djvu | c041c2a6e4803095086cc704bb84f9c7b377c6c4720bc45f76fc93fb53beb1fd

Analysis

max time kernel
147s
max time network
140s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
07-06-2023 01:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

750KB
MD5

03483bad9b960538fe39ff5aab1a907a
SHA1

444d08535d4d700a4259f27a056275d5b0a4610d
SHA256

c041c2a6e4803095086cc704bb84f9c7b377c6c4720bc45f76fc93fb53beb1fd
SHA512

91474555982ac716f407367b5f91e3544a1a877c1f436c1fbeeb24e1fbb5d822588b9d2da767d0179a180313469051cb8cd8169c9df44a0645084cffdc6a2774
SSDEEP

12288:T5fbu5mbzSITzDOR3TgKOl1XHcaeS+lQS4qEuqLMUmLjpLfP+b0:T5fdnSWOXcHBeS+W/qEdMUmRL3+

Score

10^/10

djvu discovery persistence ransomware

Malware Config

Extracted

Family

djvu

http://zexeq.com/test1/get.php

Attributes

extension
.nerz
offline_id
0vTA6MA1m5nzrdffOCJC7YmAa4Lp6YNN8lOJ4mt1
payload_url
http://colisumy.com/dl/build2.exe
http://zexeq.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-vc50LyB2yb Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@freshmail.top Reserve e-mail address to contact us: datarestorehelp@airmail.cc Your personal ID: 0722JOsie

rsa_pubkey.plain

Signatures

Detected Djvu ransomware 14 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1996-56-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2012-58-0x0000000004650000-0x000000000476B000-memory.dmp	family_djvu
behavioral1/memory/1996-59-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1996-60-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1996-97-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/896-104-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/896-118-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/896-119-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/896-120-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/896-124-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/896-126-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/896-127-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/896-128-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/896-141-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

build3.exemstsca.exe

pid process

1492 build3.exe
908 mstsca.exe
Loads dropped DLL 2 IoCs

Processes:

file.exe

pid process

896 file.exe
896 file.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

1660 icacls.exe

pid	process
1492	build3.exe
908	mstsca.exe

pid	process
896	file.exe
896	file.exe

pid	process
1660	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

file.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\421df4fd-0002-40b2-8e74-a8487cf481bb\\file.exe\" --AutoStart"	file.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 api.2ip.ua
4 api.2ip.ua
12 api.2ip.ua
Suspicious use of SetThreadContext 2 IoCs

Processes:

file.exefile.exe

description pid process target process

PID 2012 set thread context of 1996 2012 file.exe file.exe
PID 844 set thread context of 896 844 file.exe file.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1012 schtasks.exe
1900 schtasks.exe

flow	ioc
3	api.2ip.ua
4	api.2ip.ua
12	api.2ip.ua

description	pid	process	target process
PID 2012 set thread context of 1996	2012	file.exe	file.exe
PID 844 set thread context of 896	844	file.exe	file.exe

pid	process
1012	schtasks.exe
1900	schtasks.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

file.exefile.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	file.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	file.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	file.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	file.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	file.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

file.exefile.exe

pid process

1996 file.exe
1996 file.exe
896 file.exe
896 file.exe

pid	process
1996	file.exe
1996	file.exe
896	file.exe
896	file.exe

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

file.exefile.exefile.exefile.exebuild3.exetaskeng.exemstsca.exe

description	pid	process	target process
PID 2012 wrote to memory of 1996	2012	file.exe	file.exe
PID 2012 wrote to memory of 1996	2012	file.exe	file.exe
PID 2012 wrote to memory of 1996	2012	file.exe	file.exe
PID 2012 wrote to memory of 1996	2012	file.exe	file.exe
PID 2012 wrote to memory of 1996	2012	file.exe	file.exe
PID 2012 wrote to memory of 1996	2012	file.exe	file.exe
PID 2012 wrote to memory of 1996	2012	file.exe	file.exe
PID 2012 wrote to memory of 1996	2012	file.exe	file.exe
PID 2012 wrote to memory of 1996	2012	file.exe	file.exe
PID 2012 wrote to memory of 1996	2012	file.exe	file.exe
PID 2012 wrote to memory of 1996	2012	file.exe	file.exe
PID 1996 wrote to memory of 1660	1996	file.exe	icacls.exe
PID 1996 wrote to memory of 1660	1996	file.exe	icacls.exe
PID 1996 wrote to memory of 1660	1996	file.exe	icacls.exe
PID 1996 wrote to memory of 1660	1996	file.exe	icacls.exe
PID 1996 wrote to memory of 844	1996	file.exe	file.exe
PID 1996 wrote to memory of 844	1996	file.exe	file.exe
PID 1996 wrote to memory of 844	1996	file.exe	file.exe
PID 1996 wrote to memory of 844	1996	file.exe	file.exe
PID 844 wrote to memory of 896	844	file.exe	file.exe
PID 844 wrote to memory of 896	844	file.exe	file.exe
PID 844 wrote to memory of 896	844	file.exe	file.exe
PID 844 wrote to memory of 896	844	file.exe	file.exe
PID 844 wrote to memory of 896	844	file.exe	file.exe
PID 844 wrote to memory of 896	844	file.exe	file.exe
PID 844 wrote to memory of 896	844	file.exe	file.exe
PID 844 wrote to memory of 896	844	file.exe	file.exe
PID 844 wrote to memory of 896	844	file.exe	file.exe
PID 844 wrote to memory of 896	844	file.exe	file.exe
PID 844 wrote to memory of 896	844	file.exe	file.exe
PID 896 wrote to memory of 1492	896	file.exe	build3.exe
PID 896 wrote to memory of 1492	896	file.exe	build3.exe
PID 896 wrote to memory of 1492	896	file.exe	build3.exe
PID 896 wrote to memory of 1492	896	file.exe	build3.exe
PID 1492 wrote to memory of 1012	1492	build3.exe	schtasks.exe
PID 1492 wrote to memory of 1012	1492	build3.exe	schtasks.exe
PID 1492 wrote to memory of 1012	1492	build3.exe	schtasks.exe
PID 1492 wrote to memory of 1012	1492	build3.exe	schtasks.exe
PID 1976 wrote to memory of 908	1976	taskeng.exe	mstsca.exe
PID 1976 wrote to memory of 908	1976	taskeng.exe	mstsca.exe
PID 1976 wrote to memory of 908	1976	taskeng.exe	mstsca.exe
PID 1976 wrote to memory of 908	1976	taskeng.exe	mstsca.exe
PID 908 wrote to memory of 1900	908	mstsca.exe	schtasks.exe
PID 908 wrote to memory of 1900	908	mstsca.exe	schtasks.exe
PID 908 wrote to memory of 1900	908	mstsca.exe	schtasks.exe
PID 908 wrote to memory of 1900	908	mstsca.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2012

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
2⤵
- Adds Run key to start application
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\421df4fd-0002-40b2-8e74-a8487cf481bb" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:1660

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:844

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:896

C:\Users\Admin\AppData\Local\4027b610-ae0a-44a7-982d-a8c63fdf7ff2\build3.exe
"C:\Users\Admin\AppData\Local\4027b610-ae0a-44a7-982d-a8c63fdf7ff2\build3.exe"
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1492

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
6⤵
- Creates scheduled task(s)
PID:1012

C:\Windows\system32\taskeng.exe
taskeng.exe {4AC6AEC7-C256-43B8-863D-4811D1CD6D81} S-1-5-21-3499517378-2376672570-1134980332-1000:MLXLFKOI\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1976

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:908

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
3⤵
- Creates scheduled task(s)
PID:1900

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Permissions Modification

T1222

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize
2KB

MD5
72cce08db064d193dd1c8db96e30a0e7

SHA1
a76ef6bbfb2cadde26e7d713e9a71a8818d68991

SHA256
e904584bfbd2b92b1b9063f660abbe337c58e623ca78df5107f036d272d66c38

SHA512
e1d719a6a5d446c2b3348930cfcea61f85cff76adc38948dfb144aa7f95eac5453d7787706bca70ce75de931724cff7e6e146f9b662e34eb36d948995fbca1f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
1KB

MD5
e5ef4e3f5fd7934cb9c76b42b58ea45c

SHA1
c76f9fad9a12335d281771454f657036efc5881a

SHA256
3b247db7937565d22f6455fb744771e14de3380d133192e00a8f5fadf6492bdb

SHA512
1f18d5a9aead87cf00682a6fccdfc2896d29a92f808491fb0c1a97a86941734d9c6f1dee6786a9151eba488916d84c220c6ae78a93c1246301de73c2d034373f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize
488B

MD5
4cb0e8a1980000eb8424c7bc28eb31cb

SHA1
41dba8d473cae67e2d6d3c51c2b82024e63c5830

SHA256
56bc42cda75d4dc8b874dd975bb93c165ef4ec61a4726d3dee33f436a6111df0

SHA512
66c145a79487591145feda3c6d84d822bd0b262caa2d7709168bfaba4b6a44bbc2c5663a6843de5c374c9ee1be1cafa153590684a3e217d471b3905f80210b99

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
4b4b5ea0bde05666e72c1be0d27bae15

SHA1
9d18c3276cba60b45522e789a28fa8af0510fbca

SHA256
7fbfe505935f934849aef5554d750f6c749c70e634455a6244c927d039a47128

SHA512
18873d786eb2d76064cc0c53bc6f3a837bd6d94916fde84d7dc69fffd834769fc91f3229f6fd45cabc9b3c4c6ca1e1d9f3f82646db7c65e2bc31c71863336802

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
482B

MD5
9b56dfdeb67c4ff78d3d618b49328996

SHA1
971fbdf11f0ecfde4b41960b8cf36b46882eac99

SHA256
29ba7bc50f38d078b1ca81606d08ef8b2080e372264c4b174f7d4f706dc2d2d2

SHA512
837afaf522a5d4f2d09bf062f08194d626b4fca75dc5005c4455f67fb17cac1cb86c797064f6ab211014bfec0b5ae8b19fc79f15447e136ff746b9cc70c7e908

Download Submit
C:\Users\Admin\AppData\Local\4027b610-ae0a-44a7-982d-a8c63fdf7ff2\build3.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Local\4027b610-ae0a-44a7-982d-a8c63fdf7ff2\build3.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Local\4027b610-ae0a-44a7-982d-a8c63fdf7ff2\build3.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Local\421df4fd-0002-40b2-8e74-a8487cf481bb\file.exe
Filesize
750KB

MD5
03483bad9b960538fe39ff5aab1a907a

SHA1
444d08535d4d700a4259f27a056275d5b0a4610d

SHA256
c041c2a6e4803095086cc704bb84f9c7b377c6c4720bc45f76fc93fb53beb1fd

SHA512
91474555982ac716f407367b5f91e3544a1a877c1f436c1fbeeb24e1fbb5d822588b9d2da767d0179a180313469051cb8cd8169c9df44a0645084cffdc6a2774

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar43B6.tmp
Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
\Users\Admin\AppData\Local\4027b610-ae0a-44a7-982d-a8c63fdf7ff2\build3.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
\Users\Admin\AppData\Local\4027b610-ae0a-44a7-982d-a8c63fdf7ff2\build3.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
memory/844-98-0x00000000002B0000-0x0000000000342000-memory.dmp

Filesize
584KB

Download
memory/896-141-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/896-118-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/896-119-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/896-120-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/896-124-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/896-126-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/896-127-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/896-128-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/896-104-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1996-97-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1996-60-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1996-59-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1996-56-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1996-55-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2012-54-0x00000000002F0000-0x0000000000382000-memory.dmp

Filesize
584KB

Download
memory/2012-58-0x0000000004650000-0x000000000476B000-memory.dmp

Filesize
1.1MB

Download