djvu | 0be6d1985b2f07f46781a3554ae9fddb1e93b153145dd5cd33035c70e25b0052

General

Target

0be6d1985b2f07f46781a3554ae9fddb1e93b153145dd5cd33035c70e25b0052.exe
Size

853KB
MD5

3fd16b7520f0745f627759902b155046
SHA1

adba005434422ebb6b43636f457772c00c55c3a3
SHA256

0be6d1985b2f07f46781a3554ae9fddb1e93b153145dd5cd33035c70e25b0052
SHA512

88e68df7eb827c261f6aec5c045a84dcfa281fbea990a1de7a15af39fcbbb88643d37da026182f5f3a5a16ac7d7b1464d3cce19f912de255c33ec9c47b935ef5

Score

10^/10

djvu vidar 517 discovery persistence ransomware stealer suricata

Malware Config

Extracted

Family

vidar

Version

41.5

Botnet

517

C2

https://mas.to/@xeroxxx

Attributes

profile_id
517

Extracted

Family

djvu

C2

http://rlrz.org/fhsgtsspen6

Signatures

Detected Djvu ransomware 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1444-116-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1444-117-0x0000000000424141-mapping.dmp	family_djvu
behavioral1/memory/3648-118-0x0000000000F90000-0x00000000010AB000-memory.dmp	family_djvu
behavioral1/memory/1444-119-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3976-125-0x0000000000424141-mapping.dmp	family_djvu
behavioral1/memory/3976-126-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata

Vidar Stealer 4 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/1072-131-0x0000000000400000-0x00000000004D9000-memory.dmp	family_vidar
behavioral1/memory/1072-132-0x00000000004A18CD-mapping.dmp	family_vidar
behavioral1/memory/1072-135-0x0000000000400000-0x00000000004D9000-memory.dmp	family_vidar
behavioral1/memory/2156-134-0x0000000004CB0000-0x0000000004D86000-memory.dmp	family_vidar

Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

build2.exebuild2.exebuild3.exebuild3.exe

pid process

2156 build2.exe
1072 build2.exe
944 build3.exe
1244 build3.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

660 icacls.exe

pid	process
2156	build2.exe
1072	build2.exe
944	build3.exe
1244	build3.exe

pid	process
660	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

0be6d1985b2f07f46781a3554ae9fddb1e93b153145dd5cd33035c70e25b0052.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\74190f66-3d2d-47b6-bfce-683972c2fada\\0be6d1985b2f07f46781a3554ae9fddb1e93b153145dd5cd33035c70e25b0052.exe\" --AutoStart"	0be6d1985b2f07f46781a3554ae9fddb1e93b153145dd5cd33035c70e25b0052.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

8 api.2ip.ua
9 api.2ip.ua

flow	ioc
8	api.2ip.ua
9	api.2ip.ua

Suspicious use of SetThreadContext 4 IoCs

Processes:

0be6d1985b2f07f46781a3554ae9fddb1e93b153145dd5cd33035c70e25b0052.exe0be6d1985b2f07f46781a3554ae9fddb1e93b153145dd5cd33035c70e25b0052.exebuild2.exebuild3.exe

description	pid	process	target process
PID 3648 set thread context of 1444	3648	0be6d1985b2f07f46781a3554ae9fddb1e93b153145dd5cd33035c70e25b0052.exe	0be6d1985b2f07f46781a3554ae9fddb1e93b153145dd5cd33035c70e25b0052.exe
PID 3944 set thread context of 3976	3944	0be6d1985b2f07f46781a3554ae9fddb1e93b153145dd5cd33035c70e25b0052.exe	0be6d1985b2f07f46781a3554ae9fddb1e93b153145dd5cd33035c70e25b0052.exe
PID 2156 set thread context of 1072	2156	build2.exe	build2.exe
PID 944 set thread context of 1244	944	build3.exe	build3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3032 1072 WerFault.exe build2.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1384 schtasks.exe

pid	pid_target	process	target process
3032	1072	WerFault.exe	build2.exe

pid	process
1384	schtasks.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

0be6d1985b2f07f46781a3554ae9fddb1e93b153145dd5cd33035c70e25b0052.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	0be6d1985b2f07f46781a3554ae9fddb1e93b153145dd5cd33035c70e25b0052.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	0be6d1985b2f07f46781a3554ae9fddb1e93b153145dd5cd33035c70e25b0052.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

0be6d1985b2f07f46781a3554ae9fddb1e93b153145dd5cd33035c70e25b0052.exe0be6d1985b2f07f46781a3554ae9fddb1e93b153145dd5cd33035c70e25b0052.exeWerFault.exe

pid	process
1444	0be6d1985b2f07f46781a3554ae9fddb1e93b153145dd5cd33035c70e25b0052.exe
1444	0be6d1985b2f07f46781a3554ae9fddb1e93b153145dd5cd33035c70e25b0052.exe
3976	0be6d1985b2f07f46781a3554ae9fddb1e93b153145dd5cd33035c70e25b0052.exe
3976	0be6d1985b2f07f46781a3554ae9fddb1e93b153145dd5cd33035c70e25b0052.exe
3032	WerFault.exe
3032	WerFault.exe
3032	WerFault.exe
3032	WerFault.exe
3032	WerFault.exe
3032	WerFault.exe
3032	WerFault.exe
3032	WerFault.exe
3032	WerFault.exe
3032	WerFault.exe
3032	WerFault.exe
3032	WerFault.exe
3032	WerFault.exe
3032	WerFault.exe
3032	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 3032 WerFault.exe
Token: SeBackupPrivilege 3032 WerFault.exe
Token: SeDebugPrivilege 3032 WerFault.exe

description	pid	process
Token: SeRestorePrivilege	3032	WerFault.exe
Token: SeBackupPrivilege	3032	WerFault.exe
Token: SeDebugPrivilege	3032	WerFault.exe

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

0be6d1985b2f07f46781a3554ae9fddb1e93b153145dd5cd33035c70e25b0052.exe0be6d1985b2f07f46781a3554ae9fddb1e93b153145dd5cd33035c70e25b0052.exe0be6d1985b2f07f46781a3554ae9fddb1e93b153145dd5cd33035c70e25b0052.exe0be6d1985b2f07f46781a3554ae9fddb1e93b153145dd5cd33035c70e25b0052.exebuild2.exebuild3.exebuild3.exe

description	pid	process	target process
PID 3648 wrote to memory of 1444	3648	0be6d1985b2f07f46781a3554ae9fddb1e93b153145dd5cd33035c70e25b0052.exe	0be6d1985b2f07f46781a3554ae9fddb1e93b153145dd5cd33035c70e25b0052.exe
PID 3648 wrote to memory of 1444	3648	0be6d1985b2f07f46781a3554ae9fddb1e93b153145dd5cd33035c70e25b0052.exe	0be6d1985b2f07f46781a3554ae9fddb1e93b153145dd5cd33035c70e25b0052.exe
PID 3648 wrote to memory of 1444	3648	0be6d1985b2f07f46781a3554ae9fddb1e93b153145dd5cd33035c70e25b0052.exe	0be6d1985b2f07f46781a3554ae9fddb1e93b153145dd5cd33035c70e25b0052.exe
PID 3648 wrote to memory of 1444	3648	0be6d1985b2f07f46781a3554ae9fddb1e93b153145dd5cd33035c70e25b0052.exe	0be6d1985b2f07f46781a3554ae9fddb1e93b153145dd5cd33035c70e25b0052.exe
PID 3648 wrote to memory of 1444	3648	0be6d1985b2f07f46781a3554ae9fddb1e93b153145dd5cd33035c70e25b0052.exe	0be6d1985b2f07f46781a3554ae9fddb1e93b153145dd5cd33035c70e25b0052.exe
PID 3648 wrote to memory of 1444	3648	0be6d1985b2f07f46781a3554ae9fddb1e93b153145dd5cd33035c70e25b0052.exe	0be6d1985b2f07f46781a3554ae9fddb1e93b153145dd5cd33035c70e25b0052.exe
PID 3648 wrote to memory of 1444	3648	0be6d1985b2f07f46781a3554ae9fddb1e93b153145dd5cd33035c70e25b0052.exe	0be6d1985b2f07f46781a3554ae9fddb1e93b153145dd5cd33035c70e25b0052.exe
PID 3648 wrote to memory of 1444	3648	0be6d1985b2f07f46781a3554ae9fddb1e93b153145dd5cd33035c70e25b0052.exe	0be6d1985b2f07f46781a3554ae9fddb1e93b153145dd5cd33035c70e25b0052.exe
PID 3648 wrote to memory of 1444	3648	0be6d1985b2f07f46781a3554ae9fddb1e93b153145dd5cd33035c70e25b0052.exe	0be6d1985b2f07f46781a3554ae9fddb1e93b153145dd5cd33035c70e25b0052.exe
PID 3648 wrote to memory of 1444	3648	0be6d1985b2f07f46781a3554ae9fddb1e93b153145dd5cd33035c70e25b0052.exe	0be6d1985b2f07f46781a3554ae9fddb1e93b153145dd5cd33035c70e25b0052.exe
PID 1444 wrote to memory of 660	1444	0be6d1985b2f07f46781a3554ae9fddb1e93b153145dd5cd33035c70e25b0052.exe	icacls.exe
PID 1444 wrote to memory of 660	1444	0be6d1985b2f07f46781a3554ae9fddb1e93b153145dd5cd33035c70e25b0052.exe	icacls.exe
PID 1444 wrote to memory of 660	1444	0be6d1985b2f07f46781a3554ae9fddb1e93b153145dd5cd33035c70e25b0052.exe	icacls.exe
PID 1444 wrote to memory of 3944	1444	0be6d1985b2f07f46781a3554ae9fddb1e93b153145dd5cd33035c70e25b0052.exe	0be6d1985b2f07f46781a3554ae9fddb1e93b153145dd5cd33035c70e25b0052.exe
PID 1444 wrote to memory of 3944	1444	0be6d1985b2f07f46781a3554ae9fddb1e93b153145dd5cd33035c70e25b0052.exe	0be6d1985b2f07f46781a3554ae9fddb1e93b153145dd5cd33035c70e25b0052.exe
PID 1444 wrote to memory of 3944	1444	0be6d1985b2f07f46781a3554ae9fddb1e93b153145dd5cd33035c70e25b0052.exe	0be6d1985b2f07f46781a3554ae9fddb1e93b153145dd5cd33035c70e25b0052.exe
PID 3944 wrote to memory of 3976	3944	0be6d1985b2f07f46781a3554ae9fddb1e93b153145dd5cd33035c70e25b0052.exe	0be6d1985b2f07f46781a3554ae9fddb1e93b153145dd5cd33035c70e25b0052.exe
PID 3944 wrote to memory of 3976	3944	0be6d1985b2f07f46781a3554ae9fddb1e93b153145dd5cd33035c70e25b0052.exe	0be6d1985b2f07f46781a3554ae9fddb1e93b153145dd5cd33035c70e25b0052.exe
PID 3944 wrote to memory of 3976	3944	0be6d1985b2f07f46781a3554ae9fddb1e93b153145dd5cd33035c70e25b0052.exe	0be6d1985b2f07f46781a3554ae9fddb1e93b153145dd5cd33035c70e25b0052.exe
PID 3944 wrote to memory of 3976	3944	0be6d1985b2f07f46781a3554ae9fddb1e93b153145dd5cd33035c70e25b0052.exe	0be6d1985b2f07f46781a3554ae9fddb1e93b153145dd5cd33035c70e25b0052.exe
PID 3944 wrote to memory of 3976	3944	0be6d1985b2f07f46781a3554ae9fddb1e93b153145dd5cd33035c70e25b0052.exe	0be6d1985b2f07f46781a3554ae9fddb1e93b153145dd5cd33035c70e25b0052.exe
PID 3944 wrote to memory of 3976	3944	0be6d1985b2f07f46781a3554ae9fddb1e93b153145dd5cd33035c70e25b0052.exe	0be6d1985b2f07f46781a3554ae9fddb1e93b153145dd5cd33035c70e25b0052.exe
PID 3944 wrote to memory of 3976	3944	0be6d1985b2f07f46781a3554ae9fddb1e93b153145dd5cd33035c70e25b0052.exe	0be6d1985b2f07f46781a3554ae9fddb1e93b153145dd5cd33035c70e25b0052.exe
PID 3944 wrote to memory of 3976	3944	0be6d1985b2f07f46781a3554ae9fddb1e93b153145dd5cd33035c70e25b0052.exe	0be6d1985b2f07f46781a3554ae9fddb1e93b153145dd5cd33035c70e25b0052.exe
PID 3944 wrote to memory of 3976	3944	0be6d1985b2f07f46781a3554ae9fddb1e93b153145dd5cd33035c70e25b0052.exe	0be6d1985b2f07f46781a3554ae9fddb1e93b153145dd5cd33035c70e25b0052.exe
PID 3944 wrote to memory of 3976	3944	0be6d1985b2f07f46781a3554ae9fddb1e93b153145dd5cd33035c70e25b0052.exe	0be6d1985b2f07f46781a3554ae9fddb1e93b153145dd5cd33035c70e25b0052.exe
PID 3976 wrote to memory of 2156	3976	0be6d1985b2f07f46781a3554ae9fddb1e93b153145dd5cd33035c70e25b0052.exe	build2.exe
PID 3976 wrote to memory of 2156	3976	0be6d1985b2f07f46781a3554ae9fddb1e93b153145dd5cd33035c70e25b0052.exe	build2.exe
PID 3976 wrote to memory of 2156	3976	0be6d1985b2f07f46781a3554ae9fddb1e93b153145dd5cd33035c70e25b0052.exe	build2.exe
PID 2156 wrote to memory of 1072	2156	build2.exe	build2.exe
PID 2156 wrote to memory of 1072	2156	build2.exe	build2.exe
PID 2156 wrote to memory of 1072	2156	build2.exe	build2.exe
PID 2156 wrote to memory of 1072	2156	build2.exe	build2.exe
PID 2156 wrote to memory of 1072	2156	build2.exe	build2.exe
PID 2156 wrote to memory of 1072	2156	build2.exe	build2.exe
PID 2156 wrote to memory of 1072	2156	build2.exe	build2.exe
PID 2156 wrote to memory of 1072	2156	build2.exe	build2.exe
PID 3976 wrote to memory of 944	3976	0be6d1985b2f07f46781a3554ae9fddb1e93b153145dd5cd33035c70e25b0052.exe	build3.exe
PID 3976 wrote to memory of 944	3976	0be6d1985b2f07f46781a3554ae9fddb1e93b153145dd5cd33035c70e25b0052.exe	build3.exe
PID 3976 wrote to memory of 944	3976	0be6d1985b2f07f46781a3554ae9fddb1e93b153145dd5cd33035c70e25b0052.exe	build3.exe
PID 944 wrote to memory of 1244	944	build3.exe	build3.exe
PID 944 wrote to memory of 1244	944	build3.exe	build3.exe
PID 944 wrote to memory of 1244	944	build3.exe	build3.exe
PID 944 wrote to memory of 1244	944	build3.exe	build3.exe
PID 944 wrote to memory of 1244	944	build3.exe	build3.exe
PID 944 wrote to memory of 1244	944	build3.exe	build3.exe
PID 944 wrote to memory of 1244	944	build3.exe	build3.exe
PID 944 wrote to memory of 1244	944	build3.exe	build3.exe
PID 944 wrote to memory of 1244	944	build3.exe	build3.exe
PID 1244 wrote to memory of 1384	1244	build3.exe	schtasks.exe
PID 1244 wrote to memory of 1384	1244	build3.exe	schtasks.exe
PID 1244 wrote to memory of 1384	1244	build3.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\0be6d1985b2f07f46781a3554ae9fddb1e93b153145dd5cd33035c70e25b0052.exe
"C:\Users\Admin\AppData\Local\Temp\0be6d1985b2f07f46781a3554ae9fddb1e93b153145dd5cd33035c70e25b0052.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3648

C:\Users\Admin\AppData\Local\Temp\0be6d1985b2f07f46781a3554ae9fddb1e93b153145dd5cd33035c70e25b0052.exe
"C:\Users\Admin\AppData\Local\Temp\0be6d1985b2f07f46781a3554ae9fddb1e93b153145dd5cd33035c70e25b0052.exe"
2⤵
- Adds Run key to start application
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1444

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\74190f66-3d2d-47b6-bfce-683972c2fada" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:660

C:\Users\Admin\AppData\Local\Temp\0be6d1985b2f07f46781a3554ae9fddb1e93b153145dd5cd33035c70e25b0052.exe
"C:\Users\Admin\AppData\Local\Temp\0be6d1985b2f07f46781a3554ae9fddb1e93b153145dd5cd33035c70e25b0052.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3944

C:\Users\Admin\AppData\Local\Temp\0be6d1985b2f07f46781a3554ae9fddb1e93b153145dd5cd33035c70e25b0052.exe
"C:\Users\Admin\AppData\Local\Temp\0be6d1985b2f07f46781a3554ae9fddb1e93b153145dd5cd33035c70e25b0052.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3976

C:\Users\Admin\AppData\Local\751555ec-a224-4408-bdc8-b99a5801e555\build2.exe
"C:\Users\Admin\AppData\Local\751555ec-a224-4408-bdc8-b99a5801e555\build2.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2156

C:\Users\Admin\AppData\Local\751555ec-a224-4408-bdc8-b99a5801e555\build2.exe
"C:\Users\Admin\AppData\Local\751555ec-a224-4408-bdc8-b99a5801e555\build2.exe"
6⤵
- Executes dropped EXE
PID:1072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1072 -s 1080
7⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3032

C:\Users\Admin\AppData\Local\751555ec-a224-4408-bdc8-b99a5801e555\build3.exe
"C:\Users\Admin\AppData\Local\751555ec-a224-4408-bdc8-b99a5801e555\build3.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:944

C:\Users\Admin\AppData\Local\751555ec-a224-4408-bdc8-b99a5801e555\build3.exe
"C:\Users\Admin\AppData\Local\751555ec-a224-4408-bdc8-b99a5801e555\build3.exe"
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1244

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
7⤵
- Creates scheduled task(s)
PID:1384

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

File and Directory Permissions Modification

1

T1222

Install Root Certificate

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\74190f66-3d2d-47b6-bfce-683972c2fada\0be6d1985b2f07f46781a3554ae9fddb1e93b153145dd5cd33035c70e25b0052.exe
MD5
3fd16b7520f0745f627759902b155046

SHA1
adba005434422ebb6b43636f457772c00c55c3a3

SHA256
0be6d1985b2f07f46781a3554ae9fddb1e93b153145dd5cd33035c70e25b0052

SHA512
88e68df7eb827c261f6aec5c045a84dcfa281fbea990a1de7a15af39fcbbb88643d37da026182f5f3a5a16ac7d7b1464d3cce19f912de255c33ec9c47b935ef5

Download Submit
C:\Users\Admin\AppData\Local\751555ec-a224-4408-bdc8-b99a5801e555\build2.exe
MD5
a2ef57bbe3a8af95196a419a7962bfaa

SHA1
1a0c42723cd1e2e947f904619de7fcea5ca4a183

SHA256
4bc52cd8296fcffc22b5ca8ebf2b161260d71c8d34658f45c9c93cf6d65749e9

SHA512
ca4781632cc0fb2c53f1ae0d0b798da386514f58b6a48845197eea05da7af162405dee1d4b139e661798c29a095e50cdde9f193dea4a9c5366ee763a899ac160

Download Submit
C:\Users\Admin\AppData\Local\751555ec-a224-4408-bdc8-b99a5801e555\build2.exe
MD5
a2ef57bbe3a8af95196a419a7962bfaa

SHA1
1a0c42723cd1e2e947f904619de7fcea5ca4a183

SHA256
4bc52cd8296fcffc22b5ca8ebf2b161260d71c8d34658f45c9c93cf6d65749e9

SHA512
ca4781632cc0fb2c53f1ae0d0b798da386514f58b6a48845197eea05da7af162405dee1d4b139e661798c29a095e50cdde9f193dea4a9c5366ee763a899ac160

Download Submit
C:\Users\Admin\AppData\Local\751555ec-a224-4408-bdc8-b99a5801e555\build2.exe
MD5
a2ef57bbe3a8af95196a419a7962bfaa

SHA1
1a0c42723cd1e2e947f904619de7fcea5ca4a183

SHA256
4bc52cd8296fcffc22b5ca8ebf2b161260d71c8d34658f45c9c93cf6d65749e9

SHA512
ca4781632cc0fb2c53f1ae0d0b798da386514f58b6a48845197eea05da7af162405dee1d4b139e661798c29a095e50cdde9f193dea4a9c5366ee763a899ac160

Download Submit
C:\Users\Admin\AppData\Local\751555ec-a224-4408-bdc8-b99a5801e555\build3.exe
MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
C:\Users\Admin\AppData\Local\751555ec-a224-4408-bdc8-b99a5801e555\build3.exe
MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
C:\Users\Admin\AppData\Local\751555ec-a224-4408-bdc8-b99a5801e555\build3.exe
MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
memory/660-120-0x0000000000000000-mapping.dmp

Download
memory/944-144-0x0000000003330000-0x0000000003334000-memory.dmp

Filesize
16KB

Download
memory/944-136-0x0000000000000000-mapping.dmp

Download
memory/1072-131-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/1072-132-0x00000000004A18CD-mapping.dmp

Download
memory/1072-135-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/1244-141-0x0000000000401AFA-mapping.dmp

Download
memory/1244-140-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1244-145-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1384-143-0x0000000000000000-mapping.dmp

Download
memory/1444-119-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1444-117-0x0000000000424141-mapping.dmp

Download
memory/1444-116-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2156-130-0x0000000003329000-0x00000000033A5000-memory.dmp

Filesize
496KB

Download
memory/2156-134-0x0000000004CB0000-0x0000000004D86000-memory.dmp

Filesize
856KB

Download
memory/2156-127-0x0000000000000000-mapping.dmp

Download
memory/3648-115-0x0000000000EB9000-0x0000000000F4B000-memory.dmp

Filesize
584KB

Download
memory/3648-118-0x0000000000F90000-0x00000000010AB000-memory.dmp

Filesize
1.1MB

Download
memory/3944-123-0x0000000000E35000-0x0000000000EC7000-memory.dmp

Filesize
584KB

Download
memory/3944-122-0x0000000000000000-mapping.dmp

Download
memory/3976-126-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3976-125-0x0000000000424141-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads