djvu | 6aae67d87cd2ef23c4b9265c8e83db5142f00154e66e47b1e54219cea794682b

Analysis

max time kernel
121s
max time network
140s
platform
windows7_x64
resource
win7-en-20210920
submitted
19-10-2021 14:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c81d1895f7472cec079c7f12419feaf0.exe
Size

820KB
MD5

c81d1895f7472cec079c7f12419feaf0
SHA1

729557420c331200cbad77b7f98a0f5841933a63
SHA256

6aae67d87cd2ef23c4b9265c8e83db5142f00154e66e47b1e54219cea794682b
SHA512

9fbb32e99b3a321f5c5ea1c2bea24249ca5b335514f3f6a70342609932a45aab324d71030febbd18b0aa6d63698146a384ba37da17f7a84d4018ab48660d52cc

Score

10^/10

djvu discovery persistence ransomware suricata

Malware Config

Extracted

Family

djvu

http://rlrz.org/fhsgtsspen6

Signatures

Detected Djvu ransomware 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/976-54-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/976-55-0x0000000000424141-mapping.dmp	family_djvu
behavioral1/memory/1544-56-0x0000000004760000-0x000000000487B000-memory.dmp	family_djvu
behavioral1/memory/976-58-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1672-64-0x0000000000424141-mapping.dmp	family_djvu
behavioral1/memory/1672-66-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata
Downloads MZ/PE file
Executes dropped EXE 6 IoCs

Processes:

build3.exebuild3.exemstsca.exemstsca.exemstsca.exemstsca.exe

pid process

1448 build3.exe
1304 build3.exe
1620 mstsca.exe
1544 mstsca.exe
1816 mstsca.exe
1676 mstsca.exe
Loads dropped DLL 2 IoCs

Processes:

c81d1895f7472cec079c7f12419feaf0.exe

pid process

1672 c81d1895f7472cec079c7f12419feaf0.exe
1672 c81d1895f7472cec079c7f12419feaf0.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

1216 icacls.exe

pid	process
1448	build3.exe
1304	build3.exe
1620	mstsca.exe
1544	mstsca.exe
1816	mstsca.exe
1676	mstsca.exe

pid	process
1672	c81d1895f7472cec079c7f12419feaf0.exe
1672	c81d1895f7472cec079c7f12419feaf0.exe

pid	process
1216	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

c81d1895f7472cec079c7f12419feaf0.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\9c42df50-9992-445d-bbfe-f8976fdae13f\\c81d1895f7472cec079c7f12419feaf0.exe\" --AutoStart"	c81d1895f7472cec079c7f12419feaf0.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 api.2ip.ua
13 api.2ip.ua
4 api.2ip.ua

flow	ioc
5	api.2ip.ua
13	api.2ip.ua
4	api.2ip.ua

Suspicious use of SetThreadContext 5 IoCs

Processes:

c81d1895f7472cec079c7f12419feaf0.exec81d1895f7472cec079c7f12419feaf0.exebuild3.exemstsca.exemstsca.exe

description	pid	process	target process
PID 1544 set thread context of 976	1544	c81d1895f7472cec079c7f12419feaf0.exe	c81d1895f7472cec079c7f12419feaf0.exe
PID 1944 set thread context of 1672	1944	c81d1895f7472cec079c7f12419feaf0.exe	c81d1895f7472cec079c7f12419feaf0.exe
PID 1448 set thread context of 1304	1448	build3.exe	build3.exe
PID 1620 set thread context of 1544	1620	mstsca.exe	mstsca.exe
PID 1816 set thread context of 1676	1816	mstsca.exe	mstsca.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1076 schtasks.exe
1032 schtasks.exe

pid	process
1076	schtasks.exe
1032	schtasks.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

c81d1895f7472cec079c7f12419feaf0.exec81d1895f7472cec079c7f12419feaf0.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	c81d1895f7472cec079c7f12419feaf0.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	c81d1895f7472cec079c7f12419feaf0.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	c81d1895f7472cec079c7f12419feaf0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	c81d1895f7472cec079c7f12419feaf0.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	c81d1895f7472cec079c7f12419feaf0.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

c81d1895f7472cec079c7f12419feaf0.exec81d1895f7472cec079c7f12419feaf0.exe

pid	process
976	c81d1895f7472cec079c7f12419feaf0.exe
976	c81d1895f7472cec079c7f12419feaf0.exe
1672	c81d1895f7472cec079c7f12419feaf0.exe
1672	c81d1895f7472cec079c7f12419feaf0.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c81d1895f7472cec079c7f12419feaf0.exec81d1895f7472cec079c7f12419feaf0.exec81d1895f7472cec079c7f12419feaf0.exec81d1895f7472cec079c7f12419feaf0.exebuild3.exebuild3.exetaskeng.exemstsca.exemstsca.exe

description	pid	process	target process
PID 1544 wrote to memory of 976	1544	c81d1895f7472cec079c7f12419feaf0.exe	c81d1895f7472cec079c7f12419feaf0.exe
PID 1544 wrote to memory of 976	1544	c81d1895f7472cec079c7f12419feaf0.exe	c81d1895f7472cec079c7f12419feaf0.exe
PID 1544 wrote to memory of 976	1544	c81d1895f7472cec079c7f12419feaf0.exe	c81d1895f7472cec079c7f12419feaf0.exe
PID 1544 wrote to memory of 976	1544	c81d1895f7472cec079c7f12419feaf0.exe	c81d1895f7472cec079c7f12419feaf0.exe
PID 1544 wrote to memory of 976	1544	c81d1895f7472cec079c7f12419feaf0.exe	c81d1895f7472cec079c7f12419feaf0.exe
PID 1544 wrote to memory of 976	1544	c81d1895f7472cec079c7f12419feaf0.exe	c81d1895f7472cec079c7f12419feaf0.exe
PID 1544 wrote to memory of 976	1544	c81d1895f7472cec079c7f12419feaf0.exe	c81d1895f7472cec079c7f12419feaf0.exe
PID 1544 wrote to memory of 976	1544	c81d1895f7472cec079c7f12419feaf0.exe	c81d1895f7472cec079c7f12419feaf0.exe
PID 1544 wrote to memory of 976	1544	c81d1895f7472cec079c7f12419feaf0.exe	c81d1895f7472cec079c7f12419feaf0.exe
PID 1544 wrote to memory of 976	1544	c81d1895f7472cec079c7f12419feaf0.exe	c81d1895f7472cec079c7f12419feaf0.exe
PID 1544 wrote to memory of 976	1544	c81d1895f7472cec079c7f12419feaf0.exe	c81d1895f7472cec079c7f12419feaf0.exe
PID 976 wrote to memory of 1216	976	c81d1895f7472cec079c7f12419feaf0.exe	icacls.exe
PID 976 wrote to memory of 1216	976	c81d1895f7472cec079c7f12419feaf0.exe	icacls.exe
PID 976 wrote to memory of 1216	976	c81d1895f7472cec079c7f12419feaf0.exe	icacls.exe
PID 976 wrote to memory of 1216	976	c81d1895f7472cec079c7f12419feaf0.exe	icacls.exe
PID 976 wrote to memory of 1944	976	c81d1895f7472cec079c7f12419feaf0.exe	c81d1895f7472cec079c7f12419feaf0.exe
PID 976 wrote to memory of 1944	976	c81d1895f7472cec079c7f12419feaf0.exe	c81d1895f7472cec079c7f12419feaf0.exe
PID 976 wrote to memory of 1944	976	c81d1895f7472cec079c7f12419feaf0.exe	c81d1895f7472cec079c7f12419feaf0.exe
PID 976 wrote to memory of 1944	976	c81d1895f7472cec079c7f12419feaf0.exe	c81d1895f7472cec079c7f12419feaf0.exe
PID 1944 wrote to memory of 1672	1944	c81d1895f7472cec079c7f12419feaf0.exe	c81d1895f7472cec079c7f12419feaf0.exe
PID 1944 wrote to memory of 1672	1944	c81d1895f7472cec079c7f12419feaf0.exe	c81d1895f7472cec079c7f12419feaf0.exe
PID 1944 wrote to memory of 1672	1944	c81d1895f7472cec079c7f12419feaf0.exe	c81d1895f7472cec079c7f12419feaf0.exe
PID 1944 wrote to memory of 1672	1944	c81d1895f7472cec079c7f12419feaf0.exe	c81d1895f7472cec079c7f12419feaf0.exe
PID 1944 wrote to memory of 1672	1944	c81d1895f7472cec079c7f12419feaf0.exe	c81d1895f7472cec079c7f12419feaf0.exe
PID 1944 wrote to memory of 1672	1944	c81d1895f7472cec079c7f12419feaf0.exe	c81d1895f7472cec079c7f12419feaf0.exe
PID 1944 wrote to memory of 1672	1944	c81d1895f7472cec079c7f12419feaf0.exe	c81d1895f7472cec079c7f12419feaf0.exe
PID 1944 wrote to memory of 1672	1944	c81d1895f7472cec079c7f12419feaf0.exe	c81d1895f7472cec079c7f12419feaf0.exe
PID 1944 wrote to memory of 1672	1944	c81d1895f7472cec079c7f12419feaf0.exe	c81d1895f7472cec079c7f12419feaf0.exe
PID 1944 wrote to memory of 1672	1944	c81d1895f7472cec079c7f12419feaf0.exe	c81d1895f7472cec079c7f12419feaf0.exe
PID 1944 wrote to memory of 1672	1944	c81d1895f7472cec079c7f12419feaf0.exe	c81d1895f7472cec079c7f12419feaf0.exe
PID 1672 wrote to memory of 1448	1672	c81d1895f7472cec079c7f12419feaf0.exe	build3.exe
PID 1672 wrote to memory of 1448	1672	c81d1895f7472cec079c7f12419feaf0.exe	build3.exe
PID 1672 wrote to memory of 1448	1672	c81d1895f7472cec079c7f12419feaf0.exe	build3.exe
PID 1672 wrote to memory of 1448	1672	c81d1895f7472cec079c7f12419feaf0.exe	build3.exe
PID 1448 wrote to memory of 1304	1448	build3.exe	build3.exe
PID 1448 wrote to memory of 1304	1448	build3.exe	build3.exe
PID 1448 wrote to memory of 1304	1448	build3.exe	build3.exe
PID 1448 wrote to memory of 1304	1448	build3.exe	build3.exe
PID 1448 wrote to memory of 1304	1448	build3.exe	build3.exe
PID 1448 wrote to memory of 1304	1448	build3.exe	build3.exe
PID 1448 wrote to memory of 1304	1448	build3.exe	build3.exe
PID 1448 wrote to memory of 1304	1448	build3.exe	build3.exe
PID 1448 wrote to memory of 1304	1448	build3.exe	build3.exe
PID 1448 wrote to memory of 1304	1448	build3.exe	build3.exe
PID 1304 wrote to memory of 1076	1304	build3.exe	schtasks.exe
PID 1304 wrote to memory of 1076	1304	build3.exe	schtasks.exe
PID 1304 wrote to memory of 1076	1304	build3.exe	schtasks.exe
PID 1304 wrote to memory of 1076	1304	build3.exe	schtasks.exe
PID 764 wrote to memory of 1620	764	taskeng.exe	mstsca.exe
PID 764 wrote to memory of 1620	764	taskeng.exe	mstsca.exe
PID 764 wrote to memory of 1620	764	taskeng.exe	mstsca.exe
PID 764 wrote to memory of 1620	764	taskeng.exe	mstsca.exe
PID 1620 wrote to memory of 1544	1620	mstsca.exe	mstsca.exe
PID 1620 wrote to memory of 1544	1620	mstsca.exe	mstsca.exe
PID 1620 wrote to memory of 1544	1620	mstsca.exe	mstsca.exe
PID 1620 wrote to memory of 1544	1620	mstsca.exe	mstsca.exe
PID 1620 wrote to memory of 1544	1620	mstsca.exe	mstsca.exe
PID 1620 wrote to memory of 1544	1620	mstsca.exe	mstsca.exe
PID 1620 wrote to memory of 1544	1620	mstsca.exe	mstsca.exe
PID 1620 wrote to memory of 1544	1620	mstsca.exe	mstsca.exe
PID 1620 wrote to memory of 1544	1620	mstsca.exe	mstsca.exe
PID 1620 wrote to memory of 1544	1620	mstsca.exe	mstsca.exe
PID 1544 wrote to memory of 1032	1544	mstsca.exe	schtasks.exe
PID 1544 wrote to memory of 1032	1544	mstsca.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\c81d1895f7472cec079c7f12419feaf0.exe
"C:\Users\Admin\AppData\Local\Temp\c81d1895f7472cec079c7f12419feaf0.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1544

C:\Users\Admin\AppData\Local\Temp\c81d1895f7472cec079c7f12419feaf0.exe
"C:\Users\Admin\AppData\Local\Temp\c81d1895f7472cec079c7f12419feaf0.exe"
2⤵
- Adds Run key to start application
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:976

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\9c42df50-9992-445d-bbfe-f8976fdae13f" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:1216

C:\Users\Admin\AppData\Local\Temp\c81d1895f7472cec079c7f12419feaf0.exe
"C:\Users\Admin\AppData\Local\Temp\c81d1895f7472cec079c7f12419feaf0.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1944

C:\Users\Admin\AppData\Local\Temp\c81d1895f7472cec079c7f12419feaf0.exe
"C:\Users\Admin\AppData\Local\Temp\c81d1895f7472cec079c7f12419feaf0.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1672

C:\Users\Admin\AppData\Local\16bdb65c-b1d4-4d29-beca-53b86c5f27e9\build3.exe
"C:\Users\Admin\AppData\Local\16bdb65c-b1d4-4d29-beca-53b86c5f27e9\build3.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1448

C:\Users\Admin\AppData\Local\16bdb65c-b1d4-4d29-beca-53b86c5f27e9\build3.exe
"C:\Users\Admin\AppData\Local\16bdb65c-b1d4-4d29-beca-53b86c5f27e9\build3.exe"
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1304

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
7⤵
- Creates scheduled task(s)
PID:1076

C:\Windows\system32\taskeng.exe
taskeng.exe {4673ECB9-B205-4104-A28C-C263B8D968F0} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:764

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1620

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1544

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
4⤵
- Creates scheduled task(s)
PID:1032

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1816

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
- Executes dropped EXE
PID:1676

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Permissions Modification

T1222

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
3183751859498c44f6d0ee8e2aab2c17

SHA1
3948927d001256209b5e4b25003c3c4ccb9ad6bc

SHA256
fd7b40ffbaccd347c4daa2d0530a3b74114fcb55c78423d67750a8be92c70a28

SHA512
88de4b4c2818650f7080a9afdcbe8764f1604bbf77f08f2ce286beb5a00e6cb30352f6180f64e7b5d9790a1e5ebefde6e62d8221e55228942d5652a1e0cd4fa6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
MD5
ab5c36d10261c173c5896f3478cdc6b7

SHA1
87ac53810ad125663519e944bc87ded3979cbee4

SHA256
f8e90fb0557fe49d7702cfb506312ac0b24c97802f9c782696db6d47f434e8e9

SHA512
e83e4eae44e7a9cbcd267dbfc25a7f4f68b50591e3bbe267324b1f813c9220d565b284994ded5f7d2d371d50e1ebfa647176ec8de9716f754c6b5785c6e897fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
98a2414b3a6062f69b5e91e8ef853e60

SHA1
a7c76d8cc77cc535d73bc6b0ee4f64527572145d

SHA256
cea0b3398c3a6ac31f4582a21afb131878dfd3e489d101af94fd3d682000dba3

SHA512
d186ac4f87a04cc56d2a120d1aa7d96f1574ac7353a7d8b237452260f11a3ebfadb556eb46ee894c75ae1bdc6dae480599c6109eb25873074546847d158dddda

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
19b7769092c3d9b24f975a16d9e64be5

SHA1
3e87697930f9b4747fbb4352d5c2edf57e4b5b79

SHA256
a9b6735dd397035bccc955c3329c8503c4080ee0051b955b9bb4e80a7374b02a

SHA512
9656c0048b8b9149959b0de4592581c7d8e2954bc5fb4433dd893369f17409ff91e16b2c36d6ef5392b59e1cb86008fa4b807f37bfe7a6393cb23ede4605ca4b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
77c1fced711611c894f0f38526819630

SHA1
75122cf618e816c67d24dc9c5fa93bca101b0e38

SHA256
fbef9cec8b1cedbe4f234950d1dc5745756f6eb9f4c9f6af7134880303b7a44a

SHA512
6c7907d5c555e31a438a8245592056eb51a6d34b3927a907558fbbdb41e2a32054fd69699628403f306542f7ee2cbec9810ef841b98e004c1f873363a0185567

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
a98eabd0bd1a5a7d46f7fad7b2f46822

SHA1
bb7d295867b5f10db079126de62a2aaf2408b4ac

SHA256
1c456b5cfe2b2726e8f767566805a99e1c9dec5d792c36c9fd24a388f6410f87

SHA512
b723be7ac4ca0a528847ac9c37725b6dd6051ef2489173d85b8d032325793695da5f35dd87559b6aec1fc98853d62dc9362eff2c3cad0e933261d2b30195ce2e

Download Submit
C:\Users\Admin\AppData\Local\16bdb65c-b1d4-4d29-beca-53b86c5f27e9\build3.exe
MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
C:\Users\Admin\AppData\Local\16bdb65c-b1d4-4d29-beca-53b86c5f27e9\build3.exe
MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
C:\Users\Admin\AppData\Local\16bdb65c-b1d4-4d29-beca-53b86c5f27e9\build3.exe
MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
C:\Users\Admin\AppData\Local\9c42df50-9992-445d-bbfe-f8976fdae13f\c81d1895f7472cec079c7f12419feaf0.exe
MD5
c81d1895f7472cec079c7f12419feaf0

SHA1
729557420c331200cbad77b7f98a0f5841933a63

SHA256
6aae67d87cd2ef23c4b9265c8e83db5142f00154e66e47b1e54219cea794682b

SHA512
9fbb32e99b3a321f5c5ea1c2bea24249ca5b335514f3f6a70342609932a45aab324d71030febbd18b0aa6d63698146a384ba37da17f7a84d4018ab48660d52cc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
\Users\Admin\AppData\Local\16bdb65c-b1d4-4d29-beca-53b86c5f27e9\build3.exe
MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
\Users\Admin\AppData\Local\16bdb65c-b1d4-4d29-beca-53b86c5f27e9\build3.exe
MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
memory/976-58-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/976-57-0x00000000751D1000-0x00000000751D3000-memory.dmp

Filesize
8KB

Download
memory/976-54-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/976-55-0x0000000000424141-mapping.dmp

Download
memory/1032-94-0x0000000000000000-mapping.dmp

Download
memory/1076-83-0x0000000000000000-mapping.dmp

Download
memory/1216-59-0x0000000000000000-mapping.dmp

Download
memory/1304-85-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1304-79-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1304-80-0x0000000000401AFA-mapping.dmp

Download
memory/1448-75-0x0000000000000000-mapping.dmp

Download
memory/1448-84-0x00000000001C0000-0x00000000001C4000-memory.dmp

Filesize
16KB

Download
memory/1448-77-0x000000000030D000-0x000000000031E000-memory.dmp

Filesize
68KB

Download
memory/1544-91-0x0000000000401AFA-mapping.dmp

Download
memory/1544-56-0x0000000004760000-0x000000000487B000-memory.dmp

Filesize
1.1MB

Download
memory/1544-53-0x00000000046C0000-0x0000000004751000-memory.dmp

Filesize
580KB

Download
memory/1620-87-0x0000000000000000-mapping.dmp

Download
memory/1620-89-0x00000000032ED000-0x00000000032FE000-memory.dmp

Filesize
68KB

Download
memory/1672-66-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1672-64-0x0000000000424141-mapping.dmp

Download
memory/1676-99-0x0000000000401AFA-mapping.dmp

Download
memory/1816-95-0x0000000000000000-mapping.dmp

Download
memory/1816-97-0x00000000002CD000-0x00000000002DE000-memory.dmp

Filesize
68KB

Download
memory/1944-61-0x0000000000000000-mapping.dmp

Download
memory/1944-62-0x0000000000310000-0x00000000003A1000-memory.dmp

Filesize
580KB

Download