djvu | 0ec0efd49c9fbf8bbb63a959bf0f683a4d9a57103796a38715275c5e3d635937

Analysis

max time kernel
122s
max time network
146s
platform
windows10_x64
resource
win10-en-20211014
submitted
23-10-2021 00:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ec0efd49c9fbf8bbb63a959bf0f683a4d9a57103796a38715275c5e3d635937.exe
Size

854KB
MD5

228acf8b56730bfb5c179817d66b34db
SHA1

c4de1a0f87fce73596463562aa20f634277f8241
SHA256

0ec0efd49c9fbf8bbb63a959bf0f683a4d9a57103796a38715275c5e3d635937
SHA512

d737375472ac017d2345de865fb0fb74c37aa3ae129b803437961b57e7813a9529984f461a6f67c4fadfc895e33814f5e88c9e465f6e5f9a1bfa6d9da5c635c9

Score

10^/10

djvu vidar 517 discovery persistence ransomware spyware stealer

Malware Config

Extracted

Family

vidar

Version

41.5

Botnet

517

https://mas.to/@xeroxxx

Attributes

profile_id
517

Extracted

Family

djvu

http://rlrz.org/lancer

Signatures

Detected Djvu ransomware 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2816-116-0x0000000000E90000-0x0000000000FAB000-memory.dmp	family_djvu
behavioral1/memory/3100-117-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3100-118-0x0000000000424141-mapping.dmp	family_djvu
behavioral1/memory/3100-119-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/512-125-0x0000000000424141-mapping.dmp	family_djvu
behavioral1/memory/512-126-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Vidar Stealer 4 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/1480-139-0x0000000000400000-0x00000000004D9000-memory.dmp	family_vidar
behavioral1/memory/1480-140-0x00000000004A18CD-mapping.dmp	family_vidar
behavioral1/memory/1480-147-0x0000000000400000-0x00000000004D9000-memory.dmp	family_vidar
behavioral1/memory/1212-146-0x0000000004C40000-0x0000000004D16000-memory.dmp	family_vidar

Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

build2.exebuild3.exebuild2.exebuild3.exe

pid process

1212 build2.exe
680 build3.exe
1480 build2.exe
1468 build3.exe
Loads dropped DLL 2 IoCs

Processes:

build2.exe

pid process

1480 build2.exe
1480 build2.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

3240 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1212	build2.exe
680	build3.exe
1480	build2.exe
1468	build3.exe

pid	process
1480	build2.exe
1480	build2.exe

pid	process
3240	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

0ec0efd49c9fbf8bbb63a959bf0f683a4d9a57103796a38715275c5e3d635937.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\34c56f52-1db0-479f-91d7-c9917783ccc4\\0ec0efd49c9fbf8bbb63a959bf0f683a4d9a57103796a38715275c5e3d635937.exe\" --AutoStart"	0ec0efd49c9fbf8bbb63a959bf0f683a4d9a57103796a38715275c5e3d635937.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

11 api.2ip.ua
12 api.2ip.ua
26 api.2ip.ua

flow	ioc
11	api.2ip.ua
12	api.2ip.ua
26	api.2ip.ua

Suspicious use of SetThreadContext 4 IoCs

Processes:

0ec0efd49c9fbf8bbb63a959bf0f683a4d9a57103796a38715275c5e3d635937.exe0ec0efd49c9fbf8bbb63a959bf0f683a4d9a57103796a38715275c5e3d635937.exebuild2.exebuild3.exe

description	pid	process	target process
PID 2816 set thread context of 3100	2816	0ec0efd49c9fbf8bbb63a959bf0f683a4d9a57103796a38715275c5e3d635937.exe	0ec0efd49c9fbf8bbb63a959bf0f683a4d9a57103796a38715275c5e3d635937.exe
PID 688 set thread context of 512	688	0ec0efd49c9fbf8bbb63a959bf0f683a4d9a57103796a38715275c5e3d635937.exe	0ec0efd49c9fbf8bbb63a959bf0f683a4d9a57103796a38715275c5e3d635937.exe
PID 1212 set thread context of 1480	1212	build2.exe	build2.exe
PID 680 set thread context of 1468	680	build3.exe	build3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

build2.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	build2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	build2.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3800 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3508 timeout.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1992 taskkill.exe

pid	process
3800	schtasks.exe

pid	process
3508	timeout.exe

pid	process
1992	taskkill.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

0ec0efd49c9fbf8bbb63a959bf0f683a4d9a57103796a38715275c5e3d635937.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	0ec0efd49c9fbf8bbb63a959bf0f683a4d9a57103796a38715275c5e3d635937.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	0ec0efd49c9fbf8bbb63a959bf0f683a4d9a57103796a38715275c5e3d635937.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

0ec0efd49c9fbf8bbb63a959bf0f683a4d9a57103796a38715275c5e3d635937.exe0ec0efd49c9fbf8bbb63a959bf0f683a4d9a57103796a38715275c5e3d635937.exebuild2.exe

pid	process
3100	0ec0efd49c9fbf8bbb63a959bf0f683a4d9a57103796a38715275c5e3d635937.exe
3100	0ec0efd49c9fbf8bbb63a959bf0f683a4d9a57103796a38715275c5e3d635937.exe
512	0ec0efd49c9fbf8bbb63a959bf0f683a4d9a57103796a38715275c5e3d635937.exe
512	0ec0efd49c9fbf8bbb63a959bf0f683a4d9a57103796a38715275c5e3d635937.exe
1480	build2.exe
1480	build2.exe
1480	build2.exe
1480	build2.exe
1480	build2.exe
1480	build2.exe
1480	build2.exe
1480	build2.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 1992 taskkill.exe

description	pid	process
Token: SeDebugPrivilege	1992	taskkill.exe

Suspicious use of WriteProcessMemory 61 IoCs

Processes:

0ec0efd49c9fbf8bbb63a959bf0f683a4d9a57103796a38715275c5e3d635937.exe0ec0efd49c9fbf8bbb63a959bf0f683a4d9a57103796a38715275c5e3d635937.exe0ec0efd49c9fbf8bbb63a959bf0f683a4d9a57103796a38715275c5e3d635937.exe0ec0efd49c9fbf8bbb63a959bf0f683a4d9a57103796a38715275c5e3d635937.exebuild2.exebuild3.exebuild3.exebuild2.execmd.exe

description	pid	process	target process
PID 2816 wrote to memory of 3100	2816	0ec0efd49c9fbf8bbb63a959bf0f683a4d9a57103796a38715275c5e3d635937.exe	0ec0efd49c9fbf8bbb63a959bf0f683a4d9a57103796a38715275c5e3d635937.exe
PID 2816 wrote to memory of 3100	2816	0ec0efd49c9fbf8bbb63a959bf0f683a4d9a57103796a38715275c5e3d635937.exe	0ec0efd49c9fbf8bbb63a959bf0f683a4d9a57103796a38715275c5e3d635937.exe
PID 2816 wrote to memory of 3100	2816	0ec0efd49c9fbf8bbb63a959bf0f683a4d9a57103796a38715275c5e3d635937.exe	0ec0efd49c9fbf8bbb63a959bf0f683a4d9a57103796a38715275c5e3d635937.exe
PID 2816 wrote to memory of 3100	2816	0ec0efd49c9fbf8bbb63a959bf0f683a4d9a57103796a38715275c5e3d635937.exe	0ec0efd49c9fbf8bbb63a959bf0f683a4d9a57103796a38715275c5e3d635937.exe
PID 2816 wrote to memory of 3100	2816	0ec0efd49c9fbf8bbb63a959bf0f683a4d9a57103796a38715275c5e3d635937.exe	0ec0efd49c9fbf8bbb63a959bf0f683a4d9a57103796a38715275c5e3d635937.exe
PID 2816 wrote to memory of 3100	2816	0ec0efd49c9fbf8bbb63a959bf0f683a4d9a57103796a38715275c5e3d635937.exe	0ec0efd49c9fbf8bbb63a959bf0f683a4d9a57103796a38715275c5e3d635937.exe
PID 2816 wrote to memory of 3100	2816	0ec0efd49c9fbf8bbb63a959bf0f683a4d9a57103796a38715275c5e3d635937.exe	0ec0efd49c9fbf8bbb63a959bf0f683a4d9a57103796a38715275c5e3d635937.exe
PID 2816 wrote to memory of 3100	2816	0ec0efd49c9fbf8bbb63a959bf0f683a4d9a57103796a38715275c5e3d635937.exe	0ec0efd49c9fbf8bbb63a959bf0f683a4d9a57103796a38715275c5e3d635937.exe
PID 2816 wrote to memory of 3100	2816	0ec0efd49c9fbf8bbb63a959bf0f683a4d9a57103796a38715275c5e3d635937.exe	0ec0efd49c9fbf8bbb63a959bf0f683a4d9a57103796a38715275c5e3d635937.exe
PID 2816 wrote to memory of 3100	2816	0ec0efd49c9fbf8bbb63a959bf0f683a4d9a57103796a38715275c5e3d635937.exe	0ec0efd49c9fbf8bbb63a959bf0f683a4d9a57103796a38715275c5e3d635937.exe
PID 3100 wrote to memory of 3240	3100	0ec0efd49c9fbf8bbb63a959bf0f683a4d9a57103796a38715275c5e3d635937.exe	icacls.exe
PID 3100 wrote to memory of 3240	3100	0ec0efd49c9fbf8bbb63a959bf0f683a4d9a57103796a38715275c5e3d635937.exe	icacls.exe
PID 3100 wrote to memory of 3240	3100	0ec0efd49c9fbf8bbb63a959bf0f683a4d9a57103796a38715275c5e3d635937.exe	icacls.exe
PID 3100 wrote to memory of 688	3100	0ec0efd49c9fbf8bbb63a959bf0f683a4d9a57103796a38715275c5e3d635937.exe	0ec0efd49c9fbf8bbb63a959bf0f683a4d9a57103796a38715275c5e3d635937.exe
PID 3100 wrote to memory of 688	3100	0ec0efd49c9fbf8bbb63a959bf0f683a4d9a57103796a38715275c5e3d635937.exe	0ec0efd49c9fbf8bbb63a959bf0f683a4d9a57103796a38715275c5e3d635937.exe
PID 3100 wrote to memory of 688	3100	0ec0efd49c9fbf8bbb63a959bf0f683a4d9a57103796a38715275c5e3d635937.exe	0ec0efd49c9fbf8bbb63a959bf0f683a4d9a57103796a38715275c5e3d635937.exe
PID 688 wrote to memory of 512	688	0ec0efd49c9fbf8bbb63a959bf0f683a4d9a57103796a38715275c5e3d635937.exe	0ec0efd49c9fbf8bbb63a959bf0f683a4d9a57103796a38715275c5e3d635937.exe
PID 688 wrote to memory of 512	688	0ec0efd49c9fbf8bbb63a959bf0f683a4d9a57103796a38715275c5e3d635937.exe	0ec0efd49c9fbf8bbb63a959bf0f683a4d9a57103796a38715275c5e3d635937.exe
PID 688 wrote to memory of 512	688	0ec0efd49c9fbf8bbb63a959bf0f683a4d9a57103796a38715275c5e3d635937.exe	0ec0efd49c9fbf8bbb63a959bf0f683a4d9a57103796a38715275c5e3d635937.exe
PID 688 wrote to memory of 512	688	0ec0efd49c9fbf8bbb63a959bf0f683a4d9a57103796a38715275c5e3d635937.exe	0ec0efd49c9fbf8bbb63a959bf0f683a4d9a57103796a38715275c5e3d635937.exe
PID 688 wrote to memory of 512	688	0ec0efd49c9fbf8bbb63a959bf0f683a4d9a57103796a38715275c5e3d635937.exe	0ec0efd49c9fbf8bbb63a959bf0f683a4d9a57103796a38715275c5e3d635937.exe
PID 688 wrote to memory of 512	688	0ec0efd49c9fbf8bbb63a959bf0f683a4d9a57103796a38715275c5e3d635937.exe	0ec0efd49c9fbf8bbb63a959bf0f683a4d9a57103796a38715275c5e3d635937.exe
PID 688 wrote to memory of 512	688	0ec0efd49c9fbf8bbb63a959bf0f683a4d9a57103796a38715275c5e3d635937.exe	0ec0efd49c9fbf8bbb63a959bf0f683a4d9a57103796a38715275c5e3d635937.exe
PID 688 wrote to memory of 512	688	0ec0efd49c9fbf8bbb63a959bf0f683a4d9a57103796a38715275c5e3d635937.exe	0ec0efd49c9fbf8bbb63a959bf0f683a4d9a57103796a38715275c5e3d635937.exe
PID 688 wrote to memory of 512	688	0ec0efd49c9fbf8bbb63a959bf0f683a4d9a57103796a38715275c5e3d635937.exe	0ec0efd49c9fbf8bbb63a959bf0f683a4d9a57103796a38715275c5e3d635937.exe
PID 688 wrote to memory of 512	688	0ec0efd49c9fbf8bbb63a959bf0f683a4d9a57103796a38715275c5e3d635937.exe	0ec0efd49c9fbf8bbb63a959bf0f683a4d9a57103796a38715275c5e3d635937.exe
PID 512 wrote to memory of 1212	512	0ec0efd49c9fbf8bbb63a959bf0f683a4d9a57103796a38715275c5e3d635937.exe	build2.exe
PID 512 wrote to memory of 1212	512	0ec0efd49c9fbf8bbb63a959bf0f683a4d9a57103796a38715275c5e3d635937.exe	build2.exe
PID 512 wrote to memory of 1212	512	0ec0efd49c9fbf8bbb63a959bf0f683a4d9a57103796a38715275c5e3d635937.exe	build2.exe
PID 512 wrote to memory of 680	512	0ec0efd49c9fbf8bbb63a959bf0f683a4d9a57103796a38715275c5e3d635937.exe	build3.exe
PID 512 wrote to memory of 680	512	0ec0efd49c9fbf8bbb63a959bf0f683a4d9a57103796a38715275c5e3d635937.exe	build3.exe
PID 512 wrote to memory of 680	512	0ec0efd49c9fbf8bbb63a959bf0f683a4d9a57103796a38715275c5e3d635937.exe	build3.exe
PID 1212 wrote to memory of 1480	1212	build2.exe	build2.exe
PID 1212 wrote to memory of 1480	1212	build2.exe	build2.exe
PID 1212 wrote to memory of 1480	1212	build2.exe	build2.exe
PID 1212 wrote to memory of 1480	1212	build2.exe	build2.exe
PID 1212 wrote to memory of 1480	1212	build2.exe	build2.exe
PID 1212 wrote to memory of 1480	1212	build2.exe	build2.exe
PID 1212 wrote to memory of 1480	1212	build2.exe	build2.exe
PID 1212 wrote to memory of 1480	1212	build2.exe	build2.exe
PID 680 wrote to memory of 1468	680	build3.exe	build3.exe
PID 680 wrote to memory of 1468	680	build3.exe	build3.exe
PID 680 wrote to memory of 1468	680	build3.exe	build3.exe
PID 680 wrote to memory of 1468	680	build3.exe	build3.exe
PID 680 wrote to memory of 1468	680	build3.exe	build3.exe
PID 680 wrote to memory of 1468	680	build3.exe	build3.exe
PID 680 wrote to memory of 1468	680	build3.exe	build3.exe
PID 680 wrote to memory of 1468	680	build3.exe	build3.exe
PID 680 wrote to memory of 1468	680	build3.exe	build3.exe
PID 1468 wrote to memory of 3800	1468	build3.exe	schtasks.exe
PID 1468 wrote to memory of 3800	1468	build3.exe	schtasks.exe
PID 1468 wrote to memory of 3800	1468	build3.exe	schtasks.exe
PID 1480 wrote to memory of 1800	1480	build2.exe	cmd.exe
PID 1480 wrote to memory of 1800	1480	build2.exe	cmd.exe
PID 1480 wrote to memory of 1800	1480	build2.exe	cmd.exe
PID 1800 wrote to memory of 1992	1800	cmd.exe	taskkill.exe
PID 1800 wrote to memory of 1992	1800	cmd.exe	taskkill.exe
PID 1800 wrote to memory of 1992	1800	cmd.exe	taskkill.exe
PID 1800 wrote to memory of 3508	1800	cmd.exe	timeout.exe
PID 1800 wrote to memory of 3508	1800	cmd.exe	timeout.exe
PID 1800 wrote to memory of 3508	1800	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\0ec0efd49c9fbf8bbb63a959bf0f683a4d9a57103796a38715275c5e3d635937.exe
"C:\Users\Admin\AppData\Local\Temp\0ec0efd49c9fbf8bbb63a959bf0f683a4d9a57103796a38715275c5e3d635937.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2816

C:\Users\Admin\AppData\Local\Temp\0ec0efd49c9fbf8bbb63a959bf0f683a4d9a57103796a38715275c5e3d635937.exe
"C:\Users\Admin\AppData\Local\Temp\0ec0efd49c9fbf8bbb63a959bf0f683a4d9a57103796a38715275c5e3d635937.exe"
2⤵
- Adds Run key to start application
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3100

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\34c56f52-1db0-479f-91d7-c9917783ccc4" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:3240

C:\Users\Admin\AppData\Local\Temp\0ec0efd49c9fbf8bbb63a959bf0f683a4d9a57103796a38715275c5e3d635937.exe
"C:\Users\Admin\AppData\Local\Temp\0ec0efd49c9fbf8bbb63a959bf0f683a4d9a57103796a38715275c5e3d635937.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:688

C:\Users\Admin\AppData\Local\Temp\0ec0efd49c9fbf8bbb63a959bf0f683a4d9a57103796a38715275c5e3d635937.exe
"C:\Users\Admin\AppData\Local\Temp\0ec0efd49c9fbf8bbb63a959bf0f683a4d9a57103796a38715275c5e3d635937.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:512

C:\Users\Admin\AppData\Local\124a9576-3974-46ee-9e37-fbfc2cbde63b\build2.exe
"C:\Users\Admin\AppData\Local\124a9576-3974-46ee-9e37-fbfc2cbde63b\build2.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1212

C:\Users\Admin\AppData\Local\124a9576-3974-46ee-9e37-fbfc2cbde63b\build2.exe
"C:\Users\Admin\AppData\Local\124a9576-3974-46ee-9e37-fbfc2cbde63b\build2.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1480

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\124a9576-3974-46ee-9e37-fbfc2cbde63b\build2.exe" & del C:\ProgramData\*.dll & exit
7⤵
- Suspicious use of WriteProcessMemory
PID:1800

C:\Windows\SysWOW64\taskkill.exe
taskkill /im build2.exe /f
8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1992

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
8⤵
- Delays execution with timeout.exe
PID:3508

C:\Users\Admin\AppData\Local\124a9576-3974-46ee-9e37-fbfc2cbde63b\build3.exe
"C:\Users\Admin\AppData\Local\124a9576-3974-46ee-9e37-fbfc2cbde63b\build3.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:680

C:\Users\Admin\AppData\Local\124a9576-3974-46ee-9e37-fbfc2cbde63b\build3.exe
"C:\Users\Admin\AppData\Local\124a9576-3974-46ee-9e37-fbfc2cbde63b\build3.exe"
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1468

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
7⤵
- Creates scheduled task(s)
PID:3800

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
50d9d5311b74576fbbb5c9f204fdc16b

SHA1
7dd97b713e33f287440441aa3bb7966a2cb68321

SHA256
d76a71e8dfd6961d4912a23b2fd207f2a93c67523dfcda252358eafa5821b2ad

SHA512
67d02ce79bb8fd641783ba12ab5587900a03416627939084ce87f22b42ca7d50765947e2238b3c6a70a74bce3c9233b486aaa10feb57e714646e4d02c0c926c0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\572BF21E454637C9F000BE1AF9B1E1A9
MD5
4eb154f71acf2057b77713e037916ae3

SHA1
5ae3295eceabf7aed389dcf56aea7fe75e13d954

SHA256
bd46c38e3f9cabf82aff86041e4a3b18a8f03172b6717d6679375f39b860138d

SHA512
9ad7c91965f57f8020ba00f54b63cd6e7e934b1e984d4777eafbc4049625085a4e5b3ecf7286a311b741a02092dbe01a5da21bd0a496947a3fc853bcb63948f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
1cf2706ee26a5fafb03ece07570de071

SHA1
7c71b1e6212c935576d3f90b499800e17796b003

SHA256
129174e9a38e87c7e9eac14c8022e11c57e82556dbc225e0b953181a9820b64b

SHA512
3840067dae3aca9fd56b150865461ca8c54ec77e1a3a099b4a3dc27676fdb91af5692790910e9ec88e9dd8b2991d92d6a219a182e59589b5daad331733cd2964

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\572BF21E454637C9F000BE1AF9B1E1A9
MD5
47ba1a2f4a5a71abaeb5ae047d7787f5

SHA1
799539a543884fe219341d84b850be218a2638b8

SHA256
bcc999df3dc072232f8a2bbd9dc711408cb0e3e4b4140cac5f015a2662c91cf9

SHA512
1d7bbffdee6c8abfe46d5aa7f8e0f28ca1454679074071db071298bb6a33098e74b2266fb364bf55c0e5ff74645fd547293277f0775d08d2019753b65a887fa4

Download Submit
C:\Users\Admin\AppData\Local\124a9576-3974-46ee-9e37-fbfc2cbde63b\build2.exe
MD5
a2ef57bbe3a8af95196a419a7962bfaa

SHA1
1a0c42723cd1e2e947f904619de7fcea5ca4a183

SHA256
4bc52cd8296fcffc22b5ca8ebf2b161260d71c8d34658f45c9c93cf6d65749e9

SHA512
ca4781632cc0fb2c53f1ae0d0b798da386514f58b6a48845197eea05da7af162405dee1d4b139e661798c29a095e50cdde9f193dea4a9c5366ee763a899ac160

Download Submit
C:\Users\Admin\AppData\Local\124a9576-3974-46ee-9e37-fbfc2cbde63b\build2.exe
MD5
a2ef57bbe3a8af95196a419a7962bfaa

SHA1
1a0c42723cd1e2e947f904619de7fcea5ca4a183

SHA256
4bc52cd8296fcffc22b5ca8ebf2b161260d71c8d34658f45c9c93cf6d65749e9

SHA512
ca4781632cc0fb2c53f1ae0d0b798da386514f58b6a48845197eea05da7af162405dee1d4b139e661798c29a095e50cdde9f193dea4a9c5366ee763a899ac160

Download Submit
C:\Users\Admin\AppData\Local\124a9576-3974-46ee-9e37-fbfc2cbde63b\build2.exe
MD5
a2ef57bbe3a8af95196a419a7962bfaa

SHA1
1a0c42723cd1e2e947f904619de7fcea5ca4a183

SHA256
4bc52cd8296fcffc22b5ca8ebf2b161260d71c8d34658f45c9c93cf6d65749e9

SHA512
ca4781632cc0fb2c53f1ae0d0b798da386514f58b6a48845197eea05da7af162405dee1d4b139e661798c29a095e50cdde9f193dea4a9c5366ee763a899ac160

Download Submit
C:\Users\Admin\AppData\Local\124a9576-3974-46ee-9e37-fbfc2cbde63b\build3.exe
MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
C:\Users\Admin\AppData\Local\124a9576-3974-46ee-9e37-fbfc2cbde63b\build3.exe
MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
C:\Users\Admin\AppData\Local\124a9576-3974-46ee-9e37-fbfc2cbde63b\build3.exe
MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
C:\Users\Admin\AppData\Local\34c56f52-1db0-479f-91d7-c9917783ccc4\0ec0efd49c9fbf8bbb63a959bf0f683a4d9a57103796a38715275c5e3d635937.exe
MD5
228acf8b56730bfb5c179817d66b34db

SHA1
c4de1a0f87fce73596463562aa20f634277f8241

SHA256
0ec0efd49c9fbf8bbb63a959bf0f683a4d9a57103796a38715275c5e3d635937

SHA512
d737375472ac017d2345de865fb0fb74c37aa3ae129b803437961b57e7813a9529984f461a6f67c4fadfc895e33814f5e88c9e465f6e5f9a1bfa6d9da5c635c9

Download Submit
\ProgramData\mozglue.dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
memory/512-126-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/512-125-0x0000000000424141-mapping.dmp

Download
memory/680-138-0x0000000003409000-0x0000000003419000-memory.dmp

Filesize
64KB

Download
memory/680-148-0x00000000032B0000-0x00000000033FA000-memory.dmp

Filesize
1.3MB

Download
memory/680-135-0x0000000000000000-mapping.dmp

Download
memory/688-123-0x0000000000D65000-0x0000000000DF7000-memory.dmp

Filesize
584KB

Download
memory/688-122-0x0000000000000000-mapping.dmp

Download
memory/1212-134-0x0000000002FB9000-0x0000000003035000-memory.dmp

Filesize
496KB

Download
memory/1212-131-0x0000000000000000-mapping.dmp

Download
memory/1212-146-0x0000000004C40000-0x0000000004D16000-memory.dmp

Filesize
856KB

Download
memory/1468-142-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1468-149-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1468-143-0x0000000000401AFA-mapping.dmp

Download
memory/1480-140-0x00000000004A18CD-mapping.dmp

Download
memory/1480-147-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/1480-139-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/1800-152-0x0000000000000000-mapping.dmp

Download
memory/1992-153-0x0000000000000000-mapping.dmp

Download
memory/2816-115-0x0000000000DDF000-0x0000000000E71000-memory.dmp

Filesize
584KB

Download
memory/2816-116-0x0000000000E90000-0x0000000000FAB000-memory.dmp

Filesize
1.1MB

Download
memory/3100-119-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3100-118-0x0000000000424141-mapping.dmp

Download
memory/3100-117-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3240-120-0x0000000000000000-mapping.dmp

Download
memory/3508-154-0x0000000000000000-mapping.dmp

Download
memory/3800-145-0x0000000000000000-mapping.dmp

Download