djvu | 539885fc37c58da4b6852e53e741024d30f358517820322c0145d0383494eec6

Analysis

max time kernel
57s
max time network
59s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
05-10-2022 18:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

160c9eb3600d3bf9d2846a09a65218593c5d385b724da7cd44b23a1732157cda.exe
Size

272KB
MD5

8432e504f078f9319133a9ad826773fc
SHA1

9d913d1aff658215553c79c74ec0cc3030248845
SHA256

160c9eb3600d3bf9d2846a09a65218593c5d385b724da7cd44b23a1732157cda
SHA512

809769c7dc53c43de7d9de08f09ca06e286b91cac073fd01a8fc60bd9e3409f1cfbbf876ed69c5215c976a2fedecc5c49971dff93716f2eee073398087f388bc
SSDEEP

6144:+ydAhddLVf6VaM/WSr/hBuzbgwu7wVfU+:+64dhf1cunnS+

Score

10^/10

djvu smokeloader backdoor collection discovery persistence ransomware spyware stealer trojan

Malware Config

Extracted

Family

djvu

http://winnlinne.com/lancer/get.php

Attributes

extension
.adww
offline_id
z8lhl4oForVEc7gy9Ra8rSqjYMl3xiFRuIW4not1
payload_url
http://rgyui.top/dl/build2.exe
http://winnlinne.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-g28rVcqA58 Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@bestyourmail.ch Reserve e-mail address to contact us: datarestorehelp@airmail.cc Your personal ID: 0573Jhyjd

rsa_pubkey.plain

Signatures

Detected Djvu ransomware 10 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3480-155-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3480-157-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2636-160-0x0000000002320000-0x000000000243B000-memory.dmp	family_djvu
behavioral2/memory/3480-159-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3480-163-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3480-170-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3480-181-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4320-190-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4320-192-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4320-197-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Detects Smokeloader packer 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4928-133-0x0000000000590000-0x0000000000599000-memory.dmp	family_smokeloader
behavioral2/memory/3996-166-0x0000000000560000-0x0000000000569000-memory.dmp	family_smokeloader

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file
Executes dropped EXE 7 IoCs

Processes:

E9E8.exeF032.exeF256.exeE9E8.exeE9E8.exeE9E8.exebuild2.exe

pid process

2636 E9E8.exe
4800 F032.exe
3996 F256.exe
3480 E9E8.exe
796 E9E8.exe
4320 E9E8.exe
3040 build2.exe

pid	process
2636	E9E8.exe
4800	F032.exe
3996	F256.exe
3480	E9E8.exe
796	E9E8.exe
4320	E9E8.exe
3040	build2.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

E9E8.exeE9E8.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	E9E8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	E9E8.exe

Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

4252 regsvr32.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

1908 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4252	regsvr32.exe

pid	process
1908	icacls.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

E9E8.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\a1149413-0a47-482c-a6ea-d82528ddf9eb\\E9E8.exe\" --AutoStart"	E9E8.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

24 api.2ip.ua
25 api.2ip.ua
41 api.2ip.ua
Suspicious use of SetThreadContext 2 IoCs

Processes:

E9E8.exeE9E8.exe

description pid process target process

PID 2636 set thread context of 3480 2636 E9E8.exe E9E8.exe
PID 796 set thread context of 4320 796 E9E8.exe E9E8.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	ioc
24	api.2ip.ua
25	api.2ip.ua
41	api.2ip.ua

description	pid	process	target process
PID 2636 set thread context of 3480	2636	E9E8.exe	E9E8.exe
PID 796 set thread context of 4320	796	E9E8.exe	E9E8.exe

Program crash 9 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3520	4800	WerFault.exe	F032.exe
1016	4800	WerFault.exe	F032.exe
380	4800	WerFault.exe	F032.exe
2668	4800	WerFault.exe	F032.exe
1884	4800	WerFault.exe	F032.exe
1312	4800	WerFault.exe	F032.exe
3356	4800	WerFault.exe	F032.exe
508	4800	WerFault.exe	F032.exe
1996	4800	WerFault.exe	F032.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

F256.exe160c9eb3600d3bf9d2846a09a65218593c5d385b724da7cd44b23a1732157cda.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	F256.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	F256.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	160c9eb3600d3bf9d2846a09a65218593c5d385b724da7cd44b23a1732157cda.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	160c9eb3600d3bf9d2846a09a65218593c5d385b724da7cd44b23a1732157cda.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	160c9eb3600d3bf9d2846a09a65218593c5d385b724da7cd44b23a1732157cda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	F256.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

160c9eb3600d3bf9d2846a09a65218593c5d385b724da7cd44b23a1732157cda.exe

pid	process
4928	160c9eb3600d3bf9d2846a09a65218593c5d385b724da7cd44b23a1732157cda.exe
4928	160c9eb3600d3bf9d2846a09a65218593c5d385b724da7cd44b23a1732157cda.exe
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864
2864

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

160c9eb3600d3bf9d2846a09a65218593c5d385b724da7cd44b23a1732157cda.exeF256.exe

pid process

4928 160c9eb3600d3bf9d2846a09a65218593c5d385b724da7cd44b23a1732157cda.exe
2864
2864
2864
2864
3996 F256.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

wmic.exeWMIC.exe

description	pid	process
Token: SeShutdownPrivilege	2864
Token: SeCreatePagefilePrivilege	2864
Token: SeShutdownPrivilege	2864
Token: SeCreatePagefilePrivilege	2864
Token: SeShutdownPrivilege	2864
Token: SeCreatePagefilePrivilege	2864
Token: SeShutdownPrivilege	2864
Token: SeCreatePagefilePrivilege	2864
Token: SeShutdownPrivilege	2864
Token: SeCreatePagefilePrivilege	2864
Token: SeShutdownPrivilege	2864
Token: SeCreatePagefilePrivilege	2864
Token: SeShutdownPrivilege	2864
Token: SeCreatePagefilePrivilege	2864
Token: SeShutdownPrivilege	2864
Token: SeCreatePagefilePrivilege	2864
Token: SeIncreaseQuotaPrivilege	1272	wmic.exe
Token: SeSecurityPrivilege	1272	wmic.exe
Token: SeTakeOwnershipPrivilege	1272	wmic.exe
Token: SeLoadDriverPrivilege	1272	wmic.exe
Token: SeSystemProfilePrivilege	1272	wmic.exe
Token: SeSystemtimePrivilege	1272	wmic.exe
Token: SeProfSingleProcessPrivilege	1272	wmic.exe
Token: SeIncBasePriorityPrivilege	1272	wmic.exe
Token: SeCreatePagefilePrivilege	1272	wmic.exe
Token: SeBackupPrivilege	1272	wmic.exe
Token: SeRestorePrivilege	1272	wmic.exe
Token: SeShutdownPrivilege	1272	wmic.exe
Token: SeDebugPrivilege	1272	wmic.exe
Token: SeSystemEnvironmentPrivilege	1272	wmic.exe
Token: SeRemoteShutdownPrivilege	1272	wmic.exe
Token: SeUndockPrivilege	1272	wmic.exe
Token: SeManageVolumePrivilege	1272	wmic.exe
Token: 33	1272	wmic.exe
Token: 34	1272	wmic.exe
Token: 35	1272	wmic.exe
Token: 36	1272	wmic.exe
Token: SeShutdownPrivilege	2864
Token: SeCreatePagefilePrivilege	2864
Token: SeIncreaseQuotaPrivilege	1272	wmic.exe
Token: SeSecurityPrivilege	1272	wmic.exe
Token: SeTakeOwnershipPrivilege	1272	wmic.exe
Token: SeLoadDriverPrivilege	1272	wmic.exe
Token: SeSystemProfilePrivilege	1272	wmic.exe
Token: SeSystemtimePrivilege	1272	wmic.exe
Token: SeProfSingleProcessPrivilege	1272	wmic.exe
Token: SeIncBasePriorityPrivilege	1272	wmic.exe
Token: SeCreatePagefilePrivilege	1272	wmic.exe
Token: SeBackupPrivilege	1272	wmic.exe
Token: SeRestorePrivilege	1272	wmic.exe
Token: SeShutdownPrivilege	1272	wmic.exe
Token: SeDebugPrivilege	1272	wmic.exe
Token: SeSystemEnvironmentPrivilege	1272	wmic.exe
Token: SeRemoteShutdownPrivilege	1272	wmic.exe
Token: SeUndockPrivilege	1272	wmic.exe
Token: SeManageVolumePrivilege	1272	wmic.exe
Token: 33	1272	wmic.exe
Token: 34	1272	wmic.exe
Token: 35	1272	wmic.exe
Token: 36	1272	wmic.exe
Token: SeShutdownPrivilege	2864
Token: SeCreatePagefilePrivilege	2864
Token: SeIncreaseQuotaPrivilege	728	WMIC.exe
Token: SeSecurityPrivilege	728	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

regsvr32.exeE9E8.exeE9E8.exeF032.execmd.execmd.exeE9E8.exeE9E8.exe

description	pid	process	target process
PID 2864 wrote to memory of 2636	2864		E9E8.exe
PID 2864 wrote to memory of 2636	2864		E9E8.exe
PID 2864 wrote to memory of 2636	2864		E9E8.exe
PID 2864 wrote to memory of 4800	2864		F032.exe
PID 2864 wrote to memory of 4800	2864		F032.exe
PID 2864 wrote to memory of 4800	2864		F032.exe
PID 2864 wrote to memory of 3996	2864		F256.exe
PID 2864 wrote to memory of 3996	2864		F256.exe
PID 2864 wrote to memory of 3996	2864		F256.exe
PID 2864 wrote to memory of 3872	2864		regsvr32.exe
PID 2864 wrote to memory of 3872	2864		regsvr32.exe
PID 3872 wrote to memory of 4252	3872	regsvr32.exe	regsvr32.exe
PID 3872 wrote to memory of 4252	3872	regsvr32.exe	regsvr32.exe
PID 3872 wrote to memory of 4252	3872	regsvr32.exe	regsvr32.exe
PID 2864 wrote to memory of 2348	2864		explorer.exe
PID 2864 wrote to memory of 2348	2864		explorer.exe
PID 2864 wrote to memory of 2348	2864		explorer.exe
PID 2864 wrote to memory of 2348	2864		explorer.exe
PID 2864 wrote to memory of 1048	2864		explorer.exe
PID 2864 wrote to memory of 1048	2864		explorer.exe
PID 2864 wrote to memory of 1048	2864		explorer.exe
PID 2636 wrote to memory of 3480	2636	E9E8.exe	E9E8.exe
PID 2636 wrote to memory of 3480	2636	E9E8.exe	E9E8.exe
PID 2636 wrote to memory of 3480	2636	E9E8.exe	E9E8.exe
PID 2636 wrote to memory of 3480	2636	E9E8.exe	E9E8.exe
PID 2636 wrote to memory of 3480	2636	E9E8.exe	E9E8.exe
PID 2636 wrote to memory of 3480	2636	E9E8.exe	E9E8.exe
PID 2636 wrote to memory of 3480	2636	E9E8.exe	E9E8.exe
PID 2636 wrote to memory of 3480	2636	E9E8.exe	E9E8.exe
PID 2636 wrote to memory of 3480	2636	E9E8.exe	E9E8.exe
PID 2636 wrote to memory of 3480	2636	E9E8.exe	E9E8.exe
PID 3480 wrote to memory of 1908	3480	E9E8.exe	icacls.exe
PID 3480 wrote to memory of 1908	3480	E9E8.exe	icacls.exe
PID 3480 wrote to memory of 1908	3480	E9E8.exe	icacls.exe
PID 3480 wrote to memory of 796	3480	E9E8.exe	E9E8.exe
PID 3480 wrote to memory of 796	3480	E9E8.exe	E9E8.exe
PID 3480 wrote to memory of 796	3480	E9E8.exe	E9E8.exe
PID 4800 wrote to memory of 1272	4800	F032.exe	wmic.exe
PID 4800 wrote to memory of 1272	4800	F032.exe	wmic.exe
PID 4800 wrote to memory of 1272	4800	F032.exe	wmic.exe
PID 4800 wrote to memory of 5000	4800	F032.exe	cmd.exe
PID 4800 wrote to memory of 5000	4800	F032.exe	cmd.exe
PID 4800 wrote to memory of 5000	4800	F032.exe	cmd.exe
PID 5000 wrote to memory of 728	5000	cmd.exe	WMIC.exe
PID 5000 wrote to memory of 728	5000	cmd.exe	WMIC.exe
PID 5000 wrote to memory of 728	5000	cmd.exe	WMIC.exe
PID 4800 wrote to memory of 4092	4800	F032.exe	cmd.exe
PID 4800 wrote to memory of 4092	4800	F032.exe	cmd.exe
PID 4800 wrote to memory of 4092	4800	F032.exe	cmd.exe
PID 4092 wrote to memory of 2136	4092	cmd.exe	WMIC.exe
PID 4092 wrote to memory of 2136	4092	cmd.exe	WMIC.exe
PID 4092 wrote to memory of 2136	4092	cmd.exe	WMIC.exe
PID 796 wrote to memory of 4320	796	E9E8.exe	E9E8.exe
PID 796 wrote to memory of 4320	796	E9E8.exe	E9E8.exe
PID 796 wrote to memory of 4320	796	E9E8.exe	E9E8.exe
PID 796 wrote to memory of 4320	796	E9E8.exe	E9E8.exe
PID 796 wrote to memory of 4320	796	E9E8.exe	E9E8.exe
PID 796 wrote to memory of 4320	796	E9E8.exe	E9E8.exe
PID 796 wrote to memory of 4320	796	E9E8.exe	E9E8.exe
PID 796 wrote to memory of 4320	796	E9E8.exe	E9E8.exe
PID 796 wrote to memory of 4320	796	E9E8.exe	E9E8.exe
PID 796 wrote to memory of 4320	796	E9E8.exe	E9E8.exe
PID 4320 wrote to memory of 3040	4320	E9E8.exe	build2.exe
PID 4320 wrote to memory of 3040	4320	E9E8.exe	build2.exe

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Users\Admin\AppData\Local\Temp\160c9eb3600d3bf9d2846a09a65218593c5d385b724da7cd44b23a1732157cda.exe
"C:\Users\Admin\AppData\Local\Temp\160c9eb3600d3bf9d2846a09a65218593c5d385b724da7cd44b23a1732157cda.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4928

C:\Users\Admin\AppData\Local\Temp\E9E8.exe
C:\Users\Admin\AppData\Local\Temp\E9E8.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2636

C:\Users\Admin\AppData\Local\Temp\E9E8.exe
C:\Users\Admin\AppData\Local\Temp\E9E8.exe
2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3480

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\a1149413-0a47-482c-a6ea-d82528ddf9eb" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:1908

C:\Users\Admin\AppData\Local\Temp\E9E8.exe
"C:\Users\Admin\AppData\Local\Temp\E9E8.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:796

C:\Users\Admin\AppData\Local\Temp\E9E8.exe
"C:\Users\Admin\AppData\Local\Temp\E9E8.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4320

C:\Users\Admin\AppData\Local\b719d7fd-1c2a-4830-a157-7d38e925b57f\build2.exe
"C:\Users\Admin\AppData\Local\b719d7fd-1c2a-4830-a157-7d38e925b57f\build2.exe"
5⤵
- Executes dropped EXE
PID:3040

C:\Users\Admin\AppData\Local\Temp\F032.exe
C:\Users\Admin\AppData\Local\Temp\F032.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 536
2⤵
- Program crash
PID:3520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 540
2⤵
- Program crash
PID:1016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 540
2⤵
- Program crash
PID:380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 676
2⤵
- Program crash
PID:2668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 760
2⤵
- Program crash
PID:1884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 860
2⤵
- Program crash
PID:1312

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 1304
2⤵
- Program crash
PID:3356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 1340
2⤵
- Program crash
PID:508

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
2⤵
- Suspicious use of WriteProcessMemory
PID:5000

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:728

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
2⤵
- Suspicious use of WriteProcessMemory
PID:4092

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
3⤵
PID:2136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 140
2⤵
- Program crash
PID:1996

C:\Users\Admin\AppData\Local\Temp\F256.exe
C:\Users\Admin\AppData\Local\Temp\F256.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3996

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\F574.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:3872

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\F574.dll
2⤵
- Loads dropped DLL
PID:4252

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:2348

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4800 -ip 4800
1⤵
PID:1068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4800 -ip 4800
1⤵
PID:1576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4800 -ip 4800
1⤵
PID:2564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4800 -ip 4800
1⤵
PID:4760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4800 -ip 4800
1⤵
PID:1412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4800 -ip 4800
1⤵
PID:2008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4800 -ip 4800
1⤵
PID:3308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4800 -ip 4800
1⤵
PID:3948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4800 -ip 4800
1⤵
PID:1472

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize
2KB

MD5
596d2fdcebb9285d08c83e8c66f21dc9

SHA1
d634a64d292467c4fe9f1b2b80ac3bf82a08d49f

SHA256
0231bc4602667ff24bfa1caab1d56c225a54031c452c9de84b810be18628a3e3

SHA512
fd0399c36455095561381c33ba0f6f98496dc2fd63792f148ec9dfbc06ed6ad24a6bf9aa7f559dba7f257ccd145ee8532418606c2eb282a42ca678de4231d818

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
1KB

MD5
b6f52795b677b4e2ad47736ffe3704a5

SHA1
945cb962aae5a0986c476650006227debf93b51c

SHA256
c8aff1f15506340e6abd76c8a8382e9caeba4fa8e8483254cf7ab9d22c2a57fe

SHA512
1e241b4c9bf53a97c980dd09bc73abcaf05ed8ccc641d5b0ad1eadc4502b4c1519b62d9c51f8e38c73898c2eca4a4a2e81777763731bf0f36dc5c04a30ae0450

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize
488B

MD5
92a86bd3ffd9fbb1663c56818ffd5495

SHA1
4a0da29ee9fd29d5db3011e3d86851c22480ea5b

SHA256
dec6e885be5f1530dd8df70698d4f96141f27d49c0757a91e490ad18f64e2898

SHA512
f76fd0c019bfb1e9034b133f08908bc534e8499df53f83b64ee4d710e82536db507db86b264b8acc3c2190473d8dc9ec638f90bb0966bca247b89e46955d308f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
482B

MD5
05797fbdcfeb816e423f716d187feb13

SHA1
becee715528610bd14714b44ca88112b928ac2ee

SHA256
7e03492f2e99f226f8aaba4379abedbf2854b5ad3c43864d89d49f8082e0865f

SHA512
73cd1994dbd6bd2c7a1049a9129bd5475aec27ed140487abd8fbb1b523d160fee07589751d4ba35065118addd5a31b79dddd4eba539ec0488b5754b21a9eca96

Download Submit
C:\Users\Admin\AppData\Local\Temp\E9E8.exe
Filesize
791KB

MD5
b8e31e6ad8d3e923f655411ee61abefb

SHA1
9c6aaff5306ba5f936e3ee02e312ae5ad31dd6b9

SHA256
8d8265d898414ce6bced72b8a8827df4f6cad737091e56e596157ce648cb30f7

SHA512
f148c0826dca4e4262dac718ba2191682f599e93968e0ff4e2b826c2adfaa25500e6feb88d6cb41d61aa115f352d783de5551f872a6547dca17694d096fa1cd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\E9E8.exe
Filesize
791KB

MD5
b8e31e6ad8d3e923f655411ee61abefb

SHA1
9c6aaff5306ba5f936e3ee02e312ae5ad31dd6b9

SHA256
8d8265d898414ce6bced72b8a8827df4f6cad737091e56e596157ce648cb30f7

SHA512
f148c0826dca4e4262dac718ba2191682f599e93968e0ff4e2b826c2adfaa25500e6feb88d6cb41d61aa115f352d783de5551f872a6547dca17694d096fa1cd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\E9E8.exe
Filesize
791KB

MD5
b8e31e6ad8d3e923f655411ee61abefb

SHA1
9c6aaff5306ba5f936e3ee02e312ae5ad31dd6b9

SHA256
8d8265d898414ce6bced72b8a8827df4f6cad737091e56e596157ce648cb30f7

SHA512
f148c0826dca4e4262dac718ba2191682f599e93968e0ff4e2b826c2adfaa25500e6feb88d6cb41d61aa115f352d783de5551f872a6547dca17694d096fa1cd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\E9E8.exe
Filesize
791KB

MD5
b8e31e6ad8d3e923f655411ee61abefb

SHA1
9c6aaff5306ba5f936e3ee02e312ae5ad31dd6b9

SHA256
8d8265d898414ce6bced72b8a8827df4f6cad737091e56e596157ce648cb30f7

SHA512
f148c0826dca4e4262dac718ba2191682f599e93968e0ff4e2b826c2adfaa25500e6feb88d6cb41d61aa115f352d783de5551f872a6547dca17694d096fa1cd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\E9E8.exe
Filesize
791KB

MD5
b8e31e6ad8d3e923f655411ee61abefb

SHA1
9c6aaff5306ba5f936e3ee02e312ae5ad31dd6b9

SHA256
8d8265d898414ce6bced72b8a8827df4f6cad737091e56e596157ce648cb30f7

SHA512
f148c0826dca4e4262dac718ba2191682f599e93968e0ff4e2b826c2adfaa25500e6feb88d6cb41d61aa115f352d783de5551f872a6547dca17694d096fa1cd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\F032.exe
Filesize
4.7MB

MD5
f82e733fd7852c5143178e0665cfe0e4

SHA1
d20a424dc1ae2bd6bd38a42b15b6c6805e54ce0f

SHA256
0660a4343785eb72d375da179986e06adbb452aff45268965e5159ce36ace2b7

SHA512
915120a9c164a189d3a83260731f0429571f74840a0b2e6470c424761f2309b6a2db80da26afd0fd091b6e055d376285dd0fa181fe93bc0bfa46cee82d3f5c70

Download Submit
C:\Users\Admin\AppData\Local\Temp\F032.exe
Filesize
4.7MB

MD5
f82e733fd7852c5143178e0665cfe0e4

SHA1
d20a424dc1ae2bd6bd38a42b15b6c6805e54ce0f

SHA256
0660a4343785eb72d375da179986e06adbb452aff45268965e5159ce36ace2b7

SHA512
915120a9c164a189d3a83260731f0429571f74840a0b2e6470c424761f2309b6a2db80da26afd0fd091b6e055d376285dd0fa181fe93bc0bfa46cee82d3f5c70

Download Submit
C:\Users\Admin\AppData\Local\Temp\F256.exe
Filesize
272KB

MD5
40a0a6c5e1e1740c65df2422bc8bfa68

SHA1
3df83e4ce8c6a63be7455e25dae444e28e6bdc4a

SHA256
bbc376e926f6d2218f5b0ec97c402c54f888dedf6fe438b6fddbd0358e69606f

SHA512
70c7e894aec4b8de391f6f7ac93ab841bdc735b69acf6b3ec8a34aacd6bf640803178c50a04d17050f0a94fdab4038953aa7522aa34e334e738a1cadea88e9b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\F256.exe
Filesize
272KB

MD5
40a0a6c5e1e1740c65df2422bc8bfa68

SHA1
3df83e4ce8c6a63be7455e25dae444e28e6bdc4a

SHA256
bbc376e926f6d2218f5b0ec97c402c54f888dedf6fe438b6fddbd0358e69606f

SHA512
70c7e894aec4b8de391f6f7ac93ab841bdc735b69acf6b3ec8a34aacd6bf640803178c50a04d17050f0a94fdab4038953aa7522aa34e334e738a1cadea88e9b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\F574.dll
Filesize
2.0MB

MD5
9d92c298bce081adbc27970066117179

SHA1
6edbb822af723e4dbe7905ef569d510d0baf4491

SHA256
7ea496fa0b759993e1dcb0a359a3cd94e07ee3782bf259ba50ea12a1abb16af3

SHA512
9f1fa84f683af8b98225c9ff0044c4d85dbab8a19b0ae402a4214fa1b98c101e076111f7fb87d0e76000c9f3ac18e986544d1cae0d4331521bfdf9b34bbf5c2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\F574.dll
Filesize
2.0MB

MD5
9d92c298bce081adbc27970066117179

SHA1
6edbb822af723e4dbe7905ef569d510d0baf4491

SHA256
7ea496fa0b759993e1dcb0a359a3cd94e07ee3782bf259ba50ea12a1abb16af3

SHA512
9f1fa84f683af8b98225c9ff0044c4d85dbab8a19b0ae402a4214fa1b98c101e076111f7fb87d0e76000c9f3ac18e986544d1cae0d4331521bfdf9b34bbf5c2e

Download Submit
C:\Users\Admin\AppData\Local\a1149413-0a47-482c-a6ea-d82528ddf9eb\E9E8.exe
Filesize
791KB

MD5
b8e31e6ad8d3e923f655411ee61abefb

SHA1
9c6aaff5306ba5f936e3ee02e312ae5ad31dd6b9

SHA256
8d8265d898414ce6bced72b8a8827df4f6cad737091e56e596157ce648cb30f7

SHA512
f148c0826dca4e4262dac718ba2191682f599e93968e0ff4e2b826c2adfaa25500e6feb88d6cb41d61aa115f352d783de5551f872a6547dca17694d096fa1cd2

Download Submit
C:\Users\Admin\AppData\Local\b719d7fd-1c2a-4830-a157-7d38e925b57f\build2.exe
Filesize
255KB

MD5
9c3d4324a153c6438f48083bc333a962

SHA1
033e80e2008f4f62d2716ce0473bb0d763d52277

SHA256
5ee57d85a41b825060864ae85981253f28148d15586a5f6274d562dfeae93e98

SHA512
8cce276e59b2fcdb333fecaaa1e3ab9d0b24e25c54a6fc959b6c190441061fab67ea0d35e7077cf910b557b6a60b90c1d2260352b11789bbcd430814fcff51cd

Download Submit
C:\Users\Admin\AppData\Local\b719d7fd-1c2a-4830-a157-7d38e925b57f\build2.exe
Filesize
255KB

MD5
9c3d4324a153c6438f48083bc333a962

SHA1
033e80e2008f4f62d2716ce0473bb0d763d52277

SHA256
5ee57d85a41b825060864ae85981253f28148d15586a5f6274d562dfeae93e98

SHA512
8cce276e59b2fcdb333fecaaa1e3ab9d0b24e25c54a6fc959b6c190441061fab67ea0d35e7077cf910b557b6a60b90c1d2260352b11789bbcd430814fcff51cd

Download Submit
memory/728-184-0x0000000000000000-mapping.dmp

Download
memory/796-178-0x0000000000000000-mapping.dmp

Download
memory/796-191-0x000000000211B000-0x00000000021AC000-memory.dmp

Filesize
580KB

Download
memory/1048-151-0x0000000000000000-mapping.dmp

Download
memory/1048-152-0x0000000000F10000-0x0000000000F1C000-memory.dmp

Filesize
48KB

Download
memory/1272-182-0x0000000000000000-mapping.dmp

Download
memory/1908-168-0x0000000000000000-mapping.dmp

Download
memory/2136-186-0x0000000000000000-mapping.dmp

Download
memory/2348-153-0x00000000012E0000-0x000000000134B000-memory.dmp

Filesize
428KB

Download
memory/2348-150-0x0000000001350000-0x00000000013C5000-memory.dmp

Filesize
468KB

Download
memory/2348-148-0x0000000000000000-mapping.dmp

Download
memory/2348-164-0x00000000012E0000-0x000000000134B000-memory.dmp

Filesize
428KB

Download
memory/2636-160-0x0000000002320000-0x000000000243B000-memory.dmp

Filesize
1.1MB

Download
memory/2636-158-0x000000000216D000-0x00000000021FE000-memory.dmp

Filesize
580KB

Download
memory/2636-136-0x0000000000000000-mapping.dmp

Download
memory/3040-199-0x0000000000000000-mapping.dmp

Download
memory/3480-163-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3480-159-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3480-170-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3480-154-0x0000000000000000-mapping.dmp

Download
memory/3480-155-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3480-157-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3480-181-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3872-145-0x0000000000000000-mapping.dmp

Download
memory/3996-166-0x0000000000560000-0x0000000000569000-memory.dmp

Filesize
36KB

Download
memory/3996-169-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/3996-165-0x00000000005AF000-0x00000000005C0000-memory.dmp

Filesize
68KB

Download
memory/3996-142-0x0000000000000000-mapping.dmp

Download
memory/3996-167-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/4092-185-0x0000000000000000-mapping.dmp

Download
memory/4252-147-0x0000000000000000-mapping.dmp

Download
memory/4252-179-0x0000000002D00000-0x0000000002E2D000-memory.dmp

Filesize
1.2MB

Download
memory/4252-162-0x0000000002D00000-0x0000000002E2D000-memory.dmp

Filesize
1.2MB

Download
memory/4252-161-0x0000000002A60000-0x0000000002BCE000-memory.dmp

Filesize
1.4MB

Download
memory/4252-175-0x0000000002F20000-0x0000000002FCC000-memory.dmp

Filesize
688KB

Download
memory/4252-174-0x0000000002E40000-0x0000000002F02000-memory.dmp

Filesize
776KB

Download
memory/4320-197-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4320-187-0x0000000000000000-mapping.dmp

Download
memory/4320-190-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4320-192-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4800-172-0x0000000002F70000-0x00000000033B7000-memory.dmp

Filesize
4.3MB

Download
memory/4800-173-0x0000000000400000-0x00000000008AE000-memory.dmp

Filesize
4.7MB

Download
memory/4800-139-0x0000000000000000-mapping.dmp

Download
memory/4800-198-0x0000000000400000-0x00000000008AE000-memory.dmp

Filesize
4.7MB

Download
memory/4928-132-0x00000000006DF000-0x00000000006F0000-memory.dmp

Filesize
68KB

Download
memory/4928-135-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/4928-134-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/4928-133-0x0000000000590000-0x0000000000599000-memory.dmp

Filesize
36KB

Download
memory/5000-183-0x0000000000000000-mapping.dmp

Download