Analysis
max time kernel: 293s
max time network: 156s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 15/01/2024, 04:52

Static task: static1
Behavioral task: behavioral1
  Sample: 5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe
  Resource: win10-20231220-en
General
Target: 5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe
Size: 761KB
MD5: 9258bfe8d8bbabf415a67bf39d7c912c
SHA1: 0fe9c215d1fc9430bf9c055d446c7805f79f6725
SHA256: 5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95
SHA512: 7b26ecff8224797aa5d7972e0d7a46d4743975d2cefff75c5d8d99aa57a6fd5b72a97faff6f1a08bb75b8254c41a556c0756fcdda7800e5890de1a6699ba6fb6
SSDEEP: 12288:0TSAO9OIqmUVIp+urd57CyDjXNodk1lOCrIxkbawucOV3bRxT+/:0RI2VIp+Yd9TNoorIxkBtM3txT+/
Malware Config
Extracted
family: djvu
c2: http://habrafa.com/test1/get.php
extension: .cdpo
offline_id: Bn3q97hwLouKbhkQRNO4SeV07gjdEQVm8NKhg0t1
payload_url: http://brusuax.com/dl/build2.exe
payload_url: http://habrafa.com/files/1/build3.exe
ransomnote:
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-FCWSCsjEWS Price of private key and decrypt software is $1999. Discount 50% available if you contact us first 72 hours, that's price for you is $999. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0844OSkw
Signatures

Detect Vidar Stealer (5 IoCs)
resource / yara_rule:
- behavioral1/memory/1260-78-0x0000000000400000-0x000000000065E000-memory.dmp: family_vidar_v6
- behavioral1/memory/1260-80-0x0000000000400000-0x000000000065E000-memory.dmp: family_vidar_v6
- behavioral1/memory/2168-74-0x0000000000230000-0x000000000027B000-memory.dmp: family_vidar_v6
- behavioral1/memory/1260-75-0x0000000000400000-0x000000000065E000-memory.dmp: family_vidar_v6
- behavioral1/memory/1260-244-0x0000000000400000-0x000000000065E000-memory.dmp: family_vidar_v6
Detected Djvu ransomware (15 IoCs)
resource / yara_rule:
- behavioral1/memory/2752-5-0x0000000000400000-0x0000000000537000-memory.dmp: family_djvu
- behavioral1/memory/2752-8-0x0000000000400000-0x0000000000537000-memory.dmp: family_djvu
- behavioral1/memory/1684-4-0x0000000001E30000-0x0000000001F4B000-memory.dmp: family_djvu
- behavioral1/memory/2752-9-0x0000000000400000-0x0000000000537000-memory.dmp: family_djvu
- behavioral1/memory/2752-27-0x0000000000400000-0x0000000000537000-memory.dmp: family_djvu
- behavioral1/memory/2860-36-0x0000000000400000-0x0000000000537000-memory.dmp: family_djvu
- behavioral1/memory/2860-35-0x0000000000400000-0x0000000000537000-memory.dmp: family_djvu
- behavioral1/memory/2860-50-0x0000000000400000-0x0000000000537000-memory.dmp: family_djvu
- behavioral1/memory/2860-49-0x0000000000400000-0x0000000000537000-memory.dmp: family_djvu
- behavioral1/memory/2860-57-0x0000000000400000-0x0000000000537000-memory.dmp: family_djvu
- behavioral1/memory/2860-56-0x0000000000400000-0x0000000000537000-memory.dmp: family_djvu
- behavioral1/memory/2860-54-0x0000000000400000-0x0000000000537000-memory.dmp: family_djvu
- behavioral1/memory/2860-79-0x0000000000400000-0x0000000000537000-memory.dmp: family_djvu
- behavioral1/memory/2168-72-0x00000000008A0000-0x00000000009A0000-memory.dmp: family_djvu
- behavioral1/memory/2860-207-0x0000000000400000-0x0000000000537000-memory.dmp: family_djvu
Djvu Ransomware
Ransomware which is a variant of the STOP family.

Downloads MZ/PE file
Executes dropped EXE (14 IoCs)
pid / Process:
- 2168 build2.exe
- 1260 build2.exe
- 2248 build3.exe
- 1964 build3.exe
- 2676 mstsca.exe
- 2972 mstsca.exe
- 1464 mstsca.exe
- 840 mstsca.exe
- 1080 mstsca.exe
- 348 mstsca.exe
- 2924 mstsca.exe
- 1876 mstsca.exe
- 2768 mstsca.exe
- 2672 mstsca.exe
Loads dropped DLL (8 IoCs)
pid / Process:
- 2860 5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe
- 2860 5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe
- 2860 5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe
- 2860 5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe
- 692 WerFault.exe
- 692 WerFault.exe
- 692 WerFault.exe
- 692 WerFault.exe
Modifies file permissions (1 TTPs, 1 IoCs)
pid / Process:
- 2596 icacls.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
description / ioc / Process:
- Set value (str): \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\c7a8d402-37d2-464d-8f6c-8241bbef596c\\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe\" --AutoStart" (process: 5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe)
Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow / ioc:
- flow 4: api.2ip.ua
- flow 9: api.2ip.ua
- flow 3: api.2ip.ua
Suspicious use of SetThreadContext (9 IoCs)
description / pid / Process / procid_target:
- PID 1684 (5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe) set thread context of 2752; procid_target 28
- PID 2088 (5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe) set thread context of 2860; procid_target 31
- PID 2168 (build2.exe) set thread context of 1260; procid_target 33
- PID 2248 (build3.exe) set thread context of 1964; procid_target 40
- PID 2676 (mstsca.exe) set thread context of 2972; procid_target 43
- PID 1464 (mstsca.exe) set thread context of 840; procid_target 49
- PID 1080 (mstsca.exe) set thread context of 348; procid_target 51
- PID 2924 (mstsca.exe) set thread context of 1876; procid_target 53
- PID 2768 (mstsca.exe) set thread context of 2672; procid_target 55
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoCs)
pid / pid_target / Process / procid_target:
- 692 crashed process 1260 (WerFault.exe); procid_target 33
Creates scheduled task(s) (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid / Process:
- 3004 schtasks.exe
- 2940 schtasks.exe
Modifies system certificate store
description / ioc / Process:
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 (process: build2.exe)
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [binary blob not shown] (process: build2.exe)
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [binary blob not shown] (process: build2.exe)
Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid / Process:
- 2752 5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe
- 2752 5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe
- 2860 5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe
- 2860 5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description / pid / Process / procid_target (identical rows collapsed; the number of occurrences is given at the end of each row, 64 in total):
- PID 1684 (5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe) wrote to memory of 2752; procid_target 28; 11 occurrences
- PID 2752 (5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe) wrote to memory of 2596; procid_target 29; 4 occurrences
- PID 2752 (5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe) wrote to memory of 2088; procid_target 30; 4 occurrences
- PID 2088 (5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe) wrote to memory of 2860; procid_target 31; 11 occurrences
- PID 2860 (5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe) wrote to memory of 2168; procid_target 34; 4 occurrences
- PID 2168 (build2.exe) wrote to memory of 1260; procid_target 33; 11 occurrences
- PID 2860 (5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe) wrote to memory of 2248; procid_target 35; 4 occurrences
- PID 1260 (build2.exe) wrote to memory of 692; procid_target 37; 4 occurrences
- PID 2248 (build3.exe) wrote to memory of 1964; procid_target 40; 10 occurrences
- PID 1964 (build3.exe) wrote to memory of 3004; procid_target 39; 1 occurrence
Processes

- C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe (PID 1684, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe (PID 2752, level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe"
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\icacls.exe (PID 2596, level 3)
      Command line: icacls "C:\Users\Admin\AppData\Local\c7a8d402-37d2-464d-8f6c-8241bbef596c" /deny *S-1-1-0:(OI)(CI)(DE,DC)
      - Modifies file permissions
    - C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe (PID 2088, level 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe" --Admin IsNotAutoStart IsNotTask
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe (PID 2860, level 4)
        Command line: "C:\Users\Admin\AppData\Local\Temp\5ac99bbe691224fd287b1779b9e1cdf072c5d9630953f5a4df5d49398d434e95.exe" --Admin IsNotAutoStart IsNotTask
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build2.exe (PID 2168, level 5)
          Command line: "C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build2.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build3.exe (PID 2248, level 5)
          Command line: "C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build3.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
          - C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build3.exe (PID 1964, level 6)
            Command line: "C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build3.exe"
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory

- C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build2.exe (PID 1260, level 1)
  Command line: "C:\Users\Admin\AppData\Local\ab139c2b-d9c5-440f-9ac6-56094128987c\build2.exe"
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WerFault.exe (PID 692, level 2)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1260 -s 1456
    - Loads dropped DLL
    - Program crash

- C:\Windows\SysWOW64\schtasks.exe (PID 3004, level 1)
  Command line: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
  - Creates scheduled task(s)

- C:\Windows\system32\taskeng.exe (PID 1684, level 1)
  Command line: taskeng.exe {94260BD7-4207-46A4-87B1-94A819890B9E} S-1-5-21-3818056530-936619650-3554021955-1000:SFVRQGEO\Admin:Interactive:[1]
  - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe (PID 2676, level 2)
    Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe (PID 2972, level 3)
      Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
      - Executes dropped EXE
      - C:\Windows\SysWOW64\schtasks.exe (PID 2940, level 4)
        Command line: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
        - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe (PID 1464, level 2)
    Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe (PID 840, level 3)
      Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
      - Executes dropped EXE
  - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe (PID 1080, level 2)
    Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe (PID 348, level 3)
      Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
      - Executes dropped EXE
  - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe (PID 2924, level 2)
    Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe (PID 1876, level 3)
      Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
      - Executes dropped EXE
  - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe (PID 2768, level 2)
    Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe (PID 2672, level 3)
      Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
      - Executes dropped EXE
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Downloads