djvu | 0345dce9200ed7695fd6d0f385663b5b72edacfcd7d7670a22fc4b4c6ac32d78

Analysis

max time kernel
295s
max time network
226s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24-12-2023 22:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0345dce9200ed7695fd6d0f385663b5b72edacfcd7d7670a22fc4b4c6ac32d78.exe
Size

890KB
MD5

a6918e36eed0c82c50e27957b85a0df1
SHA1

152c5b5eed5a80a80ec17390e5f7f866fdcfba6d
SHA256

0345dce9200ed7695fd6d0f385663b5b72edacfcd7d7670a22fc4b4c6ac32d78
SHA512

5eb7937b574bf29f26b706741b9bb6197537307552dffd720030ce66e541fd9b2b4b0d827b536e1caa7fdd3b670355bde81e34aa91308a97d9fb438bc0306e08
SSDEEP

24576:O7sVtaHKaAc0mW9Dn6IcUoY6QPHSvYcrpXGy+xVq7Dov:isVkHKaLGDnKUo9ky14E78v

Score

10^/10

djvu discovery persistence ransomware

Malware Config

Extracted

Family

djvu

http://zexeq.com/test1/get.php

Attributes

extension
.loqw
offline_id
NrqpaQRhQqq5l2tBPp1QS34I3ME2IKsAlZ0A9pt1
payload_url
http://brusuax.com/dl/build2.exe

http://zexeq.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-MhbiRFXgXD Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0838ASdw

rsa_pubkey.plain

Signatures

Detected Djvu ransomware 14 IoCs

resource	yara_rule
behavioral1/memory/2044-2-0x0000000001DF0000-0x0000000001F0B000-memory.dmp	family_djvu
behavioral1/memory/2848-5-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2848-7-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2848-8-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2848-28-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2208-37-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2208-38-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2208-53-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2208-54-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2208-58-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2208-60-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2208-61-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2208-62-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2208-224-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Downloads MZ/PE file

Executes dropped EXE 12 IoCs

pid	Process
1468	build2.exe
1860	build2.exe
2676	build3.exe
2684	build3.exe
1504	mstsca.exe
1508	mstsca.exe
2336	mstsca.exe
292	mstsca.exe
1952	mstsca.exe
1120	mstsca.exe
2352	mstsca.exe
2432	mstsca.exe

Loads dropped DLL 8 IoCs

pid	Process
2208	0345dce9200ed7695fd6d0f385663b5b72edacfcd7d7670a22fc4b4c6ac32d78.exe
2208	0345dce9200ed7695fd6d0f385663b5b72edacfcd7d7670a22fc4b4c6ac32d78.exe
1100	WerFault.exe
1100	WerFault.exe
1100	WerFault.exe
1100	WerFault.exe
2208	0345dce9200ed7695fd6d0f385663b5b72edacfcd7d7670a22fc4b4c6ac32d78.exe
2208	0345dce9200ed7695fd6d0f385663b5b72edacfcd7d7670a22fc4b4c6ac32d78.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2552	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\7de8fb50-4313-4c32-a4e7-cbbf9d49c476\\0345dce9200ed7695fd6d0f385663b5b72edacfcd7d7670a22fc4b4c6ac32d78.exe\" --AutoStart"	0345dce9200ed7695fd6d0f385663b5b72edacfcd7d7670a22fc4b4c6ac32d78.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	api.2ip.ua
5	api.2ip.ua
9	api.2ip.ua

Suspicious use of SetThreadContext 8 IoCs

description	pid	Process	procid_target
PID 2044 set thread context of 2848	2044	0345dce9200ed7695fd6d0f385663b5b72edacfcd7d7670a22fc4b4c6ac32d78.exe	28
PID 2580 set thread context of 2208	2580	0345dce9200ed7695fd6d0f385663b5b72edacfcd7d7670a22fc4b4c6ac32d78.exe	32
PID 1468 set thread context of 1860	1468	build2.exe	37
PID 2676 set thread context of 2684	2676	build3.exe	42
PID 1504 set thread context of 1508	1504	mstsca.exe	47
PID 2336 set thread context of 292	2336	mstsca.exe	51
PID 1952 set thread context of 1120	1952	mstsca.exe	53
PID 2352 set thread context of 2432	2352	mstsca.exe	55

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1100	1860	WerFault.exe	37

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2524	schtasks.exe
2884	schtasks.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	build2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	build2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	build2.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2848	0345dce9200ed7695fd6d0f385663b5b72edacfcd7d7670a22fc4b4c6ac32d78.exe
2848	0345dce9200ed7695fd6d0f385663b5b72edacfcd7d7670a22fc4b4c6ac32d78.exe
2208	0345dce9200ed7695fd6d0f385663b5b72edacfcd7d7670a22fc4b4c6ac32d78.exe
2208	0345dce9200ed7695fd6d0f385663b5b72edacfcd7d7670a22fc4b4c6ac32d78.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 2848	2044	0345dce9200ed7695fd6d0f385663b5b72edacfcd7d7670a22fc4b4c6ac32d78.exe	28
PID 2044 wrote to memory of 2848	2044	0345dce9200ed7695fd6d0f385663b5b72edacfcd7d7670a22fc4b4c6ac32d78.exe	28
PID 2044 wrote to memory of 2848	2044	0345dce9200ed7695fd6d0f385663b5b72edacfcd7d7670a22fc4b4c6ac32d78.exe	28
PID 2044 wrote to memory of 2848	2044	0345dce9200ed7695fd6d0f385663b5b72edacfcd7d7670a22fc4b4c6ac32d78.exe	28
PID 2044 wrote to memory of 2848	2044	0345dce9200ed7695fd6d0f385663b5b72edacfcd7d7670a22fc4b4c6ac32d78.exe	28
PID 2044 wrote to memory of 2848	2044	0345dce9200ed7695fd6d0f385663b5b72edacfcd7d7670a22fc4b4c6ac32d78.exe	28
PID 2044 wrote to memory of 2848	2044	0345dce9200ed7695fd6d0f385663b5b72edacfcd7d7670a22fc4b4c6ac32d78.exe	28
PID 2044 wrote to memory of 2848	2044	0345dce9200ed7695fd6d0f385663b5b72edacfcd7d7670a22fc4b4c6ac32d78.exe	28
PID 2044 wrote to memory of 2848	2044	0345dce9200ed7695fd6d0f385663b5b72edacfcd7d7670a22fc4b4c6ac32d78.exe	28
PID 2044 wrote to memory of 2848	2044	0345dce9200ed7695fd6d0f385663b5b72edacfcd7d7670a22fc4b4c6ac32d78.exe	28
PID 2044 wrote to memory of 2848	2044	0345dce9200ed7695fd6d0f385663b5b72edacfcd7d7670a22fc4b4c6ac32d78.exe	28
PID 2848 wrote to memory of 2552	2848	0345dce9200ed7695fd6d0f385663b5b72edacfcd7d7670a22fc4b4c6ac32d78.exe	30
PID 2848 wrote to memory of 2552	2848	0345dce9200ed7695fd6d0f385663b5b72edacfcd7d7670a22fc4b4c6ac32d78.exe	30
PID 2848 wrote to memory of 2552	2848	0345dce9200ed7695fd6d0f385663b5b72edacfcd7d7670a22fc4b4c6ac32d78.exe	30
PID 2848 wrote to memory of 2552	2848	0345dce9200ed7695fd6d0f385663b5b72edacfcd7d7670a22fc4b4c6ac32d78.exe	30
PID 2848 wrote to memory of 2580	2848	0345dce9200ed7695fd6d0f385663b5b72edacfcd7d7670a22fc4b4c6ac32d78.exe	31
PID 2848 wrote to memory of 2580	2848	0345dce9200ed7695fd6d0f385663b5b72edacfcd7d7670a22fc4b4c6ac32d78.exe	31
PID 2848 wrote to memory of 2580	2848	0345dce9200ed7695fd6d0f385663b5b72edacfcd7d7670a22fc4b4c6ac32d78.exe	31
PID 2848 wrote to memory of 2580	2848	0345dce9200ed7695fd6d0f385663b5b72edacfcd7d7670a22fc4b4c6ac32d78.exe	31
PID 2580 wrote to memory of 2208	2580	0345dce9200ed7695fd6d0f385663b5b72edacfcd7d7670a22fc4b4c6ac32d78.exe	32
PID 2580 wrote to memory of 2208	2580	0345dce9200ed7695fd6d0f385663b5b72edacfcd7d7670a22fc4b4c6ac32d78.exe	32
PID 2580 wrote to memory of 2208	2580	0345dce9200ed7695fd6d0f385663b5b72edacfcd7d7670a22fc4b4c6ac32d78.exe	32
PID 2580 wrote to memory of 2208	2580	0345dce9200ed7695fd6d0f385663b5b72edacfcd7d7670a22fc4b4c6ac32d78.exe	32
PID 2580 wrote to memory of 2208	2580	0345dce9200ed7695fd6d0f385663b5b72edacfcd7d7670a22fc4b4c6ac32d78.exe	32
PID 2580 wrote to memory of 2208	2580	0345dce9200ed7695fd6d0f385663b5b72edacfcd7d7670a22fc4b4c6ac32d78.exe	32
PID 2580 wrote to memory of 2208	2580	0345dce9200ed7695fd6d0f385663b5b72edacfcd7d7670a22fc4b4c6ac32d78.exe	32
PID 2580 wrote to memory of 2208	2580	0345dce9200ed7695fd6d0f385663b5b72edacfcd7d7670a22fc4b4c6ac32d78.exe	32
PID 2580 wrote to memory of 2208	2580	0345dce9200ed7695fd6d0f385663b5b72edacfcd7d7670a22fc4b4c6ac32d78.exe	32
PID 2580 wrote to memory of 2208	2580	0345dce9200ed7695fd6d0f385663b5b72edacfcd7d7670a22fc4b4c6ac32d78.exe	32
PID 2580 wrote to memory of 2208	2580	0345dce9200ed7695fd6d0f385663b5b72edacfcd7d7670a22fc4b4c6ac32d78.exe	32
PID 2208 wrote to memory of 1468	2208	0345dce9200ed7695fd6d0f385663b5b72edacfcd7d7670a22fc4b4c6ac32d78.exe	36
PID 2208 wrote to memory of 1468	2208	0345dce9200ed7695fd6d0f385663b5b72edacfcd7d7670a22fc4b4c6ac32d78.exe	36
PID 2208 wrote to memory of 1468	2208	0345dce9200ed7695fd6d0f385663b5b72edacfcd7d7670a22fc4b4c6ac32d78.exe	36
PID 2208 wrote to memory of 1468	2208	0345dce9200ed7695fd6d0f385663b5b72edacfcd7d7670a22fc4b4c6ac32d78.exe	36
PID 1468 wrote to memory of 1860	1468	build2.exe	37
PID 1468 wrote to memory of 1860	1468	build2.exe	37
PID 1468 wrote to memory of 1860	1468	build2.exe	37
PID 1468 wrote to memory of 1860	1468	build2.exe	37
PID 1468 wrote to memory of 1860	1468	build2.exe	37
PID 1468 wrote to memory of 1860	1468	build2.exe	37
PID 1468 wrote to memory of 1860	1468	build2.exe	37
PID 1468 wrote to memory of 1860	1468	build2.exe	37
PID 1468 wrote to memory of 1860	1468	build2.exe	37
PID 1468 wrote to memory of 1860	1468	build2.exe	37
PID 1860 wrote to memory of 1100	1860	build2.exe	40
PID 1860 wrote to memory of 1100	1860	build2.exe	40
PID 1860 wrote to memory of 1100	1860	build2.exe	40
PID 1860 wrote to memory of 1100	1860	build2.exe	40
PID 2208 wrote to memory of 2676	2208	0345dce9200ed7695fd6d0f385663b5b72edacfcd7d7670a22fc4b4c6ac32d78.exe	41
PID 2208 wrote to memory of 2676	2208	0345dce9200ed7695fd6d0f385663b5b72edacfcd7d7670a22fc4b4c6ac32d78.exe	41
PID 2208 wrote to memory of 2676	2208	0345dce9200ed7695fd6d0f385663b5b72edacfcd7d7670a22fc4b4c6ac32d78.exe	41
PID 2208 wrote to memory of 2676	2208	0345dce9200ed7695fd6d0f385663b5b72edacfcd7d7670a22fc4b4c6ac32d78.exe	41
PID 2676 wrote to memory of 2684	2676	build3.exe	42
PID 2676 wrote to memory of 2684	2676	build3.exe	42
PID 2676 wrote to memory of 2684	2676	build3.exe	42
PID 2676 wrote to memory of 2684	2676	build3.exe	42
PID 2676 wrote to memory of 2684	2676	build3.exe	42
PID 2676 wrote to memory of 2684	2676	build3.exe	42
PID 2676 wrote to memory of 2684	2676	build3.exe	42
PID 2676 wrote to memory of 2684	2676	build3.exe	42
PID 2676 wrote to memory of 2684	2676	build3.exe	42
PID 2676 wrote to memory of 2684	2676	build3.exe	42
PID 2684 wrote to memory of 2524	2684	build3.exe	43
PID 2684 wrote to memory of 2524	2684	build3.exe	43

C:\Users\Admin\AppData\Local\Temp\0345dce9200ed7695fd6d0f385663b5b72edacfcd7d7670a22fc4b4c6ac32d78.exe
"C:\Users\Admin\AppData\Local\Temp\0345dce9200ed7695fd6d0f385663b5b72edacfcd7d7670a22fc4b4c6ac32d78.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Users\Admin\AppData\Local\Temp\0345dce9200ed7695fd6d0f385663b5b72edacfcd7d7670a22fc4b4c6ac32d78.exe
  "C:\Users\Admin\AppData\Local\Temp\0345dce9200ed7695fd6d0f385663b5b72edacfcd7d7670a22fc4b4c6ac32d78.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\7de8fb50-4313-4c32-a4e7-cbbf9d49c476" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:2552
- - C:\Users\Admin\AppData\Local\Temp\0345dce9200ed7695fd6d0f385663b5b72edacfcd7d7670a22fc4b4c6ac32d78.exe
    "C:\Users\Admin\AppData\Local\Temp\0345dce9200ed7695fd6d0f385663b5b72edacfcd7d7670a22fc4b4c6ac32d78.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2580
  - - C:\Users\Admin\AppData\Local\Temp\0345dce9200ed7695fd6d0f385663b5b72edacfcd7d7670a22fc4b4c6ac32d78.exe
      "C:\Users\Admin\AppData\Local\Temp\0345dce9200ed7695fd6d0f385663b5b72edacfcd7d7670a22fc4b4c6ac32d78.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2208
    - - C:\Users\Admin\AppData\Local\a072aa1c-c540-4a4b-af6f-f90dcbe688ef\build2.exe
        
        "C:\Users\Admin\AppData\Local\a072aa1c-c540-4a4b-af6f-f90dcbe688ef\build2.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1468
      - C:\Users\Admin\AppData\Local\a072aa1c-c540-4a4b-af6f-f90dcbe688ef\build2.exe
        
        "C:\Users\Admin\AppData\Local\a072aa1c-c540-4a4b-af6f-f90dcbe688ef\build2.exe"
        6⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious use of WriteProcessMemory
        
        PID:1860
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 1464
        7⤵
        Loads dropped DLL
        Program crash
        
        PID:1100
    - - C:\Users\Admin\AppData\Local\a072aa1c-c540-4a4b-af6f-f90dcbe688ef\build3.exe
        
        "C:\Users\Admin\AppData\Local\a072aa1c-c540-4a4b-af6f-f90dcbe688ef\build3.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2676
      - C:\Users\Admin\AppData\Local\a072aa1c-c540-4a4b-af6f-f90dcbe688ef\build3.exe
        
        "C:\Users\Admin\AppData\Local\a072aa1c-c540-4a4b-af6f-f90dcbe688ef\build3.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2684
        
        C:\Windows\SysWOW64\schtasks.exe
        
        /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
        7⤵
        Creates scheduled task(s)
        
        PID:2524

C:\Windows\system32\taskeng.exe
taskeng.exe {D5F2F14B-0E49-4A1D-968A-B4D589ADFA60} S-1-5-21-1268429524-3929314613-1992311491-1000:XBTLDBHN\Admin:Interactive:[1]
1⤵
PID:584
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1504
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    - Executes dropped EXE
    PID:1508
  - - C:\Windows\SysWOW64\schtasks.exe
      /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
      4⤵
      Creates scheduled task(s)
      PID:2884
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2336
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    - Executes dropped EXE
    PID:292
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1952
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    - Executes dropped EXE
    PID:1120
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2352
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    - Executes dropped EXE
    PID:2432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
e99c729661d361cfdeccb76fb786aea4

SHA1
f91d515bd1fd8fbe2a4d274f8062af1d0bd23a8d

SHA256
ffab13b85532e329f80d61cef78d604e593cf8d409e5aa117e3b9b3c96926159

SHA512
4317e4bc797f0efca9ce3ab3bc404e35d965a8135e5efc17a5b92c7751c060998339640a0f66d5ad815d7c9ccd06d34cc8f6c22d092d3698fc13cfd283ec3241

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
b9bd4fe445f20b0f4e66b1625bd74b6b

SHA1
7e8c851dfce92fa75063460e3d08264fca555625

SHA256
e7fef189bceae8b3e68b6f12fe2e93ec1c45fbe75badf8b6610720ec618ce306

SHA512
14bbeab82866d28908f876a174f3feb40396a003a47f4ddc1444db8d8284a016e4ded587057a633f673059b2a0e59793aed578fcec4f5e5039f2682cc1e77f21

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8a48725f1f97c6b5c6ba9afd931a55ae

SHA1
cd380b292b16ba3b3512856f33d1dcd2683faed1

SHA256
2d64ea80f70d6ca97dd4eaf37cb19c36dc74aeec064d68fe499e925fa4b779b7

SHA512
4e37637f93189730b01310b23d969d58f69c81de6ab04fe203dc28cb0cb2d9c7dacf3fe270134123e0ada7eecb3b0708fd782a2ee33d9eba8cd85931813bf493

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
13d57de43631e5ae61513e4fb327d77e

SHA1
cfb4675e3a06d4d911ff03f69f55a5927ff38dac

SHA256
ae458cd0a303b700c0f349c272024b0a2ca420b4b28826b53c41c71d6252ef54

SHA512
d704dbddbf93263427dd31b18385fccfda1b6923eb8a44be2e283a4d56629388193ae5d72fd37f65da4ec14b07f99a0fef6934892109f20dda33786506597f1c

Download Submit
C:\Users\Admin\AppData\Local\7de8fb50-4313-4c32-a4e7-cbbf9d49c476\0345dce9200ed7695fd6d0f385663b5b72edacfcd7d7670a22fc4b4c6ac32d78.exe

Filesize
890KB

MD5
a6918e36eed0c82c50e27957b85a0df1

SHA1
152c5b5eed5a80a80ec17390e5f7f866fdcfba6d

SHA256
0345dce9200ed7695fd6d0f385663b5b72edacfcd7d7670a22fc4b4c6ac32d78

SHA512
5eb7937b574bf29f26b706741b9bb6197537307552dffd720030ce66e541fd9b2b4b0d827b536e1caa7fdd3b670355bde81e34aa91308a97d9fb438bc0306e08

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab978E.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF420.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\a072aa1c-c540-4a4b-af6f-f90dcbe688ef\build2.exe

Filesize
301KB

MD5
e23c839edb489081120befe1e44b04db

SHA1
d57fd824ac54082312dcc23d2bca61e4d98f6065

SHA256
f68f73e9330202575e6476e37ed5bfaa11a52bfac4d1248c6fee5628f17c0cf7

SHA512
8c40e7cc8b538cf33ec650e694f81e50e576dcf9d771c2d6d8d960fbb6fd38b64bc604ba0dba1c9ca3cedabecdc83c789ca515352f3de12c997150df0ed4d0c1

Download Submit
C:\Users\Admin\AppData\Local\a072aa1c-c540-4a4b-af6f-f90dcbe688ef\build3.exe

Filesize
89KB

MD5
cce3f7d20cbfd3d03026206159949234

SHA1
4f6f4f8e8d3a6903f882f86696edb673137ad533

SHA256
59d0b33369aee88f08f1d495be3295a1e4e790082e2cba88ddb94b3b7b281a1f

SHA512
44619f96ed08704ff664cdfdac3bc010e4938434c1275b9af0dbe3c102fde005eff68b7dfa77e45f9d508bfc3c50716d0d2a412a8b208544cc50ae4b1768f641

Download Submit
C:\Users\Admin\AppData\Local\a072aa1c-c540-4a4b-af6f-f90dcbe688ef\build3.exe

Filesize
295KB

MD5
6065b4b6056aeeb1f23d9dc6faa9a782

SHA1
64f54f17090744c2ad3880b0e1a948a1204cc864

SHA256
224a511b8327d2e56e5acc9b4a741e4ac9fea3a8415c00e8f6d2fbb8d0c2770a

SHA512
da35a81f14cd5fd97c2e7af6df63f21706644841289d03b659bf35a6a7000e19edd6ef2190167ab6ee1cce1c3e1365f8b16f7ac28127d1814d59854dbb993132

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Filesize
175KB

MD5
8261e1be4a2c17dacac8b1847d9a784e

SHA1
2b14c9dc5be4bf9df37b89bfb994091e9020e6dd

SHA256
2b356625a5e7d3eed8a2b0f87e327cc3acf80c2ba8f007e15f51c5cdf5d6614d

SHA512
332fafca28bfa20c719ece964a5b7cae4308118caf93c37f51997aa0e2b233fc5527eb6b3978b0882fecc7d1890c51afedfa75d0d481e8155473c1f47234c2f4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Filesize
33KB

MD5
fd4a40e84e0b4ae38a9943e2a9ae4406

SHA1
d2747f958d644a4f3b684de19e78a99f2bcf2761

SHA256
3a13626bdfb582421264907b6db179476de9eca4766d7d273c16783f5830fcfd

SHA512
578c807b0956c0a4d5cbfb307a0fc6ba61593ddf3db1e0cadf95a2c92312dfcead5fd64834a19f8d3e5f8d8fec5d4bf83f5b884b93c29c704e5690655283fc4b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Filesize
289KB

MD5
e9eefff82c714e0b33bb14559d796671

SHA1
e3352871a82707a2015de2627b545d9f21958908

SHA256
36ae7284aaf877972274d6217c9593f1127b8ef94d14b6739db933850c33a726

SHA512
137bda1104a43dd77823b0b9abdf88b424cbea47bf2466ab2e3eb7098174e8c9bdd5e8b79fe5df939f97dc2e65e994f7403754789565948bf1e68fb7dbd6ccb4

Download Submit
\Users\Admin\AppData\Local\a072aa1c-c540-4a4b-af6f-f90dcbe688ef\build3.exe

Filesize
299KB

MD5
41b883a061c95e9b9cb17d4ca50de770

SHA1
1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad

SHA256
fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408

SHA512
cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

Download Submit
\Users\Admin\AppData\Local\a072aa1c-c540-4a4b-af6f-f90dcbe688ef\build3.exe

Filesize
128KB

MD5
53bc6c328281928e94ac312f63f13f05

SHA1
d49275ca0cd7f367733a365323b466ad588e5ce0

SHA256
7278f0c920ff8dad67e62751745e858817abb1c5b461414162311e57eb833e7c

SHA512
48e55739728038066eeb2fca5c20e5c6c25587860b2ac7f021218e66fe7c77894c09e0301c4ceb78b72ebc19d85203d8bd66e8c15a1e1aed9eee58c6d465fb77

Download Submit
memory/1468-77-0x0000000000960000-0x0000000000A60000-memory.dmp

Filesize
1024KB

Download
memory/1468-81-0x0000000000250000-0x000000000027C000-memory.dmp

Filesize
176KB

Download
memory/1504-254-0x0000000000980000-0x0000000000A80000-memory.dmp

Filesize
1024KB

Download
memory/1860-212-0x0000000000400000-0x000000000063F000-memory.dmp

Filesize
2.2MB

Download
memory/1860-86-0x0000000000400000-0x000000000063F000-memory.dmp

Filesize
2.2MB

Download
memory/1860-85-0x0000000000400000-0x000000000063F000-memory.dmp

Filesize
2.2MB

Download
memory/1860-82-0x0000000000400000-0x000000000063F000-memory.dmp

Filesize
2.2MB

Download
memory/1952-309-0x0000000000960000-0x0000000000A60000-memory.dmp

Filesize
1024KB

Download
memory/2044-2-0x0000000001DF0000-0x0000000001F0B000-memory.dmp

Filesize
1.1MB

Download
memory/2044-0-0x0000000001C30000-0x0000000001CC2000-memory.dmp

Filesize
584KB

Download
memory/2044-1-0x0000000001C30000-0x0000000001CC2000-memory.dmp

Filesize
584KB

Download
memory/2208-38-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2208-62-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2208-61-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2208-60-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2208-58-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2208-54-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2208-53-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2208-37-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2208-224-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2336-283-0x0000000000972000-0x0000000000982000-memory.dmp

Filesize
64KB

Download
memory/2352-336-0x00000000008C0000-0x00000000009C0000-memory.dmp

Filesize
1024KB

Download
memory/2580-30-0x0000000001D50000-0x0000000001DE2000-memory.dmp

Filesize
584KB

Download
memory/2580-31-0x0000000001D50000-0x0000000001DE2000-memory.dmp

Filesize
584KB

Download
memory/2580-36-0x0000000001D50000-0x0000000001DE2000-memory.dmp

Filesize
584KB

Download
memory/2676-230-0x00000000008D0000-0x00000000009D0000-memory.dmp

Filesize
1024KB

Download
memory/2676-232-0x0000000000230000-0x0000000000234000-memory.dmp

Filesize
16KB

Download
memory/2684-233-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2684-236-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2684-238-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2848-28-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2848-8-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2848-7-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2848-5-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2848-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download