djvu | 1b359f5e2446a66b1e44143fabdfe23de8c237e93eeae0e973646dd205a645a7

General

Target

1b359f5e2446a66b1e44143fabdfe23de8c237e93eeae0e973646dd205a645a7.exe
Size

1.2MB
MD5

c25ef68e3f182a258cc00ccc01c985e2
SHA1

498e57ef53f9a5deec7a08edfe8dd881e70a68d2
SHA256

1b359f5e2446a66b1e44143fabdfe23de8c237e93eeae0e973646dd205a645a7
SHA512

b00c9899a1f0677b7ddeb10472505e4e16b9082c442d00b24e826615211eb77b612656cd246219f336f86b3da19b25259a1056b819ac0743adf6d517cbcabf78

Score

10^/10

djvu discovery persistence ransomware

Malware Config

Extracted

Family

djvu

C2

http://ring1.ug/As73yhsyU34578hxxx/SDf565g/get.php

Attributes

extension
.coot
offline_id
MRQ5kb5Z12tWuP3e25YoRt4PRDrJd2yuI3coott1
payload_url
http://ring1.ug/files/cost/updatewin1.exe
http://ring1.ug/files/cost/updatewin2.exe
http://ring1.ug/files/cost/updatewin.exe
http://ring1.ug/files/cost/3.exe
http://ring1.ug/files/cost/4.exe
http://ring1.ug/files/cost/5.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-IbdGyCKhdr Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: salesrestoresoftware@firemail.cc Reserve e-mail address to contact us: salesrestoresoftware@gmail.com Your personal ID: 0175Asd374y5iuhld

rsa_pubkey.plain

Signatures

Detected Djvu ransomware 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5052-131-0x0000000009AF0000-0x0000000009C0A000-memory.dmp	family_djvu
behavioral2/memory/5052-132-0x0000000000400000-0x0000000001400000-memory.dmp	family_djvu
behavioral2/memory/5052-136-0x0000000000400000-0x0000000001400000-memory.dmp	family_djvu
behavioral2/memory/4876-138-0x0000000000400000-0x0000000001400000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1b359f5e2446a66b1e44143fabdfe23de8c237e93eeae0e973646dd205a645a7.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	1b359f5e2446a66b1e44143fabdfe23de8c237e93eeae0e973646dd205a645a7.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

4084 icacls.exe

pid	process
4084	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1b359f5e2446a66b1e44143fabdfe23de8c237e93eeae0e973646dd205a645a7.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\bdc7e6da-dc76-4956-b39d-2b4020253ca9\\1b359f5e2446a66b1e44143fabdfe23de8c237e93eeae0e973646dd205a645a7.exe\" --AutoStart"	1b359f5e2446a66b1e44143fabdfe23de8c237e93eeae0e973646dd205a645a7.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 api.2ip.ua
6 api.2ip.ua
24 api.2ip.ua
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	ioc
5	api.2ip.ua
6	api.2ip.ua
24	api.2ip.ua

Program crash 35 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2000	5052	WerFault.exe	1b359f5e2446a66b1e44143fabdfe23de8c237e93eeae0e973646dd205a645a7.exe
5056	5052	WerFault.exe	1b359f5e2446a66b1e44143fabdfe23de8c237e93eeae0e973646dd205a645a7.exe
3712	5052	WerFault.exe	1b359f5e2446a66b1e44143fabdfe23de8c237e93eeae0e973646dd205a645a7.exe
2624	5052	WerFault.exe	1b359f5e2446a66b1e44143fabdfe23de8c237e93eeae0e973646dd205a645a7.exe
2804	5052	WerFault.exe	1b359f5e2446a66b1e44143fabdfe23de8c237e93eeae0e973646dd205a645a7.exe
3224	5052	WerFault.exe	1b359f5e2446a66b1e44143fabdfe23de8c237e93eeae0e973646dd205a645a7.exe
4832	5052	WerFault.exe	1b359f5e2446a66b1e44143fabdfe23de8c237e93eeae0e973646dd205a645a7.exe
4524	5052	WerFault.exe	1b359f5e2446a66b1e44143fabdfe23de8c237e93eeae0e973646dd205a645a7.exe
4896	5052	WerFault.exe	1b359f5e2446a66b1e44143fabdfe23de8c237e93eeae0e973646dd205a645a7.exe
480	5052	WerFault.exe	1b359f5e2446a66b1e44143fabdfe23de8c237e93eeae0e973646dd205a645a7.exe
1368	5052	WerFault.exe	1b359f5e2446a66b1e44143fabdfe23de8c237e93eeae0e973646dd205a645a7.exe
2908	5052	WerFault.exe	1b359f5e2446a66b1e44143fabdfe23de8c237e93eeae0e973646dd205a645a7.exe
1420	5052	WerFault.exe	1b359f5e2446a66b1e44143fabdfe23de8c237e93eeae0e973646dd205a645a7.exe
308	5052	WerFault.exe	1b359f5e2446a66b1e44143fabdfe23de8c237e93eeae0e973646dd205a645a7.exe
1644	5052	WerFault.exe	1b359f5e2446a66b1e44143fabdfe23de8c237e93eeae0e973646dd205a645a7.exe
2436	5052	WerFault.exe	1b359f5e2446a66b1e44143fabdfe23de8c237e93eeae0e973646dd205a645a7.exe
1280	5052	WerFault.exe	1b359f5e2446a66b1e44143fabdfe23de8c237e93eeae0e973646dd205a645a7.exe
2052	5052	WerFault.exe	1b359f5e2446a66b1e44143fabdfe23de8c237e93eeae0e973646dd205a645a7.exe
2604	4876	WerFault.exe	1b359f5e2446a66b1e44143fabdfe23de8c237e93eeae0e973646dd205a645a7.exe
4372	4876	WerFault.exe	1b359f5e2446a66b1e44143fabdfe23de8c237e93eeae0e973646dd205a645a7.exe
2840	4876	WerFault.exe	1b359f5e2446a66b1e44143fabdfe23de8c237e93eeae0e973646dd205a645a7.exe
3760	4876	WerFault.exe	1b359f5e2446a66b1e44143fabdfe23de8c237e93eeae0e973646dd205a645a7.exe
708	4876	WerFault.exe	1b359f5e2446a66b1e44143fabdfe23de8c237e93eeae0e973646dd205a645a7.exe
752	4876	WerFault.exe	1b359f5e2446a66b1e44143fabdfe23de8c237e93eeae0e973646dd205a645a7.exe
2228	4876	WerFault.exe	1b359f5e2446a66b1e44143fabdfe23de8c237e93eeae0e973646dd205a645a7.exe
4152	4876	WerFault.exe	1b359f5e2446a66b1e44143fabdfe23de8c237e93eeae0e973646dd205a645a7.exe
3756	4876	WerFault.exe	1b359f5e2446a66b1e44143fabdfe23de8c237e93eeae0e973646dd205a645a7.exe
664	4876	WerFault.exe	1b359f5e2446a66b1e44143fabdfe23de8c237e93eeae0e973646dd205a645a7.exe
3216	4876	WerFault.exe	1b359f5e2446a66b1e44143fabdfe23de8c237e93eeae0e973646dd205a645a7.exe
1864	4876	WerFault.exe	1b359f5e2446a66b1e44143fabdfe23de8c237e93eeae0e973646dd205a645a7.exe
4776	4876	WerFault.exe	1b359f5e2446a66b1e44143fabdfe23de8c237e93eeae0e973646dd205a645a7.exe
4792	4876	WerFault.exe	1b359f5e2446a66b1e44143fabdfe23de8c237e93eeae0e973646dd205a645a7.exe
1544	4876	WerFault.exe	1b359f5e2446a66b1e44143fabdfe23de8c237e93eeae0e973646dd205a645a7.exe
3232	4876	WerFault.exe	1b359f5e2446a66b1e44143fabdfe23de8c237e93eeae0e973646dd205a645a7.exe
2648	4876	WerFault.exe	1b359f5e2446a66b1e44143fabdfe23de8c237e93eeae0e973646dd205a645a7.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

1b359f5e2446a66b1e44143fabdfe23de8c237e93eeae0e973646dd205a645a7.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	1b359f5e2446a66b1e44143fabdfe23de8c237e93eeae0e973646dd205a645a7.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	1b359f5e2446a66b1e44143fabdfe23de8c237e93eeae0e973646dd205a645a7.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

1b359f5e2446a66b1e44143fabdfe23de8c237e93eeae0e973646dd205a645a7.exe1b359f5e2446a66b1e44143fabdfe23de8c237e93eeae0e973646dd205a645a7.exe

pid	process
5052	1b359f5e2446a66b1e44143fabdfe23de8c237e93eeae0e973646dd205a645a7.exe
5052	1b359f5e2446a66b1e44143fabdfe23de8c237e93eeae0e973646dd205a645a7.exe
4876	1b359f5e2446a66b1e44143fabdfe23de8c237e93eeae0e973646dd205a645a7.exe
4876	1b359f5e2446a66b1e44143fabdfe23de8c237e93eeae0e973646dd205a645a7.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

1b359f5e2446a66b1e44143fabdfe23de8c237e93eeae0e973646dd205a645a7.exe

description	pid	process	target process
PID 5052 wrote to memory of 4084	5052	1b359f5e2446a66b1e44143fabdfe23de8c237e93eeae0e973646dd205a645a7.exe	icacls.exe
PID 5052 wrote to memory of 4084	5052	1b359f5e2446a66b1e44143fabdfe23de8c237e93eeae0e973646dd205a645a7.exe	icacls.exe
PID 5052 wrote to memory of 4084	5052	1b359f5e2446a66b1e44143fabdfe23de8c237e93eeae0e973646dd205a645a7.exe	icacls.exe
PID 5052 wrote to memory of 4876	5052	1b359f5e2446a66b1e44143fabdfe23de8c237e93eeae0e973646dd205a645a7.exe	1b359f5e2446a66b1e44143fabdfe23de8c237e93eeae0e973646dd205a645a7.exe
PID 5052 wrote to memory of 4876	5052	1b359f5e2446a66b1e44143fabdfe23de8c237e93eeae0e973646dd205a645a7.exe	1b359f5e2446a66b1e44143fabdfe23de8c237e93eeae0e973646dd205a645a7.exe
PID 5052 wrote to memory of 4876	5052	1b359f5e2446a66b1e44143fabdfe23de8c237e93eeae0e973646dd205a645a7.exe	1b359f5e2446a66b1e44143fabdfe23de8c237e93eeae0e973646dd205a645a7.exe

C:\Users\Admin\AppData\Local\Temp\1b359f5e2446a66b1e44143fabdfe23de8c237e93eeae0e973646dd205a645a7.exe
"C:\Users\Admin\AppData\Local\Temp\1b359f5e2446a66b1e44143fabdfe23de8c237e93eeae0e973646dd205a645a7.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 832
2⤵
- Program crash
PID:2000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 876
2⤵
- Program crash
PID:5056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 876
2⤵
- Program crash
PID:3712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 912
2⤵
- Program crash
PID:2624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 984
2⤵
- Program crash
PID:2804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 1104
2⤵
- Program crash
PID:3224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 1524
2⤵
- Program crash
PID:4832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 1536
2⤵
- Program crash
PID:4524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 1804
2⤵
- Program crash
PID:4896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 1812
2⤵
- Program crash
PID:480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 1856
2⤵
- Program crash
PID:1368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 1816
2⤵
- Program crash
PID:2908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 1864
2⤵
- Program crash
PID:1420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 1904
2⤵
- Program crash
PID:308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 1824
2⤵
- Program crash
PID:1644

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\bdc7e6da-dc76-4956-b39d-2b4020253ca9" /deny *S-1-1-0:(OI)(CI)(DE,DC)
2⤵
- Modifies file permissions
PID:4084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 1976
2⤵
- Program crash
PID:2436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 2232
2⤵
- Program crash
PID:1280

C:\Users\Admin\AppData\Local\Temp\1b359f5e2446a66b1e44143fabdfe23de8c237e93eeae0e973646dd205a645a7.exe
"C:\Users\Admin\AppData\Local\Temp\1b359f5e2446a66b1e44143fabdfe23de8c237e93eeae0e973646dd205a645a7.exe" --Admin IsNotAutoStart IsNotTask
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 768
3⤵
- Program crash
PID:2604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 800
3⤵
- Program crash
PID:4372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 800
3⤵
- Program crash
PID:2840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 776
3⤵
- Program crash
PID:3760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 788
3⤵
- Program crash
PID:708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 792
3⤵
- Program crash
PID:752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 1060
3⤵
- Program crash
PID:2228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 1412
3⤵
- Program crash
PID:4152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 1536
3⤵
- Program crash
PID:3756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 1660
3⤵
- Program crash
PID:664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 1608
3⤵
- Program crash
PID:3216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 1688
3⤵
- Program crash
PID:1864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 1060
3⤵
- Program crash
PID:4776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 1520
3⤵
- Program crash
PID:4792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 1520
3⤵
- Program crash
PID:1544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 1784
3⤵
- Program crash
PID:3232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 1712
3⤵
- Program crash
PID:2648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 2192
2⤵
- Program crash
PID:2052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 5052 -ip 5052
1⤵
PID:2516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 5052 -ip 5052
1⤵
PID:4680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5052 -ip 5052
1⤵
PID:1784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 5052 -ip 5052
1⤵
PID:4060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 5052 -ip 5052
1⤵
PID:2916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5052 -ip 5052
1⤵
PID:2764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 5052 -ip 5052
1⤵
PID:4480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 5052 -ip 5052
1⤵
PID:4640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5052 -ip 5052
1⤵
PID:4596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5052 -ip 5052
1⤵
PID:2136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5052 -ip 5052
1⤵
PID:1532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5052 -ip 5052
1⤵
PID:536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5052 -ip 5052
1⤵
PID:2648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5052 -ip 5052
1⤵
PID:2348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 5052 -ip 5052
1⤵
PID:2464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 5052 -ip 5052
1⤵
PID:2940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 5052 -ip 5052
1⤵
PID:1572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 5052 -ip 5052
1⤵
PID:1700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 4876 -ip 4876
1⤵
PID:1028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4876 -ip 4876
1⤵
PID:3952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 4876 -ip 4876
1⤵
PID:3964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4876 -ip 4876
1⤵
PID:1664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 4876 -ip 4876
1⤵
PID:460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 4876 -ip 4876
1⤵
PID:1964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 4876 -ip 4876
1⤵
PID:4584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 4876 -ip 4876
1⤵
PID:4484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 4876 -ip 4876
1⤵
PID:1760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 4876 -ip 4876
1⤵
PID:4888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 4876 -ip 4876
1⤵
PID:1188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 4876 -ip 4876
1⤵
PID:2572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 4876 -ip 4876
1⤵
PID:4168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 4876 -ip 4876
1⤵
PID:3860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 4876 -ip 4876
1⤵
PID:2148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 4876 -ip 4876
1⤵
PID:1608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 4876 -ip 4876
1⤵
PID:2908

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Modify Registry

2

T1112

Install Root Certificate

1

T1130

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize
727B

MD5
7375cf2afeecf00cdabffa2650c26dce

SHA1
7c07a18406c66c84b2cbf0188b5e917c269cbb53

SHA256
9765460f97e7ec289fe59d89f741b21330fe26d2e869584265ec55ae7333de78

SHA512
46c32e439a874cf32db1ad30079c9f974ef1488a5567e2d2af795a71397de8c4167af3146e142e60e5f8762b89e0ac3e9473d0af7e52cb47ea2ca0f18c065344

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\572BF21E454637C9F000BE1AF9B1E1A9
Filesize
506B

MD5
5880c9429ef549c006b6fbc19a35f808

SHA1
aa58fbf9790839dcd13aad7d00ea475a959f786b

SHA256
04a9c17fa3da0ac72f3295511a0ea356c3e27d68b6fcb5fa0fb014d071b7fa37

SHA512
9d8475509b55e88a97595dbd7d81fe9bc9fb33d3499d44188f806832a6951e932bcf02df38cfda4267605c535099ba421755e9c7369601da0f2c0453be740be2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize
402B

MD5
e9278edc91f3892aa4bc1895e2718aba

SHA1
34950e5f1bbce43d4b9b1e2c999675eaf5ebc4e8

SHA256
3a5a92cf5d1cbd9e76092949a92f34fd628d787c32a3121fefae3648af6832bd

SHA512
1a3b9d38e44657970747cd5c4e7bc862e75f44c8fd72780276ef0deeb2c349873c9520e38a109bfbb6c644ef485e5260f712106dcd992f3138d033802aee9ce7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\572BF21E454637C9F000BE1AF9B1E1A9
Filesize
248B

MD5
d8d0786537bcf702bc6786aceabe84b0

SHA1
8a1835158d4d9b723731be84cab53f1715111d2a

SHA256
084fe78493438cf3708d7276e2d30ea6a398f8bd588928b2bef529e9c357681c

SHA512
c91c42e70d68e10be12e3007d8b869ffbb1944858826b884fc8aaa407df19fe07124e1f1d8f3bf294fa37e83835a27afcaa7588f27e43d7061827f0a53be57d8

Download Submit
C:\Users\Admin\AppData\Local\bdc7e6da-dc76-4956-b39d-2b4020253ca9\1b359f5e2446a66b1e44143fabdfe23de8c237e93eeae0e973646dd205a645a7.exe
Filesize
1.2MB

MD5
c25ef68e3f182a258cc00ccc01c985e2

SHA1
498e57ef53f9a5deec7a08edfe8dd881e70a68d2

SHA256
1b359f5e2446a66b1e44143fabdfe23de8c237e93eeae0e973646dd205a645a7

SHA512
b00c9899a1f0677b7ddeb10472505e4e16b9082c442d00b24e826615211eb77b612656cd246219f336f86b3da19b25259a1056b819ac0743adf6d517cbcabf78

Download Submit
memory/4084-133-0x0000000000000000-mapping.dmp

Download
memory/4876-137-0x0000000009819000-0x00000000098AA000-memory.dmp

Filesize
580KB

Download
memory/4876-138-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4876-135-0x0000000000000000-mapping.dmp

Download
memory/5052-136-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/5052-130-0x0000000009A24000-0x0000000009AB5000-memory.dmp

Filesize
580KB

Download
memory/5052-132-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/5052-131-0x0000000009AF0000-0x0000000009C0A000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads