Analysis
max time kernel: 131s
max time network: 118s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
submitted: 25/12/2023, 13:20
Static task: static1
Behavioral task: behavioral1 (sample 538b71221fc868d804dad1b3019cf73e.exe, resource win7-20231215-en)
Behavioral task: behavioral2 (sample 538b71221fc868d804dad1b3019cf73e.exe, resource win10v2004-20231215-en)
General
Target: 538b71221fc868d804dad1b3019cf73e.exe
Size: 210KB
MD5: 538b71221fc868d804dad1b3019cf73e
SHA1: aacd8fa3f58ade7d9bf281ca171e56c35a2ddaef
SHA256: 440d5de6aaa2ccd09e773a6092ebcf51025e7684025115f587552fe492eb5108
SHA512: 5ee98f2bb1bed67c0ca3dd3fc6e16474a8ed86d7c70dc9930ae9f3bfee26e424e1e760356a877fbc0933414bfd554c71fedbbe2591178f3f23a3b529625dd9ed
SSDEEP: 3072:RVpWFLFxLBHPEsWJ8/nPsdnv/zsln7dHyuDM16yBf6J3z16RtMmfX:R8LrLBHtWiPPsVv/zQ7dHyuDUBffM
Malware Config
Extracted: smokeloader
  up3
Extracted: smokeloader
  version: 2020
  C2: http://host-file-host6.com/
  C2: http://host-host-file8.com/
Extracted: djvu
  C2: http://zexeq.com/test1/get.php
  extension: .cdqw
  offline_id: mMsRxMUuXypapZbGOAfxD9pczHmW8zVRP7Pgjwt1
  payload_url: http://brusuax.com/dl/build2.exe
  payload_url: http://zexeq.com/files/1/build3.exe
  ransomnote: ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-99MNqXMrdS Price of private key and decrypt software is $1999. Discount 50% available if you contact us first 72 hours, that's price for you is $999. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0840ASdw
The offline_id is the key identifier Djvu falls back to when zexeq.com cannot be reached; STOP/Djvu offline IDs conventionally end in t1, as this one does, and every victim encrypted under the same offline ID shares a key. The two payload_url entries correspond to the build2.exe and build3.exe stages that appear in the process tree below.
Signatures
-
DcRat 4 IoCs
DarkCrystal RAT (DCRat) is a .NET RAT active since June 2019 that can load additional plugins. The four IoCs matched here (an SCSI enumeration key opened by the sample, the SysHelper Run value written by F00C.exe, and the two schtasks.exe invocations) are generic behaviours that the Djvu/STOP chain below already accounts for, and no DcRat configuration was extracted; treat this family tag as low-confidence next to the SmokeLoader and Djvu detections.
description ioc pid Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 538b71221fc868d804dad1b3019cf73e.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\0992d72b-f381-4791-a0ca-c18d8e3ee68a\\F00C.exe\" --AutoStart" F00C.exe
2896 schtasks.exe
1504 schtasks.exe
Detected Djvu ransomware 15 IoCs
resource yara_rule
behavioral1/memory/2676-45-0x0000000002160000-0x000000000227B000-memory.dmp family_djvu
behavioral1/memory/2788-46-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu
behavioral1/memory/2788-50-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu
behavioral1/memory/2788-49-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu
behavioral1/memory/2788-71-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu
behavioral1/memory/1988-82-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu
behavioral1/memory/1988-81-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu
behavioral1/memory/1988-96-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu
behavioral1/memory/1988-95-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu
behavioral1/memory/1988-100-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu
behavioral1/memory/1988-103-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu
behavioral1/memory/1988-102-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu
behavioral1/memory/1988-104-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu
behavioral1/memory/2412-120-0x0000000000990000-0x0000000000A90000-memory.dmp family_djvu
behavioral1/memory/1988-185-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Deletes itself 1 IoCs
pid Process
1212 Process not Found
PID 1212 is reported as "Process not Found" because the sandbox never resolved its image, which is what happens for a process that was already running before the sample started. It is the process that launches both .bat wrappers and F00C.exe below and that holds SeShutdownPrivilege; together with the MapViewOfSection activity of PID 2096, that is the footprint of SmokeLoader running inside an injected pre-existing process (explorer.exe is the usual host, but that is an inference from the behaviour, not something this report confirms).
Executes dropped EXE 10 IoCs
pid Process
2676 F00C.exe
2788 F00C.exe
1104 F00C.exe
1988 F00C.exe
2412 build2.exe
1560 build2.exe
3036 build3.exe
2140 build3.exe
2232 mstsca.exe
2476 mstsca.exe
Loads dropped DLL 12 IoCs
pid Process (repeated entries collapsed, count in brackets)
2676 F00C.exe
2788 F00C.exe [x2]
1104 F00C.exe
1988 F00C.exe [x4]
1996 WerFault.exe [x4]
Modifies file permissions 1 TTPs 1 IoCs
pid Process 1308 icacls.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\0992d72b-f381-4791-a0ca-c18d8e3ee68a\\F00C.exe\" --AutoStart" F00C.exe -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 9 api.2ip.ua 11 api.2ip.ua 15 api.2ip.ua -
Suspicious use of SetThreadContext 6 IoCs
Each record is a parent that has just created a child of its own image name and then resets the child's main-thread context, the process-hollowing pattern; read together with the WriteProcessMemory records below. Note that PID 3036 appears twice: once as the original sample and later, after the kernel reused the PID, as build3.exe. The trailing procid_target is the sandbox's own per-run process index and is the safe key for correlation.
description pid Process procid_target
PID 3036 set thread context of 2096 3036 538b71221fc868d804dad1b3019cf73e.exe 28
PID 2676 set thread context of 2788 2676 F00C.exe 38
PID 1104 set thread context of 1988 1104 F00C.exe 43
PID 2412 set thread context of 1560 2412 build2.exe 46
PID 3036 set thread context of 2140 3036 build3.exe 49
PID 2232 set thread context of 2476 2232 mstsca.exe 58
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 1996 1560 WerFault.exe 46 -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 538b71221fc868d804dad1b3019cf73e.exe
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 538b71221fc868d804dad1b3019cf73e.exe
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 538b71221fc868d804dad1b3019cf73e.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2896 schtasks.exe 1504 schtasks.exe -
Modifies system certificate store 3 IoCs
The key name under AuthRoot is the SHA-1 thumbprint of the certificate stored in the Blob. Decoding the Blob below shows that certificate to be DigiCert High Assurance EV Root CA (its subject CN is readable in the DER), and the CryptnetUrlCache entries under Downloads are what Windows' automatic root update writes when a process first chains to a root it has not yet cached. That is consistent with build2.exe having made an HTTPS connection, not with the malware installing its own root; verify the thumbprint before acting on the Install Root Certificate mapping.
description ioc Process
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a build2.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (value elided as a duplicate during extraction) build2.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 build2.exe
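Before accepting the Install Root Certificate mapping, decode the Blob: the AuthRoot key name is the SHA-1 thumbprint of the certificate stored inside it, so the DER can be pulled out and checked against both the key name and its own subject. The script below is an added example and is not part of the report or of any sandbox tooling. It walks the Blob as the CryptoAPI serialized certificate-context format (little-endian DWORD property id, a reserved DWORD equal to 1, a DWORD length, then the data) using the property ids 0x20 for the certificate, 0x03 for the SHA-1 hash and 0x0b for the friendly name; the common-name extraction is a deliberately crude byte scan for OID 2.5.4.3, not an X.509 parser, and is an assumption that holds for this certificate's short-form lengths.

```python
import hashlib
import struct

# SHA-1 thumbprint taken from the AuthRoot key name in the IoC above.
KEY_THUMBPRINT = "5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25"

# The first Blob value exactly as the report prints it, re-wrapped across lines.
BLOB_HEX = (
    "0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8"
    "090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b06010505070308"
    "5300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0"
    "140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc3"
    "0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b63"
    "0300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25"
    "2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500"
    "306c310b300906035504061302555331153013060355040a130c446967694365727420496e63"
    "31193017060355040b13107777772e64696769636572742e636f6d312b302906035504031322"
    "44696769436572742048696768204173737572616e636520455620526f6f74204341"
    "301e170d3036313131303030303030305a170d3331313131303030303030305a"
    "306c310b300906035504061302555331153013060355040a130c446967694365727420496e63"
    "31193017060355040b13107777772e64696769636572742e636f6d312b302906035504031322"
    "44696769436572742048696768204173737572616e636520455620526f6f74204341"
    "30820122300d06092a864886f70d01010105000382010f003082010a0282010100"
    "c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1c"
    "b05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f7"
    "4aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e3"
    "06e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8d"
    "b3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c"
    "89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55"
    "db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0a"
    "a838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb"
    "0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff"
    "301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3"
    "301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d01010505000382010100"
    "1c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af3"
    "7ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5"
    "219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e355"
    "47316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b"
    "318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b"
    "0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4"
    "ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9c"
    "bf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a"
)

# CryptoAPI serialized-context property ids (CERT_*_PROP_ID values).
CERT_PROP_ID = 0x20            # DER-encoded certificate
SHA1_HASH_PROP_ID = 0x03       # thumbprint as CryptoAPI stored it
FRIENDLY_NAME_PROP_ID = 0x0b   # UTF-16LE, NUL-terminated


def parse_blob(blob: bytes) -> dict:
    """Walk records of <DWORD propid, DWORD reserved(=1), DWORD length, data>."""
    props, off = {}, 0
    while off < len(blob):
        if off + 12 > len(blob):
            raise ValueError("truncated property header")
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        if reserved != 1:
            raise ValueError(f"unexpected reserved field {reserved} at offset {off}")
        off += 12
        if off + length > len(blob):
            raise ValueError(f"property {prop_id:#x} runs past the end of the blob")
        props[prop_id] = blob[off:off + length]
        off += length
    return props


def common_names(der: bytes) -> list:
    """Crude scan: every string that directly follows OID 2.5.4.3 (CN), in order.
    Issuer precedes subject in a TBSCertificate, so a self-signed root yields the
    same name twice.  Not an X.509 parser; handles short-form lengths only."""
    names, pos, marker = [], 0, b"\x06\x03\x55\x04\x03"
    while True:
        pos = der.find(marker, pos)
        if pos < 0 or pos + 7 > len(der):
            return names
        tag, length = der[pos + 5], der[pos + 6]
        if tag in (0x0c, 0x13, 0x14, 0x16) and length < 0x80:
            names.append(der[pos + 7:pos + 7 + length].decode("latin-1"))
        pos += 5


def check_authroot_blob(blob_hex: str, key_name: str) -> dict:
    """Extract the DER and compare its thumbprint with the key name and the stored hash."""
    props = parse_blob(bytes.fromhex(blob_hex))
    der = props[CERT_PROP_ID]
    thumbprint = hashlib.sha1(der).hexdigest().upper()
    cns = common_names(der)
    return {
        "der_length": len(der),
        "thumbprint": thumbprint,
        "thumbprint_matches_key": thumbprint == key_name.upper(),
        "stored_hash_matches": props[SHA1_HASH_PROP_ID].hex().upper() == thumbprint,
        "friendly_name": props[FRIENDLY_NAME_PROP_ID].decode("utf-16-le").rstrip("\x00"),
        "issuer_cn": cns[0] if cns else None,
        "subject_cn": cns[1] if len(cns) > 1 else None,
        "self_signed": len(cns) > 1 and cns[0] == cns[1],
    }
```

Run on the Blob above, `check_authroot_blob` reports a 969-byte DER whose SHA-1 equals both the key name and the stored hash property, friendly name DigiCert, and issuer and subject CN both DigiCert High Assurance EV Root CA: a self-signed public root, which is what the automatic root update installs, not what an attacker-controlled CA looks like. A genuine Install Root Certificate finding would show a thumbprint absent from the Microsoft trusted root program or a subject nobody recognises, and the same decode is how you would surface that.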
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process (repeated entries collapsed, count in brackets)
2096 538b71221fc868d804dad1b3019cf73e.exe [x2]
1212 Process not Found [x62]
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 2096 538b71221fc868d804dad1b3019cf73e.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeShutdownPrivilege 1212 Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target (repeated records collapsed, count in brackets)
PID 3036 wrote to memory of 2096 3036 538b71221fc868d804dad1b3019cf73e.exe 28 [x7]
PID 1212 wrote to memory of 2740 1212 Process not Found 29 [x3]
PID 2740 wrote to memory of 2772 2740 cmd.exe 31 [x3]
PID 1212 wrote to memory of 2004 1212 Process not Found 32 [x3]
PID 2004 wrote to memory of 2652 2004 cmd.exe 34 [x3]
PID 1212 wrote to memory of 2676 1212 Process not Found 37 [x4]
PID 2676 wrote to memory of 2788 2676 F00C.exe 38 [x11]
PID 2788 wrote to memory of 1308 2788 F00C.exe 42 [x4]
PID 2788 wrote to memory of 1104 2788 F00C.exe 41 [x4]
PID 1104 wrote to memory of 1988 1104 F00C.exe 43 [x11]
PID 1988 wrote to memory of 2412 1988 F00C.exe 45 [x4]
PID 2412 wrote to memory of 1560 2412 build2.exe 46 [x7]
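The WriteProcessMemory and SetThreadContext signatures are most useful read together: a parent that writes into a child it has just created and then resets that child's thread context is replacing the child's entry point (process hollowing), whereas a write on its own is also what CreateProcess does for every child and is mostly noise. The script below is an added example, not part of the report or the sandbox's tooling; it correlates the records above, keyed on the sandbox's procid_target rather than the Windows PID because PID 3036 is reused within this run. The record lines are copied from the two signatures with duplicates collapsed, and the 64-IoC cap that truncates the write list is handled by still reporting context-only hits.

```python
import re

# Records copied from the two signatures above, one per line, duplicates
# collapsed.  The trailing number is the sandbox's procid_target, a per-run
# process index; unlike the Windows PID it is never reused (PID 3036 names
# both the original sample and build3.exe in this report).
WRITE_RECORDS = """\
PID 3036 wrote to memory of 2096 3036 538b71221fc868d804dad1b3019cf73e.exe 28
PID 1212 wrote to memory of 2740 1212 Process not Found 29
PID 2740 wrote to memory of 2772 2740 cmd.exe 31
PID 1212 wrote to memory of 2004 1212 Process not Found 32
PID 2004 wrote to memory of 2652 2004 cmd.exe 34
PID 1212 wrote to memory of 2676 1212 Process not Found 37
PID 2676 wrote to memory of 2788 2676 F00C.exe 38
PID 2788 wrote to memory of 1308 2788 F00C.exe 42
PID 2788 wrote to memory of 1104 2788 F00C.exe 41
PID 1104 wrote to memory of 1988 1104 F00C.exe 43
PID 1988 wrote to memory of 2412 1988 F00C.exe 45
PID 2412 wrote to memory of 1560 2412 build2.exe 46
"""

CTX_RECORDS = """\
PID 3036 set thread context of 2096 3036 538b71221fc868d804dad1b3019cf73e.exe 28
PID 2676 set thread context of 2788 2676 F00C.exe 38
PID 1104 set thread context of 1988 1104 F00C.exe 43
PID 2412 set thread context of 1560 2412 build2.exe 46
PID 3036 set thread context of 2140 3036 build3.exe 49
PID 2232 set thread context of 2476 2232 mstsca.exe 58
"""

RECORD_RE = re.compile(
    r"^PID (?P<src>\d+) (?:wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) (?P=src) (?P<name>.+?) (?P<procid>\d+)$"
)


def parse(records: str) -> dict:
    """Map (source image, source pid, target procid) -> target pid."""
    out = {}
    for line in records.splitlines():
        if not line.strip():
            continue
        m = RECORD_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable record: {line!r}")
        out[(m["name"], int(m["src"]), int(m["procid"]))] = int(m["dst"])
    return out


def reused_pids(records: str) -> dict:
    """PIDs that name more than one image in the same run (kernel PID reuse)."""
    seen = {}
    for name, pid, _procid in parse(records):
        names = seen.setdefault(pid, [])
        if name not in names:
            names.append(name)
    return {pid: names for pid, names in seen.items() if len(names) > 1}


def hollowing_candidates(write_records: str, ctx_records: str) -> dict:
    """Pair every SetThreadContext with a WriteProcessMemory from the same
    parent into the same child.  Confirmed pairs are the hollowing chain;
    context-only hits are still reported because each sandbox signature is
    capped at 64 IoCs and the write list above is truncated."""
    writes = parse(write_records)
    confirmed, context_only = [], []
    for key, target_pid in parse(ctx_records).items():
        name, pid, procid = key
        hit = {"injector": name, "pid": pid, "target_pid": target_pid, "target_procid": procid}
        (confirmed if key in writes else context_only).append(hit)
    return {"confirmed": confirmed, "context_only": context_only}


if __name__ == "__main__":
    result = hollowing_candidates(WRITE_RECORDS, CTX_RECORDS)
    for hit in result["confirmed"]:
        print(f"hollowing: {hit['injector']} ({hit['pid']}) -> pid {hit['target_pid']}")
    for hit in result["context_only"]:
        print(f"context only, write record missing: {hit['injector']} ({hit['pid']}) -> pid {hit['target_pid']}")
    print("reused pids:", reused_pids(CTX_RECORDS))
```

On this report the confirmed chain is sample 3036 into 2096, F00C.exe 2676 into 2788, F00C.exe 1104 into 1988 and build2.exe 2412 into 1560; build3.exe and mstsca.exe show up as context-only because their write records fell past the 64-entry cap, and `reused_pids` flags 3036 as naming two different images. The writes from 1212 into the cmd.exe and F00C.exe children, which have no SetThreadContext partner, are ordinary process creation and are correctly left out.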
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(one process per line as image path, then the logged command line; children are indented under their parent; the signatures hit by each process follow it)

C:\Users\Admin\AppData\Local\Temp\538b71221fc868d804dad1b3019cf73e.exe  "C:\Users\Admin\AppData\Local\Temp\538b71221fc868d804dad1b3019cf73e.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3036
  C:\Users\Admin\AppData\Local\Temp\538b71221fc868d804dad1b3019cf73e.exe  "C:\Users\Admin\AppData\Local\Temp\538b71221fc868d804dad1b3019cf73e.exe"
    - DcRat
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:2096

C:\Windows\system32\cmd.exe  cmd /c ""C:\Users\Admin\AppData\Local\Temp\6BBE.bat" "
  - Suspicious use of WriteProcessMemory
  PID:2740
  C:\Windows\system32\reg.exe  reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
    PID:2772

C:\Windows\system32\cmd.exe  cmd /c ""C:\Users\Admin\AppData\Local\Temp\6FC4.bat" "
  - Suspicious use of WriteProcessMemory
  PID:2004
  C:\Windows\system32\reg.exe  reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
    PID:2652

C:\Users\Admin\AppData\Local\Temp\F00C.exe  C:\Users\Admin\AppData\Local\Temp\F00C.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2676
  C:\Users\Admin\AppData\Local\Temp\F00C.exe  C:\Users\Admin\AppData\Local\Temp\F00C.exe
    - DcRat
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2788
    C:\Users\Admin\AppData\Local\Temp\F00C.exe  "C:\Users\Admin\AppData\Local\Temp\F00C.exe" --Admin IsNotAutoStart IsNotTask
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      PID:1104
      C:\Users\Admin\AppData\Local\Temp\F00C.exe  "C:\Users\Admin\AppData\Local\Temp\F00C.exe" --Admin IsNotAutoStart IsNotTask
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        PID:1988
        C:\Users\Admin\AppData\Local\f0106d9f-02b8-4813-8ed0-d1d7d5f1d38a\build2.exe  "C:\Users\Admin\AppData\Local\f0106d9f-02b8-4813-8ed0-d1d7d5f1d38a\build2.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
          PID:2412
          C:\Users\Admin\AppData\Local\f0106d9f-02b8-4813-8ed0-d1d7d5f1d38a\build2.exe  "C:\Users\Admin\AppData\Local\f0106d9f-02b8-4813-8ed0-d1d7d5f1d38a\build2.exe"
            - Executes dropped EXE
            - Modifies system certificate store
            PID:1560
            C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 1560 -s 1452
              - Loads dropped DLL
              - Program crash
              PID:1996
        C:\Users\Admin\AppData\Local\f0106d9f-02b8-4813-8ed0-d1d7d5f1d38a\build3.exe  "C:\Users\Admin\AppData\Local\f0106d9f-02b8-4813-8ed0-d1d7d5f1d38a\build3.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          PID:3036 (PID reused: the original sample, also 3036, has exited by this point)
          C:\Users\Admin\AppData\Local\f0106d9f-02b8-4813-8ed0-d1d7d5f1d38a\build3.exe  "C:\Users\Admin\AppData\Local\f0106d9f-02b8-4813-8ed0-d1d7d5f1d38a\build3.exe"
            - Executes dropped EXE
            PID:2140
            C:\Windows\SysWOW64\schtasks.exe  /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
              - DcRat
              - Creates scheduled task(s)
              PID:2896
    C:\Windows\SysWOW64\icacls.exe  icacls "C:\Users\Admin\AppData\Local\0992d72b-f381-4791-a0ca-c18d8e3ee68a" /deny *S-1-1-0:(OI)(CI)(DE,DC)
      - Modifies file permissions
      PID:1308

C:\Windows\system32\taskeng.exe  taskeng.exe {6AF46484-A135-4E71-9B74-E55092CC1FF8} S-1-5-21-3601492379-692465709-652514833-1000:CALKHSYM\Admin:Interactive:[1]
  PID:2016
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:2232
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
      - Executes dropped EXE
      PID:2476

C:\Windows\SysWOW64\schtasks.exe  /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
  - DcRat
  - Creates scheduled task(s)
  PID:1504
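The process tree puts the three command-line persistence and anti-removal steps side by side: the reg add marker written by both .bat wrappers, icacls denying Everyone delete rights on the F00C.exe drop folder, and a scheduled task that re-launches mstsca.exe every minute from under %APPDATA%. The script below is an added example, not part of the report: it tokenises those command lines as the tree prints them (image path, a space, then the arguments) and applies heuristics of my own to each tool. The list of user-writable path markers, the interval table and the scoring rules are assumptions for illustration, not sandbox signatures.

```python
import ntpath
import re

# Command lines copied from the process tree above (image path, a space, then
# the arguments as shown), plus the Run value from "Adds Run key" above.
CMDLINES = [
    r'C:\Windows\system32\reg.exe reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1',
    r'C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\Admin\AppData\Local\0992d72b-f381-4791-a0ca-c18d8e3ee68a" /deny *S-1-1-0:(OI)(CI)(DE,DC)',
    r'C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"',
]
RUN_VALUE = r'"C:\Users\Admin\AppData\Local\0992d72b-f381-4791-a0ca-c18d8e3ee68a\F00C.exe" --AutoStart'

# Heuristic inputs: assumptions chosen for this example, not sandbox rules.
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\users\\public\\", "\\temp\\")
INTERVAL_SECONDS = {"minute": 60, "hourly": 3600, "daily": 86400}
EVERYONE_SID = "*S-1-1-0"
GUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)


def tokenize(cmdline: str) -> list:
    """Split on whitespace, honouring double quotes; backslashes stay literal."""
    tokens, cur, quoted = [], [], False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def switches(args: list) -> dict:
    """Map each /switch to the value that follows it ('' when the switch is bare)."""
    out, i = {}, 0
    while i < len(args):
        if args[i].startswith("/"):
            has_val = i + 1 < len(args) and not args[i + 1].startswith("/")
            out[args[i].lower()] = args[i + 1] if has_val else ""
            i += 2 if has_val else 1
        else:
            i += 1
    return out


def user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def analyze(cmdline: str) -> dict:
    """Return the tool, its parsed switches and the persistence findings for one command line."""
    toks = tokenize(cmdline)
    if not toks:
        return {"tool": "", "switches": {}, "findings": []}
    tool = ntpath.basename(toks[0]).lower()
    tool = tool[:-4] if tool.endswith(".exe") else tool
    args = toks[1:]
    if args and args[0].lower() == tool:      # the tree repeats argv[0] for reg and icacls
        args = args[1:]
    sw = switches(args)
    findings = []
    if tool == "schtasks" and "/create" in sw:
        every = INTERVAL_SECONDS.get(sw.get("/sc", "").lower(), 0) * int(sw.get("/mo") or 1)
        if 0 < every <= 60:
            findings.append(f"task {sw.get('/tn')!r} re-runs every {every}s (watchdog-style persistence)")
        if user_writable(sw.get("/tr", "")):
            findings.append(f"task action {sw.get('/tr')!r} lives in a user-writable directory")
        if "/f" in sw:
            findings.append("/F silently replaces any existing task of that name")
    elif tool == "icacls" and "/deny" in sw:
        sid, _, rights = sw["/deny"].partition(":")
        if sid == EVERYONE_SID and ("DE" in rights or "DC" in rights):
            findings.append(f"denies Everyone delete rights on {args[0]!r} (shields dropped files from cleanup)")
    elif tool == "reg" and len(args) > 1 and args[0].lower() == "add":
        key = args[1]
        if "\\currentversion\\run" in key.lower():
            findings.append(f"Run-key persistence via {key}")
        elif key.upper().startswith("HKEY_CURRENT_USER\\SOFTWARE\\") and sw.get("/t") == "REG_DWORD":
            findings.append(f"writes marker {sw.get('/v')!r}={sw.get('/d')!r} under {key} (infection-state flag)")
    return {"tool": tool, "switches": sw, "findings": findings}


def analyze_run_value(name: str, data: str) -> list:
    """Score a Run value as the sandbox reports it: value name plus command line."""
    toks = tokenize(data)
    findings = []
    if toks and user_writable(toks[0]):
        findings.append(f"Run value {name!r} starts {toks[0]!r} from a user-writable directory")
    if GUID_RE.search(data):
        findings.append("launch path sits in a GUID-named folder, the drop-folder pattern of F00C.exe and build2/3.exe above")
    return findings
```

On the three command lines `analyze` reports one finding for the reg marker (a DWORD under HKCU\Software with no Run-key involvement, the weakest signal here; the .bat contents would be needed to say more), one for icacls (Everyone denied DE and DC on the drop folder), and three for schtasks (a 60-second interval, an action under AppData, and /F). `analyze_run_value` on the SysHelper value flags both the user-writable launch path and the GUID folder. The same tokenizer handles the quoted paths exactly as the tree prints them, which is the part most ad-hoc `split()` calls get wrong.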
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
Defense Evasion
  File and Directory Permissions Modification (1)
  Modify Registry (2)
  Subvert Trust Controls (1): Install Root Certificate (1)
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize 1KB
MD5 d4fa6d2a84fa78d11b875ea5cd30eba8
SHA1 992b2a18b5dce24b924086e93cd37a4463256c56
SHA256 4f5e1f270a70f3ad6f5de2661bb2577b8706b9a7f3c62e1eb73c38b29dadcc48
SHA512 a54f8208e37833c4ad89f751071a8912199198c8ce0aeec5cef9eadf11f2be24c6f436b8b0c13eb00080cea574c139e818b69026e72e9fc29719b85b04eac8ce
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize 724B
MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize 410B
MD5 e5b80321e7a61c71d2608fbde75c20cb
SHA1 5cad01f723e08a70632455bf54515ce407ee1b6e
SHA256 6e8d3595413d36dc9d15ced944041e23e01e899421960a046abbcd44cff40f07
SHA512 f7c2ce42150f4f453785268cb6099ac4efaa4cbabac842e755ba0e470fdf02e9965067f42ff19daea73fc1c77d8450fc58c20e4e51cc3bd60204e7e9a39a5ebf
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 f2e4a7ab228f964c877ee5ab2d16c6a9
SHA1 554b1f21a9dbba82d04fce3b74942cbfe708b2ac
SHA256 6830d151c1744761f6150cb548a95e36d26b58da7351e480a6e498a6a7d4a1f3
SHA512 427f3c061827ab46c0a099ff1387d21ebb032b116951a31f1da41c4b5566c7e6f8431f08ff5a126c8866159f83ac06d083e9cc84b3ca6cbb7295156cddccd010
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize 392B
MD5 9230ab833ce263a1e023985e4c90feeb
SHA1 033db76f205a7bed55c47feff2b2c97a5867fb0d
SHA256 aad97555f363a950b0daeb60f9da63ffcaebad4fd939140a915fe1320078ff49
SHA512 241766117d39200cabf56a0881aa142584293391e290116e63a2d08af06f31aa571247374fed49713b47e16aa67308bace638d2e7ecfa787a0b8a0650a4e8b32
-
Filesize 172KB
MD5 581ec3b00053849e6999861b394880c3
SHA1 ba67915e42492112f61b49bce21afb30bce41153
SHA256 26073eb2e29a72b1eb23b04b6ba2fca1752f93a8acc94535ad865ce869d55224
SHA512 1fd23d06d24b4736d23214965f3df57f1b2054b9c38bb41de6aadedad21396ca5aad9c225d5483333bb1ee4af32ad75bc25391238c588376ea3321028ca6d560
-
Filesize 77B
MD5 55cc761bf3429324e5a0095cab002113
SHA1 2cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256 d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA512 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155
-
Filesize 65KB
MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
Filesize 212KB
MD5 97e61f23dcb866ea0ca377251e77cdd4
SHA1 9680a77c75d3da14b30f734a55d0f49d158026bc
SHA256 d27526404767a4afbc13b90356300b8695bb4d06bae187704ec9906e66612842
SHA512 16467579ca90fcfb6daaa8b0a3349add57bfe315025e59f484a6bea491a0a2569eb75d343342f9f046f6c35d7eeee059d8e20030e361e82eef73f4fe635ba4a2
-
Filesize 328KB
MD5 8774a42551b4e7891e281c26b682ffef
SHA1 1bc7728889cbcaa37d1f2c4d4246a72583cc4089
SHA256 d6e387ad4d55ee08566e260266a6ea662f01bc6dfb9034bb308ee89cd0c2c6d9
SHA512 4af6f5322ff5b40ad7c7f217e11c8890aa3d09e4df7b05146f673cedff8cf8ba917d50cd176fb489ababb06a26b9d691949c310f31f15a4077f874eb54f39341
-
Filesize 85KB
MD5 eedfd690d51e17d0f1a152ce0643a11b
SHA1 a18a26cedc1195613de1c7098f0370eea71c866a
SHA256 58a1181e5d2522298fb00d97fc12a1938bc75e5b10b44dc36b308e74ffc6ba2b
SHA512 0fbed5d6a28c489e8237c17a101760d7f157fa6f4f0c0254f296bc32072cb1203e505656ecc96af08900de6c280f64c795ae6882be71781021736ed7cd1af66a
-
Filesize 14KB
MD5 d74651a2687975601e1bf4e8c61e7d7b
SHA1 611f52f3105b963761bc82892ba21837f5e80052
SHA256 708ff30dc65d70fa428800f979a750629360f59b44f69cef18c11e7f871626c0
SHA512 c1b110b53b70e2467ce070180da8eee64201db2e5598f87231203393d064b05bf0f8914465b401ba9868361deda8c207544fd49b7c24ca0fca0f2053936a8087
-
Filesize 367KB
MD5 88c329ae9111ea78d0b222420cff4da9
SHA1 0be6e99356081b4811a35fbf9692a47102912e4e
SHA256 d5c44cec2943f0f3493c8655091faf211f1094274ed8b7da3ce10fdce684a957
SHA512 14be0a3f754c64123d0136d68c437b060fa09ad8f8a30e1fd6c3b9f0881542ca46d0a98887e76a721b32eb26293e56b1214f48dd39b453b69e04dea1fb8dad63
-
Filesize 661KB
MD5 0863a6996f1fffb76ff08274e3bd243b
SHA1 434fa13959b75f4d7b1b7d1ed83b251f85fc47c4
SHA256 2eb6d314f4910a0d1514fb5a9a93a3bddccc95b6c3ec47b03ee1bd0eb71fc856
SHA512 541560d4d1ab2136fc6d2625c9b776202d64cd64a6a8492f673f171af6ba6bc49e1d7c7079a5948e7f6cb36d2bb77740ce1aa9e5e8930dc967b201774c6544f5
-
Filesize 171KB
MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06
-
Filesize 91KB
MD5 e55b624cc074f912cbf4af5578b2f2fa
SHA1 c34e38a853081658ae0801ad9a5ea3a8c044025c
SHA256 54b27fd0b0fb313615cffe681c73c9ac895286926cc354c112d0a30eb7063661
SHA512 5f0a7ebf96a975e88c85f230656e6c9a1b3057eaf5bc7b2f5ebf0e31618eefaba4203e35842cbb0aa28b8040b0b4560b29686540d4f4f4ca76e6337cab248acb
-
Filesize 150KB
MD5 c80ed9af29d4fd5342d1066df00d125e
SHA1 cc8c74abe3eab5ae71e38c5dc7ef886a1464d03f
SHA256 b6960f34612f201118eac575cfe5fca38eb033b99b4dc249f9505852353621f2
SHA512 90f8cacca136b73b0b4e5149d7ab05c21dec1a2b984b39cc14dd1db3c7832535eb795a4c9a76931a4f8232a81a5df16e10d68483dd1ef13d3a3e4edd00eeaa0f
-
Filesize 198KB
MD5 3d9865840d4d5aec2948d3f3ef964db3
SHA1 10360c4153f13cd3e9bcb88d8ff0eef8b7c893cc
SHA256 a7ace9b1199e47c3e48ce18bec426d64aea28d1fbd2005bba7ebe43856a21c52
SHA512 cb9eb040a74d96ecdcc197319096f226412d351dcaea049ef1c43488e5d73fdc5ec5d6b44b0aa271c2a77ac7d4e3b9c82be715e951fbeeb8618819b7001b5836
-
Filesize 114KB
MD5 5b2ba1f88c34025261da2c32256e3d30
SHA1 0dec1a7f9c032ad66646a00e0074a4eb9f9bf0cc
SHA256 93a4300396e88507cc8dfdfce60f7bdc8c0302c0d95d6ec4f597bf60731cc7f9
SHA512 5805c273615f7cc22b4014ef7237326400fcd5283518025cff3a32d8afa7a3ce8327b40223c5d6dd47ec68dfe9af7ccb558fd2d3aa1e02edd6fb4d9d99884d27
-
Filesize 210KB
MD5 d2d714f467416fb117f7fdcc698d1ee7
SHA1 b6d0bc272806a88ac5abdb643deb2b750114d852
SHA256 5a14ebbe4bdaae479cd8385418e0c02bccbd1f47dd6bcc68c76493d91512d436
SHA512 cd1d4d096e80281acf4f9d7520531bb808c03e0cb6f6d5fe9c819b8c447ed74f4c2bc204775721e17c17e55c7a1d0ccc6f7a577877a3792da6de39dd7c99a039
-
Filesize 200KB
MD5 034b6d734a57bfd51ca3d902c92cbd89
SHA1 1c4bc3f6f7fe6ebcebf5375209dc671a2f5205fa
SHA256 921c0468b6f2a1b45e9161ac22e9d5c0ad58997e71d267ef782645b32c77f81d
SHA512 2d1fa9b6ff274fd1796c5b29472d1e347d07df8f736863b00f322ee6d93d89277cac2808ef9aaf99f504dd16180308ba44d8453264a6f4743c1d4e23c3113a2f
-
Filesize 32KB
MD5 84d7df5d8ccd0a35f311e763eb34b451
SHA1 471d04e1dbd87086c034a5c8bcf9a4618afed2d8
SHA256 7f1ae63a159c837c3f3c163f7c7decf7c2ebaa52876893344831177e84a97cd6
SHA512 2d843bcce64bdfda943a0732355919976ae092c24cfe47c7e105c22aff0ce730231ac9b899c86bba7992765ee84af5b275f3ea414f1f9ced6c3aa3b5e0aca030
-
Filesize 132KB
MD5 c34eb5ede344b1010070ab72033de77d
SHA1 474d238eff550b6fcd23fff5957b67117ac85766
SHA256 c7fa4a2cd18bcc6456d39d38747f94c8fafe8440e9da72949cd0f9dbca4202ae
SHA512 5705e070788229534bd3a0328c432210fca7f5645aabd37d6bdc3081d62ef2790d60fbacd8f8fd365817dca9c7e55aca68633f0c0eb0cf0c4a2b6941f5be4e66
-
Filesize 709KB
MD5 fb63e92c110edf654aafd854d6dfce74
SHA1 f42755793df9a53e786863f9eecaa5fd50087e6a
SHA256 56cf2235afa22716da576cf8e894ee3f480cf92c5e406a342666aabcec19c55e
SHA512 66744b574fabd0765ca85a59bb5409e95bfdcb6f96c434dcc0e8efff980a34e159ae8030ec04b8266f3db281d66f07f8ca503993dc1b104bce611a38f7a47985
-
Filesize 216KB
MD5 a187125322e7072de3196b7ae5684f65
SHA1 c2563b181c8d7a84bb9a758994d4b5fe644315ce
SHA256 69941676bb04f17207d351806d67e888a0b0e064624dd4b72330d81726ef31e3
SHA512 c46831c360acbd942a2dbdd34d400f3309525b2c22df9394ebb9f18a36a5d738471d60e15b8997eb7f8d77a4ba9947209171a796a52bdac67566a51eccd4138e
-
Filesize 202KB
MD5 5f7cf12ff9e606dbb19ae3a6c116e92d
SHA1 56db8a369ea68b4b7850e9472e1f427a8a82f9f7
SHA256 10580739cd1ea6f7b112681ff7b338f32410ad6281a3fc4efc5464a81b947083
SHA512 e0689a89912a1e3b7e2b70b00afa927c9a577a3fab3d82c8fa290b60effa57a36231f33fe142b9701c5abeed7fe83e361b84fcf5d83fa3a87bb6bef35c13f30c
-
Filesize 161KB
MD5 c5f8f162f8ac54b49f16637f4c805d87
SHA1 f7d5600b361ec2f5e2fc3a2c038511a99cf41a4f
SHA256 5e0678325eccbdf0d60f49e5127bad88f77c5dd31a9a6c4fabbc4ce985b17453
SHA512 6cfa27c41c77ea063c6add69fb2e0532434e32376dcf4cdfc59966d2b0929643e2c30413ad42a7ef03199f6dd2eb3be43daf05aa220a8fcd011ece70e073f235
-
Filesize 119KB
MD5 fe9df65489ce18b48155ad707282db64
SHA1 8630ffef77e3e7cff4500981fcb967d5e05143ae
SHA256 cdda6a809413af88bd74959febd1a15cdf5185a975f55a40800f3cb347f9283b
SHA512 b5631a34ed682f0a5e86fff90606db7304acb1cc9edd33517329ff457a4705ca8079432d8f1f86080972a0a35f817cfa7cfd29c711023b5d961849b350fc03df