Analysis Overview
SHA256
b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877
Threat Level: Known bad
The file b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877 was found to be: Known bad.
Malicious Activity Summary
Detected Djvu ransomware
Djvu Ransomware
Detect Vidar Stealer
Vidar
Downloads MZ/PE file
Executes dropped EXE
Modifies file permissions
Loads dropped DLL
Looks up external IP address via web service
Adds Run key to start application
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
Unsigned PE
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-15 04:56
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-15 04:56
Reported
2024-01-15 05:01
Platform
win7-20231129-en
Max time kernel
298s
Max time network
131s
Command Line
Signatures
Detect Vidar Stealer
Detected Djvu ransomware
Djvu Ransomware
Vidar
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\82a50f60-3da1-4701-8546-ab7c7abc9cb1\build2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\82a50f60-3da1-4701-8546-ab7c7abc9cb1\build2.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\1a841c40-07de-44a9-bedd-c24a30328690\\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2816 set thread context of 2824 | N/A | C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe | C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe |
| PID 2580 set thread context of 2784 | N/A | C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe | C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe |
| PID 2900 set thread context of 1228 | N/A | C:\Users\Admin\AppData\Local\82a50f60-3da1-4701-8546-ab7c7abc9cb1\build2.exe | C:\Users\Admin\AppData\Local\82a50f60-3da1-4701-8546-ab7c7abc9cb1\build2.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\82a50f60-3da1-4701-8546-ab7c7abc9cb1\build2.exe |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\82a50f60-3da1-4701-8546-ab7c7abc9cb1\build2.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (certificate blob omitted) | C:\Users\Admin\AppData\Local\82a50f60-3da1-4701-8546-ab7c7abc9cb1\build2.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (certificate blob omitted) | C:\Users\Admin\AppData\Local\82a50f60-3da1-4701-8546-ab7c7abc9cb1\build2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C | C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = (certificate blob omitted) | C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = (certificate blob omitted) | C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C | C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = (certificate blob omitted) | C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe
"C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe"
C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe
"C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\1a841c40-07de-44a9-bedd-c24a30328690" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe
"C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe
"C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\82a50f60-3da1-4701-8546-ab7c7abc9cb1\build2.exe
"C:\Users\Admin\AppData\Local\82a50f60-3da1-4701-8546-ab7c7abc9cb1\build2.exe"
C:\Users\Admin\AppData\Local\82a50f60-3da1-4701-8546-ab7c7abc9cb1\build2.exe
"C:\Users\Admin\AppData\Local\82a50f60-3da1-4701-8546-ab7c7abc9cb1\build2.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1228 -s 1452
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 172.67.139.220:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 216.239.32.29:80 | pki.goog | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 172.67.139.220:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | brusuax.com | udp |
| US | 8.8.8.8:53 | zexeq.com | udp |
| MX | 187.211.34.211:80 | brusuax.com | tcp |
| KR | 211.168.53.110:80 | zexeq.com | tcp |
| KR | 211.168.53.110:80 | zexeq.com | tcp |
| KR | 211.168.53.110:80 | zexeq.com | tcp |
| KR | 211.168.53.110:80 | zexeq.com | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 104.103.202.103:443 | steamcommunity.com | tcp |
| FI | 65.109.241.139:443 | 65.109.241.139 | tcp |
| KR | 211.168.53.110:80 | zexeq.com | tcp |
| FI | 65.109.241.139:443 | 65.109.241.139 | tcp |
| FI | 65.109.241.139:443 | 65.109.241.139 | tcp |
| FI | 65.109.241.139:443 | 65.109.241.139 | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-15 04:56
Reported
2024-01-15 05:01
Platform
win10-20231215-en
Max time kernel
298s
Max time network
305s
Command Line
Signatures
Detect Vidar Stealer
Detected Djvu ransomware
Djvu Ransomware
Vidar
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\33c1cbf3-5700-4b5b-bcf0-873245badf78\build2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\33c1cbf3-5700-4b5b-bcf0-873245badf78\build2.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\43d29600-5dd6-4448-aee8-79e285f7fb51\\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2780 set thread context of 3236 | N/A | C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe | C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe |
| PID 4892 set thread context of 4128 | N/A | C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe | C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe |
| PID 4068 set thread context of 2440 | N/A | C:\Users\Admin\AppData\Local\33c1cbf3-5700-4b5b-bcf0-873245badf78\build2.exe | C:\Users\Admin\AppData\Local\33c1cbf3-5700-4b5b-bcf0-873245badf78\build2.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\33c1cbf3-5700-4b5b-bcf0-873245badf78\build2.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe
"C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe"
C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe
"C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\43d29600-5dd6-4448-aee8-79e285f7fb51" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe
"C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe
"C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\33c1cbf3-5700-4b5b-bcf0-873245badf78\build2.exe
"C:\Users\Admin\AppData\Local\33c1cbf3-5700-4b5b-bcf0-873245badf78\build2.exe"
C:\Users\Admin\AppData\Local\33c1cbf3-5700-4b5b-bcf0-873245badf78\build2.exe
"C:\Users\Admin\AppData\Local\33c1cbf3-5700-4b5b-bcf0-873245badf78\build2.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 1936
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 94.193.125.74.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.65.21.104.in-addr.arpa | udp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | brusuax.com | udp |
| US | 8.8.8.8:53 | zexeq.com | udp |
| KR | 211.181.24.133:80 | zexeq.com | tcp |
| BG | 95.158.162.200:80 | zexeq.com | tcp |
| US | 8.8.8.8:53 | 200.162.158.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.24.181.211.in-addr.arpa | udp |
| BG | 95.158.162.200:80 | zexeq.com | tcp |
| BG | 95.158.162.200:80 | zexeq.com | tcp |
| BG | 95.158.162.200:80 | zexeq.com | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| DE | 116.202.0.196:10220 | 116.202.0.196 | tcp |
| US | 8.8.8.8:53 | 99.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.0.202.116.in-addr.arpa | udp |
| DE | 116.202.0.196:10220 | 116.202.0.196 | tcp |
| DE | 116.202.0.196:10220 | 116.202.0.196 | tcp |
| DE | 116.202.0.196:10220 | 116.202.0.196 | tcp |
| BG | 95.158.162.200:80 | zexeq.com | tcp |
| US | 8.8.8.8:53 | 96.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 170.117.168.52.in-addr.arpa | udp |
Files