Analysis
max time kernel: 298s
max time network: 131s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64 arch:x86 image:win7-20231129-en locale:en-us os:windows7-x64 system
submitted: 15/01/2024, 04:56
Static task: static1
Behavioral task: behavioral1
  Sample: b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe
  Resource: win10-20231215-en
General
Target: b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe
Size: 811KB
MD5: 9244e8dafdb3baa6ebbf1eed741fc1bb
SHA1: ad7620174b2d4ac4461f1d8623e632e4b63fa867
SHA256: b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877
SHA512: c5e79d0f52bf4cf374f86325d4be819573e9cbad4afe57d164c83ce2806095c76b81a7f34dbfe71a64b29563c289a4b872a61459fbc7d9da16308eb0798a10b8
SSDEEP: 12288:QpoaBPg7lN6/RFLeoA03fdZh+UwvL1hd4JMuUzgAl8F5bLlt89SOUx5ruaBsi:OgR4XCXcsphd4JMh8vdt896xAaBs
Malware Config
Extracted
djvu
  http://zexeq.com/test1/get.php
  extension: .cdwe
  offline_id: dSwr1XNNi5cIitB5eDPbMANcusB1dWGDB8ToUnt1
  payload_url:
    http://brusuax.com/dl/build2.exe
    http://zexeq.com/files/1/build3.exe
  ransomnote: ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-e21iz7dS58 Price of private key and decrypt software is $1999. Discount 50% available if you contact us first 72 hours, that's price for you is $999. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0842ASdw
Signatures

Detect Vidar Stealer 5 IoCs
resource | yara_rule
behavioral1/memory/2900-91-0x0000000000230000-0x000000000027B000-memory.dmp | family_vidar_v6
behavioral1/memory/1228-92-0x0000000000400000-0x000000000065E000-memory.dmp | family_vidar_v6
behavioral1/memory/1228-93-0x0000000000400000-0x000000000065E000-memory.dmp | family_vidar_v6
behavioral1/memory/1228-87-0x0000000000400000-0x000000000065E000-memory.dmp | family_vidar_v6
behavioral1/memory/1228-219-0x0000000000400000-0x000000000065E000-memory.dmp | family_vidar_v6

Detected Djvu ransomware 15 IoCs
resource | yara_rule
behavioral1/memory/2816-3-0x0000000002150000-0x000000000226B000-memory.dmp | family_djvu
behavioral1/memory/2824-7-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral1/memory/2824-8-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral1/memory/2824-5-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral1/memory/2824-44-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral1/memory/2784-53-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral1/memory/2784-52-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral1/memory/2784-70-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral1/memory/2784-69-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral1/memory/2784-71-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral1/memory/2784-128-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral1/memory/2784-215-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral1/memory/2784-218-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral1/memory/2784-217-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral1/memory/2784-220-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.

Downloads MZ/PE file
Executes dropped EXE 2 IoCs
pid | Process
2900 | build2.exe
1228 | build2.exe

Loads dropped DLL 6 IoCs
pid | Process
2784 | b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe
2784 | b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe
1692 | WerFault.exe
1692 | WerFault.exe
1692 | WerFault.exe
1692 | WerFault.exe

Modifies file permissions 1 TTPs 1 IoCs
pid | Process
948 | icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\1a841c40-07de-44a9-bedd-c24a30328690\\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe\" --AutoStart" | b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
4 | api.2ip.ua
16 | api.2ip.ua
3 | api.2ip.ua
Suspicious use of SetThreadContext 3 IoCs
description | pid | Process | procid_target
PID 2816 set thread context of 2824 | 2816 | b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe | 28
PID 2580 set thread context of 2784 | 2580 | b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe | 32
PID 2900 set thread context of 1228 | 2900 | build2.exe | 34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Program crash 1 IoCs
pid | pid_target | Process | procid_target
1692 | 1228 | WerFault.exe | 34

Modifies system certificate store
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | build2.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [certificate blob data not reproduced] | build2.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [certificate blob data not reproduced] | build2.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C | b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = [certificate blob data not reproduced] | b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = [certificate blob data not reproduced] | b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C | b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = [certificate blob data not reproduced] | b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs
pid | Process
2824 | b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe
2824 | b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe
2784 | b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe
2784 | b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe
Suspicious use of WriteProcessMemory 49 IoCs
description | pid | Process | procid_target
PID 2816 wrote to memory of 2824 | 2816 | b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe | 28
PID 2816 wrote to memory of 2824 | 2816 | b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe | 28
PID 2816 wrote to memory of 2824 | 2816 | b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe | 28
PID 2816 wrote to memory of 2824 | 2816 | b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe | 28
PID 2816 wrote to memory of 2824 | 2816 | b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe | 28
PID 2816 wrote to memory of 2824 | 2816 | b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe | 28
PID 2816 wrote to memory of 2824 | 2816 | b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe | 28
PID 2816 wrote to memory of 2824 | 2816 | b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe | 28
PID 2816 wrote to memory of 2824 | 2816 | b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe | 28
PID 2816 wrote to memory of 2824 | 2816 | b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe | 28
PID 2816 wrote to memory of 2824 | 2816 | b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe | 28
PID 2824 wrote to memory of 948 | 2824 | b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe | 30
PID 2824 wrote to memory of 948 | 2824 | b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe | 30
PID 2824 wrote to memory of 948 | 2824 | b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe | 30
PID 2824 wrote to memory of 948 | 2824 | b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe | 30
PID 2824 wrote to memory of 2580 | 2824 | b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe | 31
PID 2824 wrote to memory of 2580 | 2824 | b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe | 31
PID 2824 wrote to memory of 2580 | 2824 | b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe | 31
PID 2824 wrote to memory of 2580 | 2824 | b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe | 31
PID 2580 wrote to memory of 2784 | 2580 | b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe | 32
PID 2580 wrote to memory of 2784 | 2580 | b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe | 32
PID 2580 wrote to memory of 2784 | 2580 | b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe | 32
PID 2580 wrote to memory of 2784 | 2580 | b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe | 32
PID 2580 wrote to memory of 2784 | 2580 | b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe | 32
PID 2580 wrote to memory of 2784 | 2580 | b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe | 32
PID 2580 wrote to memory of 2784 | 2580 | b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe | 32
PID 2580 wrote to memory of 2784 | 2580 | b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe | 32
PID 2580 wrote to memory of 2784 | 2580 | b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe | 32
PID 2580 wrote to memory of 2784 | 2580 | b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe | 32
PID 2580 wrote to memory of 2784 | 2580 | b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe | 32
PID 2784 wrote to memory of 2900 | 2784 | b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe | 35
PID 2784 wrote to memory of 2900 | 2784 | b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe | 35
PID 2784 wrote to memory of 2900 | 2784 | b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe | 35
PID 2784 wrote to memory of 2900 | 2784 | b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe | 35
PID 2900 wrote to memory of 1228 | 2900 | build2.exe | 34
PID 2900 wrote to memory of 1228 | 2900 | build2.exe | 34
PID 2900 wrote to memory of 1228 | 2900 | build2.exe | 34
PID 2900 wrote to memory of 1228 | 2900 | build2.exe | 34
PID 2900 wrote to memory of 1228 | 2900 | build2.exe | 34
PID 2900 wrote to memory of 1228 | 2900 | build2.exe | 34
PID 2900 wrote to memory of 1228 | 2900 | build2.exe | 34
PID 2900 wrote to memory of 1228 | 2900 | build2.exe | 34
PID 2900 wrote to memory of 1228 | 2900 | build2.exe | 34
PID 2900 wrote to memory of 1228 | 2900 | build2.exe | 34
PID 2900 wrote to memory of 1228 | 2900 | build2.exe | 34
PID 1228 wrote to memory of 1692 | 1228 | build2.exe | 38
PID 1228 wrote to memory of 1692 | 1228 | build2.exe | 38
PID 1228 wrote to memory of 1692 | 1228 | build2.exe | 38
PID 1228 wrote to memory of 1692 | 1228 | build2.exe | 38
Processes

C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe"
  PID: 2816
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe"
    PID: 2824
    - Adds Run key to start application
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\icacls.exe
      command line: icacls "C:\Users\Admin\AppData\Local\1a841c40-07de-44a9-bedd-c24a30328690" /deny *S-1-1-0:(OI)(CI)(DE,DC)
      PID: 948
      - Modifies file permissions

    C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe" --Admin IsNotAutoStart IsNotTask
      PID: 2580
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe" --Admin IsNotAutoStart IsNotTask
        PID: 2784
        - Loads dropped DLL
        - Modifies system certificate store
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\82a50f60-3da1-4701-8546-ab7c7abc9cb1\build2.exe
          command line: "C:\Users\Admin\AppData\Local\82a50f60-3da1-4701-8546-ab7c7abc9cb1\build2.exe"
          PID: 2900
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory

C:\Users\Admin\AppData\Local\82a50f60-3da1-4701-8546-ab7c7abc9cb1\build2.exe
  command line: "C:\Users\Admin\AppData\Local\82a50f60-3da1-4701-8546-ab7c7abc9cb1\build2.exe"
  PID: 1228
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1228 -s 1452
    PID: 1692
    - Loads dropped DLL
    - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads