djvu | 72cd1426f13a698c7d63a288f4920147812303e8f10a4e66e414cc7c2206381d

Analysis

max time kernel
177s
max time network
194s
platform
windows7_x64
resource
win7-20220414-en
submitted
10-05-2022 05:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

buildp.exe
Size

841KB
MD5

efed57771cb41fdde63781d1e195912c
SHA1

a71b0545951c99eb6ad4a50c22d02c958003d920
SHA256

72cd1426f13a698c7d63a288f4920147812303e8f10a4e66e414cc7c2206381d
SHA512

6fd84f80ba5f3c53f48a6a0135cedc7b489cca419742e043116468bcda0898398dd7ddff4ac7d0d8b283312d4c411790b8ff74276f14016021597498b306a080

Score

10^/10

djvu vidar 517 discovery persistence ransomware stealer suricata

Malware Config

Extracted

Family

djvu

http://fuyt.org/lancer/get.php

Attributes

extension
.gtys
offline_id
qwVQoIsE2xLety0oNWloOilSDuIBXJGK86LM3ot1
payload_url
http://zerit.top/dl/build2.exe

http://fuyt.org/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-fnn5kv33Vv Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0439JIjdm

rsa_pubkey.plain

Extracted

Family

vidar

Version

Botnet

517

https://t.me/hollandracing

https://busshi.moe/@ronxik321

Attributes

profile_id
517

Signatures

Detected Djvu ransomware 8 IoCs

resource	yara_rule
behavioral1/memory/912-56-0x0000000000424141-mapping.dmp	family_djvu
behavioral1/memory/912-55-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/916-59-0x0000000001E90000-0x0000000001FAB000-memory.dmp	family_djvu
behavioral1/memory/912-61-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/912-62-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1064-68-0x0000000000424141-mapping.dmp	family_djvu
behavioral1/memory/1064-72-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1064-73-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata
suricata: ET MALWARE Win32/Vodkagats Loader Requesting Payload
suricata: ET MALWARE Win32/Vodkagats Loader Requesting Payload
suricata

Vidar Stealer 5 IoCs

stealer

resource	yara_rule
behavioral1/memory/1716-79-0x0000000000400000-0x000000000044C000-memory.dmp	family_vidar
behavioral1/memory/1716-80-0x000000000042103C-mapping.dmp	family_vidar
behavioral1/memory/2040-84-0x0000000000220000-0x0000000000269000-memory.dmp	family_vidar
behavioral1/memory/1716-86-0x0000000000400000-0x000000000044C000-memory.dmp	family_vidar
behavioral1/memory/1716-87-0x0000000000400000-0x000000000044C000-memory.dmp	family_vidar

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
2040	build2.exe
1716	build2.exe

Loads dropped DLL 2 IoCs

pid	Process
1064	buildp.exe
1064	buildp.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1732	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\4b0534b1-0c4e-486c-a7ff-0d9934def8e9\\buildp.exe\" --AutoStart"	buildp.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	api.2ip.ua
9	api.2ip.ua

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 916 set thread context of 912	916	buildp.exe	27
PID 876 set thread context of 1064	876	buildp.exe	32
PID 2040 set thread context of 1716	2040	build2.exe	35

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 9 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	build2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	build2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	build2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	build2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	build2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	build2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	buildp.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	buildp.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	buildp.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
912	buildp.exe
1064	buildp.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 916 wrote to memory of 912	916	buildp.exe	27
PID 916 wrote to memory of 912	916	buildp.exe	27
PID 916 wrote to memory of 912	916	buildp.exe	27
PID 916 wrote to memory of 912	916	buildp.exe	27
PID 916 wrote to memory of 912	916	buildp.exe	27
PID 916 wrote to memory of 912	916	buildp.exe	27
PID 916 wrote to memory of 912	916	buildp.exe	27
PID 916 wrote to memory of 912	916	buildp.exe	27
PID 916 wrote to memory of 912	916	buildp.exe	27
PID 916 wrote to memory of 912	916	buildp.exe	27
PID 916 wrote to memory of 912	916	buildp.exe	27
PID 912 wrote to memory of 1732	912	buildp.exe	30
PID 912 wrote to memory of 1732	912	buildp.exe	30
PID 912 wrote to memory of 1732	912	buildp.exe	30
PID 912 wrote to memory of 1732	912	buildp.exe	30
PID 912 wrote to memory of 876	912	buildp.exe	31
PID 912 wrote to memory of 876	912	buildp.exe	31
PID 912 wrote to memory of 876	912	buildp.exe	31
PID 912 wrote to memory of 876	912	buildp.exe	31
PID 876 wrote to memory of 1064	876	buildp.exe	32
PID 876 wrote to memory of 1064	876	buildp.exe	32
PID 876 wrote to memory of 1064	876	buildp.exe	32
PID 876 wrote to memory of 1064	876	buildp.exe	32
PID 876 wrote to memory of 1064	876	buildp.exe	32
PID 876 wrote to memory of 1064	876	buildp.exe	32
PID 876 wrote to memory of 1064	876	buildp.exe	32
PID 876 wrote to memory of 1064	876	buildp.exe	32
PID 876 wrote to memory of 1064	876	buildp.exe	32
PID 876 wrote to memory of 1064	876	buildp.exe	32
PID 876 wrote to memory of 1064	876	buildp.exe	32
PID 1064 wrote to memory of 2040	1064	buildp.exe	34
PID 1064 wrote to memory of 2040	1064	buildp.exe	34
PID 1064 wrote to memory of 2040	1064	buildp.exe	34
PID 1064 wrote to memory of 2040	1064	buildp.exe	34
PID 2040 wrote to memory of 1716	2040	build2.exe	35
PID 2040 wrote to memory of 1716	2040	build2.exe	35
PID 2040 wrote to memory of 1716	2040	build2.exe	35
PID 2040 wrote to memory of 1716	2040	build2.exe	35
PID 2040 wrote to memory of 1716	2040	build2.exe	35
PID 2040 wrote to memory of 1716	2040	build2.exe	35
PID 2040 wrote to memory of 1716	2040	build2.exe	35
PID 2040 wrote to memory of 1716	2040	build2.exe	35
PID 2040 wrote to memory of 1716	2040	build2.exe	35

C:\Users\Admin\AppData\Local\Temp\buildp.exe
"C:\Users\Admin\AppData\Local\Temp\buildp.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:916
- C:\Users\Admin\AppData\Local\Temp\buildp.exe
  "C:\Users\Admin\AppData\Local\Temp\buildp.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:912
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\4b0534b1-0c4e-486c-a7ff-0d9934def8e9" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:1732
- - C:\Users\Admin\AppData\Local\Temp\buildp.exe
    "C:\Users\Admin\AppData\Local\Temp\buildp.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:876
  - - C:\Users\Admin\AppData\Local\Temp\buildp.exe
      "C:\Users\Admin\AppData\Local\Temp\buildp.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      Loads dropped DLL
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1064
    - - C:\Users\Admin\AppData\Local\120d51e8-8232-4223-8080-77e1ca3cf793\build2.exe
        
        "C:\Users\Admin\AppData\Local\120d51e8-8232-4223-8080-77e1ca3cf793\build2.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2040
      - C:\Users\Admin\AppData\Local\120d51e8-8232-4223-8080-77e1ca3cf793\build2.exe
        
        "C:\Users\Admin\AppData\Local\120d51e8-8232-4223-8080-77e1ca3cf793\build2.exe"
        6⤵
        Executes dropped EXE
        Modifies system certificate store
        
        PID:1716

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
60KB

MD5
b9f21d8db36e88831e5352bb82c438b3

SHA1
4a3c330954f9f65a2f5fd7e55800e46ce228a3e2

SHA256
998e0209690a48ed33b79af30fc13851e3e3416bed97e3679b6030c10cab361e

SHA512
d4a2ac7c14227fbaf8b532398fb69053f0a0d913273f6917027c8cadbba80113fdbec20c2a7eb31b7bb57c99f9fdeccf8576be5f39346d8b564fc72fb1699476

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
110eefc19acb9f828397632b872abfb8

SHA1
ad7a448c535282ca57e73188c0b6b534998a51bf

SHA256
2fc13fe7c1ef84648ecb417a463167c792e7b85d5d84e630b2e391ea72ea074b

SHA512
713ba00c89c929e28f8e07463ed506ddafcf30ed6bc90e09ccd0bbeaf145a6c49a8a28ce454ad4f617d65c851f1bff6df72bf9bc2173da7219cfaec44d5aa23e

Download Submit
C:\Users\Admin\AppData\Local\120d51e8-8232-4223-8080-77e1ca3cf793\build2.exe

Filesize
380KB

MD5
ba5461bef761e4e723c2567cfe710fe3

SHA1
92f94d48482ca2006caf4c50ac387d1b532e837b

SHA256
c9c82de52be77596153f54b192da4e91e671cc5ad01d6bfe0011fd8e9d5723fa

SHA512
24f0e12607ff0672c236e92193b659c5121059b5ae56545790830081835120aca464e003066455227d31ee8445787fdfbf90a8be29af9e837edbe7e808e11149

Download Submit
C:\Users\Admin\AppData\Local\120d51e8-8232-4223-8080-77e1ca3cf793\build2.exe

Filesize
380KB

MD5
ba5461bef761e4e723c2567cfe710fe3

SHA1
92f94d48482ca2006caf4c50ac387d1b532e837b

SHA256
c9c82de52be77596153f54b192da4e91e671cc5ad01d6bfe0011fd8e9d5723fa

SHA512
24f0e12607ff0672c236e92193b659c5121059b5ae56545790830081835120aca464e003066455227d31ee8445787fdfbf90a8be29af9e837edbe7e808e11149

Download Submit
C:\Users\Admin\AppData\Local\120d51e8-8232-4223-8080-77e1ca3cf793\build2.exe

Filesize
380KB

MD5
ba5461bef761e4e723c2567cfe710fe3

SHA1
92f94d48482ca2006caf4c50ac387d1b532e837b

SHA256
c9c82de52be77596153f54b192da4e91e671cc5ad01d6bfe0011fd8e9d5723fa

SHA512
24f0e12607ff0672c236e92193b659c5121059b5ae56545790830081835120aca464e003066455227d31ee8445787fdfbf90a8be29af9e837edbe7e808e11149

Download Submit
C:\Users\Admin\AppData\Local\4b0534b1-0c4e-486c-a7ff-0d9934def8e9\buildp.exe

Filesize
841KB

MD5
efed57771cb41fdde63781d1e195912c

SHA1
a71b0545951c99eb6ad4a50c22d02c958003d920

SHA256
72cd1426f13a698c7d63a288f4920147812303e8f10a4e66e414cc7c2206381d

SHA512
6fd84f80ba5f3c53f48a6a0135cedc7b489cca419742e043116468bcda0898398dd7ddff4ac7d0d8b283312d4c411790b8ff74276f14016021597498b306a080

Download Submit
\Users\Admin\AppData\Local\120d51e8-8232-4223-8080-77e1ca3cf793\build2.exe

Filesize
380KB

MD5
ba5461bef761e4e723c2567cfe710fe3

SHA1
92f94d48482ca2006caf4c50ac387d1b532e837b

SHA256
c9c82de52be77596153f54b192da4e91e671cc5ad01d6bfe0011fd8e9d5723fa

SHA512
24f0e12607ff0672c236e92193b659c5121059b5ae56545790830081835120aca464e003066455227d31ee8445787fdfbf90a8be29af9e837edbe7e808e11149

Download Submit
\Users\Admin\AppData\Local\120d51e8-8232-4223-8080-77e1ca3cf793\build2.exe

Filesize
380KB

MD5
ba5461bef761e4e723c2567cfe710fe3

SHA1
92f94d48482ca2006caf4c50ac387d1b532e837b

SHA256
c9c82de52be77596153f54b192da4e91e671cc5ad01d6bfe0011fd8e9d5723fa

SHA512
24f0e12607ff0672c236e92193b659c5121059b5ae56545790830081835120aca464e003066455227d31ee8445787fdfbf90a8be29af9e837edbe7e808e11149

Download Submit
memory/876-70-0x0000000000520000-0x00000000005B1000-memory.dmp

Filesize
580KB

Download
memory/876-66-0x0000000000520000-0x00000000005B1000-memory.dmp

Filesize
580KB

Download
memory/912-61-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/912-62-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/912-60-0x0000000075711000-0x0000000075713000-memory.dmp

Filesize
8KB

Download
memory/912-55-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/916-59-0x0000000001E90000-0x0000000001FAB000-memory.dmp

Filesize
1.1MB

Download
memory/916-54-0x0000000000220000-0x00000000002B1000-memory.dmp

Filesize
580KB

Download
memory/916-57-0x0000000000220000-0x00000000002B1000-memory.dmp

Filesize
580KB

Download
memory/1064-72-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1064-73-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1716-79-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1716-86-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1716-87-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2040-82-0x000000000063B000-0x0000000000666000-memory.dmp

Filesize
172KB

Download
memory/2040-84-0x0000000000220000-0x0000000000269000-memory.dmp

Filesize
292KB

Download