Analysis
-
max time kernel
295s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system -
submitted
15/01/2024, 04:55
Static task
static1
Behavioral task
behavioral1
Sample
a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe
Resource
win10-20231215-en
General
-
Target
a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe
-
Size
735KB
-
MD5
3c2b31e7c091650e12934ee8eeaeeb58
-
SHA1
5848274e0b6da2d94d28b32314a5b9b56d2d7a5e
-
SHA256
a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a
-
SHA512
fde24a46c657248611e27feb5835eb76e12ba828028b1ba514ff98cf5046f122d68e179923f6c52edec0c97edc578f7a6e0671eda12799ce4351f934db0d6100
-
SSDEEP
12288:89z7w/ixbv7lzUwXOwuG6rVAPJChCEzIa5vMFiZL1jb1yP0t5BwEYNi7/S:89z7wibTxUwXOw6WIDzXyiZW09fei7
Malware Config
Extracted
djvu
http://habrafa.com/test1/get.php
-
extension
.cdpo
-
offline_id
Bn3q97hwLouKbhkQRNO4SeV07gjdEQVm8NKhg0t1
-
payload_url
http://brusuax.com/dl/build2.exe
http://habrafa.com/files/1/build3.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-FCWSCsjEWS Price of private key and decrypt software is $1999. Discount 50% available if you contact us first 72 hours, that's price for you is $999. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0844OSkw
Signatures
-
Detect Vidar Stealer 5 IoCs
resource yara_rule
behavioral1/memory/2520-72-0x0000000000400000-0x000000000065E000-memory.dmp family_vidar_v6
behavioral1/memory/2520-78-0x0000000000400000-0x000000000065E000-memory.dmp family_vidar_v6
behavioral1/memory/2520-77-0x0000000000400000-0x000000000065E000-memory.dmp family_vidar_v6
behavioral1/memory/1340-76-0x00000000001C0000-0x000000000020B000-memory.dmp family_vidar_v6
behavioral1/memory/2520-226-0x0000000000400000-0x000000000065E000-memory.dmp family_vidar_v6
-
Detected Djvu ransomware 16 IoCs
resource yara_rule
behavioral1/memory/1852-4-0x00000000006C0000-0x00000000007DB000-memory.dmp family_djvu
behavioral1/memory/1612-5-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu
behavioral1/memory/1612-7-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu
behavioral1/memory/1612-8-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu
behavioral1/memory/1612-26-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu
behavioral1/memory/2580-34-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu
behavioral1/memory/2580-35-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu
behavioral1/memory/2580-49-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu
behavioral1/memory/2580-48-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu
behavioral1/memory/2580-53-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu
behavioral1/memory/2580-56-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu
behavioral1/memory/2580-55-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu
behavioral1/memory/1340-75-0x00000000002E0000-0x00000000003E0000-memory.dmp family_djvu
behavioral1/memory/2580-114-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu
behavioral1/memory/2580-169-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu
behavioral1/memory/1340-228-0x00000000001C0000-0x000000000020B000-memory.dmp family_djvu
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Downloads MZ/PE file
-
Executes dropped EXE 14 IoCs
pid Process
1340 build2.exe
2520 build2.exe
268 build3.exe
2144 build3.exe
1908 mstsca.exe
1520 mstsca.exe
776 mstsca.exe
2436 mstsca.exe
532 mstsca.exe
760 mstsca.exe
2712 mstsca.exe
1576 mstsca.exe
3064 mstsca.exe
2900 mstsca.exe
-
Loads dropped DLL 8 IoCs
pid Process
2580 a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe
2580 a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe
2580 a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe
2580 a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe
912 WerFault.exe
912 WerFault.exe
912 WerFault.exe
912 WerFault.exe
-
Modifies file permissions 1 TTPs 1 IoCs
pid Process
2680 icacls.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\24a08177-5051-4a05-82e2-978b9537af99\\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe\" --AutoStart" a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc
3 api.2ip.ua
4 api.2ip.ua
9 api.2ip.ua
-
Suspicious use of SetThreadContext 9 IoCs
description pid Process procid_target
PID 1852 set thread context of 1612 1852 a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe 28
PID 2664 set thread context of 2580 2664 a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe 31
PID 1340 set thread context of 2520 1340 build2.exe 34
PID 268 set thread context of 2144 268 build3.exe 38
PID 1908 set thread context of 1520 1908 mstsca.exe 43
PID 776 set thread context of 2436 776 mstsca.exe 49
PID 532 set thread context of 760 532 mstsca.exe 51
PID 2712 set thread context of 1576 2712 mstsca.exe 53
PID 3064 set thread context of 2900 3064 mstsca.exe 55
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target
912 2520 WerFault.exe 34
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process
2904 schtasks.exe
1864 schtasks.exe
-
Modifies system certificate store
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 build2.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (binary blob omitted) build2.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (binary blob omitted) build2.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process
1612 a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe
2580 a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
Process tree (indentation shows parent/child depth; each entry lists image path, command line, signatures and PID):

C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe
"C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe"
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1852

  C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe
  "C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe"
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1612

    C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\24a08177-5051-4a05-82e2-978b9537af99" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    - Modifies file permissions
    PID:2680

    C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe
    "C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe" --Admin IsNotAutoStart IsNotTask
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2664

      C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe
      "C:\Users\Admin\AppData\Local\Temp\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe" --Admin IsNotAutoStart IsNotTask
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID:2580

        C:\Users\Admin\AppData\Local\eb5dcb5b-778c-410f-8c36-47ecea83187d\build2.exe
        "C:\Users\Admin\AppData\Local\eb5dcb5b-778c-410f-8c36-47ecea83187d\build2.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
        PID:1340

          C:\Users\Admin\AppData\Local\eb5dcb5b-778c-410f-8c36-47ecea83187d\build2.exe
          "C:\Users\Admin\AppData\Local\eb5dcb5b-778c-410f-8c36-47ecea83187d\build2.exe"
          - Executes dropped EXE
          - Modifies system certificate store
          - Suspicious use of WriteProcessMemory
          PID:2520

            C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 1436
            - Loads dropped DLL
            - Program crash
            PID:912

        C:\Users\Admin\AppData\Local\eb5dcb5b-778c-410f-8c36-47ecea83187d\build3.exe
        "C:\Users\Admin\AppData\Local\eb5dcb5b-778c-410f-8c36-47ecea83187d\build3.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
        PID:268

          C:\Users\Admin\AppData\Local\eb5dcb5b-778c-410f-8c36-47ecea83187d\build3.exe
          "C:\Users\Admin\AppData\Local\eb5dcb5b-778c-410f-8c36-47ecea83187d\build3.exe"
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory
          PID:2144

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
- Creates scheduled task(s)
PID:2904

C:\Windows\system32\taskeng.exe
taskeng.exe {D0EDE7BC-9159-4D69-9190-ABFF6977CB4A} S-1-5-21-3818056530-936619650-3554021955-1000:SFVRQGEO\Admin:Interactive:[1]
PID:1428

  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1908

    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    - Executes dropped EXE
    PID:1520

      C:\Windows\SysWOW64\schtasks.exe
      /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
      - Creates scheduled task(s)
      PID:1864

  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:776

    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    - Executes dropped EXE
    PID:2436

  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:532

    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    - Executes dropped EXE
    PID:760

  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2712

    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    - Executes dropped EXE
    PID:1576

  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:3064

    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    - Executes dropped EXE
    PID:2900

Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution 1
Registry Run Keys / Startup Folder 1
Scheduled Task/Job 1
Privilege Escalation
Boot or Logon Autostart Execution 1
Registry Run Keys / Startup Folder 1
Scheduled Task/Job 1
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize 1KB
MD5 b7470a9aa569b259d4c2bb3b80ae3aa3
SHA1 093290296b7f1e402ef96e4b33a88f064aa401eb
SHA256 ee8aeed77dd9f1631fa75845214d75bfe04951a61892410ee369035e13fd14c6
SHA512 4da3fc09260692f159c37b068664852931b712c8173de5e4b294799ac33ecf179055aaeb016fd0afad88cbfc50a571c4c88033dca56a573431af7462ea7979be
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize 724B
MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize 410B
MD5 053e0961fc5841d063419890e657216e
SHA1 85d420bf7c5370df818b7286ef3c9b9ff252ffea
SHA256 67ca9657ce00b3fffe57925a937ab31c0e86c40998775ace1e57fb1ede44601c
SHA512 0e38144f33364d16d17d5593b3eb04276a35f412c7a7f402f5eadd34c8866b4edd38b948181bc4f883ce004f0f948a89ab8808f42366e0e537db19852d7a7789
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 684f353424c623330a61ea87a660b84e
SHA1 85699f1b3e449d07844d0bcf707f34438cc8abcf
SHA256 b224357d2cb524e055f9bd565ff3edb55b6ed56ba636ccfb1f7a007aebd1311b
SHA512 c6c437962047a3614eafa693c81c9b86a9bda04695ddc81b8df40dc0d16447855dd6dbdec9da720e1a381fb9b20a8477f17b585469545910e881cfbcab95ab35
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 2f2f3c5a52379836dc15a1e6b6645956
SHA1 1926098223f2c5da36107d5e146e19b95b58495e
SHA256 35c2e360cab77a557e95248429a15b137e7a69c7268d2b72c7d053d4bf42215a
SHA512 8613dcfeeea14bbe930540319ae52a605db722f4443f04319ba1a69a050143dd07a641ef2136c0978f9d661a44a0d12450e515584cbf933b09eee583a159c8c6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize 392B
MD5 0949ff744fb3ba42b01ae456dc6733a7
SHA1 c117219a9a1cb6469fe447f295108ee7f570ae64
SHA256 b4a92323e80f5b8cd3f2f148d1ac0fd80219f8f9d327755dcd0c409f5a7e7388
SHA512 10121276da3190020a7a202e9f632607469c3f08809eeb54c75741b071c6341214af19f71e00440b3d127fceea2bf03f9cef8e1202419291d686a795fe2f177e
-
C:\Users\Admin\AppData\Local\24a08177-5051-4a05-82e2-978b9537af99\a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a.exe
Filesize 735KB
MD5 3c2b31e7c091650e12934ee8eeaeeb58
SHA1 5848274e0b6da2d94d28b32314a5b9b56d2d7a5e
SHA256 a3113438508c7141c5f4cd4ad3ea64a4e9f08a87944ad2ceb5760e539e6a8d1a
SHA512 fde24a46c657248611e27feb5835eb76e12ba828028b1ba514ff98cf5046f122d68e179923f6c52edec0c97edc578f7a6e0671eda12799ce4351f934db0d6100