Analysis
-
max time kernel
149s -
max time network
127s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system -
submitted
23-01-2024 16:17
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
file.exe
Resource
win10v2004-20231222-en
General
-
Target
file.exe
-
Size
222KB
-
MD5
11ac7990dacb8fed9a583f69660a8310
-
SHA1
a891612189e2db49a16704a9ac08850c5a76be3d
-
SHA256
b6d7d2ab6d7e66ba154aac8266fd5e0f6667c11d3cc682b241da586a5577581a
-
SHA512
7613b538549467fb21b3d3a4c25c82a6ab44a384b832efc6cd420b32083bf81e4563f4e558cf316532cc7d8fed68f5d232c9bfeb4335230e8c6db20c036a20d5
-
SSDEEP
3072:yKSFP/aG5wOG9vlyLfniPI4JSzjEz5MXzHuSgAChOrFgjaaSpGq/B:y5FPyrs/iKzeMXPVh9p7
Malware Config
Extracted
smokeloader
pub1
Extracted
smokeloader
2022
http://trad-einmyus.com/index.php
http://tradein-myus.com/index.php
http://trade-inmyus.com/index.php
Extracted
djvu
http://habrafa.com/test1/get.php
-
extension
.cdpo
-
offline_id
Bn3q97hwLouKbhkQRNO4SeV07gjdEQVm8NKhg0t1
-
payload_url
http://brusuax.com/dl/build2.exe
http://habrafa.com/files/1/build3.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-FCWSCsjEWS Price of private key and decrypt software is $1999. Discount 50% available if you contact us first 72 hours, that's price for you is $999. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0844OSkw
Signatures
-
Detect Vidar Stealer 6 IoCs
Processes:
resource  yara_rule
behavioral1/memory/1748-109-0x0000000000240000-0x000000000026C000-memory.dmp  family_vidar_v6
behavioral1/memory/1148-112-0x0000000000400000-0x000000000063F000-memory.dmp  family_vidar_v6
behavioral1/memory/1148-116-0x0000000000400000-0x000000000063F000-memory.dmp  family_vidar_v6
behavioral1/memory/1148-117-0x0000000000400000-0x000000000063F000-memory.dmp  family_vidar_v6
behavioral1/memory/1148-278-0x0000000000400000-0x000000000063F000-memory.dmp  family_vidar_v6
behavioral1/memory/1148-286-0x0000000000400000-0x000000000063F000-memory.dmp  family_vidar_v6
-
Detect ZGRat V1 4 IoCs
Processes:
resource  yara_rule
behavioral1/memory/532-305-0x0000000004C70000-0x0000000004D3A000-memory.dmp  family_zgrat_v1
behavioral1/memory/532-306-0x0000000004C70000-0x0000000004D33000-memory.dmp  family_zgrat_v1
behavioral1/memory/532-307-0x0000000004C70000-0x0000000004D33000-memory.dmp  family_zgrat_v1
behavioral1/memory/532-309-0x0000000004C70000-0x0000000004D33000-memory.dmp  family_zgrat_v1
-
Detected Djvu ransomware 14 IoCs
Processes:
resource  yara_rule
behavioral1/memory/2628-32-0x0000000001D20000-0x0000000001E3B000-memory.dmp  family_djvu
behavioral1/memory/2632-37-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
behavioral1/memory/2632-40-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
behavioral1/memory/2632-41-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
behavioral1/memory/2632-62-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
behavioral1/memory/364-72-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
behavioral1/memory/364-73-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
behavioral1/memory/364-86-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
behavioral1/memory/364-87-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
behavioral1/memory/364-91-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
behavioral1/memory/364-93-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
behavioral1/memory/364-94-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
behavioral1/memory/364-121-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
behavioral1/memory/364-133-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Modifies Installed Components in the registry 2 TTPs 1 IoCs
Processes:
Processes: explorer.exe
description  ioc  process
Key created  \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Active Setup\Installed Components  explorer.exe
-
Deletes itself 1 IoCs
Processes:
pid  process
1188  (process name not recorded)
-
Executes dropped EXE 14 IoCs
Processes:
Processes: DCD7.exe, F3B3.exe, build2.exe, 1815.exe, build3.exe, 8E3E.exe, mstsca.exe
pid  process
2776  DCD7.exe
2628  F3B3.exe
2632  F3B3.exe
2940  F3B3.exe
364  F3B3.exe
1748  build2.exe
1148  build2.exe
524  1815.exe
1080  build3.exe
2784  build3.exe
532  8E3E.exe
268  8E3E.exe
904  mstsca.exe
2296  mstsca.exe
-
Loads dropped DLL 20 IoCs
Processes:
Processes: F3B3.exe, WerFault.exe, 8E3E.exe
pid  process  (entries)
2628  F3B3.exe  (1)
2632  F3B3.exe  (2)
2940  F3B3.exe  (1)
364  F3B3.exe  (4)
2420  WerFault.exe  (4)
532  8E3E.exe  (1)
1776  WerFault.exe  (7)
-
Modifies file permissions 1 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
Processes: F3B3.exe
description  ioc  process
Set value (str)  \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\c3a8c530-bcda-4351-ba1f-b57a633447f3\\F3B3.exe\" --AutoStart"  F3B3.exe
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow  ioc
17  api.2ip.ua
9  api.2ip.ua
10  api.2ip.ua
-
Suspicious use of SetThreadContext 6 IoCs
Processes:
Processes: F3B3.exe, build2.exe, build3.exe, 8E3E.exe, mstsca.exe
description  pid  process  target process
PID 2628 set thread context of 2632  2628  F3B3.exe  F3B3.exe
PID 2940 set thread context of 364  2940  F3B3.exe  F3B3.exe
PID 1748 set thread context of 1148  1748  build2.exe  build2.exe
PID 1080 set thread context of 2784  1080  build3.exe  build3.exe
PID 532 set thread context of 268  532  8E3E.exe  8E3E.exe
PID 904 set thread context of 2296  904  mstsca.exe  mstsca.exe
-
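Every SetThreadContext row above is a parent writing into a freshly spawned copy of itself and redirecting its main thread, the usual process-hollowing pattern, and the YARA tables earlier in the report say which of those processes held a recognisable payload. The script below, an added example that is not part of the sandbox's own output, parses both tables (the rows are copied verbatim from this report, one representative hit per process and rule) and joins them on PID, so that each injection pair is labelled with the families seen in the parent and in the child. The only assumption it makes is that a hit whose dump region starts at 0x400000, the default image base of a 32-bit PE, means the hollowed image itself matched.

```python
"""Correlate the report's SetThreadContext pairs with its YARA memory hits.

Input rows are copied from the "Suspicious use of SetThreadContext" and
"Detect ..." tables of this report; the parser and correlation logic are
added here and are not part of the sandbox's own output.
"""
import re
from collections import defaultdict

SET_THREAD_CONTEXT = """
PID 2628 set thread context of 2632 2628 F3B3.exe F3B3.exe
PID 2940 set thread context of 364 2940 F3B3.exe F3B3.exe
PID 1748 set thread context of 1148 1748 build2.exe build2.exe
PID 1080 set thread context of 2784 1080 build3.exe build3.exe
PID 532 set thread context of 268 532 8E3E.exe 8E3E.exe
PID 904 set thread context of 2296 904 mstsca.exe mstsca.exe
"""

# One representative hit per (pid, rule); the report repeats hits at later timestamps.
YARA_HITS = """
behavioral1/memory/1748-109-0x0000000000240000-0x000000000026C000-memory.dmp family_vidar_v6
behavioral1/memory/1148-112-0x0000000000400000-0x000000000063F000-memory.dmp family_vidar_v6
behavioral1/memory/532-305-0x0000000004C70000-0x0000000004D3A000-memory.dmp family_zgrat_v1
behavioral1/memory/2628-32-0x0000000001D20000-0x0000000001E3B000-memory.dmp family_djvu
behavioral1/memory/2632-37-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu
behavioral1/memory/364-72-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu
"""

CTX_RE = re.compile(r"PID (\d+) set thread context of (\d+) \d+ (\S+) (\S+)")
HIT_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp (\S+)")

# Assumption: default image base of a 32-bit PE. A hit in the region based here
# means the rule matched the image that was written over the hollowed child.
IMAGE_BASE_32 = 0x400000


def parse_set_thread_context(text):
    """Return (parent_pid, child_pid, parent_image, child_image) per table row."""
    return [(int(p), int(c), pi, ci) for p, c, pi, ci in CTX_RE.findall(text)]


def parse_yara_hits(text):
    """Return {pid: {(rule, region_base, region_size), ...}} from the dump resource names."""
    hits = defaultdict(set)
    for pid, lo, hi, rule in HIT_RE.findall(text):
        base, end = int(lo, 16), int(hi, 16)
        hits[int(pid)].add((rule, base, end - base))
    return hits


def classify_hollowing(ctx_text, yara_text):
    """For each injection pair, list the families seen in parent and child memory.

    A family seen only in the parent (ZGRat here, PID 532 -> 268) means the payload
    was unpacked in the parent's own memory; the child crashed under WerFault, so no
    matching dump of it exists.
    """
    hits = parse_yara_hits(yara_text)
    results = []
    for ppid, cpid, pimg, cimg in parse_set_thread_context(ctx_text):
        child_hits = hits.get(cpid, set())
        results.append({
            "parent": (ppid, pimg),
            "child": (cpid, cimg),
            "parent_families": sorted({rule for rule, _, _ in hits.get(ppid, set())}),
            "child_families": sorted({rule for rule, _, _ in child_hits}),
            "child_image_overwritten": any(base == IMAGE_BASE_32 for _, base, _ in child_hits),
        })
    return results


if __name__ == "__main__":
    for r in classify_hollowing(SET_THREAD_CONTEXT, YARA_HITS):
        print(f"{r['parent'][1]}[{r['parent'][0]}] -> {r['child'][1]}[{r['child'][0]}]: "
              f"parent={r['parent_families'] or '-'} child={r['child_families'] or '-'} "
              f"image_overwritten={r['child_image_overwritten']}")
```

Read against the tree, the output separates the three payload chains: F3B3.exe carries Djvu into both of its hollowed children, build2.exe carries Vidar into PID 1148, and 8E3E.exe unpacks ZGRat but its child crashes before anything is dumped; build3.exe and mstsca.exe inject without any family rule matching, so those children still need manual triage.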
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
Processes:
Processes: WerFault.exe
pid  pid_target  process  target process
2420  1148  WerFault.exe  build2.exe
1776  268  WerFault.exe  8E3E.exe
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
Processes: file.exe, DCD7.exe
description  ioc  process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  file.exe
Key queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  file.exe
Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  file.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  DCD7.exe
Key queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  DCD7.exe
Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  DCD7.exe
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
Processes: schtasks.exe
pid  process
2776  schtasks.exe
2448  schtasks.exe
-
Modifies registry class 5 IoCs
Processes:
Processes: explorer.exe
description  ioc  process
Key created  \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_Classes\Local Settings  explorer.exe
Key created  \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell  explorer.exe
Key created  \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU  explorer.exe
Set value (data)  \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots  explorer.exe
Set value (data)  \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff  explorer.exe
-
Modifies system certificate store
AuthRoot is the store that Windows' automatic root-certificate update writes to when a TLS connection needs a root that is not yet cached locally; together with the CryptnetUrlCache entries listed under Downloads, this write is consistent with that mechanism rather than with the installation of an attacker-controlled root. Check the certificate's subject before treating it as a malicious root install.
Processes: build2.exe
description  ioc  process
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25  build2.exe
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (blob data omitted)  build2.exe
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (blob data omitted)  build2.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
Processes: file.exe
pid  process  (entries)
1180  file.exe  (2)
1188  (process name not recorded)  (62)
-
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
Processes: file.exe, DCD7.exe
pid  process
1180  file.exe
2776  DCD7.exe
-
Suspicious use of AdjustPrivilegeToken 15 IoCs
Processes:
Processes: explorer.exe, 8E3E.exe
description  pid  process  (entries)
Token: SeShutdownPrivilege  1188  (process name not recorded)  (1)
Token: SeShutdownPrivilege  1704  explorer.exe  (13)
Token: SeDebugPrivilege  532  8E3E.exe  (1)
-
Suspicious use of FindShellTrayWindow 31 IoCs
Processes:
Processes: explorer.exe
pid  process  (entries)
1188  (process name not recorded)  (2)
1704  explorer.exe  (29)
-
Suspicious use of SendNotifyMessage 21 IoCs
Processes:
Processes: explorer.exe
pid  process  (entries)
1188  (process name not recorded)  (2)
1704  explorer.exe  (19)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Processes: F3B3.exe, build2.exe
description  pid  process  target process  (entries)
PID 1188 wrote to memory of 2776  1188  (process name not recorded)  DCD7.exe  (4)
PID 1188 wrote to memory of 2628  1188  (process name not recorded)  F3B3.exe  (4)
PID 2628 wrote to memory of 2632  2628  F3B3.exe  F3B3.exe  (11)
PID 2632 wrote to memory of 2916  2632  F3B3.exe  icacls.exe  (4)
PID 2632 wrote to memory of 2940  2632  F3B3.exe  F3B3.exe  (4)
PID 2940 wrote to memory of 364  2940  F3B3.exe  F3B3.exe  (11)
PID 364 wrote to memory of 1748  364  F3B3.exe  build2.exe  (4)
PID 1748 wrote to memory of 1148  1748  build2.exe  build2.exe  (11)
PID 1188 wrote to memory of 524  1188  (process name not recorded)  1815.exe  (7)
PID 364 wrote to memory of 1080  364  F3B3.exe  build3.exe  (4)
The table stops at 64 entries, so the later parent-to-child writes visible in the process tree (build3.exe to build3.exe, 8E3E.exe to 8E3E.exe, mstsca.exe to mstsca.exe) are not listed here.
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID: 1180
-
C:\Users\Admin\AppData\Local\Temp\DCD7.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\DCD7.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID: 2776
-
C:\Users\Admin\AppData\Local\Temp\F3B3.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\F3B3.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 2628
  C:\Users\Admin\AppData\Local\Temp\F3B3.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\F3B3.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID: 2632
    C:\Windows\SysWOW64\icacls.exe
      cmdline: icacls "C:\Users\Admin\AppData\Local\c3a8c530-bcda-4351-ba1f-b57a633447f3" /deny *S-1-1-0:(OI)(CI)(DE,DC)
      - Modifies file permissions
      PID: 2916
    C:\Users\Admin\AppData\Local\Temp\F3B3.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\F3B3.exe" --Admin IsNotAutoStart IsNotTask
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      PID: 2940
      C:\Users\Admin\AppData\Local\Temp\F3B3.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\F3B3.exe" --Admin IsNotAutoStart IsNotTask
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        PID: 364
        C:\Users\Admin\AppData\Local\6ff35b4b-7125-408e-b34a-0965f53ef299\build2.exe
          cmdline: "C:\Users\Admin\AppData\Local\6ff35b4b-7125-408e-b34a-0965f53ef299\build2.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
          PID: 1748
          C:\Users\Admin\AppData\Local\6ff35b4b-7125-408e-b34a-0965f53ef299\build2.exe
            cmdline: "C:\Users\Admin\AppData\Local\6ff35b4b-7125-408e-b34a-0965f53ef299\build2.exe"
            - Executes dropped EXE
            - Modifies system certificate store
            PID: 1148
            C:\Windows\SysWOW64\WerFault.exe
              cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1148 -s 1452
              - Loads dropped DLL
              - Program crash
              PID: 2420
        C:\Users\Admin\AppData\Local\6ff35b4b-7125-408e-b34a-0965f53ef299\build3.exe
          cmdline: "C:\Users\Admin\AppData\Local\6ff35b4b-7125-408e-b34a-0965f53ef299\build3.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          PID: 1080
          C:\Users\Admin\AppData\Local\6ff35b4b-7125-408e-b34a-0965f53ef299\build3.exe
            cmdline: "C:\Users\Admin\AppData\Local\6ff35b4b-7125-408e-b34a-0965f53ef299\build3.exe"
            - Executes dropped EXE
            PID: 2784
            C:\Windows\SysWOW64\schtasks.exe
              cmdline: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
              - Creates scheduled task(s)
              PID: 2776
-
C:\Users\Admin\AppData\Local\Temp\1815.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\1815.exe
  - Executes dropped EXE
  PID: 524
-
C:\Users\Admin\AppData\Local\Temp\8E3E.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\8E3E.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID: 532
  C:\Users\Admin\AppData\Local\Temp\8E3E.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\8E3E.exe
    - Executes dropped EXE
    PID: 268
    C:\Windows\SysWOW64\WerFault.exe
      cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 268 -s 156
      - Loads dropped DLL
      - Program crash
      PID: 1776
-
C:\Windows\explorer.exe
  cmdline: explorer.exe
  - Modifies Installed Components in the registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 1704
-
C:\Windows\system32\taskeng.exe
  cmdline: taskeng.exe {18EC1BD3-BF22-47FB-AD12-584909B504C2} S-1-5-21-3427588347-1492276948-3422228430-1000:QVMRJQQO\Admin:Interactive:[1]
  PID: 3008
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    cmdline: C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID: 904
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
      cmdline: C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
      - Executes dropped EXE
      PID: 2296
      C:\Windows\SysWOW64\schtasks.exe
        cmdline: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
        - Creates scheduled task(s)
        PID: 2448
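The three host-side steps in the tree above, icacls locking down the Djvu drop directory, the SysHelper Run key pointing into that directory, and the once-a-minute Azure-Update-Task whose action lives under AppData\Roaming, are the persistence chain a detection engineer would want to match. The rule set below is an added example and is not part of this report or of any sandbox product: the icacls command line, the Run key data and the schtasks command line are copied from this report, the event shapes, image paths and the two benign control events are constructed, and the rule names are hypothetical. The ACE `/deny *S-1-1-0:(OI)(CI)(DE,DC)` denies Everyone the Delete and Delete-child rights on the directory and, through the OI/CI inheritance flags, on everything inside it, which stops the user from simply removing the dropped copy.

```python
"""Detection checks for the persistence and self-protection steps in the process tree above.

The icacls command line, the Run key value and the schtasks command line are copied
from this report; the event shape, image paths and the two benign control events are
constructed. The rules are added here and are not part of the sandbox report.
"""
import re

GUID_DIR = re.compile(
    r"\\AppData\\Local\\[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\\?", re.I)
APPDATA = re.compile(r"\\AppData\\(Local|Roaming)\\", re.I)

EVENTS = [
    {"type": "process", "image": r"C:\Windows\SysWOW64\icacls.exe",
     "cmdline": r'icacls "C:\Users\Admin\AppData\Local\c3a8c530-bcda-4351-ba1f-b57a633447f3" /deny *S-1-1-0:(OI)(CI)(DE,DC)'},
    {"type": "registry",
     "key": r"HKU\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper",
     "data": r'"C:\Users\Admin\AppData\Local\c3a8c530-bcda-4351-ba1f-b57a633447f3\F3B3.exe" --AutoStart'},
    {"type": "process", "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"'},
    # Benign controls (constructed) that must not fire.
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc daily /st 02:00 /tn "NightlyBackup" /tr "C:\Program Files\Backup\backup.exe"'},
    {"type": "process", "image": r"C:\Windows\System32\icacls.exe",
     "cmdline": r'icacls "C:\Users\Admin\Documents\share" /grant Users:(OI)(CI)R'},
]


def tokens(cmdline):
    """Split a Windows command line on whitespace, keeping double-quoted arguments intact."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def arg_after(args, flag):
    """Value following `flag` (case-insensitive), or '' if the flag is absent or last."""
    lowered = [a.lower() for a in args]
    i = lowered.index(flag.lower()) if flag.lower() in lowered else -1
    return args[i + 1] if 0 <= i < len(args) - 1 else ""


def ace_flags(ace):
    """'*S-1-1-0:(OI)(CI)(DE,DC)' -> ('S-1-1-0', {'OI','CI','DE','DC'}); None if not an icacls ACE."""
    m = re.match(r"\*?([^:]+):(.*)$", ace)
    if not m:
        return None
    groups = re.findall(r"\(([^)]*)\)", m.group(2))
    return m.group(1), {f.strip().upper() for g in groups for f in g.split(",")}


def rule_icacls_deny_everyone_on_guid_dir(ev):
    """icacls denies Everyone (S-1-1-0) delete rights on a GUID-named AppData\\Local directory."""
    if ev["type"] != "process" or not ev["image"].lower().endswith("\\icacls.exe"):
        return False
    t = tokens(ev["cmdline"])
    parsed = ace_flags(arg_after(t, "/deny"))
    if not parsed:
        return False
    sid, flags = parsed
    if sid.upper() not in ("S-1-1-0", "EVERYONE") or not flags & {"DE", "DC", "F"}:
        return False
    target = next((a for a in t if re.match(r"[A-Za-z]:\\", a)), "")
    return bool(GUID_DIR.search(target))


def rule_run_key_from_guid_dir(ev):
    """Run key value that launches an executable from a GUID-named AppData\\Local directory."""
    if ev["type"] != "registry" or "\\currentversion\\run\\" not in ev["key"].lower():
        return False
    return bool(GUID_DIR.search(ev["data"]))


def rule_minute_task_from_appdata(ev, max_minutes=5):
    """schtasks /create with a minute-level trigger whose action lives under AppData."""
    if ev["type"] != "process" or not ev["image"].lower().endswith("\\schtasks.exe"):
        return False
    t = tokens(ev["cmdline"])
    if "/create" not in [a.lower() for a in t] or arg_after(t, "/sc").lower() != "minute":
        return False
    interval = int(arg_after(t, "/mo") or 1)  # schtasks defaults the modifier to 1
    return interval <= max_minutes and bool(APPDATA.search(arg_after(t, "/tr")))


RULES = {
    "icacls_deny_everyone_on_guid_dir": rule_icacls_deny_everyone_on_guid_dir,
    "run_key_from_guid_dir": rule_run_key_from_guid_dir,
    "minute_task_from_appdata": rule_minute_task_from_appdata,
}


def evaluate(events):
    """Return (rule_name, event_index) for every rule that fires, in event order."""
    return [(name, i) for i, ev in enumerate(events) for name, fn in RULES.items() if fn(ev)]


if __name__ == "__main__":
    for name, i in evaluate(EVENTS):
        print(f"{name}: event {i} ({EVENTS[i].get('cmdline') or EVENTS[i].get('key')})")
```

When cleaning such a host, strip the deny ACE before trying to delete the directory (`icacls <dir> /remove:d *S-1-1-0`), remove the SysHelper Run value, and delete the task with `schtasks /delete /tn "Azure-Update-Task" /f`; the taskeng.exe branch in the tree shows the task already fired once inside the analysis window and re-created itself.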
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (T1547) (2)
  - Registry Run Keys / Startup Folder (T1547.001) (2)
- Scheduled Task/Job (T1053) (1)
Privilege Escalation
- Boot or Logon Autostart Execution (T1547) (2)
  - Registry Run Keys / Startup Folder (T1547.001) (2)
- Scheduled Task/Job (T1053) (1)
Defense Evasion
- File and Directory Permissions Modification (T1222) (1)
- Modify Registry (T1112) (3)
- Subvert Trust Controls (T1553) (1)
  - Install Root Certificate (T1553.004) (1)
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize: 1KB
MD5: b0e04da50e22c31e5a1bcd823b31bc0a
SHA1: 834ed42ea8cc071f41030231dfd38dbdd3a92c33
SHA256: b97307b15450163273d276f2918012e7afbcb2dfe9359886402fc7acbc198031
SHA512: 37f70063bf02ed58b18dba6b1986fae9d57a6b54cded5d929098dab98fe450e81a8461c59e3f19a7e45c2b59295494264322747427cd1a30cdb3cbdd12238df5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize: 724B
MD5: 8202a1cd02e7d69597995cabbe881a12
SHA1: 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256: 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512: 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize: 410B
MD5: ba198b4894ac9aeb07c3705b2c434a38
SHA1: 7d1addf14782ff1d411690fad708f999f948ad68
SHA256: 32f87c710484007513f27de5e0872a2591b661d6d3e63c0ff0685c6d42b5abfa
SHA512: 33af107de382fb0b0ffa60aaf6df67cf66d57b791471f8476b0ea40810e2388f24985860294e1732846d1fb2ec873d2f4f9cef7b3166650497c3f199821b0122
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 386580322f33ae57397fec6d5243623e
SHA1: d093ba6803b646168e0d391817c92d19e10e899f
SHA256: a2d910f554900db7ac97de417f059dce673837571a4b5b5da487e8099008e38c
SHA512: 9a8a077debb956c497b593316cafe91e9e58116d4045e1f8cea50a7d0a85a58be2eed3bcee4009403d50863adc7846cecafa8da6d549e8fd372ef0928e398470
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize: 392B
MD5: 42e95c54af5fe68c893d53302e425e87
SHA1: d37c11bb6b87ce5f6e852f058ba7fa75f21ce8ed
SHA256: 74fc20551fbb4b904a0e9133f940b4ef70d1f33db9aeff42e065ec916e572b68
SHA512: bffa559fbd73866df30f2b587c71651713463555f196e3a384567c45632fb7e693183ef18a6e1483491ce91480e786a63cc5182c32d128c32a332fdd3ef3cb37
-
Filesize: 299KB
MD5: 41b883a061c95e9b9cb17d4ca50de770
SHA1: 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256: fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512: cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319
-
Filesize: 5.3MB
MD5: 2b82eb950c4b07624724358abaee1e17
SHA1: 35b7e43f3e60c7c9423773458715f65d010c854e
SHA256: 883e014f638041cc942d1125a65846156b6a0af20f3a27883817ecc2ab0d6727
SHA512: 2099a58cfd73290572793c6a9f36b5f3fdb20117eb601dfd7f62246465901cc56449c6a5e6a852a383d7a44534221aca91405ef2a6f96c76ad30ad82f16f24af
-
Filesize: 640KB
MD5: 56e62dc1069db724cc54b467947fb9f8
SHA1: 8a5a1a9499a9b7a1d4ac52aeeceda2cf5e3f4745
SHA256: f118b3001c4bf7db2e44c8956eb639ae7412d9a4e3f7e677994cf761784feb1f
SHA512: b9856323468de2b1fb6dec35866e2b85141cb92ec24650589fc14a4bf78e3d4fb4f7deae6eb6b8421647717bc182155deb63169fc1e77b49314223a9de705188
-
Filesize: 763KB
MD5: 14f7c4b98e2c837e555d030bfbe740c4
SHA1: 695e50ac70754d449445343764d8a0c339323a04
SHA256: 585892aac1dd2104c9dc5badf75efbc0d5f363456c084741af5e251402473de0
SHA512: c72065546378ea95362d370b6e5fe6aa75e197c2a156193057f6ffe0f4c010ad3a2d7b6d024b02f7aee91b97dd6740833911107bcdb8a7fae2316e0ef8228cc5
-
Filesize: 65KB
MD5: ac05d27423a85adc1622c714f2cb6184
SHA1: b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256: c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512: 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
Filesize: 222KB (identical to the submitted sample, file.exe)
MD5: 11ac7990dacb8fed9a583f69660a8310
SHA1: a891612189e2db49a16704a9ac08850c5a76be3d
SHA256: b6d7d2ab6d7e66ba154aac8266fd5e0f6667c11d3cc682b241da586a5577581a
SHA512: 7613b538549467fb21b3d3a4c25c82a6ab44a384b832efc6cd420b32083bf81e4563f4e558cf316532cc7d8fed68f5d232c9bfeb4335230e8c6db20c036a20d5
-
Filesize: 750KB
MD5: fb41f20c1783dee1ff3ff24e9320ef44
SHA1: 873e409ee8fd52a51031269bee1b5e56207b8cf8
SHA256: 3f8c53cc5aff0effc748241349db40bff4d9c3004b557c091c00ed192d8f4226
SHA512: b83682f64c79dab3ac134a2f42fa111882a6e7555d59b112599953a532091e67b76a1fd0da3426e516912c3e650ebed79d0bdc0ba9b4317f0bfb341e0b4cd481
-
Filesize: 171KB
MD5: 9c0c641c06238516f27941aa1166d427
SHA1: 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256: 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512: 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06
-
Filesize: 262KB
MD5: 9b00df1cca53e81d90dfc2548f8d9114
SHA1: a783bde9346c8ece56aa6fec12348fea40fdf6ec
SHA256: 1ae4509fb8949fab80d4cc0fefec087af17e7c5654f2a66ac04f7372edaec5fe
SHA512: 406e14898fadc9aa63021d15c1e23cc812f472c6dd1fb59a29de2c4660b573e26ba13b892b2d3755e29d6fe5fe30a4d1c0550e0aca9d0bf5ae936e59d3141ffc
-
Filesize: 128KB
MD5: 4ffa6ea1daeb329c44d96258d49df616
SHA1: bb09631bf3e40e8d9fdc8f8c105a9a699eea6d2d
SHA256: 6d8286ca072cd2bcd7ee66a5785c1efeab04e52e8d50b3198b1492576b141e2a
SHA512: cee5276eb322d92101cc5f4c5e7151135cd654df5e0c5ccae4d778a5a6607aa1f3c00263210b6676e74accdd0904b5849e32a6a1a2a1cbddb32ff6db9bd7db62
-
Filesize: 448KB
MD5: 84e4f5b630da12c165b1e9b001eb9caf
SHA1: e033dede1f1b392a4f48fbb2ccb76975e9a1e45d
SHA256: 2162b42f639b20cb1b20bb9e3a48abdee97bd94408c3149760dab953d73b8a8e
SHA512: 22803fdd47df888757c3d43ed6fa1bf801c9b4fc8f837672ffb4a42bfd129c8bc7b06d0887bdaa60d178959d343a9854f988e5f08fd7ca6c07389e04774b9640
-
Filesize: 384KB
MD5: 3a320224046261873725ed77c969095d
SHA1: f770f4cf431bcec47d10f4397eb3ec75205b0d41
SHA256: a5fce1916749a3c2bcdcb9183ef8f777f096cf99cb3da94e186e8f5a0dd45480
SHA512: 9787bb71bc0b42a3c5b9dd8f2df2557e270be38a6e374fe8765a42f074f75e47f60b4a318e57cbcb169804bb6227d20c9f3010cbd067241b6166c950b847d671
-
Filesize: 320KB
MD5: 4e35c59e25f78b7e5b8aeaccba8974be
SHA1: 5fe6cb6eca6ebf59971ceccfdacfd1580fb88d0a
SHA256: 9d48456d1b1f2ead21b94b88c6f55b59e33c46de6630b5437a037c621f02b9bb
SHA512: 46e5d682fc44f4507a4bee389280cfd2ac07a18a60b286c68730490743b1df4617be8c31cfbca67a0df3654dddd4751c6af5b13ce31d0752e1635975f8378875
-
Filesize: 256KB
MD5: 416d2df04ae8012128bec7197bb81f96
SHA1: 344f74731835c138d6f1ee4f0bc708e1ecdde20f
SHA256: db24032c3a6bd09a7745c39f6e91b2ba6f0a92517057626e8a8554d7316e2f88
SHA512: cc404077a4fc88afd01ce43553848c04c95c7f407084f885bcfa08b5e146efae93d5a0c8d10c794cc5ee60feb697f5770c4b99bcdb1fbad166a2365eae94d880
-
Filesize: 42KB
MD5: 0c6305017aaf90d0681298c5c1ce3f8d
SHA1: cea3d6dde37866576f3c9570c8b57342246f9d5a
SHA256: e09fc5ef473416f32c2fd1f7a2c4ebd85232848565804dcaefa0d602db52d3ce
SHA512: f3c29403303ebc5f9bb840b4b90a800620c332f05beffc885534d6ebcc76fd1d235f230f1294deaf84e967093e725de12e9c453b3ff79343e5470f217cf625f6