General
Target

c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe

Filesize

823KB

Completed

21-05-2022 07:15

Task

behavioral1

Score
10/10
MD5

eee7d75d98bb405f19224241fdc63c66

SHA1

80f225f35e1345b576117c9f964f6c7b83fbb156

SHA256

c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d

SHA256

d9fe73593fcedc49e98612cdc1594eeb57fad15628b10a2bbac2ac9726f731163961e42410400304305b764f795092ac54ff26f178a47eac461d57e40bb32122

Malware Config

Extracted

Family

djvu

C2

http://ugll.org/test1/get.php

Attributes
extension
.dfwe
offline_id
eBNgvyGQV1Hmt9DBdxVRs8qPi1agsS7OaohPmit1
payload_url
http://zerit.top/dl/build2.exe
http://ugll.org/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-j3AdKrnQie Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: admin@helpdata.top Reserve e-mail address to contact us: supportsys@airmail.cc Your personal ID: 0480JIjdm
rsa_pubkey.plain

Extracted

Family

vidar

Version

52.1

Botnet

517

C2

https://t.me/verstappenf1r

https://climatejustice.social/@ronxik312

Attributes
profile_id
517
Signatures 26

Filter: none

Collection
Credential Access
Defense Evasion
Discovery
Persistence
  • Detected Djvu ransomware

    Reported IOCs

    resourceyara_rule
    behavioral1/memory/4068-131-0x0000000002210000-0x000000000232B000-memory.dmpfamily_djvu
    behavioral1/memory/2516-133-0x0000000000400000-0x0000000000537000-memory.dmpfamily_djvu
    behavioral1/memory/2516-134-0x0000000000400000-0x0000000000537000-memory.dmpfamily_djvu
    behavioral1/memory/2516-135-0x0000000000400000-0x0000000000537000-memory.dmpfamily_djvu
    behavioral1/memory/2516-136-0x0000000000400000-0x0000000000537000-memory.dmpfamily_djvu
    behavioral1/memory/4864-142-0x0000000000400000-0x0000000000537000-memory.dmpfamily_djvu
    behavioral1/memory/4864-144-0x0000000000400000-0x0000000000537000-memory.dmpfamily_djvu
    behavioral1/memory/4864-149-0x0000000000400000-0x0000000000537000-memory.dmpfamily_djvu
  • Djvu Ransomware

    Description

    Ransomware which is a variant of the STOP family.

  • Vidar

    Description

    Vidar is an infostealer based on Arkei stealer.

  • suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request

    Description

    suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request

    Tags

  • suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer

    Description

    suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer

    Tags

  • suricata: ET MALWARE Win32/Filecoder.STOP Variant Public Key Download

    Description

    suricata: ET MALWARE Win32/Filecoder.STOP Variant Public Key Download

    Tags

  • suricata: ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key

    Description

    suricata: ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key

    Tags

  • suricata: ET MALWARE Win32/Vodkagats Loader Requesting Payload

    Description

    suricata: ET MALWARE Win32/Vodkagats Loader Requesting Payload

    Tags

  • Vidar Stealer

    Tags

    Reported IOCs

    resourceyara_rule
    behavioral1/memory/1556-154-0x0000000000400000-0x000000000044C000-memory.dmpfamily_vidar
    behavioral1/memory/1556-156-0x0000000000400000-0x000000000044C000-memory.dmpfamily_vidar
    behavioral1/memory/3540-158-0x0000000000920000-0x0000000000969000-memory.dmpfamily_vidar
    behavioral1/memory/1556-159-0x0000000000400000-0x000000000044C000-memory.dmpfamily_vidar
    behavioral1/memory/1556-160-0x0000000000400000-0x000000000044C000-memory.dmpfamily_vidar
  • Downloads MZ/PE file
  • Executes dropped EXE
    build2.exebuild2.exe

    Reported IOCs

    pidprocess
    3540build2.exe
    1556build2.exe
  • Checks computer location settings
    c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exec1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe

    Description

    Looks up country code configured in the registry, likely geofence.

    TTPs

    Query RegistrySystem Information Discovery

    Reported IOCs

    descriptioniocprocess
    Key value queried\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nationc1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe
    Key value queried\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nationc1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe
  • Loads dropped DLL
    build2.exe

    Reported IOCs

    pidprocess
    1556build2.exe
    1556build2.exe
  • Modifies file permissions
    icacls.exe

    Tags

    TTPs

    File Permissions Modification

    Reported IOCs

    pidprocess
    4300icacls.exe
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    TTPs

    Data from Local SystemCredentials in Files
  • Accesses 2FA software files, possible credential harvesting

    TTPs

    Data from Local SystemCredentials in Files
  • Accesses cryptocurrency files/wallets, possible credential harvesting

    Tags

    TTPs

    Data from Local SystemCredentials in Files
  • Adds Run key to start application
    c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe

    TTPs

    Registry Run Keys / Startup FolderModify Registry

    Reported IOCs

    descriptioniocprocess
    Set value (str)\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\260eeeb6-885c-435b-b6bc-b24cb2b18793\\c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe\" --AutoStart"c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe
  • Checks installed software on the system

    Description

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    Tags

    TTPs

    Query Registry
  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

    Reported IOCs

    flowioc
    11api.2ip.ua
    12api.2ip.ua
    17api.2ip.ua
  • Suspicious use of SetThreadContext
    c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exec1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exebuild2.exe

    Reported IOCs

    descriptionpidprocesstarget process
    PID 4068 set thread context of 25164068c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exec1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe
    PID 3552 set thread context of 48643552c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exec1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe
    PID 3540 set thread context of 15563540build2.exebuild2.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Checks processor information in registry
    build2.exe

    Description

    Processor information is often read in order to detect sandboxing environments.

    TTPs

    Query RegistrySystem Information Discovery

    Reported IOCs

    descriptioniocprocess
    Key opened\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0build2.exe
    Key value queried\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameStringbuild2.exe
  • Modifies system certificate store
    c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe

    TTPs

    Install Root CertificateModify Registry

    Reported IOCs

    descriptioniocprocess
    Key created\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe
    Set value (data)\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986ec1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe
  • Suspicious behavior: EnumeratesProcesses
    c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exec1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exebuild2.exe

    Reported IOCs

    pidprocess
    2516c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe
    2516c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe
    4864c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe
    4864c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe
    1556build2.exe
    1556build2.exe
    1556build2.exe
    1556build2.exe
    1556build2.exe
    1556build2.exe
    1556build2.exe
    1556build2.exe
  • Suspicious use of WriteProcessMemory
    c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exec1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exec1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exec1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exebuild2.exe

    Reported IOCs

    descriptionpidprocesstarget process
    PID 4068 wrote to memory of 25164068c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exec1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe
    PID 4068 wrote to memory of 25164068c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exec1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe
    PID 4068 wrote to memory of 25164068c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exec1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe
    PID 4068 wrote to memory of 25164068c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exec1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe
    PID 4068 wrote to memory of 25164068c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exec1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe
    PID 4068 wrote to memory of 25164068c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exec1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe
    PID 4068 wrote to memory of 25164068c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exec1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe
    PID 4068 wrote to memory of 25164068c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exec1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe
    PID 4068 wrote to memory of 25164068c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exec1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe
    PID 4068 wrote to memory of 25164068c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exec1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe
    PID 2516 wrote to memory of 43002516c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exeicacls.exe
    PID 2516 wrote to memory of 43002516c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exeicacls.exe
    PID 2516 wrote to memory of 43002516c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exeicacls.exe
    PID 2516 wrote to memory of 35522516c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exec1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe
    PID 2516 wrote to memory of 35522516c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exec1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe
    PID 2516 wrote to memory of 35522516c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exec1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe
    PID 3552 wrote to memory of 48643552c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exec1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe
    PID 3552 wrote to memory of 48643552c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exec1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe
    PID 3552 wrote to memory of 48643552c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exec1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe
    PID 3552 wrote to memory of 48643552c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exec1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe
    PID 3552 wrote to memory of 48643552c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exec1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe
    PID 3552 wrote to memory of 48643552c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exec1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe
    PID 3552 wrote to memory of 48643552c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exec1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe
    PID 3552 wrote to memory of 48643552c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exec1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe
    PID 3552 wrote to memory of 48643552c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exec1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe
    PID 3552 wrote to memory of 48643552c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exec1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe
    PID 4864 wrote to memory of 35404864c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exebuild2.exe
    PID 4864 wrote to memory of 35404864c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exebuild2.exe
    PID 4864 wrote to memory of 35404864c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exebuild2.exe
    PID 3540 wrote to memory of 15563540build2.exebuild2.exe
    PID 3540 wrote to memory of 15563540build2.exebuild2.exe
    PID 3540 wrote to memory of 15563540build2.exebuild2.exe
    PID 3540 wrote to memory of 15563540build2.exebuild2.exe
    PID 3540 wrote to memory of 15563540build2.exebuild2.exe
    PID 3540 wrote to memory of 15563540build2.exebuild2.exe
    PID 3540 wrote to memory of 15563540build2.exebuild2.exe
    PID 3540 wrote to memory of 15563540build2.exebuild2.exe
Processes 7
  • C:\Users\Admin\AppData\Local\Temp\c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe
    "C:\Users\Admin\AppData\Local\Temp\c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe"
    Suspicious use of SetThreadContext
    Suspicious use of WriteProcessMemory
    PID:4068
    • C:\Users\Admin\AppData\Local\Temp\c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe
      "C:\Users\Admin\AppData\Local\Temp\c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe"
      Checks computer location settings
      Adds Run key to start application
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2516
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Users\Admin\AppData\Local\260eeeb6-885c-435b-b6bc-b24cb2b18793" /deny *S-1-1-0:(OI)(CI)(DE,DC)
        Modifies file permissions
        PID:4300
      • C:\Users\Admin\AppData\Local\Temp\c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe
        "C:\Users\Admin\AppData\Local\Temp\c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe" --Admin IsNotAutoStart IsNotTask
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        PID:3552
        • C:\Users\Admin\AppData\Local\Temp\c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe
          "C:\Users\Admin\AppData\Local\Temp\c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe" --Admin IsNotAutoStart IsNotTask
          Checks computer location settings
          Suspicious behavior: EnumeratesProcesses
          Suspicious use of WriteProcessMemory
          PID:4864
          • C:\Users\Admin\AppData\Local\4e170150-8058-4b7e-986f-609b603ed755\build2.exe
            "C:\Users\Admin\AppData\Local\4e170150-8058-4b7e-986f-609b603ed755\build2.exe"
            Executes dropped EXE
            Suspicious use of SetThreadContext
            Suspicious use of WriteProcessMemory
            PID:3540
            • C:\Users\Admin\AppData\Local\4e170150-8058-4b7e-986f-609b603ed755\build2.exe
              "C:\Users\Admin\AppData\Local\4e170150-8058-4b7e-986f-609b603ed755\build2.exe"
              Executes dropped EXE
              Loads dropped DLL
              Checks processor information in registry
              Suspicious behavior: EnumeratesProcesses
              PID:1556
Network
MITRE ATT&CK Matrix
Command and Control
    Credential Access
    Execution
      Exfiltration
        Impact
          Initial Access
            Lateral Movement
              Privilege Escalation
                Replay Monitor
                00:00 00:00
                Downloads
                • C:\ProgramData\mozglue.dll

                  MD5

                  8f73c08a9660691143661bf7332c3c27

                  SHA1

                  37fa65dd737c50fda710fdbde89e51374d0c204a

                  SHA256

                  3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

                  SHA512

                  0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

                • C:\ProgramData\nss3.dll

                  MD5

                  bfac4e3c5908856ba17d41edcd455a51

                  SHA1

                  8eec7e888767aa9e4cca8ff246eb2aacb9170428

                  SHA256

                  e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

                  SHA512

                  2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

                  MD5

                  93995ad095112907cfc088998c161574

                  SHA1

                  518c7127e11809bb74ff0f68ea7e86ea5aebc798

                  SHA256

                  fd16d238bcac3441688e7ca940c27bb02df8f0bf43b26d8e551414a18748c1cc

                  SHA512

                  c2a3153c65f0acbc821bf663b38591821402d9a00680e2e22f410bf1735752194c08b96f77b7e6712082584a8b6605f7ab9552ad2f6c193fbd13c90bb60436e9

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

                  MD5

                  c04f441d0220712231531a90823834db

                  SHA1

                  68dd18f1e0c51f1fdc4621394091a2dad08e4a08

                  SHA256

                  055641d3987ae98e2dd627d3214ea8084ae773a3df9592191b86977c752a29e7

                  SHA512

                  3156cf79585a45d919d4b27da4fe860f06e3206961fe1d20347ad74ef17de81c47857f35acd5cda3fae5ade28ab9747529ea3e8e79ca80aaf98e1f0e852bed53

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

                  MD5

                  b60f3a1dde35bc1fe73d86cebf37b834

                  SHA1

                  ad0f650273bccd8aaf6d627609f55bc5824cc5c6

                  SHA256

                  b49f18af1fbd41c9283d4eebff619b5c08fdb4b31e199328c50979578eb806b0

                  SHA512

                  ccf8b09c8863a78ff62ce2079445c831622943cd57797090901ab79c4977edf42603575e61a11cd69867a1c72ff6ea89d7bfc94e69e1918899cda3ec4ac7419e

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

                  MD5

                  7d4f96d2be12bb63c9f575bcbc39b944

                  SHA1

                  7de83f7d7b95dd90e8fcb1c408f8772bcaa9b731

                  SHA256

                  6a93a740c766b20ba74698e87f173d136286b29dc45b61c6e46d9d25ffa49077

                  SHA512

                  d459732675c50d309be94d392dc223789ca618f062033641880f8b2207f87c070cc3fa35fa384d4033894c418255895ee595387c7c6ab756f69fa798ce306358

                • C:\Users\Admin\AppData\Local\260eeeb6-885c-435b-b6bc-b24cb2b18793\c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d.exe

                  MD5

                  eee7d75d98bb405f19224241fdc63c66

                  SHA1

                  80f225f35e1345b576117c9f964f6c7b83fbb156

                  SHA256

                  c1ca52b41bcd7c2aed75224fa391ded87fc404ffdf64773a1d2aa0d079129d3d

                  SHA512

                  d9fe73593fcedc49e98612cdc1594eeb57fad15628b10a2bbac2ac9726f731163961e42410400304305b764f795092ac54ff26f178a47eac461d57e40bb32122

                • C:\Users\Admin\AppData\Local\4e170150-8058-4b7e-986f-609b603ed755\build2.exe

                  MD5

                  3107999f9600f5f2bc88e17282da2773

                  SHA1

                  8862f9551fdb7dc30e135c556751b973f441e7b4

                  SHA256

                  aacab9cbbf292403a63bcfd1f6f0a9e534ac39aab406f2c9d7aa98b719f3801f

                  SHA512

                  50c66565fc457b848014eaf70b3f7cc408e8a818bd29c80daf53597a44c182d26649c249a6e3fe7e6516fc7ff7e7026f3aff4b25ee48645789fa6cd3d3e2f338

                • C:\Users\Admin\AppData\Local\4e170150-8058-4b7e-986f-609b603ed755\build2.exe

                  MD5

                  3107999f9600f5f2bc88e17282da2773

                  SHA1

                  8862f9551fdb7dc30e135c556751b973f441e7b4

                  SHA256

                  aacab9cbbf292403a63bcfd1f6f0a9e534ac39aab406f2c9d7aa98b719f3801f

                  SHA512

                  50c66565fc457b848014eaf70b3f7cc408e8a818bd29c80daf53597a44c182d26649c249a6e3fe7e6516fc7ff7e7026f3aff4b25ee48645789fa6cd3d3e2f338

                • C:\Users\Admin\AppData\Local\4e170150-8058-4b7e-986f-609b603ed755\build2.exe

                  MD5

                  3107999f9600f5f2bc88e17282da2773

                  SHA1

                  8862f9551fdb7dc30e135c556751b973f441e7b4

                  SHA256

                  aacab9cbbf292403a63bcfd1f6f0a9e534ac39aab406f2c9d7aa98b719f3801f

                  SHA512

                  50c66565fc457b848014eaf70b3f7cc408e8a818bd29c80daf53597a44c182d26649c249a6e3fe7e6516fc7ff7e7026f3aff4b25ee48645789fa6cd3d3e2f338

                • memory/1556-161-0x0000000060900000-0x0000000060992000-memory.dmp

                • memory/1556-160-0x0000000000400000-0x000000000044C000-memory.dmp

                • memory/1556-159-0x0000000000400000-0x000000000044C000-memory.dmp

                • memory/1556-156-0x0000000000400000-0x000000000044C000-memory.dmp

                • memory/1556-154-0x0000000000400000-0x000000000044C000-memory.dmp

                • memory/1556-153-0x0000000000000000-mapping.dmp

                • memory/2516-134-0x0000000000400000-0x0000000000537000-memory.dmp

                • memory/2516-132-0x0000000000000000-mapping.dmp

                • memory/2516-135-0x0000000000400000-0x0000000000537000-memory.dmp

                • memory/2516-136-0x0000000000400000-0x0000000000537000-memory.dmp

                • memory/2516-133-0x0000000000400000-0x0000000000537000-memory.dmp

                • memory/3540-157-0x0000000000566000-0x0000000000591000-memory.dmp

                • memory/3540-158-0x0000000000920000-0x0000000000969000-memory.dmp

                • memory/3540-150-0x0000000000000000-mapping.dmp

                • memory/3552-143-0x00000000007E1000-0x0000000000873000-memory.dmp

                • memory/3552-139-0x0000000000000000-mapping.dmp

                • memory/4068-131-0x0000000002210000-0x000000000232B000-memory.dmp

                • memory/4068-130-0x00000000007D6000-0x0000000000868000-memory.dmp

                • memory/4300-137-0x0000000000000000-mapping.dmp

                • memory/4864-140-0x0000000000000000-mapping.dmp

                • memory/4864-149-0x0000000000400000-0x0000000000537000-memory.dmp

                • memory/4864-144-0x0000000000400000-0x0000000000537000-memory.dmp

                • memory/4864-142-0x0000000000400000-0x0000000000537000-memory.dmp