Analysis
max time kernel: 299s
max time network: 154s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 15/01/2024, 04:56

Static task: static1
Behavioral task: behavioral1
  Sample: b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe
  Resource: win10-20231220-en
General
Target: b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe
Size: 732KB
MD5: ca106182fc4543131ef128b77f57c70a
SHA1: 26d5069dfabecd28077365ecdb2704a621527c96
SHA256: b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5
SHA512: 04f911af74389114301acc580e6041f6350df4eceb1ad6dc6034bef75d388581391c37d83847adc61a8b83e9b68b72f17e2d1f2b4a185bc7efd2b03d92daba4f
SSDEEP: 12288:2L2LS6hjiwI975M/yK2YdeY0M2DbnRsN82298kZaZvmaifZSKANOx+D:2L2xn/yXNY0M0Vl6v1wZkNO0
Malware Config
Extracted
Family: djvu
C2: http://habrafa.com/test1/get.php
extension: .cdpo
offline_id: Bn3q97hwLouKbhkQRNO4SeV07gjdEQVm8NKhg0t1
payload_url:
  http://brusuax.com/dl/build2.exe
  http://habrafa.com/files/1/build3.exe
ransomnote:
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-FCWSCsjEWS Price of private key and decrypt software is $1999. Discount 50% available if you contact us first 72 hours, that's price for you is $999. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0844OSkw
Signatures

Detect Vidar Stealer 6 IoCs
resource | yara_rule
behavioral1/memory/1628-73-0x0000000000400000-0x000000000065E000-memory.dmp | family_vidar_v6
behavioral1/memory/1628-79-0x0000000000400000-0x000000000065E000-memory.dmp | family_vidar_v6
behavioral1/memory/1628-78-0x0000000000400000-0x000000000065E000-memory.dmp | family_vidar_v6
behavioral1/memory/2168-77-0x0000000000280000-0x00000000002CB000-memory.dmp | family_vidar_v6
behavioral1/memory/1628-200-0x0000000000400000-0x000000000065E000-memory.dmp | family_vidar_v6
behavioral1/memory/2216-285-0x0000000000900000-0x0000000000A00000-memory.dmp | family_vidar_v6
Detected Djvu ransomware 14 IoCs
resource | yara_rule
behavioral1/memory/2824-7-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral1/memory/2824-8-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral1/memory/2824-5-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral1/memory/2136-3-0x0000000001F90000-0x00000000020AB000-memory.dmp | family_djvu
behavioral1/memory/2824-26-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral1/memory/2620-34-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral1/memory/2620-35-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral1/memory/2620-49-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral1/memory/2620-48-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral1/memory/2620-56-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral1/memory/2620-55-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral1/memory/2620-53-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral1/memory/2620-57-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral1/memory/2620-211-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
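The resource names in the two YARA tables above encode the PID, the dump sequence number and the flagged address range. The Python below is an added example, not part of the sandbox report or its tooling: it parses those rows, groups the hits per PID and separates hits at the default PE image base (where a hollowed child's payload lives) from hits in other ranges. The rows are copied from the tables above; the `image_base_hits` heuristic and the 0x400000 base are this example's assumptions.

```python
import re
from collections import defaultdict

# Shape of one 'resource yara_rule' row in the sandbox report:
#   behavioral1/memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp <rule>
DUMP_RE = re.compile(
    r"^(?P<task>\w+)/memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp\s+(?P<rule>\S+)$"
)


def parse_dump_ioc(row):
    """Parse one row into a dict (pid, seq, start, end, size, rule); None if malformed."""
    m = DUMP_RE.match(row.strip())
    if m is None:
        return None
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        return None  # a range whose end precedes its start is a report artefact, skip it
    return {"task": m["task"], "pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start, "rule": m["rule"]}


def summarize(rows):
    """Group hits per PID: rule names, distinct address ranges and hit count."""
    by_pid = defaultdict(lambda: {"rules": set(), "regions": set(), "hits": 0})
    for row in rows:
        ioc = parse_dump_ioc(row)
        if ioc is None:
            continue
        entry = by_pid[ioc["pid"]]
        entry["rules"].add(ioc["rule"])
        entry["regions"].add((ioc["start"], ioc["end"]))
        entry["hits"] += 1
    return dict(by_pid)


def image_base_hits(summary, base=0x400000):
    """PIDs with a flagged region starting at the classic PE image base (assumed
    heuristic): the payload runs from the process's own image mapping, i.e. the
    child was hollowed rather than merely holding a decrypted buffer."""
    return sorted(pid for pid, entry in summary.items()
                  if any(start == base for start, _ in entry["regions"]))


# Rows copied from the two YARA tables in this report (constructed sample input).
ROWS = [
    "behavioral1/memory/1628-73-0x0000000000400000-0x000000000065E000-memory.dmp family_vidar_v6",
    "behavioral1/memory/1628-79-0x0000000000400000-0x000000000065E000-memory.dmp family_vidar_v6",
    "behavioral1/memory/1628-78-0x0000000000400000-0x000000000065E000-memory.dmp family_vidar_v6",
    "behavioral1/memory/2168-77-0x0000000000280000-0x00000000002CB000-memory.dmp family_vidar_v6",
    "behavioral1/memory/1628-200-0x0000000000400000-0x000000000065E000-memory.dmp family_vidar_v6",
    "behavioral1/memory/2216-285-0x0000000000900000-0x0000000000A00000-memory.dmp family_vidar_v6",
    "behavioral1/memory/2824-7-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu",
    "behavioral1/memory/2136-3-0x0000000001F90000-0x00000000020AB000-memory.dmp family_djvu",
    "behavioral1/memory/2620-34-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu",
    "behavioral1/memory/2620-211-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu",
]

if __name__ == "__main__":
    summary = summarize(ROWS)
    for pid in sorted(summary):
        regions = ", ".join(f"0x{a:X}-0x{b:X} ({b - a:#x} bytes)"
                            for a, b in sorted(summary[pid]["regions"]))
        print(f"PID {pid}: {', '.join(sorted(summary[pid]['rules']))} in {regions}, "
              f"{summary[pid]['hits']} hit(s)")
    print("image-base hits (hollowed children):", image_base_hits(summary))
```

Run against the full tables, the 0x400000 hits land in 2824, 2620 (Djvu) and 1628 (Vidar), the children that receive SetThreadContext from their parents further down this report. The 2136 hit at 0x1F90000 and the 2168 hit at 0x280000 sit in the parents outside the image mapping, which is consistent with the decrypted payload buffer being staged in the parent before it is written into the child.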
Djvu Ransomware
Ransomware which is a variant of the STOP family.

Downloads MZ/PE file
Executes dropped EXE 12 IoCs
pid | Process
2168 | build2.exe
1628 | build2.exe
2532 | build3.exe
332 | build3.exe
3012 | mstsca.exe
2644 | mstsca.exe
2216 | mstsca.exe
1924 | mstsca.exe
1312 | mstsca.exe
340 | mstsca.exe
1548 | mstsca.exe
2080 | mstsca.exe
Loads dropped DLL 8 IoCs
pid | Process
2620 | b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe
2620 | b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe
812 | WerFault.exe
812 | WerFault.exe
812 | WerFault.exe
812 | WerFault.exe
2620 | b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe
2620 | b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe
Modifies file permissions 1 TTPs 1 IoCs
pid | Process
2908 | icacls.exe
Adds Run key to start application 2 TTPs 1 IoCs
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\356c2969-5b64-4da1-afdc-1539ee879782\\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe\" --AutoStart"
Process: b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
4 | api.2ip.ua
9 | api.2ip.ua
3 | api.2ip.ua
Suspicious use of SetThreadContext 8 IoCs
description | pid | Process | procid_target
PID 2136 set thread context of 2824 | 2136 | b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe | 19
PID 2468 set thread context of 2620 | 2468 | b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe | 31
PID 2168 set thread context of 1628 | 2168 | build2.exe | 33
PID 2532 set thread context of 332 | 2532 | build3.exe | 38
PID 3012 set thread context of 2644 | 3012 | mstsca.exe | 48
PID 2216 set thread context of 1924 | 2216 | mstsca.exe | 50
PID 1312 set thread context of 340 | 1312 | mstsca.exe | 52
PID 1548 set thread context of 2080 | 1548 | mstsca.exe | 54
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 1 IoCs
pid | pid_target | Process | procid_target
812 | 1628 | WerFault.exe | 33
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2484 | schtasks.exe
2856 | schtasks.exe
Modifies system certificate store 3 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | build2.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (binary blob not reproduced in this copy of the report) | build2.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (binary blob not reproduced in this copy of the report) | build2.exe
Note: writes under AuthRoot\Certificates by a process that also leaves CryptnetUrlCache files behind (see Downloads below) are consistent with Windows' automatic root-certificate update running during the process's first TLS connection; they do not by themselves show the sample installing a root certificate of its own.
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid | Process
2824 | b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe
2824 | b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe
2620 | b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe
2620 | b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe
Suspicious use of WriteProcessMemory 64 IoCs
Identical rows of the 64-row table are collapsed; the last column gives how many times each row appears.
description | pid | Process | procid_target | times
PID 2136 wrote to memory of 2824 | 2136 | b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe | 19 | 11
PID 2824 wrote to memory of 2908 | 2824 | b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe | 29 | 4
PID 2824 wrote to memory of 2468 | 2824 | b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe | 30 | 4
PID 2468 wrote to memory of 2620 | 2468 | b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe | 31 | 11
PID 2620 wrote to memory of 2168 | 2620 | b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe | 34 | 4
PID 2168 wrote to memory of 1628 | 2168 | build2.exe | 33 | 11
PID 1628 wrote to memory of 812 | 1628 | build2.exe | 37 | 4
PID 2620 wrote to memory of 2532 | 2620 | b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe | 39 | 4
PID 2532 wrote to memory of 332 | 2532 | build3.exe | 38 | 10
PID 332 wrote to memory of 2484 | 332 | build3.exe | 41 | 1
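Read together, the SetThreadContext and WriteProcessMemory tables describe the sample's injection chain: each stage writes into a freshly spawned copy of itself (or of the dropped build2.exe/build3.exe) and then redirects that child's thread, which is the process-hollowing pattern. The Python below is an added example, not code from the sandbox: it rebuilds the two tables as an event list and correlates them per (source, target) pair, separating hollowing candidates from the ordinary child launches that only show memory writes. The row counts are taken from the tables above; the rule itself (write plus SetThreadContext on the same pair) is this example's assumption.

```python
from collections import defaultdict

SAMPLE = "b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe"

# Constructed from the two tables above: (api, source_pid, target_pid, source_image, times).
# 'times' is how often the row appears in the report; expand() turns it back into events.
REPORT_ROWS = [
    ("WriteProcessMemory", 2136, 2824, SAMPLE, 11),
    ("WriteProcessMemory", 2824, 2908, SAMPLE, 4),        # target is icacls.exe
    ("WriteProcessMemory", 2824, 2468, SAMPLE, 4),
    ("WriteProcessMemory", 2468, 2620, SAMPLE, 11),
    ("WriteProcessMemory", 2620, 2168, SAMPLE, 4),        # target is build2.exe
    ("WriteProcessMemory", 2168, 1628, "build2.exe", 11),
    ("WriteProcessMemory", 1628, 812, "build2.exe", 4),   # target is WerFault.exe
    ("WriteProcessMemory", 2620, 2532, SAMPLE, 4),        # target is build3.exe
    ("WriteProcessMemory", 2532, 332, "build3.exe", 10),
    ("WriteProcessMemory", 332, 2484, "build3.exe", 1),   # target is schtasks.exe
    ("SetThreadContext", 2136, 2824, SAMPLE, 1),
    ("SetThreadContext", 2468, 2620, SAMPLE, 1),
    ("SetThreadContext", 2168, 1628, "build2.exe", 1),
    ("SetThreadContext", 2532, 332, "build3.exe", 1),
    ("SetThreadContext", 3012, 2644, "mstsca.exe", 1),
    ("SetThreadContext", 2216, 1924, "mstsca.exe", 1),
    ("SetThreadContext", 1312, 340, "mstsca.exe", 1),
    ("SetThreadContext", 1548, 2080, "mstsca.exe", 1),
]


def expand(rows):
    """One (api, src, dst, image) tuple per recorded API call."""
    return [(api, src, dst, image)
            for api, src, dst, image, times in rows for _ in range(times)]


def correlate(events):
    """Per (source, target) pair: number of cross-process writes and context changes."""
    pairs = defaultdict(lambda: {"writes": 0, "set_thread_context": 0, "image": None})
    for api, src, dst, image in events:
        pair = pairs[(src, dst)]
        pair["image"] = image
        if api == "WriteProcessMemory":
            pair["writes"] += 1
        elif api == "SetThreadContext":
            pair["set_thread_context"] += 1
    return dict(pairs)


def find_hollowing_candidates(events):
    """Pairs where the source also called SetThreadContext on the target.
    Writing a payload into a suspended child and then pointing its primary thread
    at the new entry point is the process-hollowing (RunPE) pattern; writes on
    their own are also produced by an ordinary CreateProcess."""
    return {k: v for k, v in correlate(events).items() if v["set_thread_context"] > 0}


def plain_spawns(events):
    """Pairs with writes but no SetThreadContext: ordinary child launches in this report."""
    return {k: v for k, v in correlate(events).items() if v["set_thread_context"] == 0}


def hollowed_targets(candidates):
    """PIDs whose image was replaced; YARA hits at the image base should land in these."""
    return {dst for _, dst in candidates}


if __name__ == "__main__":
    events = expand(REPORT_ROWS)
    candidates = find_hollowing_candidates(events)
    for (src, dst), v in sorted(candidates.items()):
        print(f"{v['image']} {src} -> {dst}: {v['writes']} writes, "
              f"{v['set_thread_context']} SetThreadContext")
    print("hollowed PIDs:", sorted(hollowed_targets(candidates)))
```

In this report the hollowed children receive 10 or 11 writes each while plain child launches (icacls.exe, WerFault.exe, schtasks.exe, the dropper stages) receive 1 to 4, but the correlation keys on SetThreadContext rather than on a write count: the WriteProcessMemory table is capped at 64 rows, so the four mstsca.exe pairs appear only in the SetThreadContext table and a write-count rule would miss them.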
Processes
Each entry gives the image path, the command line, the PID and the signatures triggered; the bracketed number is the depth in the process tree.

[1] C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe"
    PID: 2136
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe"
        PID: 2824
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\icacls.exe
            cmdline: icacls "C:\Users\Admin\AppData\Local\356c2969-5b64-4da1-afdc-1539ee879782" /deny *S-1-1-0:(OI)(CI)(DE,DC)
            PID: 2908
            - Modifies file permissions
        [3] C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe
            cmdline: "C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe" --Admin IsNotAutoStart IsNotTask
            PID: 2468
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory
            [4] C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe
                cmdline: "C:\Users\Admin\AppData\Local\Temp\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe" --Admin IsNotAutoStart IsNotTask
                PID: 2620
                - Loads dropped DLL
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of WriteProcessMemory
                [5] C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build2.exe
                    cmdline: "C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build2.exe"
                    PID: 2168
                    - Executes dropped EXE
                    - Suspicious use of SetThreadContext
                    - Suspicious use of WriteProcessMemory
                [5] C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build3.exe
                    cmdline: "C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build3.exe"
                    PID: 2532
                    - Executes dropped EXE
                    - Suspicious use of SetThreadContext
                    - Suspicious use of WriteProcessMemory

[1] C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build2.exe
    cmdline: "C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build2.exe"
    PID: 1628
    - Executes dropped EXE
    - Modifies system certificate store
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\WerFault.exe
        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1628 -s 1444
        PID: 812
        - Loads dropped DLL
        - Program crash

[1] C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build3.exe
    cmdline: "C:\Users\Admin\AppData\Local\0809a0fd-c8f5-4132-9b7f-1d66a0a0335c\build3.exe"
    PID: 332
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\schtasks.exe
        cmdline: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
        PID: 2484
        - Creates scheduled task(s)

[1] C:\Windows\system32\taskeng.exe
    cmdline: taskeng.exe {463077D9-47CD-4ED0-956B-B88E524C77BF} S-1-5-21-3601492379-692465709-652514833-1000:CALKHSYM\Admin:Interactive:[1]
    PID: 3032
    [2] C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
        cmdline: C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
        PID: 3012
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        [3] C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
            cmdline: C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
            PID: 2644
            - Executes dropped EXE
    [2] C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
        cmdline: C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
        PID: 2216
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        [3] C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
            cmdline: C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
            PID: 1924
            - Executes dropped EXE
    [2] C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
        cmdline: C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
        PID: 1312
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        [3] C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
            cmdline: C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
            PID: 340
            - Executes dropped EXE
    [2] C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
        cmdline: C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
        PID: 1548
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        [3] C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
            cmdline: C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
            PID: 2080
            - Executes dropped EXE

[1] C:\Windows\SysWOW64\schtasks.exe
    cmdline: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
    PID: 2856
    - Creates scheduled task(s)
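The process tree above carries the sample's persistence and anti-cleanup artefacts as raw command lines: the icacls ACL denial on the GUID-named drop folder, the SysHelper Run key value and the one-minute Azure-Update-Task scheduled task. The Python below is an added example, not code from the sandbox or the malware: it parses those three strings into structured fields and flags the traits a detection rule would key on. The command lines and registry value are copied from this report; the switch list, the thresholds (a repeat interval of five minutes or less, an action path under AppData) and the right abbreviations decoded are this example's own assumptions.

```python
import re

# Heuristics this example assumes: user-profile drop paths and the GUID-named folders
# this sample creates. SID and icacls right abbreviations follow the Windows documentation.
APPDATA_RE = re.compile(r"\\AppData\\(?:Local|LocalLow|Roaming)\\", re.IGNORECASE)
GUID_DIR_RE = re.compile(r"\\[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\\", re.IGNORECASE)
WELL_KNOWN_SIDS = {"S-1-1-0": "Everyone"}
INHERIT_FLAGS = ("OI", "CI", "IO", "NP", "I")
ICACLS_RIGHTS = {"DE": "delete", "DC": "delete child", "RD": "read data", "WD": "write data",
                 "F": "full access", "M": "modify", "RX": "read and execute"}
SCHTASKS_WITH_VALUE = {"sc", "mo", "tn", "tr", "st", "sd", "ed", "ru", "rp", "s", "u", "p",
                       "d", "m", "i", "ri", "du"}

# Copied from the process tree and the Run-key IoC in this report.
SCHTASKS_CMD = r'/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"'
ICACLS_CMD = r'icacls "C:\Users\Admin\AppData\Local\356c2969-5b64-4da1-afdc-1539ee879782" /deny *S-1-1-0:(OI)(CI)(DE,DC)'
RUN_VALUE = (r'"C:\Users\Admin\AppData\Local\356c2969-5b64-4da1-afdc-1539ee879782'
             r'\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe" --AutoStart')


def split_cmdline(cmdline):
    """Minimal Windows argv split: whitespace separated, a double-quoted run is one token."""
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_schtasks(cmdline):
    """schtasks.exe switches as {name: value or True}, names lower-cased without the slash."""
    toks, opts, i = split_cmdline(cmdline), {}, 0
    while i < len(toks):
        if toks[i].startswith("/"):
            key = toks[i][1:].lower()
            if key in SCHTASKS_WITH_VALUE and i + 1 < len(toks) and not toks[i + 1].startswith("/"):
                opts[key] = toks[i + 1]
                i += 1
            else:
                opts[key] = True
        i += 1
    return opts


def assess_schtask(opts):
    """Why a /create command looks like malware persistence; empty list if it does not."""
    reasons = []
    if "create" not in opts:
        return reasons
    mo = str(opts.get("mo", ""))
    if str(opts.get("sc", "")).lower() == "minute" and mo.isdigit() and int(mo) <= 5:
        reasons.append(f"re-runs every {mo} minute(s)")
    if APPDATA_RE.search(str(opts.get("tr", ""))):
        reasons.append("task action is a binary under the user's AppData")
    if opts.get("f") is True:
        reasons.append("/F silently replaces any existing task with that name")
    return reasons


def parse_icacls(cmdline):
    """Target path plus decoded /deny and /grant ACEs of an icacls command line."""
    toks = split_cmdline(cmdline)
    result = {"path": toks[1] if len(toks) > 1 else None, "deny": [], "grant": []}
    ace_re = re.compile(r"^\*?(?P<sid>[^:]+):(?P<flags>(?:\([^)]*\))+)$")
    for i, tok in enumerate(toks):
        if tok.lower() in ("/deny", "/grant", "/grant:r") and i + 1 < len(toks):
            m = ace_re.match(toks[i + 1])
            if m is None:
                continue
            groups = re.findall(r"\(([^)]*)\)", m["flags"])
            ace = {"sid": m["sid"], "principal": WELL_KNOWN_SIDS.get(m["sid"], m["sid"]),
                   "inherit": [g for g in groups if g in INHERIT_FLAGS],
                   "rights": [ICACLS_RIGHTS.get(r, r) for g in groups
                              if g not in INHERIT_FLAGS for r in g.split(",")]}
            result["deny" if tok.lower() == "/deny" else "grant"].append(ace)
    return result


def parse_run_value(value):
    """Split a Run-key value into exe and arguments and flag suspicious placement."""
    toks = split_cmdline(value)
    exe, args = toks[0], toks[1:]
    reasons = []
    if APPDATA_RE.search(exe):
        reasons.append("autostart binary lives under AppData")
    if GUID_DIR_RE.search(exe):
        reasons.append("binary sits in a GUID-named folder")
    return {"exe": exe, "args": args, "reasons": reasons}


if __name__ == "__main__":
    print("schtasks:", assess_schtask(parse_schtasks(SCHTASKS_CMD)))
    print("icacls:", parse_icacls(ICACLS_CMD)["deny"])
    print("run key:", parse_run_value(RUN_VALUE)["reasons"])
```

Decoding the icacls string makes the ACL readable: principal Everyone (S-1-1-0), inherited by files (OI) and subfolders (CI), denied Delete (DE) and Delete Child (DC). Deny ACEs take precedence over allows, so the copy of the sample placed in that folder cannot be removed, even by an administrator, until the ACL is reset (for example with icacls on the folder with /reset from an elevated prompt) or ownership is retaken.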
Network

MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize: 1KB
MD5: b7470a9aa569b259d4c2bb3b80ae3aa3
SHA1: 093290296b7f1e402ef96e4b33a88f064aa401eb
SHA256: ee8aeed77dd9f1631fa75845214d75bfe04951a61892410ee369035e13fd14c6
SHA512: 4da3fc09260692f159c37b068664852931b712c8173de5e4b294799ac33ecf179055aaeb016fd0afad88cbfc50a571c4c88033dca56a573431af7462ea7979be

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize: 724B
MD5: 8202a1cd02e7d69597995cabbe881a12
SHA1: 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256: 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512: 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize: 410B
MD5: 4862e55474a68bd103b48d8276555bc8
SHA1: dbe4d390b5dfa7035feb496c10cc8ca523232899
SHA256: c8a0d03c1b272ad150705519a1a4f4a38b94cf108516ee5638ec3beda45913a0
SHA512: 38b1ba6427d831bbc9d73cb53e91525109765e6bb866914c6ed73d21c9e798af662a5edfe64ff25765bacb4192320558ac1241dc2f65ab56af8b1ac93e6913b5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: d6bd3ce44cb6dbb5a3a758df70b8d2dc
SHA1: ba6edc650597c9b91efcd1fe7fd648db4d18ac8f
SHA256: bf9ec23bbd2ff9112e6b30fb4f87c0ebb70f55bb2d24d37263aa292371733b94
SHA512: b20a4c7c896c7dced9896a6624f4457e622370f7371c821be1d7e0020fb86e5a1a7c197f744c53127d7fd717cce4ee059f56add9116a77e66e7f6713d92fa001

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 91462fff5e024ff68587cb99536df527
SHA1: 32d8a51b9b33fb8f073a3e8294caa54f1ce9c0a3
SHA256: cf8e8a70e603049d21d5b49f14c1ee1390695208381466caaf3d3298340ecc7f
SHA512: 127a30d18faf1ca1940f6748b592277685c1eb5a79b9e6de7bd14061a3a0610eb8f23d0128cd827cb392d886ab2c5ebfa6be54bfc225bf465809d72e4d9f2938

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize: 392B
MD5: d6aff1f132ae20154c85d34d81f08df0
SHA1: 39d4255799529b1810b2cedff76468deffd62361
SHA256: 2dfab86586ecf066e64645e25c303a993bf8dc553a123670acd7162273c76f5d
SHA512: 4fb7f8b3dc0ded44af80fb35fade0611fd021d555b95fb8d2bfb7233be7c55b8e38c6e2f742f4ad952b112e6da744300b7618dd07db8e67cefb488fca4ab2c32

Filesize: 29KB
MD5: b071926dcdb69fc865386c11d5af1549
SHA1: 92310d34e8b3dfa6f6a8357e7fca6ac17441ca36
SHA256: e53bf6142b8c04425d0295e0b128af57310f7c052d93ce626520774d7a3d978e
SHA512: 28affb69a6d3421693b771d06ef6102b4c3045ecaa777e7ed13d90071cdb0735bbc6d30c9411b2aed6419744e3643ff93d9c16c3aafb9a2c2d1bf1c7bcf34ad8

Filesize: 108KB
MD5: 7f531c744b9b3e4aa7c43f594373862f
SHA1: b639aff94453644fde55e69701da371b5701a9d4
SHA256: 1d03309bb5e2db582a71936421e05bcd710d9b7032aab5799c977602c6d17227
SHA512: c9f49df136fd9c87e321640b8347dea54fc1d1b6393dad57d4598b781350038caa7c1804e411a532f6140228d0d3bc55cecb9c43028e0b56b2e5f34b36a4d9aa

Filesize: 61KB
MD5: 5b586278979a109655f55c7d0175d106
SHA1: 522262741c052a130958e582a3c8b1b68e6ee0b5
SHA256: ce1e4fdf5ba3b89a95def955b6e89ca2bd819a90294d98dfa3efcf1e798d136c
SHA512: 4091cb6fae153845ceb45590327c67b6684a1eb1cb67bf85e3bb6888a4f990bbfd21c018b9d108e20ff7c6ef5be71b23ae7f0bee573ff269bf7b9449372ed9b1

Filesize: 275KB
MD5: 109f7b17791be79c8253edd0d267d8ad
SHA1: 34143163df2135220184a23287802fe47381bc36
SHA256: e7bdbea65830b81532dd18aa6a98b7d875100dc177ff6bc3f86963584aaf024b
SHA512: 3a20113d32ce86471af55ac459e35f750514dfba2f75a440e5f56a1b8b05192ffa6a8c2714c170ad3600a42bf493820c3a2e74d948a5cd0b3166d31eddd9c89a

Filesize: 117KB
MD5: c89db5554f918664de6506bed6bfe471
SHA1: 6b0aa2bfcdd4ffdd237ea1a16b0661065e88f1ee
SHA256: c976a1c217fc221d6e8b93c20708405508025bfe1bc492823fa133c02daea0a3
SHA512: 9ff01beff0fe0a9f3d1e18847465e632f175aead18d75dd3121057aa2e8eb6c68cb5b82a787dccf8b1a7dfaca262d4d542e765a416a8b955f64a6371decc4228

Filesize: 42KB
MD5: f384ec915bf063cd24b0a821d946e533
SHA1: d5ffc9314cb1bf6799928685251cc4766bf868d1
SHA256: f167600efe9cedc4e12a5d3bc500fd414100d8ee63c33179beadd4b80e6b15a8
SHA512: e72dd94fe36e72c173040729bb038b3eaf87b7f48b93b55c953492648de757e9a62c1153efa14a62751f2fd6e6859d7fc71f1dbcdfa8bea38196ce0c5c828314

Filesize: 75KB
MD5: c06cd075a1452e83c8fba3c4b8fcabf0
SHA1: fdf53e934903a3d8e65dea9676a0f5164a1b3fd8
SHA256: f855eaa3d305579505f231c0c5def62f174013623bcb527debefa29f0718c02b
SHA512: b6fb1fa8dbfcff34f0fda92b6b231899f6161c3d660c0a4988365b47b132ad688b90cde56b75adbde105d4b28140b13a3f4a60bd64fefda8cfb5a535e5d85500

Filesize: 299KB
MD5: 41b883a061c95e9b9cb17d4ca50de770
SHA1: 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256: fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512: cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

C:\Users\Admin\AppData\Local\356c2969-5b64-4da1-afdc-1539ee879782\b6e0b3fdd03c8e6da4709362e6c1dc95e5af4443a5bb6335ab848c1f26c0bee5.exe
Filesize: 45KB
MD5: 22788ef65dc39ffef5312db57b0c9310
SHA1: e836c5e938eff1179dc6b774a09d3e7e90265593
SHA256: 9b71de9cf866b5b585d1e8c174c8c2048736c1a35cbceec1dd57007981e531c6
SHA512: 29b0e053cce0f6e73085e968af1c15c4b0a555523ee429947b193097d3506e3ceda5d2a4aed84aecfa8539e843ae845739fcf13110b069292e9c75ed8b8a7498

Filesize: 65KB
MD5: ac05d27423a85adc1622c714f2cb6184
SHA1: b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256: c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512: 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Filesize: 120KB
MD5: ebc7560d2e0e44f9127eef79c8dfa12f
SHA1: 510e98889070f7a041026722bc16ed1fbbd7ff8a
SHA256: 472ada3a26896b84fb5b47446f863b40b472dca5543b33b139b43c81884fc744
SHA512: a4190c74678a810c2d5ab96004a2d306269e107792adb2362bf04b5b3d52dbccad850fa224cc9a36463dfa8c5d529a0bba915adbfd9e9297011ee8b0636f21c3

Filesize: 282KB
MD5: 4d848c2bdb8f20582e3106127393f8f7
SHA1: 896adf8e2dfd3c5772b97431dc22000caf876aa6
SHA256: 2be02bf10903444f137b10ebf346b22c8c7e5aec3e23a4f81f8e8167fbce8851
SHA512: ce61a8db930482c7e8a36d0c9e0759e845e76da1000b3d5a65addc639ce9d6c8a4b765199da9775ed9d3fbfc7073af02b00dd8b2929dae5b931a9773ea1939f1

Filesize: 157KB
MD5: a9137630666f569392a9498766657d2c
SHA1: 2b44e02c7209ccff03993b34467bdd42536b6eff
SHA256: 9217713dd630683359996518a0ee48d5be19af36867b62b4736b820c9956d712
SHA512: 1b66b815690fb4f1501f83d4e62a10bc038bb10fa3b2c1cb20d60e881c5ea057c4272d1049baf65cced8632c9b5652b78d55c69936c21e964ec2663139cb7695

Filesize: 13KB
MD5: 764dc93cee29e80fb0249489d9138e84
SHA1: 4d9f306b5076ee63a19bb2594588eadec40985a1
SHA256: 9a88d4a90f0ff46d37628fb566f9bd1c710cb06d6be140f668524098b013f039
SHA512: 190085000daae7696a0fa15e5e56b67eaa76779574345d03d2ba318a341f6dcfe0ac7616f129756b16fd91016d85547971127d953a9a923db4558ab3551c6f84

Filesize: 92KB
MD5: 4b3fc3105731c7ff3a7e3966416912a2
SHA1: 0e792bf25e8795158074fa6bd2ee87ad16675124
SHA256: c0f698bcc4324958848de5d8e1b1bdaed5e01632d8c827a5a95356eb04a2c443
SHA512: 6ed5ee0139d9d9a676232a6c5d6e9a8528f880025a11fccf8a1a32a999ae5fac41f993c384fabec788e4e47da714d67f1def0348da6b0f4392e7fc7ff1098c28

Filesize: 63KB
MD5: 53c1d0419cc1e389423616aaf846b963
SHA1: 6fd24277680bc838a2ccfa9d097d186ec5c0a2bb
SHA256: 6d4712ed74160e655967433583d644da0d99c6739b7bf064a17a86b88bdaaae5
SHA512: 472592264e8cef327cf5eab26d5d4482d81da03e1c6f5587d38dec0cae481959a965b5f43d10a578af9acf817fa85ab392f0b3a61e79bf0c2f505b8657df56f5

Filesize: 269KB
MD5: 1e4ea4014fb21520abe07b3a598bf88e
SHA1: e1017249638c61efe983721ac1be953870d9d675
SHA256: d8020fc96492cc7de30fe35c2f2324569af675d795fdd792007c5d044eb27a37
SHA512: 0848753cade4f47873fe746605173e2a336183a232920f5e91f6dc03372ead74f182d7f14594c99a2419100ee11f54fa9516cbf89584ef72090ad954149d5ea3

Filesize: 100KB
MD5: f57ec55e923cd5a711f014e1bc602b71
SHA1: a3395fa9753d6204bcce561b731cc53875536515
SHA256: e6dcfe9e42367d16c31ee586b7ea5f66b5e853d7796a635b611ee99e375302ed
SHA512: 8c17097dda9970a704f9d29cf07ce8509865a6aba6cee84cbb670b36e2b6d7289a15c5796e653cc8569218b88635c9b4c07a64be2f86c7e6a6fedad27ab92c69

Filesize: 235KB
MD5: 40ef730b610d3d44d531c409af7b8482
SHA1: 21180b11c322c179acad871a43b0a1447baa3b57
SHA256: 651331f22307be173e49fd2d986236899d499be3b941eef8d734f599c9de130b
SHA512: 6ea7442215229079ed49a7fd90e1e9569a2d6a2e6fd481bf1243186586753a66d8e485d472d394b6b1fd0c357aeaed5f0abbe5b72db0656a57fb120493d797f1

Filesize: 358KB
MD5: c4070da9f9b0581171af16e681ccdff8
SHA1: 3fb4182921fdc3acd7873ebe113ac5522585312a
SHA256: 26063c78e5418610471a9f3a00a155d7d1e5b29856e1979ba3bdc42681a871d0
SHA512: c7569cea7f1a841e7cac9cd41287dba3bcacf2cf9dee7bece88800848a7ad5dc4cd2bdc896c7389f0f1144079bbe168048b3f722bcd76fa5d6e14f3081bb6427

Filesize: 196KB
MD5: ed8e13e5a7554cff7d7c2db0d2455417
SHA1: c5311f99993930dc21caca5a4c50ab0195da6dba
SHA256: 4a42c23f02cf5d7ed4d23327ff8aeb6de904d4f27489ced487e3d7e8836966ea
SHA512: 6533c306be27d17f280aa62c674daedd8b3ee9e8fded5f09253ee912b573a4a081ba864308cd434dc7e02fb5f90849e92efe27168793f30308e7312bf8c4d6da

Filesize: 220KB
MD5: dca6d478b929680dc412b2612c57f4b2
SHA1: 443cec2378f02be49b96f86011a0ae84483a0784
SHA256: 9a93f79207c25873efa7fd2712f48a1a3dc2503ba460e7fc0d49c34e2d45eca1
SHA512: dd2cdcaade8e06c7edcb8d4336b1b0b298887117e0f1eee6ae8ac05679f04fab03013607bbda0ce5959b3be97900963c10de488b36c2716076cda2cee4a6ce49

Filesize: 224KB
MD5: 2c89c33e1c69ed6e5c2680e86a66f88c
SHA1: 1351ce7db5e2a7d6e9c9d054a89fce8dc2e17ef9
SHA256: 82f3c2eb7b8252e8898d1144e93738de4f87cd78eedcfa0372b5b04f58918d6f
SHA512: 2ca42581c8494318e7b380338d5fc09adf751a132ccb4dc1fa6c4942a92bfb948613f40f5234bee547c7d6555a384a2489876c9b0e60ed632a34dee2b3783e19

Filesize: 249KB
MD5: f1e34351afeb5d0dde190bed8f6854e0
SHA1: 59afa42f892a0389e9e95d05b257385ba5041e87
SHA256: 543e79ace9beffd86df38e5e2ff01416edb8026834b61674dd39343513085c7e
SHA512: ea327f043610bb4d06e40a8774107208e84ce36d9c06602fdf8b84cd6b3d09016f7859b5f7b103bbb4a1b8bee4eacd26e895bbd933370226d359419518ebc1f8

Filesize: 161KB
MD5: 7b128430e59813ae7189e3cbab0f1248
SHA1: f3d101b236ca9d14d30aca0d736f3bff90448d16
SHA256: 6a97c744d60c421cc946aa214139e16ca71f9245c36a6bd1eee339d8245c67fb
SHA512: 494f90339e30fba7b1c7e4c6db3e0aa0ca012762d7ae87cbb6678b21468e89981f7938f937bc106f3de9dddce154c0fc46c02909779b3ad0ec1cce95b4220154

Filesize: 122KB
MD5: 8bba81fc4053282dad3413859fdfcf80
SHA1: b8c0df632265e2c0c6a9d8c3b10de25740b763e0
SHA256: ee702a0e709163c481a0c1321b174dc8b824697022e62a41df89745643a17c0a
SHA512: 1c36e881d6d81c2c254e3fb923cb028ea2799a32ce40849b11942a264e57e3757ae7ce606dd3613d0306ce085dda66684659695b51c4cbc69bca5e8be417aebd