Analysis
-
max time kernel
300s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
15/01/2024, 04:59
Static task
static1
Behavioral task
behavioral1
Sample
ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe
Resource
win10-20231215-en
General
-
Target
ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe
-
Size
732KB
-
MD5
20a0d15b3694b4cd8dbcf2281ac08591
-
SHA1
47a9f1172ab951a2ed68f1fa0122d632ae2a0f66
-
SHA256
ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc
-
SHA512
55e990f99031ec607dacb31dce7373111fab676336f98eef7c9a35edb1ea1e69a9e0f00dc79e77b9d7c3158ccf1632634e5884bed89222b3dee96ab4dd6f2d9d
-
SSDEEP
12288:tCch49jGaKBC3Pv0mxQglpWAarKylD4P3It+kzEwi+GCrebH8Hp0CmD0mXQjnRR:tCP9tP3Pv7QMXwOPw+cGguH8HGlD0mX4
Malware Config
Extracted
djvu
http://habrafa.com/test1/get.php
-
extension
.cdpo
-
offline_id
Bn3q97hwLouKbhkQRNO4SeV07gjdEQVm8NKhg0t1
-
payload_url
http://brusuax.com/dl/build2.exe
http://habrafa.com/files/1/build3.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-FCWSCsjEWS Price of private key and decrypt software is $1999. Discount 50% available if you contact us first 72 hours, that's price for you is $999. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0844OSkw
Signatures
-
Detect Vidar Stealer 5 IoCs
resource yara_rule behavioral1/memory/2484-73-0x0000000000400000-0x000000000065E000-memory.dmp family_vidar_v6 behavioral1/memory/2660-77-0x00000000002B0000-0x00000000002FB000-memory.dmp family_vidar_v6 behavioral1/memory/2484-79-0x0000000000400000-0x000000000065E000-memory.dmp family_vidar_v6 behavioral1/memory/2484-78-0x0000000000400000-0x000000000065E000-memory.dmp family_vidar_v6 behavioral1/memory/2484-201-0x0000000000400000-0x000000000065E000-memory.dmp family_vidar_v6 -
Detected Djvu ransomware 14 IoCs
resource yara_rule behavioral1/memory/1676-4-0x0000000000700000-0x000000000081B000-memory.dmp family_djvu behavioral1/memory/1968-5-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/1968-8-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/1968-9-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/1968-27-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/2620-36-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/2620-35-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/2620-50-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/2620-49-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/2620-57-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/2620-56-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/2620-54-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/2620-80-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/2620-208-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu -
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
pid Process 2660 build2.exe 2484 build2.exe -
Loads dropped DLL 6 IoCs
pid Process 2620 ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe 2620 ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe 1632 WerFault.exe 1632 WerFault.exe 1632 WerFault.exe 1632 WerFault.exe -
Modifies file permissions 1 TTPs 1 IoCs
pid Process 2856 icacls.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\8d48942f-f643-4d39-aaf0-87b2aeff60d3\\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe\" --AutoStart" ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 3 api.2ip.ua 4 api.2ip.ua 9 api.2ip.ua -
Suspicious use of SetThreadContext 3 IoCs
description pid Process procid_target PID 1676 set thread context of 1968 1676 ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe 28 PID 2592 set thread context of 2620 2592 ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe 31 PID 2660 set thread context of 2484 2660 build2.exe 33 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 1632 2484 WerFault.exe 33 -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 build2.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a build2.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a build2.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 1968 ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe 1968 ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe 2620 ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe 2620 ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe -
Suspicious use of WriteProcessMemory 49 IoCs
description pid Process procid_target PID 1676 wrote to memory of 1968 1676 ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe 28 PID 1676 wrote to memory of 1968 1676 ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe 28 PID 1676 wrote to memory of 1968 1676 ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe 28 PID 1676 wrote to memory of 1968 1676 ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe 28 PID 1676 wrote to memory of 1968 1676 ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe 28 PID 1676 wrote to memory of 1968 1676 ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe 28 PID 1676 wrote to memory of 1968 1676 ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe 28 PID 1676 wrote to memory of 1968 1676 ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe 28 PID 1676 wrote to memory of 1968 1676 ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe 28 PID 1676 wrote to memory of 1968 1676 ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe 28 PID 1676 wrote to memory of 1968 1676 ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe 28 PID 1968 wrote to memory of 2856 1968 ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe 29 PID 1968 wrote to memory of 2856 1968 ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe 29 PID 1968 wrote to memory of 2856 1968 ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe 29 PID 1968 wrote to memory of 2856 1968 ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe 29 PID 1968 wrote to memory of 2592 1968 ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe 30 PID 1968 wrote to memory of 2592 1968 ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe 30 PID 1968 wrote to memory of 2592 1968 ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe 30 PID 1968 wrote to memory of 2592 1968 ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe 30 PID 2592 wrote to memory of 2620 2592 ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe 31 PID 2592 wrote to memory of 2620 2592 ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe 31 PID 2592 wrote to memory of 2620 2592 ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe 31 PID 2592 wrote to memory of 2620 2592 ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe 31 PID 2592 wrote to memory of 2620 2592 ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe 31 PID 2592 wrote to memory of 2620 2592 ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe 31 PID 2592 wrote to memory of 2620 2592 ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe 31 PID 2592 wrote to memory of 2620 2592 ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe 31 PID 2592 wrote to memory of 2620 2592 ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe 31 PID 2592 wrote to memory of 2620 2592 ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe 31 PID 2592 wrote to memory of 2620 2592 ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe 31 PID 2620 wrote to memory of 2660 2620 ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe 34 PID 2620 wrote to memory of 2660 2620 ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe 34 PID 2620 wrote to memory of 2660 2620 ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe 34 PID 2620 wrote to memory of 2660 2620 ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe 34 PID 2660 wrote to memory of 2484 2660 build2.exe 33 PID 2660 wrote to memory of 2484 2660 build2.exe 33 PID 2660 wrote to memory of 2484 2660 build2.exe 33 PID 2660 wrote to memory of 2484 2660 build2.exe 33 PID 2660 wrote to memory of 2484 2660 build2.exe 33 PID 2660 wrote to memory of 2484 2660 build2.exe 33 PID 2660 wrote to memory of 2484 2660 build2.exe 33 PID 2660 wrote to memory of 2484 2660 build2.exe 33 PID 2660 wrote to memory of 2484 2660 build2.exe 33 PID 2660 wrote to memory of 2484 2660 build2.exe 33 PID 2660 wrote to memory of 2484 2660 build2.exe 33 PID 2484 wrote to memory of 1632 2484 build2.exe 36 PID 2484 wrote to memory of 1632 2484 build2.exe 36 PID 2484 wrote to memory of 1632 2484 build2.exe 36 PID 2484 wrote to memory of 1632 2484 build2.exe 36
Processes
-
C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe"C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1676 -
C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe"C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe"2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1968 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\8d48942f-f643-4d39-aaf0-87b2aeff60d3" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
PID:2856
-
-
C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe"C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe" --Admin IsNotAutoStart IsNotTask3⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe"C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Users\Admin\AppData\Local\ecd8f061-efcc-40b3-a956-90872f719a6e\build2.exe"C:\Users\Admin\AppData\Local\ecd8f061-efcc-40b3-a956-90872f719a6e\build2.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2660
-
-
-
-
-
C:\Users\Admin\AppData\Local\ecd8f061-efcc-40b3-a956-90872f719a6e\build2.exe"C:\Users\Admin\AppData\Local\ecd8f061-efcc-40b3-a956-90872f719a6e\build2.exe"1⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2484 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2484 -s 14402⤵
- Loads dropped DLL
- Program crash
PID:1632
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize1KB
MD5b7470a9aa569b259d4c2bb3b80ae3aa3
SHA1093290296b7f1e402ef96e4b33a88f064aa401eb
SHA256ee8aeed77dd9f1631fa75845214d75bfe04951a61892410ee369035e13fd14c6
SHA5124da3fc09260692f159c37b068664852931b712c8173de5e4b294799ac33ecf179055aaeb016fd0afad88cbfc50a571c4c88033dca56a573431af7462ea7979be
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize724B
MD58202a1cd02e7d69597995cabbe881a12
SHA18858d9d934b7aa9330ee73de6c476acf19929ff6
SHA25658f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA51297ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize410B
MD58448d3aa1248e31218217fc5a32de612
SHA10c043723f77683b93abf32ce1c44f1d5d1c3f421
SHA256595225b49e46cb3188316c75f0befd0063ddc348d46fd0f1371f4517d12ea3cc
SHA512e83a971266597a9f49a703b5d4aaa662dc3c0c4a4ba9686ad1266102620bbc5c7d1425b2c7a45e0b470af71ccb2ccf164cf2b4ac501b292ee42749abdfd8e4dd
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5160af5a6533a7b64ea8cc1c1f01db434
SHA17cc7d309e444ffa706f8626212b98ae8eb7891e1
SHA256ff770a582029f8821d0b0ddecbfda32a8946408bd2ca0245000e0d9497f81703
SHA5122d979b6a4477725abeba442d6baf57a8bf4d37417a89fe352d7a7492d02e857ab5035e3c5190cfbea9543b254f5fe3df47d4c8db53f54e531a9483bff46807dd
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5d17e1129fcf1b1171315281d14be9757
SHA1373c5c39ecbe3132654b7c28640ed12091543ac7
SHA256ffc60c52e50d3f520249c2c101afea933c13ea768416022a61c5c1d0df747950
SHA512f53f7d52e61f054deeb33940fd5f2732883de4a0619ca62885bb9133489e7c51fe9e338ef76d06899cabb27691c8d5377bbcc9300a24437b1be96dd9bce43e20
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize392B
MD5fb93c6f6c919b24deaed6bbf017008cd
SHA1f744f76c86f454676c7805af45e7209b061d25c5
SHA256c74395f967cfe0ed9f0bad14cdb99188370186f95bdfbeae7fe716f07cec6fd9
SHA5128333e070471a65eb23aa574be1ea4bb947e6ecdf1a14a429ddb53f8612b738446660b37e400958999704d85a4b818a4df7489776996dc2d5411e0bbe60046b6e
-
C:\Users\Admin\AppData\Local\8d48942f-f643-4d39-aaf0-87b2aeff60d3\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe
Filesize732KB
MD520a0d15b3694b4cd8dbcf2281ac08591
SHA147a9f1172ab951a2ed68f1fa0122d632ae2a0f66
SHA256ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc
SHA51255e990f99031ec607dacb31dce7373111fab676336f98eef7c9a35edb1ea1e69a9e0f00dc79e77b9d7c3158ccf1632634e5884bed89222b3dee96ab4dd6f2d9d
-
Filesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
Filesize
98KB
MD51f87e0b6221312c5aaaccb8121603088
SHA1bb362447f7435c9e8d58c3cd5ccfc24c186f838f
SHA256f1fb4dc3162af1f0ac16c06dfc05deb8f158ec14b6d4d2d948d43ecaa092b19f
SHA512bb2944efffdda42f16677f5ce69037887a649c7ef3e1826e61a85db4b8cfdd53af91c9f0c6e376ffff14f4293896c1e939463b0e8b2d84d192c3ef9b46efbc0d
-
Filesize
59KB
MD5d3ea3654914c8852f3a87180d1a2c241
SHA18fbceb89a466cf0d638349c4ab11049eeea92827
SHA256a44378f382dc7d31009893e74486828819f162acf0a56f0abc145ec9d6eb5e93
SHA512758cf04e0f35dea39a89c0975bc8c63cb38572530b24c9f1c98bfd40c620aedb9e5846567efdf6cfd8708112bcf17369417fc61bd60d5280e3f741b58e221a81
-
Filesize
114KB
MD50b2c3c144d8ef3d86c29c1ea2c2db875
SHA182e04b00f56bea4df2a0b116042c4f14d6bd7ccb
SHA256d4e18facb6cef797b9a22e0dd6eeddadd3b08551866374dcc94ae26e559d33a1
SHA512ad99aa3457bb7af7957a541c9a9d751685094a07673fb68c0915b3e7052328e5316be92f6115f7102b54e7891a5a034ef9cf0710abc78d89d7feabc9ce7ddda8
-
Filesize
59KB
MD5600baa942b0b4d4e50a6816a766751cd
SHA14e199b21e8aca88bb3e20d685396a3a1c5abdcc7
SHA256ed4b2bf512c5254c272e316f620afcdad26075ea48b2c67382eda20c1b2d2e5a
SHA512bba6f2df515162fa6b44a258f92cf96f6cdafca5d9a7967d5061300b12f9660bc093efc156b436f0c9bb59e2d7f0f0ec66dc74de2676c1e063870034a8531551
-
Filesize
35KB
MD5b2808651a83ceefb3f6426029b782791
SHA168ed8fcdef574d26b038a5b8ac83c5b313d6405f
SHA25643fe14f20a4b534f2a9d63701ad88a646b7ebcdb7e465789e8443fec8c7cf325
SHA512733a39ac098d9a28203855c7876090f7d3b466760a93b18245d9fe79de1b6410a4523ab485e702e20af0be0a64680c3ed3157c874c12b3a172d6d69307517519
-
Filesize
134KB
MD50ee21651770797e46547373020237d66
SHA1ad50062605bb70be6b1c54a97bd74b958dfe9c30
SHA25687dfdd019f35d2150e54a4f8381edeef3d1c7ff2c35cbf7becf84e8d073c18c5
SHA5121f35aac8018d00fc9c9acec267c15ebc38e1182622655747a4384204a5f53764984953961ff9f67269f97cf950411d655aff54b82178bba67d04ba545e15e337
-
Filesize
76KB
MD51f932ddda236e15e47b0bbdfc3afcc71
SHA14ae50e69606ad10156dc1c73fcadafcc03373a7e
SHA2563217b1922a79d11579e159aa5557f230ba70803bce304f8d227b3b93d32d06fb
SHA5122458e6ae673749c516bff2d83da47c9d0f5c4a50a2fe6bfaa0d7c9696fca5d72bdc22a9103d172237b651bb451d01cc5def1781bb80a33257a708ec1a3565ff2
-
Filesize
92KB
MD522e09e303bf210c5a1366eed0be0b294
SHA18579012d28b1c325facb09e50ee0f33400c98d0f
SHA256ef828c82ba2541737e984e24f16ab37b68810ccd90c836cf18d74e4a90417c7d
SHA5129d5aec3a9787b019191e700366aed9ed6d48a01868ec6588a6b64759b84fd96523a48f5a2eff723cdcee0096c40ea0f2f6d9bc2a67aa559f11cf2928317b3570
-
Filesize
133KB
MD519328a290f3992a5f63b0bef89218be4
SHA15b798f9014af5404f66a9c6022e9a488c1cf4fa6
SHA2562d0e2ea31bef90b5c6c83d5256ab4692a91c6342cc98e2b2f1d0a7f22658cecc
SHA512f02899e8bf27f1265a067b0f9737c4476a6f49331f3be832f63cd396e730eca7c3e30eec39cd293641db5a05b89f8980e5e3eac79bad246e5537c97a3eceb044
-
Filesize
287KB
MD539f684a39496bea7e5fe2b862157e633
SHA1bceee6c817276bbf6fc13c8c2e5557f9fea6ae86
SHA256d563a779176ce0e86af4e240924a8fa45c8b9ee18ccca669a361a515f16a9c02
SHA5123589042f766c35050bbaf5c583bfc2d590e4688482707cccc2f12115bdda17114d49dcb0b61328f27d6934860f3ca29271302260fc5d2c1c4ed712103e3eab8b
-
Filesize
57KB
MD54d3ada47a82a737dbd9a9672f8659366
SHA1abd8382762eacb4430928cb814bc7f0cac536504
SHA2564914798a45e8808b148480a5345ebd86be9cf696baf372059e52b1074549aaef
SHA512713fa4ea0b71068ca34cddf394ce493c12d0073aba11df43ce5ae1d4234e33053f5b95bd5ad5e3d275c8b4a8ca17a83d04298db6ac0968bb85dfa34eea9b50ba