djvu | f5c85ce9f9bafb9b32c90b81b454adc0ad06e4395c04a417130a97dbaad56c92

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
09-05-2022 10:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f5c85ce9f9bafb9b32c90b81b454adc0ad06e4395c04a417130a97dbaad56c92.exe
Size

264KB
MD5

27b9b35abc164a0069db22730527cffa
SHA1

fba9d7ee4a5022723ec4514eb8505a1acd7a68e9
SHA256

f5c85ce9f9bafb9b32c90b81b454adc0ad06e4395c04a417130a97dbaad56c92
SHA512

f041ad173be500b6ab8a06177c7fc97e193fa8acc167510f11a183f05f8559b7595c73e7e079e7820efa744f8aa06d0a5fe30b776b2c8b28724260714761ee66

Score

10^/10

djvu smokeloader vidar 1333 backdoor discovery persistence ransomware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://hanfinvest.at/upload/

http://phunilbeauty.com/upload/

http://spbdg.ru/upload/

http://tnt-az.com/upload/

http://casagenaro.com/upload/

http://girneotel.com/upload/

http://zennclinic.com/upload/

http://mordo.ru/forum/

http://piratia-life.ru/upload/

http://pkodev.net/upload/

http://monsutiur4.com/

http://nusurionuy5ff.at/

http://moroitomo4.net/

http://susuerulianita1.net/

http://cucumbetuturel4.com/

http://nunuslushau.com/

http://linislominyt11.at/

http://luxulixionus.net/

http://lilisjjoer44.com/

http://nikogminut88.at/

rc4.i32

Extracted

Family

djvu

http://ugll.org/lancer/get.php

Attributes

extension
.egfg
offline_id
QcVY9rkapJoL3nQkZAsvfTFVYLmscrM1v1QxGWt1
payload_url
http://zerit.top/dl/build2.exe
http://ugll.org/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-6Ti2DxXR3I Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: manager@time2mail.ch Reserve e-mail address to contact us: supportsys@airmail.cc Your personal ID: 0474JIjdm

rsa_pubkey.plain

Extracted

Family

vidar

Version

Botnet

1333

https://t.me/hollandracing

https://busshi.moe/@ronxik321

Attributes

profile_id
1333

Signatures

Detected Djvu ransomware 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3928-171-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3928-173-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4880-176-0x0000000002250000-0x000000000236B000-memory.dmp	family_djvu
behavioral1/memory/3928-175-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3928-178-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Vidar Stealer 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/2656-180-0x0000000000400000-0x00000000004FB000-memory.dmp	family_vidar
behavioral1/memory/2656-179-0x0000000000870000-0x00000000008BD000-memory.dmp	family_vidar

Downloads MZ/PE file
Executes dropped EXE 6 IoCs

Processes:

B1BC.exeE782.exe84EC.exe8E25.exe95B7.exe84EC.exe

pid process

2748 B1BC.exe
3136 E782.exe
4880 84EC.exe
2656 8E25.exe
2340 95B7.exe
3928 84EC.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

932 icacls.exe

pid	process
2748	B1BC.exe
3136	E782.exe
4880	84EC.exe
2656	8E25.exe
2340	95B7.exe
3928	84EC.exe

pid	process
932	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

84EC.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\9a0812e1-e4f2-437a-b877-8e6ff25cd448\\84EC.exe\" --AutoStart"	84EC.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

289 api.2ip.ua
291 api.2ip.ua
Suspicious use of SetThreadContext 1 IoCs

Processes:

84EC.exe

description pid process target process

PID 4880 set thread context of 3928 4880 84EC.exe 84EC.exe

flow	ioc
289	api.2ip.ua
291	api.2ip.ua

description	pid	process	target process
PID 4880 set thread context of 3928	4880	84EC.exe	84EC.exe

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

E782.exeB1BC.exef5c85ce9f9bafb9b32c90b81b454adc0ad06e4395c04a417130a97dbaad56c92.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	E782.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	E782.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	B1BC.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	B1BC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	E782.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	f5c85ce9f9bafb9b32c90b81b454adc0ad06e4395c04a417130a97dbaad56c92.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	f5c85ce9f9bafb9b32c90b81b454adc0ad06e4395c04a417130a97dbaad56c92.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	f5c85ce9f9bafb9b32c90b81b454adc0ad06e4395c04a417130a97dbaad56c92.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	B1BC.exe

Modifies registry class 3 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

84EC.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	84EC.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	84EC.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

f5c85ce9f9bafb9b32c90b81b454adc0ad06e4395c04a417130a97dbaad56c92.exe

pid	process
4944	f5c85ce9f9bafb9b32c90b81b454adc0ad06e4395c04a417130a97dbaad56c92.exe
4944	f5c85ce9f9bafb9b32c90b81b454adc0ad06e4395c04a417130a97dbaad56c92.exe
3148
3148
3148
3148
3148
3148
3148
3148
3148
3148
3148
3148
3148
3148
3148
3148
3148
3148
3148
3148
3148
3148
3148
3148
3148
3148
3148
3148
3148
3148
3148
3148
3148
3148
3148
3148
3148
3148
3148
3148
3148
3148
3148
3148
3148
3148
3148
3148
3148
3148
3148
3148
3148
3148
3148
3148
3148
3148
3148
3148
3148
3148

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3148
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

f5c85ce9f9bafb9b32c90b81b454adc0ad06e4395c04a417130a97dbaad56c92.exeB1BC.exeE782.exe

pid process

4944 f5c85ce9f9bafb9b32c90b81b454adc0ad06e4395c04a417130a97dbaad56c92.exe
2748 B1BC.exe
3136 E782.exe
3148
3148
3148
3148

pid	process
3148

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exeWMIC.exe

description	pid	process
Token: SeShutdownPrivilege	3148
Token: SeCreatePagefilePrivilege	3148
Token: SeShutdownPrivilege	3148
Token: SeCreatePagefilePrivilege	3148
Token: SeShutdownPrivilege	3148
Token: SeCreatePagefilePrivilege	3148
Token: SeIncreaseQuotaPrivilege	1820	WMIC.exe
Token: SeSecurityPrivilege	1820	WMIC.exe
Token: SeTakeOwnershipPrivilege	1820	WMIC.exe
Token: SeLoadDriverPrivilege	1820	WMIC.exe
Token: SeSystemProfilePrivilege	1820	WMIC.exe
Token: SeSystemtimePrivilege	1820	WMIC.exe
Token: SeProfSingleProcessPrivilege	1820	WMIC.exe
Token: SeIncBasePriorityPrivilege	1820	WMIC.exe
Token: SeCreatePagefilePrivilege	1820	WMIC.exe
Token: SeBackupPrivilege	1820	WMIC.exe
Token: SeRestorePrivilege	1820	WMIC.exe
Token: SeShutdownPrivilege	1820	WMIC.exe
Token: SeDebugPrivilege	1820	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1820	WMIC.exe
Token: SeRemoteShutdownPrivilege	1820	WMIC.exe
Token: SeUndockPrivilege	1820	WMIC.exe
Token: SeManageVolumePrivilege	1820	WMIC.exe
Token: 33	1820	WMIC.exe
Token: 34	1820	WMIC.exe
Token: 35	1820	WMIC.exe
Token: 36	1820	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1820	WMIC.exe
Token: SeSecurityPrivilege	1820	WMIC.exe
Token: SeTakeOwnershipPrivilege	1820	WMIC.exe
Token: SeLoadDriverPrivilege	1820	WMIC.exe
Token: SeSystemProfilePrivilege	1820	WMIC.exe
Token: SeSystemtimePrivilege	1820	WMIC.exe
Token: SeProfSingleProcessPrivilege	1820	WMIC.exe
Token: SeIncBasePriorityPrivilege	1820	WMIC.exe
Token: SeCreatePagefilePrivilege	1820	WMIC.exe
Token: SeBackupPrivilege	1820	WMIC.exe
Token: SeRestorePrivilege	1820	WMIC.exe
Token: SeShutdownPrivilege	1820	WMIC.exe
Token: SeDebugPrivilege	1820	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1820	WMIC.exe
Token: SeRemoteShutdownPrivilege	1820	WMIC.exe
Token: SeUndockPrivilege	1820	WMIC.exe
Token: SeManageVolumePrivilege	1820	WMIC.exe
Token: 33	1820	WMIC.exe
Token: 34	1820	WMIC.exe
Token: 35	1820	WMIC.exe
Token: 36	1820	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3916	WMIC.exe
Token: SeSecurityPrivilege	3916	WMIC.exe
Token: SeTakeOwnershipPrivilege	3916	WMIC.exe
Token: SeLoadDriverPrivilege	3916	WMIC.exe
Token: SeSystemProfilePrivilege	3916	WMIC.exe
Token: SeSystemtimePrivilege	3916	WMIC.exe
Token: SeProfSingleProcessPrivilege	3916	WMIC.exe
Token: SeIncBasePriorityPrivilege	3916	WMIC.exe
Token: SeCreatePagefilePrivilege	3916	WMIC.exe
Token: SeBackupPrivilege	3916	WMIC.exe
Token: SeRestorePrivilege	3916	WMIC.exe
Token: SeShutdownPrivilege	3916	WMIC.exe
Token: SeDebugPrivilege	3916	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3916	WMIC.exe
Token: SeRemoteShutdownPrivilege	3916	WMIC.exe
Token: SeUndockPrivilege	3916	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

3148
3148

pid	process
3148
3148

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exe84EC.exe84EC.exe

description	pid	process	target process
PID 3148 wrote to memory of 2748	3148		B1BC.exe
PID 3148 wrote to memory of 2748	3148		B1BC.exe
PID 3148 wrote to memory of 2748	3148		B1BC.exe
PID 3148 wrote to memory of 3136	3148		E782.exe
PID 3148 wrote to memory of 3136	3148		E782.exe
PID 3148 wrote to memory of 3136	3148		E782.exe
PID 3148 wrote to memory of 3232	3148		cmd.exe
PID 3148 wrote to memory of 3232	3148		cmd.exe
PID 3232 wrote to memory of 1820	3232	cmd.exe	WMIC.exe
PID 3232 wrote to memory of 1820	3232	cmd.exe	WMIC.exe
PID 3232 wrote to memory of 3916	3232	cmd.exe	WMIC.exe
PID 3232 wrote to memory of 3916	3232	cmd.exe	WMIC.exe
PID 3232 wrote to memory of 4732	3232	cmd.exe	WMIC.exe
PID 3232 wrote to memory of 4732	3232	cmd.exe	WMIC.exe
PID 3232 wrote to memory of 4900	3232	cmd.exe	WMIC.exe
PID 3232 wrote to memory of 4900	3232	cmd.exe	WMIC.exe
PID 3232 wrote to memory of 600	3232	cmd.exe	WMIC.exe
PID 3232 wrote to memory of 600	3232	cmd.exe	WMIC.exe
PID 3232 wrote to memory of 4796	3232	cmd.exe	WMIC.exe
PID 3232 wrote to memory of 4796	3232	cmd.exe	WMIC.exe
PID 3148 wrote to memory of 4880	3148		84EC.exe
PID 3148 wrote to memory of 4880	3148		84EC.exe
PID 3148 wrote to memory of 4880	3148		84EC.exe
PID 3232 wrote to memory of 4784	3232	cmd.exe	WMIC.exe
PID 3232 wrote to memory of 4784	3232	cmd.exe	WMIC.exe
PID 3232 wrote to memory of 444	3232	cmd.exe	WMIC.exe
PID 3232 wrote to memory of 444	3232	cmd.exe	WMIC.exe
PID 3232 wrote to memory of 5060	3232	cmd.exe	WMIC.exe
PID 3232 wrote to memory of 5060	3232	cmd.exe	WMIC.exe
PID 3148 wrote to memory of 2656	3148		8E25.exe
PID 3148 wrote to memory of 2656	3148		8E25.exe
PID 3148 wrote to memory of 2656	3148		8E25.exe
PID 3232 wrote to memory of 4412	3232	cmd.exe	WMIC.exe
PID 3232 wrote to memory of 4412	3232	cmd.exe	WMIC.exe
PID 3232 wrote to memory of 3608	3232	cmd.exe	WMIC.exe
PID 3232 wrote to memory of 3608	3232	cmd.exe	WMIC.exe
PID 3148 wrote to memory of 2340	3148		95B7.exe
PID 3148 wrote to memory of 2340	3148		95B7.exe
PID 3148 wrote to memory of 2340	3148		95B7.exe
PID 4880 wrote to memory of 3928	4880	84EC.exe	84EC.exe
PID 4880 wrote to memory of 3928	4880	84EC.exe	84EC.exe
PID 4880 wrote to memory of 3928	4880	84EC.exe	84EC.exe
PID 4880 wrote to memory of 3928	4880	84EC.exe	84EC.exe
PID 4880 wrote to memory of 3928	4880	84EC.exe	84EC.exe
PID 4880 wrote to memory of 3928	4880	84EC.exe	84EC.exe
PID 4880 wrote to memory of 3928	4880	84EC.exe	84EC.exe
PID 4880 wrote to memory of 3928	4880	84EC.exe	84EC.exe
PID 4880 wrote to memory of 3928	4880	84EC.exe	84EC.exe
PID 4880 wrote to memory of 3928	4880	84EC.exe	84EC.exe
PID 3232 wrote to memory of 3784	3232	cmd.exe	WMIC.exe
PID 3232 wrote to memory of 3784	3232	cmd.exe	WMIC.exe
PID 3232 wrote to memory of 3888	3232	cmd.exe	WMIC.exe
PID 3232 wrote to memory of 3888	3232	cmd.exe	WMIC.exe
PID 3148 wrote to memory of 3672	3148		explorer.exe
PID 3148 wrote to memory of 3672	3148		explorer.exe
PID 3148 wrote to memory of 3672	3148		explorer.exe
PID 3148 wrote to memory of 3672	3148		explorer.exe
PID 3232 wrote to memory of 3812	3232	cmd.exe	WMIC.exe
PID 3232 wrote to memory of 3812	3232	cmd.exe	WMIC.exe
PID 3148 wrote to memory of 4344	3148		explorer.exe
PID 3148 wrote to memory of 4344	3148		explorer.exe
PID 3148 wrote to memory of 4344	3148		explorer.exe
PID 3928 wrote to memory of 932	3928	84EC.exe	icacls.exe
PID 3928 wrote to memory of 932	3928	84EC.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\f5c85ce9f9bafb9b32c90b81b454adc0ad06e4395c04a417130a97dbaad56c92.exe
"C:\Users\Admin\AppData\Local\Temp\f5c85ce9f9bafb9b32c90b81b454adc0ad06e4395c04a417130a97dbaad56c92.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4944

C:\Users\Admin\AppData\Local\Temp\B1BC.exe
C:\Users\Admin\AppData\Local\Temp\B1BC.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2748

C:\Users\Admin\AppData\Local\Temp\E782.exe
C:\Users\Admin\AppData\Local\Temp\E782.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3136

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:372

C:\Windows\system32\cmd.exe
cmd
1⤵
- Suspicious use of WriteProcessMemory
PID:3232

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1820

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3916

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
2⤵
PID:4732

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
2⤵
PID:4900

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
2⤵
PID:600

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv
2⤵
PID:4796

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv
2⤵
PID:4784

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv
2⤵
PID:444

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv
2⤵
PID:5060

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv
2⤵
PID:4412

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv
2⤵
PID:3608

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv
2⤵
PID:3784

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv
2⤵
PID:3888

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv
2⤵
PID:3812

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:4484

C:\Users\Admin\AppData\Local\Temp\84EC.exe
C:\Users\Admin\AppData\Local\Temp\84EC.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4880

C:\Users\Admin\AppData\Local\Temp\84EC.exe
C:\Users\Admin\AppData\Local\Temp\84EC.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:3928

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\9a0812e1-e4f2-437a-b877-8e6ff25cd448" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:932

C:\Users\Admin\AppData\Local\Temp\8E25.exe
C:\Users\Admin\AppData\Local\Temp\8E25.exe
1⤵
- Executes dropped EXE
PID:2656

C:\Users\Admin\AppData\Local\Temp\95B7.exe
C:\Users\Admin\AppData\Local\Temp\95B7.exe
1⤵
- Executes dropped EXE
PID:2340

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3672

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3672 -ip 3672
1⤵
PID:4856

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Permissions Modification

T1222

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\9a0812e1-e4f2-437a-b877-8e6ff25cd448\84EC.exe
Filesize
793KB

MD5
63af65fe36babc095e343bf05cff70cc

SHA1
97c72008b97c8d043336b76c55dd62b5b16393a8

SHA256
a0cc5a24c9107b52177d612d342172612662287ad8ced1243966cf9ef5a687a3

SHA512
07f65fa77ca068d86435b039a29c3af8f3c61f83d89db1047bb80f4beb6c5755c666e8a1056b23de1cc3557bcc272cabd7e1fb7e6ded17b5dd584c94f51d5cb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\84EC.exe
Filesize
793KB

MD5
63af65fe36babc095e343bf05cff70cc

SHA1
97c72008b97c8d043336b76c55dd62b5b16393a8

SHA256
a0cc5a24c9107b52177d612d342172612662287ad8ced1243966cf9ef5a687a3

SHA512
07f65fa77ca068d86435b039a29c3af8f3c61f83d89db1047bb80f4beb6c5755c666e8a1056b23de1cc3557bcc272cabd7e1fb7e6ded17b5dd584c94f51d5cb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\84EC.exe
Filesize
793KB

MD5
63af65fe36babc095e343bf05cff70cc

SHA1
97c72008b97c8d043336b76c55dd62b5b16393a8

SHA256
a0cc5a24c9107b52177d612d342172612662287ad8ced1243966cf9ef5a687a3

SHA512
07f65fa77ca068d86435b039a29c3af8f3c61f83d89db1047bb80f4beb6c5755c666e8a1056b23de1cc3557bcc272cabd7e1fb7e6ded17b5dd584c94f51d5cb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\84EC.exe
Filesize
793KB

MD5
63af65fe36babc095e343bf05cff70cc

SHA1
97c72008b97c8d043336b76c55dd62b5b16393a8

SHA256
a0cc5a24c9107b52177d612d342172612662287ad8ced1243966cf9ef5a687a3

SHA512
07f65fa77ca068d86435b039a29c3af8f3c61f83d89db1047bb80f4beb6c5755c666e8a1056b23de1cc3557bcc272cabd7e1fb7e6ded17b5dd584c94f51d5cb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\8E25.exe
Filesize
411KB

MD5
4d4aacaaac0146811970c85ce456cc2a

SHA1
bb25d5c6d7a9cc289c5195e13b2a0575289e6134

SHA256
771e19ccac62a39284a2e7e6929b5b3d770c151f0e1e79b54a987e41a02595e9

SHA512
4a0483cb4622240c6d9ad321e3e653f8bb0bc983feb20237473a63865eb5b284710081a06e563af5be69416b0e019c5da22a3bd6fd0dc91f6c009f01032ddef4

Download Submit
C:\Users\Admin\AppData\Local\Temp\8E25.exe
Filesize
411KB

MD5
4d4aacaaac0146811970c85ce456cc2a

SHA1
bb25d5c6d7a9cc289c5195e13b2a0575289e6134

SHA256
771e19ccac62a39284a2e7e6929b5b3d770c151f0e1e79b54a987e41a02595e9

SHA512
4a0483cb4622240c6d9ad321e3e653f8bb0bc983feb20237473a63865eb5b284710081a06e563af5be69416b0e019c5da22a3bd6fd0dc91f6c009f01032ddef4

Download Submit
C:\Users\Admin\AppData\Local\Temp\95B7.exe
Filesize
407KB

MD5
5ef73af10fb910fc299f3cf06afcb80f

SHA1
16023f3aeb0cb8ae109e4b7426d794a4e528ab53

SHA256
cd0b029bada1e06fb3853c385b45659a318147795643ac8f515735e8fe8993d5

SHA512
df00f89114a22da949f904d89b5037993697dae52d07f21de239f90e5ed34b20995206c0d349932148a8c9fed0d4f70f4629a35be5355a18cb8833efb4199a34

Download Submit
C:\Users\Admin\AppData\Local\Temp\95B7.exe
Filesize
407KB

MD5
5ef73af10fb910fc299f3cf06afcb80f

SHA1
16023f3aeb0cb8ae109e4b7426d794a4e528ab53

SHA256
cd0b029bada1e06fb3853c385b45659a318147795643ac8f515735e8fe8993d5

SHA512
df00f89114a22da949f904d89b5037993697dae52d07f21de239f90e5ed34b20995206c0d349932148a8c9fed0d4f70f4629a35be5355a18cb8833efb4199a34

Download Submit
C:\Users\Admin\AppData\Local\Temp\B1BC.exe
Filesize
263KB

MD5
e28cd04a78015bdfb321cd01b595d09e

SHA1
1d14781d6a028f9f2b106752bb43c6e9f1fdee41

SHA256
3000a39fd47456cf8b06f1b1d1790ba7102864f8a007f892a4e9f430ac626814

SHA512
f613216b42bfaae20a3fa36f5e98c984c0b7819d4af83580f18b774f9cd5eab7bd60940bf8ea753bedcbad7b5db918c453c19fd25e0b6cad328c6e30246ddad2

Download Submit
C:\Users\Admin\AppData\Local\Temp\B1BC.exe
Filesize
263KB

MD5
e28cd04a78015bdfb321cd01b595d09e

SHA1
1d14781d6a028f9f2b106752bb43c6e9f1fdee41

SHA256
3000a39fd47456cf8b06f1b1d1790ba7102864f8a007f892a4e9f430ac626814

SHA512
f613216b42bfaae20a3fa36f5e98c984c0b7819d4af83580f18b774f9cd5eab7bd60940bf8ea753bedcbad7b5db918c453c19fd25e0b6cad328c6e30246ddad2

Download Submit
C:\Users\Admin\AppData\Local\Temp\E782.exe
Filesize
264KB

MD5
22c3d3f270c4a12fa47bf1ef418d8a93

SHA1
e610e38fb080b8d6953e4df87774f2274f116941

SHA256
8a8d0488e526efaa56e5b9e48d6e4e434926ff60dc7e449c0763380c70da487f

SHA512
96da82e6cacc1248bd576313fbb1a265a747feae5fbbb8311fd2f4e433b708b3ebc9bdc866427449df944edac09c7f5e416495d89e2d9a01554bbe2d6870092a

Download Submit
C:\Users\Admin\AppData\Local\Temp\E782.exe
Filesize
264KB

MD5
22c3d3f270c4a12fa47bf1ef418d8a93

SHA1
e610e38fb080b8d6953e4df87774f2274f116941

SHA256
8a8d0488e526efaa56e5b9e48d6e4e434926ff60dc7e449c0763380c70da487f

SHA512
96da82e6cacc1248bd576313fbb1a265a747feae5fbbb8311fd2f4e433b708b3ebc9bdc866427449df944edac09c7f5e416495d89e2d9a01554bbe2d6870092a

Download Submit
memory/444-160-0x0000000000000000-mapping.dmp

Download
memory/600-154-0x0000000000000000-mapping.dmp

Download
memory/932-186-0x0000000000000000-mapping.dmp

Download
memory/1820-150-0x0000000000000000-mapping.dmp

Download
memory/2340-188-0x00000000009C0000-0x00000000009FA000-memory.dmp

Filesize
232KB

Download
memory/2340-167-0x0000000000000000-mapping.dmp

Download
memory/2340-189-0x0000000000400000-0x00000000004FA000-memory.dmp

Filesize
1000KB

Download
memory/2340-187-0x00000000006DC000-0x0000000000709000-memory.dmp

Filesize
180KB

Download
memory/2656-179-0x0000000000870000-0x00000000008BD000-memory.dmp

Filesize
308KB

Download
memory/2656-177-0x000000000068C000-0x00000000006BA000-memory.dmp

Filesize
184KB

Download
memory/2656-180-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/2656-162-0x0000000000000000-mapping.dmp

Download
memory/2748-139-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2748-138-0x00000000005E0000-0x00000000005E9000-memory.dmp

Filesize
36KB

Download
memory/2748-137-0x0000000000657000-0x0000000000667000-memory.dmp

Filesize
64KB

Download
memory/2748-134-0x0000000000000000-mapping.dmp

Download
memory/3136-145-0x00000000005E0000-0x00000000005E9000-memory.dmp

Filesize
36KB

Download
memory/3136-141-0x0000000000000000-mapping.dmp

Download
memory/3136-146-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/3136-144-0x00000000006B7000-0x00000000006C7000-memory.dmp

Filesize
64KB

Download
memory/3148-147-0x0000000008350000-0x0000000008366000-memory.dmp

Filesize
88KB

Download
memory/3148-133-0x00000000003A0000-0x00000000003B6000-memory.dmp

Filesize
88KB

Download
memory/3148-140-0x0000000002C40000-0x0000000002C56000-memory.dmp

Filesize
88KB

Download
memory/3148-148-0x0000000007FE0000-0x0000000007FEF000-memory.dmp

Filesize
60KB

Download
memory/3232-149-0x0000000000000000-mapping.dmp

Download
memory/3608-166-0x0000000000000000-mapping.dmp

Download
memory/3672-183-0x0000000000000000-mapping.dmp

Download
memory/3784-181-0x0000000000000000-mapping.dmp

Download
memory/3812-184-0x0000000000000000-mapping.dmp

Download
memory/3888-182-0x0000000000000000-mapping.dmp

Download
memory/3916-151-0x0000000000000000-mapping.dmp

Download
memory/3928-178-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3928-173-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3928-170-0x0000000000000000-mapping.dmp

Download
memory/3928-171-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3928-175-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4344-185-0x0000000000000000-mapping.dmp

Download
memory/4412-165-0x0000000000000000-mapping.dmp

Download
memory/4732-152-0x0000000000000000-mapping.dmp

Download
memory/4784-159-0x0000000000000000-mapping.dmp

Download
memory/4796-155-0x0000000000000000-mapping.dmp

Download
memory/4880-176-0x0000000002250000-0x000000000236B000-memory.dmp

Filesize
1.1MB

Download
memory/4880-174-0x0000000002053000-0x00000000020E4000-memory.dmp

Filesize
580KB

Download
memory/4880-156-0x0000000000000000-mapping.dmp

Download
memory/4900-153-0x0000000000000000-mapping.dmp

Download
memory/4944-130-0x00000000005F7000-0x0000000000608000-memory.dmp

Filesize
68KB

Download
memory/4944-132-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4944-131-0x0000000000500000-0x0000000000509000-memory.dmp

Filesize
36KB

Download
memory/5060-161-0x0000000000000000-mapping.dmp

Download