Analysis
Max time kernel: 300s
Max time network: 169s
Platform: windows7_x64
Resource: win7-20231215-en
Resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
Submitted: 15/01/2024, 04:58
Static task: static1
Behavioral task: behavioral1
  Sample: cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe
  Resource: win10-20231220-en
General
Target: cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe
Size: 723KB
MD5: 0407f464f5383cc888945bda2afa42c6
SHA1: 92de3404b2b42c0460565201ceaf2669bd6fc149
SHA256: cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20
SHA512: 39aabd70c7065714718c0cb91795b1e690972780e1c118cb0f71f7f481f889f1df36b2e4b17b2e791ac8ef477c69f412a00f51bde9eec9e3c7531498c5586e50
SSDEEP: 12288:qKWz9fNdRDFUssQkmmhlew/2NSFaanti7JDaDN79dOCOMW+/jeV/sJ/oftN2y2Eh:nQ9pDFUs1kzhlew/uSFBtilDaDNpd3xE
Malware Config
Extracted
Family: djvu
C2 URL: http://habrafa.com/test1/get.php
Extension: .cdpo
Offline ID: Bn3q97hwLouKbhkQRNO4SeV07gjdEQVm8NKhg0t1
Payload URL: http://brusuax.com/dl/build2.exe
Payload URL: http://habrafa.com/files/1/build3.exe
Ransom note (verbatim): ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-FCWSCsjEWS Price of private key and decrypt software is $1999. Discount 50% available if you contact us first 72 hours, that's price for you is $999. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0844OSkw
Signatures

Detect Vidar Stealer (5 IoCs)

Detected Djvu ransomware (15 IoCs)

Djvu Ransomware
Ransomware which is a variant of the STOP family.

Downloads MZ/PE file

Executes dropped EXE (14 IoCs)
PID   Process
460   build2.exe
1892  build2.exe
780   build3.exe
3020  build3.exe
2320  mstsca.exe
2820  mstsca.exe
1908  mstsca.exe
2844  mstsca.exe
2096  mstsca.exe
2460  mstsca.exe
1996  mstsca.exe
2520  mstsca.exe
2364  mstsca.exe
2508  mstsca.exe

Loads dropped DLL (8 IoCs)
PID   Process
1712  cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe
1712  cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe
1712  cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe
1712  cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe
904   WerFault.exe
904   WerFault.exe
904   WerFault.exe
904   WerFault.exe

Modifies file permissions (1 TTPs, 1 IoCs)
PID   Process
2676  icacls.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
Description: Set value (str)
IoC: \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\35536c4d-a176-40a0-8026-fcb91feb54e7\\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe\" --AutoStart"
Process: cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe

Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Flow  IoC
3     api.2ip.ua
4     api.2ip.ua
12    api.2ip.ua

Suspicious use of SetThreadContext (9 IoCs)
Description                              PID   Process                                                                    procid_target
PID 2444 set thread context of 1744      2444  cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe      28
PID 2556 set thread context of 1712      2556  cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe      32
PID 460 set thread context of 1892       460   build2.exe                                                                 35
PID 780 set thread context of 3020       780   build3.exe                                                                 41
PID 2320 set thread context of 2820      2320  mstsca.exe                                                                 46
PID 1908 set thread context of 2844      1908  mstsca.exe                                                                 50
PID 2096 set thread context of 2460      2096  mstsca.exe                                                                 52
PID 1996 set thread context of 2520      1996  mstsca.exe                                                                 54
PID 2364 set thread context of 2508      2364  mstsca.exe                                                                 56

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoCs)
PID   Target PID  Process       procid_target
904   1892        WerFault.exe  35

Creates scheduled task(s) (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
PID   Process
760   schtasks.exe
2504  schtasks.exe

Modifies system certificate store
Description       IoC                                                                                                                Process
Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25          build2.exe
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (binary blob, not reproduced on this page)   build2.exe
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (binary blob, not reproduced on this page)   build2.exe

Suspicious behavior: EnumeratesProcesses (3 IoCs)
PID   Process
1744  cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe
1712  cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe
1712  cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Processes

C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe
  Command: "C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe"
  PID: 2444
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe
    Command: "C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe"
    PID: 1744
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\icacls.exe
      Command: icacls "C:\Users\Admin\AppData\Local\35536c4d-a176-40a0-8026-fcb91feb54e7" /deny *S-1-1-0:(OI)(CI)(DE,DC)
      PID: 2676
      - Modifies file permissions
    C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe
      Command: "C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe" --Admin IsNotAutoStart IsNotTask
      PID: 2556
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe
        Command: "C:\Users\Admin\AppData\Local\Temp\cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20.exe" --Admin IsNotAutoStart IsNotTask
        PID: 1712
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build2.exe
          Command: "C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build2.exe"
          PID: 460
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
          C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build2.exe
            Command: "C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build2.exe"
            PID: 1892
            - Executes dropped EXE
            - Modifies system certificate store
            - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\WerFault.exe
              Command: C:\Windows\SysWOW64\WerFault.exe -u -p 1892 -s 1440
              PID: 904
              - Loads dropped DLL
              - Program crash
        C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build3.exe
          Command: "C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build3.exe"
          PID: 780
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
          C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build3.exe
            Command: "C:\Users\Admin\AppData\Local\0381e364-b408-4c63-bf98-6303690d81a5\build3.exe"
            PID: 3020
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\schtasks.exe
  Command: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
  PID: 760
  - Creates scheduled task(s)

C:\Windows\system32\taskeng.exe
  Command: taskeng.exe {C6C3ADA7-8755-4AF3-8ACE-6C635FDFFBB9} S-1-5-21-928733405-3780110381-2966456290-1000:VTILVGXH\Admin:Interactive:[1]
  PID: 2568
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    Command: C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    PID: 2320
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
      Command: C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
      PID: 2820
      - Executes dropped EXE
      C:\Windows\SysWOW64\schtasks.exe
        Command: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
        PID: 2504
        - Creates scheduled task(s)
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    Command: C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    PID: 1908
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
      Command: C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
      PID: 2844
      - Executes dropped EXE
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    Command: C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    PID: 2096
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
      Command: C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
      PID: 2460
      - Executes dropped EXE
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    Command: C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    PID: 1996
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
      Command: C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
      PID: 2520
      - Executes dropped EXE
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    Command: C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    PID: 2364
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
      Command: C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
      PID: 2508
      - Executes dropped EXE

Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
Downloads