Analysis Overview
SHA256
2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470
Threat Level: Known bad
The file 2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470 was found to be: Known bad.
Malicious Activity Summary
Detected Djvu ransomware
Detect Vidar Stealer
Vidar
Djvu Ransomware
Downloads MZ/PE file
Loads dropped DLL
Modifies file permissions
Executes dropped EXE
Looks up external IP address via web service
Adds Run key to start application
Suspicious use of SetThreadContext
Program crash
Enumerates physical storage devices
Unsigned PE
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Modifies system certificate store
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-15 04:49
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-15 04:49
Reported
2024-01-15 04:54
Platform
win10-20231220-en
Max time kernel
299s
Max time network
293s
Command Line
Signatures
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\3ec478c9-37a8-4dc3-a57c-ea8e24d8973c\build3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\3ec478c9-37a8-4dc3-a57c-ea8e24d8973c\build3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\f9a45bb9-2be0-4b26-8abb-729ebfc89b89\\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe
"C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe"
C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe
"C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\f9a45bb9-2be0-4b26-8abb-729ebfc89b89" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe
"C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe
"C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\3ec478c9-37a8-4dc3-a57c-ea8e24d8973c\build3.exe
"C:\Users\Admin\AppData\Local\3ec478c9-37a8-4dc3-a57c-ea8e24d8973c\build3.exe"
C:\Users\Admin\AppData\Local\3ec478c9-37a8-4dc3-a57c-ea8e24d8973c\build3.exe
"C:\Users\Admin\AppData\Local\3ec478c9-37a8-4dc3-a57c-ea8e24d8973c\build3.exe"
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | 24.65.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 94.193.125.74.in-addr.arpa | udp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | habrafa.com | udp |
| US | 8.8.8.8:53 | brusuax.com | udp |
| AR | 186.13.17.220:80 | habrafa.com | tcp |
| KR | 175.120.254.9:80 | brusuax.com | tcp |
| US | 8.8.8.8:53 | 220.17.13.186.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.254.120.175.in-addr.arpa | udp |
| AR | 186.13.17.220:80 | habrafa.com | tcp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 169.117.168.52.in-addr.arpa | udp |
Files
memory/3352-1-0x0000000002530000-0x00000000025CE000-memory.dmp
memory/3352-3-0x0000000002670000-0x000000000278B000-memory.dmp
memory/4776-2-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4776-4-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4776-5-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4776-6-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\f9a45bb9-2be0-4b26-8abb-729ebfc89b89\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe
| MD5 | b8b236e9fab508d1ed85fc4ad0843ef5 |
| SHA1 | 4366140de33fd27603f8aeb5f26d395e5d9a51c8 |
| SHA256 | 2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470 |
| SHA512 | fdb986be769977940c551d0d331c903879761802555fd8df9b82cc9740e28d8bbced1955bd786bee268e2bb4b3734e4ac415b29bcbf5da806b5095beb85c0f74 |
memory/4776-17-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1652-20-0x00000000009F0000-0x0000000000A92000-memory.dmp
memory/4648-24-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4648-23-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4648-22-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | b7470a9aa569b259d4c2bb3b80ae3aa3 |
| SHA1 | 093290296b7f1e402ef96e4b33a88f064aa401eb |
| SHA256 | ee8aeed77dd9f1631fa75845214d75bfe04951a61892410ee369035e13fd14c6 |
| SHA512 | 4da3fc09260692f159c37b068664852931b712c8173de5e4b294799ac33ecf179055aaeb016fd0afad88cbfc50a571c4c88033dca56a573431af7462ea7979be |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 8202a1cd02e7d69597995cabbe881a12 |
| SHA1 | 8858d9d934b7aa9330ee73de6c476acf19929ff6 |
| SHA256 | 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5 |
| SHA512 | 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | c59cab556400eb40ceac32fe0115c947 |
| SHA1 | 47ceb44cb24bba7eeb30ae84781e08ae7c857050 |
| SHA256 | 7d7035b101b9ce7d06486aeb8b9e8d18c42256a05c877862126aaffb9aeb22d9 |
| SHA512 | c95d433d0bc30d9112f5002ed0083cb8283181ecae5ce8d10784248e6b0489cf8c8a406c019d84ea54f78f6cd5100a2e2fbc67703141039a108da27f77d512f6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | d4de3ad1154ecca1283bfbbbb10e8048 |
| SHA1 | db2ac46ef1b0b060582deab0153e4de455c9b892 |
| SHA256 | de65e26e8b0a9f86d94f13847219257bf2d7f124fd5885c4a5cf39ab7ba3e785 |
| SHA512 | 1e911a0b12395be3b2a53938d1753eb667a7d836d828d13a91e5f43cb70962cf68246770b57e7214ebfeada9bd5345a12b82adacae6416e6bf18680c7f2c645d |
memory/4648-29-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4648-30-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4648-36-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4648-37-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4648-34-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4648-41-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\3ec478c9-37a8-4dc3-a57c-ea8e24d8973c\build3.exe
| MD5 | 56d345a1f005ed14beb5477502cd93b2 |
| SHA1 | f070b5d8c2d986e2ba96cba32486fe75c9914a5f |
| SHA256 | f020e2b0651312065af61565a18f24776d4952a83dbb654cb8a2894a82ca11ab |
| SHA512 | 5ea8f03e0283f14e51065b9a3fd20b2af7a98857e4744ac29096d1e4ee46c0bd2e0e093a1cc91801b0b7d3547cf71b948a03ae3e972dbd4b39cd5afffa7bd184 |
C:\Users\Admin\AppData\Local\3ec478c9-37a8-4dc3-a57c-ea8e24d8973c\build3.exe
| MD5 | 41b883a061c95e9b9cb17d4ca50de770 |
| SHA1 | 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad |
| SHA256 | fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408 |
| SHA512 | cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319 |
memory/4648-45-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1256-50-0x0000000000400000-0x0000000000406000-memory.dmp
memory/2720-54-0x0000000000A30000-0x0000000000A34000-memory.dmp
memory/1256-55-0x0000000000400000-0x0000000000406000-memory.dmp
memory/2720-53-0x0000000000AE9000-0x0000000000AFA000-memory.dmp
memory/1256-56-0x0000000000400000-0x0000000000406000-memory.dmp
memory/1256-58-0x0000000000410000-0x00000000004D5000-memory.dmp
memory/2844-76-0x0000000000B1A000-0x0000000000B2A000-memory.dmp
memory/2412-95-0x000000000084E000-0x000000000085E000-memory.dmp
memory/1884-114-0x000000000098E000-0x000000000099E000-memory.dmp
memory/5056-137-0x0000000000A40000-0x0000000000B40000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | a4f6fffee96cda7a29579017f0899c64 |
| SHA1 | 820e654a00474dfe1dede7cd921ce192310d1fa1 |
| SHA256 | 2325159cd56f70a1b3eccb1b31b0c803a8e49430b62b39efafa744b805ae1467 |
| SHA512 | 7c1c0d087cecb38d9b0a8a372caffc3375e95b47ae46e344c2712e386a0899326304c940e535b14e219348f25a1351bd2a020d96ba08faa0976cdc69d19647dd |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-15 04:49
Reported
2024-01-15 04:54
Platform
win7-20231215-en
Max time kernel
298s
Max time network
166s
Command Line
Signatures
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Vidar
Downloads MZ/PE file
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\11da1ed9-3ab4-46ca-abb1-0fd1a7cfbc85\\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\da39936c-6829-4206-9339-c852d37efc38\build2.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [value not recorded in this report] | C:\Users\Admin\AppData\Local\da39936c-6829-4206-9339-c852d37efc38\build2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\da39936c-6829-4206-9339-c852d37efc38\build2.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a | C:\Users\Admin\AppData\Local\da39936c-6829-4206-9339-c852d37efc38\build2.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe
"C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe"
C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe
"C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\11da1ed9-3ab4-46ca-abb1-0fd1a7cfbc85" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe
"C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe
"C:\Users\Admin\AppData\Local\Temp\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\da39936c-6829-4206-9339-c852d37efc38\build2.exe
"C:\Users\Admin\AppData\Local\da39936c-6829-4206-9339-c852d37efc38\build2.exe"
C:\Users\Admin\AppData\Local\da39936c-6829-4206-9339-c852d37efc38\build2.exe
"C:\Users\Admin\AppData\Local\da39936c-6829-4206-9339-c852d37efc38\build2.exe"
C:\Users\Admin\AppData\Local\da39936c-6829-4206-9339-c852d37efc38\build3.exe
"C:\Users\Admin\AppData\Local\da39936c-6829-4206-9339-c852d37efc38\build3.exe"
C:\Users\Admin\AppData\Local\da39936c-6829-4206-9339-c852d37efc38\build3.exe
"C:\Users\Admin\AppData\Local\da39936c-6829-4206-9339-c852d37efc38\build3.exe"
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 1460
C:\Windows\system32\taskeng.exe
taskeng.exe {4AFDD69A-4276-4491-ACB3-D1D15EC0CEEB} S-1-5-21-3308111660-3636268597-2291490419-1000:JUBFGPHD\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | brusuax.com | udp |
| US | 8.8.8.8:53 | habrafa.com | udp |
| BA | 185.12.79.25:80 | habrafa.com | tcp |
| KR | 211.168.53.110:80 | brusuax.com | tcp |
| BA | 185.12.79.25:80 | habrafa.com | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 104.103.202.103:443 | steamcommunity.com | tcp |
| FI | 65.109.241.139:443 | 65.109.241.139 | tcp |
| FI | 65.109.241.139:443 | 65.109.241.139 | tcp |
| FI | 65.109.241.139:443 | 65.109.241.139 | tcp |
| FI | 65.109.241.139:443 | 65.109.241.139 | tcp |
Files
memory/2216-0-0x0000000002180000-0x0000000002212000-memory.dmp
memory/2216-1-0x0000000002180000-0x0000000002212000-memory.dmp
memory/2216-2-0x0000000002220000-0x000000000233B000-memory.dmp
memory/2308-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2308-5-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2308-7-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2308-8-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\11da1ed9-3ab4-46ca-abb1-0fd1a7cfbc85\2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470.exe
| MD5 | b8b236e9fab508d1ed85fc4ad0843ef5 |
| SHA1 | 4366140de33fd27603f8aeb5f26d395e5d9a51c8 |
| SHA256 | 2976b9cc47bd3854337e3653128eec2ac18da76a93941b5cc0becd0ba4926470 |
| SHA512 | fdb986be769977940c551d0d331c903879761802555fd8df9b82cc9740e28d8bbced1955bd786bee268e2bb4b3734e4ac415b29bcbf5da806b5095beb85c0f74 |
memory/2308-26-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2552-28-0x0000000000220000-0x00000000002B2000-memory.dmp
memory/2552-29-0x0000000000220000-0x00000000002B2000-memory.dmp
memory/2552-34-0x0000000000220000-0x00000000002B2000-memory.dmp
memory/3008-35-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3008-36-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | b7470a9aa569b259d4c2bb3b80ae3aa3 |
| SHA1 | 093290296b7f1e402ef96e4b33a88f064aa401eb |
| SHA256 | ee8aeed77dd9f1631fa75845214d75bfe04951a61892410ee369035e13fd14c6 |
| SHA512 | 4da3fc09260692f159c37b068664852931b712c8173de5e4b294799ac33ecf179055aaeb016fd0afad88cbfc50a571c4c88033dca56a573431af7462ea7979be |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 474e8bc1d6ed0ea9ace8de2fdc236b78 |
| SHA1 | 61f6de7dbfb0613de91ad30fe5a234d0ffed596a |
| SHA256 | 505a775131700a08b3a2878d4f5edcfd46f316d48baf0334348b10cc2084bb04 |
| SHA512 | 1b5564e1474e5e8135ec95de74e826c34005322e2c71bfbb685decda97e73cf65b13401f318b624cec1a61eb11261cbaf3ef231d95c1517e5e4a7467930f2236 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 8202a1cd02e7d69597995cabbe881a12 |
| SHA1 | 8858d9d934b7aa9330ee73de6c476acf19929ff6 |
| SHA256 | 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5 |
| SHA512 | 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | d3df90005c5a4c3ff5ac8e9034d57b3f |
| SHA1 | dfa24520cfe380b7770f6114e50c6aaf2405069c |
| SHA256 | 3871b702db80ce7a24b40e8f201e2fe57c77e9844b13cbe8ce06490385fc15a2 |
| SHA512 | 01a57f94756794c3b9b8448d4045810ef8f9f7df7fde649ed5f9aa33e1ffc938aaee9f811c8eada116210ae3fd32df8ea46a6ba52f558dae6cda1deba3c44d95 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b5279abd0f2814821a433529fb5a3c1a |
| SHA1 | 08101db46d899c2b8d7cee24ba5c20317a93b155 |
| SHA256 | 2e9b8b8f128f0fb3a724eec5edaf783b8c1d6977a9c1da15a368969a5276aed8 |
| SHA512 | cf8563f42078f4f5d7eb6c993547e2a15f9f2d9350c1df2e1ccfb34ce8bfef4399815e30ff7ffe39bfffca7fa42a62b77baab4eadf19a372e9054fc8c6f835c5 |
C:\Users\Admin\AppData\Local\Temp\Cab8D71.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
memory/3008-49-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3008-50-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3008-54-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3008-56-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3008-57-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3008-58-0x0000000000400000-0x0000000000537000-memory.dmp
\Users\Admin\AppData\Local\da39936c-6829-4206-9339-c852d37efc38\build2.exe
| MD5 | c4070da9f9b0581171af16e681ccdff8 |
| SHA1 | 3fb4182921fdc3acd7873ebe113ac5522585312a |
| SHA256 | 26063c78e5418610471a9f3a00a155d7d1e5b29856e1979ba3bdc42681a871d0 |
| SHA512 | c7569cea7f1a841e7cac9cd41287dba3bcacf2cf9dee7bece88800848a7ad5dc4cd2bdc896c7389f0f1144079bbe168048b3f722bcd76fa5d6e14f3081bb6427 |
C:\Users\Admin\AppData\Local\da39936c-6829-4206-9339-c852d37efc38\build2.exe
| MD5 | 5fdbc7061921001b06f5bcd8f1fd3e27 |
| SHA1 | bf1bb8bc1113827f3c615352fb7105d71ebf6e4d |
| SHA256 | 4f78c94ab539b688956081dac8e29b1505192f195c3d95be26f97c6c22fd5fe1 |
| SHA512 | eafd539c4c6489f3f522f1a05be71d8693c95db24a196361814d89c4173c405fda15258746886a42d8916bc9621ad8aab2c441f6c42512d25184b8af69373588 |
memory/2604-72-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/740-78-0x0000000000460000-0x00000000004AB000-memory.dmp
memory/740-76-0x00000000002A0000-0x00000000002C7000-memory.dmp
memory/2604-79-0x0000000000400000-0x000000000065E000-memory.dmp
memory/2604-74-0x0000000000400000-0x000000000065E000-memory.dmp
memory/2604-84-0x0000000000400000-0x000000000065E000-memory.dmp
memory/3008-91-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\da39936c-6829-4206-9339-c852d37efc38\build3.exe
| MD5 | 41b883a061c95e9b9cb17d4ca50de770 |
| SHA1 | 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad |
| SHA256 | fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408 |
| SHA512 | cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319 |
C:\Users\Admin\AppData\Local\Temp\TarA3B0.tmp
| MD5 | 9c0c641c06238516f27941aa1166d427 |
| SHA1 | 64cd549fb8cf014fcd9312aa7a5b023847b6c977 |
| SHA256 | 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f |
| SHA512 | 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e1d57fe74b613a0fbb7dfb50d72cd7f8 |
| SHA1 | 88fb4afde2476c87ee1475656e3ab231de479bd2 |
| SHA256 | d7d2e38460bf8599297d1cd383cd4885c29b74e35bc5ec34dcde50bb5d678f9f |
| SHA512 | 9411e49cf815cbd07b1eff2793e1603b1a38ed3ce54ba5f91d537488478454a8abeed5f4da2510d33a0a741d1e99d7bade8b35656d3b1e54f90176a191680f47 |
memory/2800-194-0x0000000000970000-0x0000000000A70000-memory.dmp
memory/2800-195-0x0000000000220000-0x0000000000224000-memory.dmp
memory/1960-204-0x0000000000400000-0x0000000000406000-memory.dmp
memory/1960-211-0x0000000000400000-0x0000000000406000-memory.dmp
memory/1960-219-0x0000000000400000-0x0000000000406000-memory.dmp
memory/1960-220-0x0000000000410000-0x0000000000477000-memory.dmp
memory/2604-227-0x0000000000400000-0x000000000065E000-memory.dmp
memory/2104-243-0x0000000000900000-0x0000000000A00000-memory.dmp
memory/3016-269-0x00000000008F0000-0x00000000009F0000-memory.dmp
memory/1504-298-0x0000000000920000-0x0000000000A20000-memory.dmp
memory/1504-314-0x0000000000920000-0x0000000000A20000-memory.dmp
memory/2668-330-0x0000000000860000-0x0000000000960000-memory.dmp