djvu | aad6294207c2facfebf440fa5d52804422edbf9c9e9adb4a7aaff0310b1c5d11

Analysis

max time kernel
144s
max time network
142s
platform
windows7_x64
resource
win7-en-20210920
submitted
19-10-2021 13:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

91db4a17206eda8936d0ce1e12eb51a8.exe
Size

810KB
MD5

91db4a17206eda8936d0ce1e12eb51a8
SHA1

ee31cac794e6fdd200f36629bbe8c556c52ae61b
SHA256

aad6294207c2facfebf440fa5d52804422edbf9c9e9adb4a7aaff0310b1c5d11
SHA512

6c01a380d9d56a1eb60e1586bd2c40f32dc732c5802fc0fad9c4ca486a8d44048b40f85bc46792e98eeaad8a2435db5209ec5aca6da8319ab285bea90a5dccae

Score

10^/10

djvu vidar 517 discovery persistence ransomware stealer suricata

Malware Config

Extracted

Family

vidar

Version

41.3

Botnet

517

https://mas.to/@oleg98

Attributes

profile_id
517

Extracted

Family

djvu

http://rlrz.org/lancer

Signatures

Detected Djvu ransomware 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/524-54-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/524-55-0x0000000000424141-mapping.dmp	family_djvu
behavioral1/memory/1080-57-0x00000000034E0000-0x00000000035FB000-memory.dmp	family_djvu
behavioral1/memory/524-58-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1280-64-0x0000000000424141-mapping.dmp	family_djvu
behavioral1/memory/1280-66-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata

Vidar Stealer 4 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/1896-78-0x0000000000400000-0x00000000004D9000-memory.dmp	family_vidar
behavioral1/memory/1896-79-0x00000000004A192D-mapping.dmp	family_vidar
behavioral1/memory/1072-87-0x00000000017B0000-0x0000000001886000-memory.dmp	family_vidar
behavioral1/memory/1896-88-0x0000000000400000-0x00000000004D9000-memory.dmp	family_vidar

Downloads MZ/PE file
Executes dropped EXE 8 IoCs

Processes:

build2.exebuild3.exebuild2.exebuild3.exemstsca.exemstsca.exemstsca.exemstsca.exe

pid process

1072 build2.exe
1776 build3.exe
1896 build2.exe
472 build3.exe
1060 mstsca.exe
1148 mstsca.exe
1596 mstsca.exe
1756 mstsca.exe

pid	process
1072	build2.exe
1776	build3.exe
1896	build2.exe
472	build3.exe
1060	mstsca.exe
1148	mstsca.exe
1596	mstsca.exe
1756	mstsca.exe

Loads dropped DLL 8 IoCs

Processes:

91db4a17206eda8936d0ce1e12eb51a8.exeWerFault.exe

pid	process
1280	91db4a17206eda8936d0ce1e12eb51a8.exe
1280	91db4a17206eda8936d0ce1e12eb51a8.exe
1280	91db4a17206eda8936d0ce1e12eb51a8.exe
1280	91db4a17206eda8936d0ce1e12eb51a8.exe
1476	WerFault.exe
1476	WerFault.exe
1476	WerFault.exe
1476	WerFault.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

1188 icacls.exe

pid	process
1188	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

91db4a17206eda8936d0ce1e12eb51a8.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\4d59c868-0730-4d48-b04c-b9a6d56db2db\\91db4a17206eda8936d0ce1e12eb51a8.exe\" --AutoStart"	91db4a17206eda8936d0ce1e12eb51a8.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 api.2ip.ua
5 api.2ip.ua

flow	ioc
4	api.2ip.ua
5	api.2ip.ua

Suspicious use of SetThreadContext 6 IoCs

Processes:

91db4a17206eda8936d0ce1e12eb51a8.exe91db4a17206eda8936d0ce1e12eb51a8.exebuild2.exebuild3.exemstsca.exemstsca.exe

description	pid	process	target process
PID 1080 set thread context of 524	1080	91db4a17206eda8936d0ce1e12eb51a8.exe	91db4a17206eda8936d0ce1e12eb51a8.exe
PID 1040 set thread context of 1280	1040	91db4a17206eda8936d0ce1e12eb51a8.exe	91db4a17206eda8936d0ce1e12eb51a8.exe
PID 1072 set thread context of 1896	1072	build2.exe	build2.exe
PID 1776 set thread context of 472	1776	build3.exe	build3.exe
PID 1060 set thread context of 1148	1060	mstsca.exe	mstsca.exe
PID 1596 set thread context of 1756	1596	mstsca.exe	mstsca.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1476 1896 WerFault.exe build2.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1700 schtasks.exe
1472 schtasks.exe

pid	pid_target	process	target process
1476	1896	WerFault.exe	build2.exe

pid	process
1700	schtasks.exe
1472	schtasks.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

91db4a17206eda8936d0ce1e12eb51a8.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	91db4a17206eda8936d0ce1e12eb51a8.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	91db4a17206eda8936d0ce1e12eb51a8.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	91db4a17206eda8936d0ce1e12eb51a8.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

91db4a17206eda8936d0ce1e12eb51a8.exe91db4a17206eda8936d0ce1e12eb51a8.exeWerFault.exe

pid	process
524	91db4a17206eda8936d0ce1e12eb51a8.exe
524	91db4a17206eda8936d0ce1e12eb51a8.exe
1280	91db4a17206eda8936d0ce1e12eb51a8.exe
1280	91db4a17206eda8936d0ce1e12eb51a8.exe
1476	WerFault.exe
1476	WerFault.exe
1476	WerFault.exe
1476	WerFault.exe
1476	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

1476 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1476 WerFault.exe

pid	process
1476	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	1476	WerFault.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

91db4a17206eda8936d0ce1e12eb51a8.exe91db4a17206eda8936d0ce1e12eb51a8.exe91db4a17206eda8936d0ce1e12eb51a8.exe91db4a17206eda8936d0ce1e12eb51a8.exebuild2.exebuild3.exebuild3.exebuild2.exe

description	pid	process	target process
PID 1080 wrote to memory of 524	1080	91db4a17206eda8936d0ce1e12eb51a8.exe	91db4a17206eda8936d0ce1e12eb51a8.exe
PID 1080 wrote to memory of 524	1080	91db4a17206eda8936d0ce1e12eb51a8.exe	91db4a17206eda8936d0ce1e12eb51a8.exe
PID 1080 wrote to memory of 524	1080	91db4a17206eda8936d0ce1e12eb51a8.exe	91db4a17206eda8936d0ce1e12eb51a8.exe
PID 1080 wrote to memory of 524	1080	91db4a17206eda8936d0ce1e12eb51a8.exe	91db4a17206eda8936d0ce1e12eb51a8.exe
PID 1080 wrote to memory of 524	1080	91db4a17206eda8936d0ce1e12eb51a8.exe	91db4a17206eda8936d0ce1e12eb51a8.exe
PID 1080 wrote to memory of 524	1080	91db4a17206eda8936d0ce1e12eb51a8.exe	91db4a17206eda8936d0ce1e12eb51a8.exe
PID 1080 wrote to memory of 524	1080	91db4a17206eda8936d0ce1e12eb51a8.exe	91db4a17206eda8936d0ce1e12eb51a8.exe
PID 1080 wrote to memory of 524	1080	91db4a17206eda8936d0ce1e12eb51a8.exe	91db4a17206eda8936d0ce1e12eb51a8.exe
PID 1080 wrote to memory of 524	1080	91db4a17206eda8936d0ce1e12eb51a8.exe	91db4a17206eda8936d0ce1e12eb51a8.exe
PID 1080 wrote to memory of 524	1080	91db4a17206eda8936d0ce1e12eb51a8.exe	91db4a17206eda8936d0ce1e12eb51a8.exe
PID 1080 wrote to memory of 524	1080	91db4a17206eda8936d0ce1e12eb51a8.exe	91db4a17206eda8936d0ce1e12eb51a8.exe
PID 524 wrote to memory of 1188	524	91db4a17206eda8936d0ce1e12eb51a8.exe	icacls.exe
PID 524 wrote to memory of 1188	524	91db4a17206eda8936d0ce1e12eb51a8.exe	icacls.exe
PID 524 wrote to memory of 1188	524	91db4a17206eda8936d0ce1e12eb51a8.exe	icacls.exe
PID 524 wrote to memory of 1188	524	91db4a17206eda8936d0ce1e12eb51a8.exe	icacls.exe
PID 524 wrote to memory of 1040	524	91db4a17206eda8936d0ce1e12eb51a8.exe	91db4a17206eda8936d0ce1e12eb51a8.exe
PID 524 wrote to memory of 1040	524	91db4a17206eda8936d0ce1e12eb51a8.exe	91db4a17206eda8936d0ce1e12eb51a8.exe
PID 524 wrote to memory of 1040	524	91db4a17206eda8936d0ce1e12eb51a8.exe	91db4a17206eda8936d0ce1e12eb51a8.exe
PID 524 wrote to memory of 1040	524	91db4a17206eda8936d0ce1e12eb51a8.exe	91db4a17206eda8936d0ce1e12eb51a8.exe
PID 1040 wrote to memory of 1280	1040	91db4a17206eda8936d0ce1e12eb51a8.exe	91db4a17206eda8936d0ce1e12eb51a8.exe
PID 1040 wrote to memory of 1280	1040	91db4a17206eda8936d0ce1e12eb51a8.exe	91db4a17206eda8936d0ce1e12eb51a8.exe
PID 1040 wrote to memory of 1280	1040	91db4a17206eda8936d0ce1e12eb51a8.exe	91db4a17206eda8936d0ce1e12eb51a8.exe
PID 1040 wrote to memory of 1280	1040	91db4a17206eda8936d0ce1e12eb51a8.exe	91db4a17206eda8936d0ce1e12eb51a8.exe
PID 1040 wrote to memory of 1280	1040	91db4a17206eda8936d0ce1e12eb51a8.exe	91db4a17206eda8936d0ce1e12eb51a8.exe
PID 1040 wrote to memory of 1280	1040	91db4a17206eda8936d0ce1e12eb51a8.exe	91db4a17206eda8936d0ce1e12eb51a8.exe
PID 1040 wrote to memory of 1280	1040	91db4a17206eda8936d0ce1e12eb51a8.exe	91db4a17206eda8936d0ce1e12eb51a8.exe
PID 1040 wrote to memory of 1280	1040	91db4a17206eda8936d0ce1e12eb51a8.exe	91db4a17206eda8936d0ce1e12eb51a8.exe
PID 1040 wrote to memory of 1280	1040	91db4a17206eda8936d0ce1e12eb51a8.exe	91db4a17206eda8936d0ce1e12eb51a8.exe
PID 1040 wrote to memory of 1280	1040	91db4a17206eda8936d0ce1e12eb51a8.exe	91db4a17206eda8936d0ce1e12eb51a8.exe
PID 1040 wrote to memory of 1280	1040	91db4a17206eda8936d0ce1e12eb51a8.exe	91db4a17206eda8936d0ce1e12eb51a8.exe
PID 1280 wrote to memory of 1072	1280	91db4a17206eda8936d0ce1e12eb51a8.exe	build2.exe
PID 1280 wrote to memory of 1072	1280	91db4a17206eda8936d0ce1e12eb51a8.exe	build2.exe
PID 1280 wrote to memory of 1072	1280	91db4a17206eda8936d0ce1e12eb51a8.exe	build2.exe
PID 1280 wrote to memory of 1072	1280	91db4a17206eda8936d0ce1e12eb51a8.exe	build2.exe
PID 1280 wrote to memory of 1776	1280	91db4a17206eda8936d0ce1e12eb51a8.exe	build3.exe
PID 1280 wrote to memory of 1776	1280	91db4a17206eda8936d0ce1e12eb51a8.exe	build3.exe
PID 1280 wrote to memory of 1776	1280	91db4a17206eda8936d0ce1e12eb51a8.exe	build3.exe
PID 1280 wrote to memory of 1776	1280	91db4a17206eda8936d0ce1e12eb51a8.exe	build3.exe
PID 1072 wrote to memory of 1896	1072	build2.exe	build2.exe
PID 1072 wrote to memory of 1896	1072	build2.exe	build2.exe
PID 1072 wrote to memory of 1896	1072	build2.exe	build2.exe
PID 1072 wrote to memory of 1896	1072	build2.exe	build2.exe
PID 1072 wrote to memory of 1896	1072	build2.exe	build2.exe
PID 1072 wrote to memory of 1896	1072	build2.exe	build2.exe
PID 1072 wrote to memory of 1896	1072	build2.exe	build2.exe
PID 1072 wrote to memory of 1896	1072	build2.exe	build2.exe
PID 1072 wrote to memory of 1896	1072	build2.exe	build2.exe
PID 1776 wrote to memory of 472	1776	build3.exe	build3.exe
PID 1776 wrote to memory of 472	1776	build3.exe	build3.exe
PID 1776 wrote to memory of 472	1776	build3.exe	build3.exe
PID 1776 wrote to memory of 472	1776	build3.exe	build3.exe
PID 1776 wrote to memory of 472	1776	build3.exe	build3.exe
PID 1776 wrote to memory of 472	1776	build3.exe	build3.exe
PID 1776 wrote to memory of 472	1776	build3.exe	build3.exe
PID 1776 wrote to memory of 472	1776	build3.exe	build3.exe
PID 1776 wrote to memory of 472	1776	build3.exe	build3.exe
PID 1776 wrote to memory of 472	1776	build3.exe	build3.exe
PID 472 wrote to memory of 1700	472	build3.exe	schtasks.exe
PID 472 wrote to memory of 1700	472	build3.exe	schtasks.exe
PID 472 wrote to memory of 1700	472	build3.exe	schtasks.exe
PID 472 wrote to memory of 1700	472	build3.exe	schtasks.exe
PID 1896 wrote to memory of 1476	1896	build2.exe	WerFault.exe
PID 1896 wrote to memory of 1476	1896	build2.exe	WerFault.exe
PID 1896 wrote to memory of 1476	1896	build2.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\91db4a17206eda8936d0ce1e12eb51a8.exe
"C:\Users\Admin\AppData\Local\Temp\91db4a17206eda8936d0ce1e12eb51a8.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1080

C:\Users\Admin\AppData\Local\Temp\91db4a17206eda8936d0ce1e12eb51a8.exe
"C:\Users\Admin\AppData\Local\Temp\91db4a17206eda8936d0ce1e12eb51a8.exe"
2⤵
- Adds Run key to start application
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:524

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\4d59c868-0730-4d48-b04c-b9a6d56db2db" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:1188

C:\Users\Admin\AppData\Local\Temp\91db4a17206eda8936d0ce1e12eb51a8.exe
"C:\Users\Admin\AppData\Local\Temp\91db4a17206eda8936d0ce1e12eb51a8.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1040

C:\Users\Admin\AppData\Local\Temp\91db4a17206eda8936d0ce1e12eb51a8.exe
"C:\Users\Admin\AppData\Local\Temp\91db4a17206eda8936d0ce1e12eb51a8.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1280

C:\Users\Admin\AppData\Local\24511db8-f828-47ef-9c79-c57a792885e0\build2.exe
"C:\Users\Admin\AppData\Local\24511db8-f828-47ef-9c79-c57a792885e0\build2.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1072

C:\Users\Admin\AppData\Local\24511db8-f828-47ef-9c79-c57a792885e0\build2.exe
"C:\Users\Admin\AppData\Local\24511db8-f828-47ef-9c79-c57a792885e0\build2.exe"
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 888
7⤵
- Loads dropped DLL
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1476

C:\Users\Admin\AppData\Local\24511db8-f828-47ef-9c79-c57a792885e0\build3.exe
"C:\Users\Admin\AppData\Local\24511db8-f828-47ef-9c79-c57a792885e0\build3.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1776

C:\Users\Admin\AppData\Local\24511db8-f828-47ef-9c79-c57a792885e0\build3.exe
"C:\Users\Admin\AppData\Local\24511db8-f828-47ef-9c79-c57a792885e0\build3.exe"
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:472

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
7⤵
- Creates scheduled task(s)
PID:1700

C:\Windows\system32\taskeng.exe
taskeng.exe {A8264BA9-5914-4A76-8997-58345C893CBF} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
1⤵
PID:2000

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1060

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
- Executes dropped EXE
PID:1148

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
4⤵
- Creates scheduled task(s)
PID:1472

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1596

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
- Executes dropped EXE
PID:1756

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Permissions Modification

T1222

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
MD5
ab5c36d10261c173c5896f3478cdc6b7

SHA1
87ac53810ad125663519e944bc87ded3979cbee4

SHA256
f8e90fb0557fe49d7702cfb506312ac0b24c97802f9c782696db6d47f434e8e9

SHA512
e83e4eae44e7a9cbcd267dbfc25a7f4f68b50591e3bbe267324b1f813c9220d565b284994ded5f7d2d371d50e1ebfa647176ec8de9716f754c6b5785c6e897fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
b032ab9428e2126534fbf6102b578126

SHA1
fee19e112cbd1846aaca63f173f337d09b5df811

SHA256
7b06a0be3af192998cab1947d694a0e84672bef728aacd801b98bce9e0f51e33

SHA512
895e20f9a72858525100fcd7d8663cbac38ba34356f79153bc99eebc2a59cdbd245a79f71819da1d98a1a8817cb1b9841069a7949f788c7ea6d4fb94ff0559cd

Download Submit
C:\Users\Admin\AppData\Local\24511db8-f828-47ef-9c79-c57a792885e0\build2.exe
MD5
673a786d98cb5709caaf1797142e0e6e

SHA1
4e2abf2aa7c9418a34815dc02c272a859eea23a6

SHA256
b115531ef23c109fb58c392379b7f55eff11169e1317b263da60edd9ac98f6b1

SHA512
83fcccd08944e8c578482a945d38f756ef7cb959d6796c3830fb3e582205c5924b7bb1fb495aaffeacb2f7ac838730e5e7c01e6dcce54ea624be98635b3e3044

Download Submit
C:\Users\Admin\AppData\Local\24511db8-f828-47ef-9c79-c57a792885e0\build2.exe
MD5
673a786d98cb5709caaf1797142e0e6e

SHA1
4e2abf2aa7c9418a34815dc02c272a859eea23a6

SHA256
b115531ef23c109fb58c392379b7f55eff11169e1317b263da60edd9ac98f6b1

SHA512
83fcccd08944e8c578482a945d38f756ef7cb959d6796c3830fb3e582205c5924b7bb1fb495aaffeacb2f7ac838730e5e7c01e6dcce54ea624be98635b3e3044

Download Submit
C:\Users\Admin\AppData\Local\24511db8-f828-47ef-9c79-c57a792885e0\build2.exe
MD5
673a786d98cb5709caaf1797142e0e6e

SHA1
4e2abf2aa7c9418a34815dc02c272a859eea23a6

SHA256
b115531ef23c109fb58c392379b7f55eff11169e1317b263da60edd9ac98f6b1

SHA512
83fcccd08944e8c578482a945d38f756ef7cb959d6796c3830fb3e582205c5924b7bb1fb495aaffeacb2f7ac838730e5e7c01e6dcce54ea624be98635b3e3044

Download Submit
C:\Users\Admin\AppData\Local\24511db8-f828-47ef-9c79-c57a792885e0\build3.exe
MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
C:\Users\Admin\AppData\Local\24511db8-f828-47ef-9c79-c57a792885e0\build3.exe
MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
C:\Users\Admin\AppData\Local\24511db8-f828-47ef-9c79-c57a792885e0\build3.exe
MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
C:\Users\Admin\AppData\Local\4d59c868-0730-4d48-b04c-b9a6d56db2db\91db4a17206eda8936d0ce1e12eb51a8.exe
MD5
91db4a17206eda8936d0ce1e12eb51a8

SHA1
ee31cac794e6fdd200f36629bbe8c556c52ae61b

SHA256
aad6294207c2facfebf440fa5d52804422edbf9c9e9adb4a7aaff0310b1c5d11

SHA512
6c01a380d9d56a1eb60e1586bd2c40f32dc732c5802fc0fad9c4ca486a8d44048b40f85bc46792e98eeaad8a2435db5209ec5aca6da8319ab285bea90a5dccae

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
\Users\Admin\AppData\Local\24511db8-f828-47ef-9c79-c57a792885e0\build2.exe
MD5
673a786d98cb5709caaf1797142e0e6e

SHA1
4e2abf2aa7c9418a34815dc02c272a859eea23a6

SHA256
b115531ef23c109fb58c392379b7f55eff11169e1317b263da60edd9ac98f6b1

SHA512
83fcccd08944e8c578482a945d38f756ef7cb959d6796c3830fb3e582205c5924b7bb1fb495aaffeacb2f7ac838730e5e7c01e6dcce54ea624be98635b3e3044

Download Submit
\Users\Admin\AppData\Local\24511db8-f828-47ef-9c79-c57a792885e0\build2.exe
MD5
673a786d98cb5709caaf1797142e0e6e

SHA1
4e2abf2aa7c9418a34815dc02c272a859eea23a6

SHA256
b115531ef23c109fb58c392379b7f55eff11169e1317b263da60edd9ac98f6b1

SHA512
83fcccd08944e8c578482a945d38f756ef7cb959d6796c3830fb3e582205c5924b7bb1fb495aaffeacb2f7ac838730e5e7c01e6dcce54ea624be98635b3e3044

Download Submit
\Users\Admin\AppData\Local\24511db8-f828-47ef-9c79-c57a792885e0\build2.exe
MD5
673a786d98cb5709caaf1797142e0e6e

SHA1
4e2abf2aa7c9418a34815dc02c272a859eea23a6

SHA256
b115531ef23c109fb58c392379b7f55eff11169e1317b263da60edd9ac98f6b1

SHA512
83fcccd08944e8c578482a945d38f756ef7cb959d6796c3830fb3e582205c5924b7bb1fb495aaffeacb2f7ac838730e5e7c01e6dcce54ea624be98635b3e3044

Download Submit
\Users\Admin\AppData\Local\24511db8-f828-47ef-9c79-c57a792885e0\build2.exe
MD5
673a786d98cb5709caaf1797142e0e6e

SHA1
4e2abf2aa7c9418a34815dc02c272a859eea23a6

SHA256
b115531ef23c109fb58c392379b7f55eff11169e1317b263da60edd9ac98f6b1

SHA512
83fcccd08944e8c578482a945d38f756ef7cb959d6796c3830fb3e582205c5924b7bb1fb495aaffeacb2f7ac838730e5e7c01e6dcce54ea624be98635b3e3044

Download Submit
\Users\Admin\AppData\Local\24511db8-f828-47ef-9c79-c57a792885e0\build2.exe
MD5
673a786d98cb5709caaf1797142e0e6e

SHA1
4e2abf2aa7c9418a34815dc02c272a859eea23a6

SHA256
b115531ef23c109fb58c392379b7f55eff11169e1317b263da60edd9ac98f6b1

SHA512
83fcccd08944e8c578482a945d38f756ef7cb959d6796c3830fb3e582205c5924b7bb1fb495aaffeacb2f7ac838730e5e7c01e6dcce54ea624be98635b3e3044

Download Submit
\Users\Admin\AppData\Local\24511db8-f828-47ef-9c79-c57a792885e0\build2.exe
MD5
673a786d98cb5709caaf1797142e0e6e

SHA1
4e2abf2aa7c9418a34815dc02c272a859eea23a6

SHA256
b115531ef23c109fb58c392379b7f55eff11169e1317b263da60edd9ac98f6b1

SHA512
83fcccd08944e8c578482a945d38f756ef7cb959d6796c3830fb3e582205c5924b7bb1fb495aaffeacb2f7ac838730e5e7c01e6dcce54ea624be98635b3e3044

Download Submit
\Users\Admin\AppData\Local\24511db8-f828-47ef-9c79-c57a792885e0\build3.exe
MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
\Users\Admin\AppData\Local\24511db8-f828-47ef-9c79-c57a792885e0\build3.exe
MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
memory/472-84-0x0000000000401AFA-mapping.dmp

Download
memory/472-83-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/472-89-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/524-58-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/524-54-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/524-56-0x0000000076201000-0x0000000076203000-memory.dmp

Filesize
8KB

Download
memory/524-55-0x0000000000424141-mapping.dmp

Download
memory/1040-61-0x0000000000000000-mapping.dmp

Download
memory/1040-62-0x0000000002FA0000-0x0000000003031000-memory.dmp

Filesize
580KB

Download
memory/1060-103-0x00000000036CD000-0x00000000036DE000-memory.dmp

Filesize
68KB

Download
memory/1060-101-0x0000000000000000-mapping.dmp

Download
memory/1072-87-0x00000000017B0000-0x0000000001886000-memory.dmp

Filesize
856KB

Download
memory/1072-69-0x0000000000000000-mapping.dmp

Download
memory/1072-71-0x000000000030B000-0x0000000000388000-memory.dmp

Filesize
500KB

Download
memory/1080-57-0x00000000034E0000-0x00000000035FB000-memory.dmp

Filesize
1.1MB

Download
memory/1080-53-0x00000000032A0000-0x0000000003331000-memory.dmp

Filesize
580KB

Download
memory/1148-105-0x0000000000401AFA-mapping.dmp

Download
memory/1188-59-0x0000000000000000-mapping.dmp

Download
memory/1280-66-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1280-64-0x0000000000424141-mapping.dmp

Download
memory/1472-108-0x0000000000000000-mapping.dmp

Download
memory/1476-99-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/1476-94-0x0000000000000000-mapping.dmp

Download
memory/1596-111-0x00000000033BD000-0x00000000033CE000-memory.dmp

Filesize
68KB

Download
memory/1596-109-0x0000000000000000-mapping.dmp

Download
memory/1700-90-0x0000000000000000-mapping.dmp

Download
memory/1756-113-0x0000000000401AFA-mapping.dmp

Download
memory/1776-91-0x00000000001B0000-0x00000000001B4000-memory.dmp

Filesize
16KB

Download
memory/1776-76-0x00000000002ED000-0x00000000002FE000-memory.dmp

Filesize
68KB

Download
memory/1776-74-0x0000000000000000-mapping.dmp

Download
memory/1896-79-0x00000000004A192D-mapping.dmp

Download
memory/1896-78-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/1896-88-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download