Analysis
  max time kernel: 108s
  max time network: 110s
  platform: windows7_x64
  resource: win7-20221111-en
  resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  submitted: 07/01/2023, 06:56
Static task: static1
Behavioral task: behavioral1
  Sample: b34a693e486f217e7c360c93172619fa.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: b34a693e486f217e7c360c93172619fa.exe
  Resource: win10v2004-20221111-en
General
  Target: b34a693e486f217e7c360c93172619fa.exe
  Size: 799KB
  MD5: b34a693e486f217e7c360c93172619fa
  SHA1: 227197f9958681327ab817e67f0a29e3e5d54c09
  SHA256: 8d826c169a854f9b36f0635e8e1a2f27989d4e35dcab2fafa9d0b82b7621149d
  SHA512: 57aa9c81f27a3fa66394e48cd2a08a64d5bfa9c719fc72146e50005d4d6f898d0827f5c8165b2fd2526a503d4fef410ac4cfa6da0d56080bf056fbb814ecbd7d
  SSDEEP: 24576:rwe7W12QK8nDGffydauOvcApIqYEU/E0i+sKS:rwFe8ifyQZ3U/RixX
Malware Config

Extracted: djvu
  http://spaceris.com/test1/get.php
  extension: .bpsm
  offline_id: pu5TgkFNAS5fWQ2rCzdamsmMrE5wSlTupdTI0pt1
  payload_url:
    http://uaery.top/dl/build2.exe
    http://spaceris.com/files/1/build3.exe
  ransomnote: ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-rmxjMZAZBJ Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0626JOsie

Extracted: vidar
  1.8
  19
  https://t.me/year2023start
  https://steamcommunity.com/profiles/76561199467421923
  profile_id: 19
Signatures

Detected Djvu ransomware 10 IoCs
  Resource                                                                    YARA rule
  behavioral1/memory/1172-55-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
  behavioral1/memory/1616-59-0x0000000004560000-0x000000000467B000-memory.dmp  family_djvu
  behavioral1/memory/1172-56-0x0000000000424141-mapping.dmp                    family_djvu
  behavioral1/memory/1172-61-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
  behavioral1/memory/1172-62-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
  behavioral1/memory/1172-66-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
  behavioral1/memory/1948-69-0x0000000000424141-mapping.dmp                    family_djvu
  behavioral1/memory/1948-73-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
  behavioral1/memory/1948-78-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
  behavioral1/memory/1948-99-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu

Djvu Ransomware
  Ransomware which is a variant of the STOP family.
Downloads MZ/PE file

Executes dropped EXE 4 IoCs
  PID   Process
  1624  build2.exe
  1728  build3.exe
  1788  build2.exe
  540   mstsca.exe

Loads dropped DLL 4 IoCs
  PID   Process
  1948  b34a693e486f217e7c360c93172619fa.exe
  1948  b34a693e486f217e7c360c93172619fa.exe
  1948  b34a693e486f217e7c360c93172619fa.exe
  1948  b34a693e486f217e7c360c93172619fa.exe

Modifies file permissions 1 TTPs 1 IoCs
  PID   Process
  396   icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs
  Description       IoC                                                                                                                                                 Process
  Set value (str)   \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\c6cae283-403b-4854-a999-8a5e0031062b\\b34a693e486f217e7c360c93172619fa.exe\" --AutoStart"   b34a693e486f217e7c360c93172619fa.exe

Looks up external IP address via web service 3 IoCs
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flow  IoC
  3     api.2ip.ua
  4     api.2ip.ua
  15    api.2ip.ua

Suspicious use of SetThreadContext 3 IoCs
  Description                          PID   Process                                procid_target
  PID 1616 set thread context of 1172  1616  b34a693e486f217e7c360c93172619fa.exe   28
  PID 1448 set thread context of 1948  1448  b34a693e486f217e7c360c93172619fa.exe   33
  PID 1624 set thread context of 1788  1624  build2.exe                             39

Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) 1 TTPs 2 IoCs
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID   Process
  1844  schtasks.exe
  2016  schtasks.exe
Modifies system certificate store
  Description        IoC                                                                                                                           Process
  Key created        \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349          b34a693e486f217e7c360c93172619fa.exe
  Set value (data)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (hex-encoded certificate blob omitted)   b34a693e486f217e7c360c93172619fa.exe
  Set value (data)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (hex-encoded certificate blob omitted)   b34a693e486f217e7c360c93172619fa.exe
  Key created        \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349          b34a693e486f217e7c360c93172619fa.exe
  Set value (data)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (hex-encoded certificate blob omitted)   b34a693e486f217e7c360c93172619fa.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
  PID   Process
  1172  b34a693e486f217e7c360c93172619fa.exe
  1172  b34a693e486f217e7c360c93172619fa.exe
  1948  b34a693e486f217e7c360c93172619fa.exe
  1948  b34a693e486f217e7c360c93172619fa.exe

Suspicious use of WriteProcessMemory 60 IoCs
  Identical rows are collapsed; the last column gives how many times each write was recorded.
  Description                       PID   Process                                procid_target  Occurrences
  PID 1616 wrote to memory of 1172  1616  b34a693e486f217e7c360c93172619fa.exe   28             11
  PID 1172 wrote to memory of 396   1172  b34a693e486f217e7c360c93172619fa.exe   31             4
  PID 1172 wrote to memory of 1448  1172  b34a693e486f217e7c360c93172619fa.exe   32             4
  PID 1448 wrote to memory of 1948  1448  b34a693e486f217e7c360c93172619fa.exe   33             11
  PID 1948 wrote to memory of 1624  1948  b34a693e486f217e7c360c93172619fa.exe   34             4
  PID 1948 wrote to memory of 1728  1948  b34a693e486f217e7c360c93172619fa.exe   35             4
  PID 1728 wrote to memory of 2016  1728  build3.exe                             37             4
  PID 1624 wrote to memory of 1788  1624  build2.exe                             39             10
  PID 1532 wrote to memory of 540   1532  taskeng.exe                            41             4
  PID 540 wrote to memory of 1844   540   mstsca.exe                             42             4
Processes
(Indentation shows the parent/child relationship in the process tree.)

C:\Users\Admin\AppData\Local\Temp\b34a693e486f217e7c360c93172619fa.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b34a693e486f217e7c360c93172619fa.exe"
  PID: 1616
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\b34a693e486f217e7c360c93172619fa.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\b34a693e486f217e7c360c93172619fa.exe"
    PID: 1172
    - Adds Run key to start application
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\icacls.exe
      Command line: icacls "C:\Users\Admin\AppData\Local\c6cae283-403b-4854-a999-8a5e0031062b" /deny *S-1-1-0:(OI)(CI)(DE,DC)
      PID: 396
      - Modifies file permissions

    C:\Users\Admin\AppData\Local\Temp\b34a693e486f217e7c360c93172619fa.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\b34a693e486f217e7c360c93172619fa.exe" --Admin IsNotAutoStart IsNotTask
      PID: 1448
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\b34a693e486f217e7c360c93172619fa.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\b34a693e486f217e7c360c93172619fa.exe" --Admin IsNotAutoStart IsNotTask
        PID: 1948
        - Loads dropped DLL
        - Modifies system certificate store
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\c9c9f926-6786-4402-b1a5-e9b8d7264e71\build2.exe
          Command line: "C:\Users\Admin\AppData\Local\c9c9f926-6786-4402-b1a5-e9b8d7264e71\build2.exe"
          PID: 1624
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory

          C:\Users\Admin\AppData\Local\c9c9f926-6786-4402-b1a5-e9b8d7264e71\build2.exe
            Command line: "C:\Users\Admin\AppData\Local\c9c9f926-6786-4402-b1a5-e9b8d7264e71\build2.exe"
            PID: 1788
            - Executes dropped EXE

        C:\Users\Admin\AppData\Local\c9c9f926-6786-4402-b1a5-e9b8d7264e71\build3.exe
          Command line: "C:\Users\Admin\AppData\Local\c9c9f926-6786-4402-b1a5-e9b8d7264e71\build3.exe"
          PID: 1728
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory

          C:\Windows\SysWOW64\schtasks.exe
            Command line: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
            PID: 2016
            - Creates scheduled task(s)

C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {DCF8BBF9-2D23-476A-A021-0F26E69A9DFF} S-1-5-21-3406023954-474543476-3319432036-1000:VUIIVLGQ\Admin:Interactive:[1]
  PID: 1532
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    PID: 540
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe
      Command line: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
      PID: 1844
      - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
  Filesize: 2KB
  MD5: 411cd537dcecbf901759b8e6c1bdb076
  SHA1: 655df9870867a1760ad1a2c967b330c61767437a
  SHA256: aa9e441c6cf813efd9ba76fe4ae52d884a5c7d222ed221903c42f09bc14eb7db
  SHA512: ea780f875c86f8694f67d236a0af066b952862356edb681375e6c387103a91ce085345359f8fe83dd630d310ee6b7637512e5868951c4c257daa411ab9c03e71

(no path recorded)
  Filesize: 61KB
  MD5: fc4666cbca561e864e7fdf883a9e6661
  SHA1: 2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5
  SHA256: 10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b
  SHA512: c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
  Filesize: 488B
  MD5: e75519e043aa5e4c2314799b806765e9
  SHA1: fcb8417454e559678ac89b040bc37432224718a0
  SHA256: 71b42f9f1ea06c34aeca6c34b73d1fb01ec2c11f4383cd15d4e012ae42d723f6
  SHA512: 57f6c5710a1a7db40f7bf35a462307ee59110c20d1642fdc717a44b637f9f864bcbd64ddde99f71c9e7f69cf24e49f35ad50114d57be340a720c05a5d4be1071

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 3e25c17466001d44ab9ed0dd05c959cd
  SHA1: da7fb75abfdc790a7c0582725c7527928371012e
  SHA256: 9098b645a4db5ee3f31ab95ab6b1570b74a1ecca73458ac030bee69f7319a649
  SHA512: 2588c33b59c20323a08d8d2295f9ab86a41a6bc28cc43708f993b2d20b5e9c98e1dc9bbc3ad1fabacbae34ae94b8caec119352890e6a5d8626944c78189a0d08

C:\Users\Admin\AppData\Local\c6cae283-403b-4854-a999-8a5e0031062b\b34a693e486f217e7c360c93172619fa.exe
  Filesize: 799KB
  MD5: b34a693e486f217e7c360c93172619fa
  SHA1: 227197f9958681327ab817e67f0a29e3e5d54c09
  SHA256: 8d826c169a854f9b36f0635e8e1a2f27989d4e35dcab2fafa9d0b82b7621149d
  SHA512: 57aa9c81f27a3fa66394e48cd2a08a64d5bfa9c719fc72146e50005d4d6f898d0827f5c8165b2fd2526a503d4fef410ac4cfa6da0d56080bf056fbb814ecbd7d

(no path recorded; 5 identical entries in the report)
  Filesize: 429KB
  MD5: 8c14bb1505244971374a88f37a4ec22a
  SHA1: cebd478fd7ca3956c983fb3e33e2cbb7c54fa4d0
  SHA256: f333289bf29805ee697908ecb974aeb81206b471252ec2e51f382d53ac35d962
  SHA512: 5e08686f2cbc783716442004d39ee11a4fabec7aaa92f33f758df7861ed0730c211551ecb85dd9dc93c2b83983fc4df08bcfeeb38c9e51bd3dcd138b10cf103e

(no path recorded; 6 identical entries in the report)
  Filesize: 9KB
  MD5: 9ead10c08e72ae41921191f8db39bc16
  SHA1: abe3bce01cd34afc88e2c838173f8c2bd0090ae1
  SHA256: 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
  SHA512: aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a