temp\B4EF.exe" --Admin IsNotAutoStart IsNotTask3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\B4EF.exe"C:\Users\Admin\AppData\Local\Temp\B4EF.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Executes dropped EXE
- Modifies extensions of user files
-
C:\Users\Admin\AppData\Local\fa608329-eb79-452b-8ae5-91b7eff8cdde\build2.exe"C:\Users\Admin\AppData\Local\fa608329-eb79-452b-8ae5-91b7eff8cdde\build2.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\fa608329-eb79-452b-8ae5-91b7eff8cdde\build2.exe"C:\Users\Admin\AppData\Local\fa608329-eb79-452b-8ae5-91b7eff8cdde\build2.exe"6⤵
- Executes dropped EXE
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\fa608329-eb79-452b-8ae5-91b7eff8cdde\build2.exe" & del C:\ProgramData\*.dll & exit7⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im build2.exe /f8⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 68⤵
- Delays execution with timeout.exe
-
-
-
-
-
C:\Users\Admin\AppData\Local\fa608329-eb79-452b-8ae5-91b7eff8cdde\build3.exe"C:\Users\Admin\AppData\Local\fa608329-eb79-452b-8ae5-91b7eff8cdde\build3.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\fa608329-eb79-452b-8ae5-91b7eff8cdde\build3.exe"C:\Users\Admin\AppData\Local\fa608329-eb79-452b-8ae5-91b7eff8cdde\build3.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"7⤵
- Creates scheduled task(s)
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\F183.exeC:\Users\Admin\AppData\Local\Temp\F183.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\F183.exe"2⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK3⤵
- Delays execution with timeout.exe
-
-
-
C:\Users\Admin\AppData\Local\Temp\8089.exeC:\Users\Admin\AppData\Local\Temp\8089.exe1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\BE64.exeC:\Users\Admin\AppData\Local\Temp\BE64.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\taskeng.exetaskeng.exe {78AD5874-6B5D-49EA-8456-0FAE241BD062} S-1-5-21-1669990088-476967504-438132596-1000:KJUCCLUP\Admin:Interactive:[1]1⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"4⤵
- Creates scheduled task(s)
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Roaming\sfgegfcC:\Users\Admin\AppData\Roaming\sfgegfc2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\6c5042f6-6727-4c42-afc7-7e093e0e772b\B4EF.exeC:\Users\Admin\AppData\Local\6c5042f6-6727-4c42-afc7-7e093e0e772b\B4EF.exe --Task2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\6c5042f6-6727-4c42-afc7-7e093e0e772b\B4EF.exeC:\Users\Admin\AppData\Local\6c5042f6-6727-4c42-afc7-7e093e0e772b\B4EF.exe --Task3⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Roaming\sfgegfcC:\Users\Admin\AppData\Roaming\sfgegfc2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\6c5042f6-6727-4c42-afc7-7e093e0e772b\B4EF.exeC:\Users\Admin\AppData\Local\6c5042f6-6727-4c42-afc7-7e093e0e772b\B4EF.exe --Task2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\6c5042f6-6727-4c42-afc7-7e093e0e772b\B4EF.exeC:\Users\Admin\AppData\Local\6c5042f6-6727-4c42-afc7-7e093e0e772b\B4EF.exe --Task3⤵
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
-
Network
MITRE ATT&CK Enterprise v6
Defense Evasion
File and Directory Permissions Modification
1Install Root Certificate
1Modify Registry
2Virtualization/Sandbox Evasion
1Web Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
-
Filesize
19.9MB
-
Filesize
19.9MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
1.1MB
-
Filesize
84KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
104KB
-
Filesize
1.2MB
-
Filesize
192KB
-
Filesize
39.4MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
124KB
-
Filesize
4KB
-
Filesize
120KB
-
Filesize
192KB
-
Filesize
39.4MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
572KB
-
Filesize
152KB
-
Filesize
152KB
-
Filesize
1.5MB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
572KB
-
Filesize
100KB
-
Filesize
1.5MB
-
Filesize
19.5MB
-
Filesize
36KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
12.3MB
-
Filesize
80KB
-
Filesize
39.4MB
-
Filesize
288KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
192KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
19.6MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
96KB
-
Filesize
19.8MB
-
Filesize
576KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
80KB
-
Filesize
272KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
108KB
-
Filesize
120KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
16KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
96KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
108KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
39.4MB
-
Filesize
188KB