djvu | 028153fef7ccf21d605cf20d1600663273faf17fc0aa6efe4d5af209f5798073

Analysis

max time kernel
25s
max time network
28s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
17-10-2022 21:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

028153fef7ccf21d605cf20d1600663273faf17fc0aa6efe4d5af209f5798073.exe
Size

751KB
MD5

73e20711117eed146f782623fa6aa1fa
SHA1

b5a09b2c7f7a079e937c2ffe73ba6fdd3a976954
SHA256

028153fef7ccf21d605cf20d1600663273faf17fc0aa6efe4d5af209f5798073
SHA512

ad28e55abc7861e3b05a185f75cad860b693427a0ac538705140fc84d938488d5d28c89c9abd8db2a47e690ebd7811cac8498a8782ef14053ef6de61cc75591c
SSDEEP

12288:LPbCJWh0VI/pRFHQszZULB6JThypEiFPyxRerKjI57io+z0RAuR9gP3R8Idfb2ce:LPWJ+j/HZWoVhsPyxlINNoHuLg/dbVvW

Score

10^/10

djvu discovery persistence ransomware

Malware Config

Extracted

Family

djvu

http://winnlinne.com/test1/get.php

Attributes

extension
.pohj
offline_id
tHl9RvVtHhFQisMomKMdXzz2soNLhV0cuok85it1
payload_url
http://rgyui.top/dl/build2.exe

http://winnlinne.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-oTIha7SI4s Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0578Jhyjd

rsa_pubkey.plain

Signatures

Detected Djvu ransomware 9 IoCs

resource	yara_rule
behavioral1/memory/1048-56-0x0000000000424141-mapping.dmp	family_djvu
behavioral1/memory/1048-55-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2012-61-0x0000000001D50000-0x0000000001E6B000-memory.dmp	family_djvu
behavioral1/memory/1048-60-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1048-62-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1048-67-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1468-69-0x0000000000424141-mapping.dmp	family_djvu
behavioral1/memory/1468-73-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1468-78-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
996	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\767a362e-f4b4-4219-8064-86e6a0da32b5\\028153fef7ccf21d605cf20d1600663273faf17fc0aa6efe4d5af209f5798073.exe\" --AutoStart"	028153fef7ccf21d605cf20d1600663273faf17fc0aa6efe4d5af209f5798073.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	api.2ip.ua
4	api.2ip.ua
12	api.2ip.ua

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2012 set thread context of 1048	2012	028153fef7ccf21d605cf20d1600663273faf17fc0aa6efe4d5af209f5798073.exe	27
PID 1072 set thread context of 1468	1072	028153fef7ccf21d605cf20d1600663273faf17fc0aa6efe4d5af209f5798073.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	028153fef7ccf21d605cf20d1600663273faf17fc0aa6efe4d5af209f5798073.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	028153fef7ccf21d605cf20d1600663273faf17fc0aa6efe4d5af209f5798073.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	028153fef7ccf21d605cf20d1600663273faf17fc0aa6efe4d5af209f5798073.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	028153fef7ccf21d605cf20d1600663273faf17fc0aa6efe4d5af209f5798073.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	028153fef7ccf21d605cf20d1600663273faf17fc0aa6efe4d5af209f5798073.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1048	028153fef7ccf21d605cf20d1600663273faf17fc0aa6efe4d5af209f5798073.exe
1048	028153fef7ccf21d605cf20d1600663273faf17fc0aa6efe4d5af209f5798073.exe
1468	028153fef7ccf21d605cf20d1600663273faf17fc0aa6efe4d5af209f5798073.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 1048	2012	028153fef7ccf21d605cf20d1600663273faf17fc0aa6efe4d5af209f5798073.exe	27
PID 2012 wrote to memory of 1048	2012	028153fef7ccf21d605cf20d1600663273faf17fc0aa6efe4d5af209f5798073.exe	27
PID 2012 wrote to memory of 1048	2012	028153fef7ccf21d605cf20d1600663273faf17fc0aa6efe4d5af209f5798073.exe	27
PID 2012 wrote to memory of 1048	2012	028153fef7ccf21d605cf20d1600663273faf17fc0aa6efe4d5af209f5798073.exe	27
PID 2012 wrote to memory of 1048	2012	028153fef7ccf21d605cf20d1600663273faf17fc0aa6efe4d5af209f5798073.exe	27
PID 2012 wrote to memory of 1048	2012	028153fef7ccf21d605cf20d1600663273faf17fc0aa6efe4d5af209f5798073.exe	27
PID 2012 wrote to memory of 1048	2012	028153fef7ccf21d605cf20d1600663273faf17fc0aa6efe4d5af209f5798073.exe	27
PID 2012 wrote to memory of 1048	2012	028153fef7ccf21d605cf20d1600663273faf17fc0aa6efe4d5af209f5798073.exe	27
PID 2012 wrote to memory of 1048	2012	028153fef7ccf21d605cf20d1600663273faf17fc0aa6efe4d5af209f5798073.exe	27
PID 2012 wrote to memory of 1048	2012	028153fef7ccf21d605cf20d1600663273faf17fc0aa6efe4d5af209f5798073.exe	27
PID 2012 wrote to memory of 1048	2012	028153fef7ccf21d605cf20d1600663273faf17fc0aa6efe4d5af209f5798073.exe	27
PID 1048 wrote to memory of 996	1048	028153fef7ccf21d605cf20d1600663273faf17fc0aa6efe4d5af209f5798073.exe	30
PID 1048 wrote to memory of 996	1048	028153fef7ccf21d605cf20d1600663273faf17fc0aa6efe4d5af209f5798073.exe	30
PID 1048 wrote to memory of 996	1048	028153fef7ccf21d605cf20d1600663273faf17fc0aa6efe4d5af209f5798073.exe	30
PID 1048 wrote to memory of 996	1048	028153fef7ccf21d605cf20d1600663273faf17fc0aa6efe4d5af209f5798073.exe	30
PID 1048 wrote to memory of 1072	1048	028153fef7ccf21d605cf20d1600663273faf17fc0aa6efe4d5af209f5798073.exe	31
PID 1048 wrote to memory of 1072	1048	028153fef7ccf21d605cf20d1600663273faf17fc0aa6efe4d5af209f5798073.exe	31
PID 1048 wrote to memory of 1072	1048	028153fef7ccf21d605cf20d1600663273faf17fc0aa6efe4d5af209f5798073.exe	31
PID 1048 wrote to memory of 1072	1048	028153fef7ccf21d605cf20d1600663273faf17fc0aa6efe4d5af209f5798073.exe	31
PID 1072 wrote to memory of 1468	1072	028153fef7ccf21d605cf20d1600663273faf17fc0aa6efe4d5af209f5798073.exe	32
PID 1072 wrote to memory of 1468	1072	028153fef7ccf21d605cf20d1600663273faf17fc0aa6efe4d5af209f5798073.exe	32
PID 1072 wrote to memory of 1468	1072	028153fef7ccf21d605cf20d1600663273faf17fc0aa6efe4d5af209f5798073.exe	32
PID 1072 wrote to memory of 1468	1072	028153fef7ccf21d605cf20d1600663273faf17fc0aa6efe4d5af209f5798073.exe	32
PID 1072 wrote to memory of 1468	1072	028153fef7ccf21d605cf20d1600663273faf17fc0aa6efe4d5af209f5798073.exe	32
PID 1072 wrote to memory of 1468	1072	028153fef7ccf21d605cf20d1600663273faf17fc0aa6efe4d5af209f5798073.exe	32
PID 1072 wrote to memory of 1468	1072	028153fef7ccf21d605cf20d1600663273faf17fc0aa6efe4d5af209f5798073.exe	32
PID 1072 wrote to memory of 1468	1072	028153fef7ccf21d605cf20d1600663273faf17fc0aa6efe4d5af209f5798073.exe	32
PID 1072 wrote to memory of 1468	1072	028153fef7ccf21d605cf20d1600663273faf17fc0aa6efe4d5af209f5798073.exe	32
PID 1072 wrote to memory of 1468	1072	028153fef7ccf21d605cf20d1600663273faf17fc0aa6efe4d5af209f5798073.exe	32
PID 1072 wrote to memory of 1468	1072	028153fef7ccf21d605cf20d1600663273faf17fc0aa6efe4d5af209f5798073.exe	32

C:\Users\Admin\AppData\Local\Temp\028153fef7ccf21d605cf20d1600663273faf17fc0aa6efe4d5af209f5798073.exe
"C:\Users\Admin\AppData\Local\Temp\028153fef7ccf21d605cf20d1600663273faf17fc0aa6efe4d5af209f5798073.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Users\Admin\AppData\Local\Temp\028153fef7ccf21d605cf20d1600663273faf17fc0aa6efe4d5af209f5798073.exe
  "C:\Users\Admin\AppData\Local\Temp\028153fef7ccf21d605cf20d1600663273faf17fc0aa6efe4d5af209f5798073.exe"
  2⤵
  - Adds Run key to start application
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1048
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\767a362e-f4b4-4219-8064-86e6a0da32b5" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:996
- - C:\Users\Admin\AppData\Local\Temp\028153fef7ccf21d605cf20d1600663273faf17fc0aa6efe4d5af209f5798073.exe
    "C:\Users\Admin\AppData\Local\Temp\028153fef7ccf21d605cf20d1600663273faf17fc0aa6efe4d5af209f5798073.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1072
  - - C:\Users\Admin\AppData\Local\Temp\028153fef7ccf21d605cf20d1600663273faf17fc0aa6efe4d5af209f5798073.exe
      "C:\Users\Admin\AppData\Local\Temp\028153fef7ccf21d605cf20d1600663273faf17fc0aa6efe4d5af209f5798073.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      PID:1468

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
2KB

MD5
006c98bc42ac1d15f0ec70e3488783c5

SHA1
a8c8302826468c903b511e206d6d058e2c3acdaa

SHA256
e24883740fbed2781e4df4e5387cd95c3345ec9944edeeb36babd2c10135fa00

SHA512
e0caea17f99a18483e0195c5311942c195ef42532f1868bfb5c64b3f6cb72cc0fc58414176a9bfc66452e11d17c2058eafb483a41890f502ec76dc3a6807f2f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
60KB

MD5
d15aaa7c9be910a9898260767e2490e1

SHA1
2090c53f8d9fc3fbdbafd3a1e4dc25520eb74388

SHA256
f8ebaaf487cba0c81a17c8cd680bdd2dd8e90d2114ecc54844cffc0cc647848e

SHA512
7e1c1a683914b961b5cc2fe5e4ae288b60bab43bfaa21ce4972772aa0589615c19f57e672e1d93e50a7ed7b76fbd2f1b421089dcaed277120b93f8e91b18af94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
97ab7ffd65186e85f453dc7c02637528

SHA1
f22312a6a44613be85c0370878456a965f869a40

SHA256
630df8e970cc3b1ad508db713dd8be52e0ac7a5826f3f264a266232f9a1c23ee

SHA512
37d90c98e72ad55b2cbb938541c81bac1aa9d2b8a7e19f0fbfaa365b49e7bef2d3199f03e46aa9fbf3055f3701d21860820c451065f7e425d39bf86ca606bfb0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
488B

MD5
80ecfc432246782430609c370b9611fc

SHA1
12f0b55f7f7a8219b4762f176c9eff1e0c578985

SHA256
01f466c2ffd07f0f252f19933b6a7e2d6eeecafb6dd281ded433af67763f9bf1

SHA512
b247258527d56d34b786113b85068fed86270f3eef839b8ddee04929b59daeb96950a92f085642cab6a8a3fcedcc05e1ca3201b4d8f1008d48a30fd68ac7c706

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e5634e753e142788c38697ac80e40d87

SHA1
c3d76993ac3492faaa391c198948f59d14a168e3

SHA256
1b567f3139953efcfa65dc74a37c2860ab1700f6f3ee74bc0ad9a56d23e30899

SHA512
1398a3749704252e799c3b1576f22940ac2f87821149061e2a03f371fe20d39df997c7dd1dd0acfdfba5354880a06360a188b2f42352b2ed8e7c6029215d8f15

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
0cf43855a375d079ee5d3c34e4b18ac3

SHA1
34670eb27d65cd609478ddbf56b7470ca69df244

SHA256
7edafd668b6e36eb17d7f1cf89adb550dfd7b5edca58b9b537a7c1d11932d601

SHA512
dc7a7fd7b3c68cfd9e65ae48e7146eaa274a911ede7c14c5e6928353823b6162844ea83b8ac41c467b3f6fa33ea0750f83afa6a067f0cda90ab1bc89d014fc95

Download Submit
C:\Users\Admin\AppData\Local\767a362e-f4b4-4219-8064-86e6a0da32b5\028153fef7ccf21d605cf20d1600663273faf17fc0aa6efe4d5af209f5798073.exe

Filesize
751KB

MD5
73e20711117eed146f782623fa6aa1fa

SHA1
b5a09b2c7f7a079e937c2ffe73ba6fdd3a976954

SHA256
028153fef7ccf21d605cf20d1600663273faf17fc0aa6efe4d5af209f5798073

SHA512
ad28e55abc7861e3b05a185f75cad860b693427a0ac538705140fc84d938488d5d28c89c9abd8db2a47e690ebd7811cac8498a8782ef14053ef6de61cc75591c

Download Submit
memory/996-63-0x0000000000000000-mapping.dmp

Download
memory/1048-59-0x0000000074B51000-0x0000000074B53000-memory.dmp

Filesize
8KB

Download
memory/1048-62-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1048-67-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1048-60-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1048-55-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1048-56-0x0000000000424141-mapping.dmp

Download
memory/1072-65-0x0000000000000000-mapping.dmp

Download
memory/1072-66-0x00000000002C0000-0x0000000000351000-memory.dmp

Filesize
580KB

Download
memory/1072-70-0x00000000002C0000-0x0000000000351000-memory.dmp

Filesize
580KB

Download
memory/1468-73-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1468-78-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1468-69-0x0000000000424141-mapping.dmp

Download
memory/2012-54-0x00000000004D0000-0x0000000000561000-memory.dmp

Filesize
580KB

Download
memory/2012-61-0x0000000001D50000-0x0000000001E6B000-memory.dmp

Filesize
1.1MB

Download
memory/2012-58-0x00000000004D0000-0x0000000000561000-memory.dmp

Filesize
580KB

Download