djvu | 4db3c3cbc49012848a0be2614f4510ae1c29b43aa35973ebf431c7fe1c6c4c8d

Analysis

max time kernel
296s
max time network
297s
platform
windows10-1703_x64
resource
win10-20231220-en
resource tags

arch:x64arch:x86image:win10-20231220-enlocale:en-usos:windows10-1703-x64system
submitted
01-02-2024 04:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4db3c3cbc49012848a0be2614f4510ae1c29b43aa35973ebf431c7fe1c6c4c8d.exe
Size

833KB
MD5

02e6b05a5b3bccc63fb6b3fa09bd4f70
SHA1

5623fe73980bbd64b70adc6ceaf92f414aae097f
SHA256

4db3c3cbc49012848a0be2614f4510ae1c29b43aa35973ebf431c7fe1c6c4c8d
SHA512

d8079833c6e7d2a53b497f037306c74ea7705c95e27c54771bb1220e843d08f373261e72ec04b8353f4cc358779fa97702c43d9b9f4332cec37bbe4ff1a1d6ce
SSDEEP

24576:oGvU6wUbW4oVU9FZhQRUZ/fXCHpxjuDTv:HvaUtoiZhQq/fd

Score

10^/10

djvu vidar 1b9d7ec5a25ab9d78c31777a0016a097 discovery persistence ransomware stealer

Malware Config

Extracted

Family

djvu

http://habrafa.com/test1/get.php

Attributes

extension
.cdcc
offline_id
LBxKKiegnAy53rpqH3Pj2j46vwldiEt9kqHSuMt1
payload_url
http://brusuax.com/dl/build2.exe
http://habrafa.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-iVcrVFVRqu Price of private key and decrypt software is $1999. Discount 50% available if you contact us first 72 hours, that's price for you is $999. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0846ASdw

rsa_pubkey.plain

Extracted

Family

vidar

Version

7.6

Botnet

1b9d7ec5a25ab9d78c31777a0016a097

https://t.me/tvrugrats

https://steamcommunity.com/profiles/76561199627279110

Attributes

profile_id_v2
1b9d7ec5a25ab9d78c31777a0016a097

Signatures

Detect Vidar Stealer 6 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/4960-48-0x00000000005F0000-0x0000000000620000-memory.dmp	family_vidar_v7
behavioral2/memory/5040-51-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral2/memory/5040-52-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral2/memory/5040-47-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral2/memory/5040-66-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral2/memory/4208-156-0x0000000000A60000-0x0000000000B60000-memory.dmp	family_vidar_v7

Detected Djvu ransomware 17 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2976-3-0x00000000022B0000-0x00000000023CB000-memory.dmp	family_djvu
behavioral2/memory/5096-2-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/5096-4-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/5096-5-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/5096-6-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/5096-17-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1048-22-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1048-23-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1048-24-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1048-30-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1048-29-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1048-34-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1048-36-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1048-37-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1048-53-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1048-60-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3040-103-0x0000000000A10000-0x0000000000B10000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Executes dropped EXE 12 IoCs

Processes:

build2.exebuild2.exebuild3.exebuild3.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exe

pid	process
4960	build2.exe
5040	build2.exe
3284	build3.exe
1548	build3.exe
3040	mstsca.exe
2876	mstsca.exe
1056	mstsca.exe
2388	mstsca.exe
4208	mstsca.exe
1584	mstsca.exe
4376	mstsca.exe
4328	mstsca.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

2780 icacls.exe

pid	process
2780	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

4db3c3cbc49012848a0be2614f4510ae1c29b43aa35973ebf431c7fe1c6c4c8d.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\3e81c02d-7ef3-466d-bb72-ba1a3437eadb\\4db3c3cbc49012848a0be2614f4510ae1c29b43aa35973ebf431c7fe1c6c4c8d.exe\" --AutoStart"	4db3c3cbc49012848a0be2614f4510ae1c29b43aa35973ebf431c7fe1c6c4c8d.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

8 api.2ip.ua
1 api.2ip.ua
2 api.2ip.ua

flow	ioc
8	api.2ip.ua
1	api.2ip.ua
2	api.2ip.ua

Suspicious use of SetThreadContext 8 IoCs

Processes:

4db3c3cbc49012848a0be2614f4510ae1c29b43aa35973ebf431c7fe1c6c4c8d.exe4db3c3cbc49012848a0be2614f4510ae1c29b43aa35973ebf431c7fe1c6c4c8d.exebuild2.exebuild3.exemstsca.exemstsca.exemstsca.exemstsca.exe

description	pid	process	target process
PID 2976 set thread context of 5096	2976	4db3c3cbc49012848a0be2614f4510ae1c29b43aa35973ebf431c7fe1c6c4c8d.exe	4db3c3cbc49012848a0be2614f4510ae1c29b43aa35973ebf431c7fe1c6c4c8d.exe
PID 4488 set thread context of 1048	4488	4db3c3cbc49012848a0be2614f4510ae1c29b43aa35973ebf431c7fe1c6c4c8d.exe	4db3c3cbc49012848a0be2614f4510ae1c29b43aa35973ebf431c7fe1c6c4c8d.exe
PID 4960 set thread context of 5040	4960	build2.exe	build2.exe
PID 3284 set thread context of 1548	3284	build3.exe	build3.exe
PID 3040 set thread context of 2876	3040	mstsca.exe	mstsca.exe
PID 1056 set thread context of 2388	1056	mstsca.exe	mstsca.exe
PID 4208 set thread context of 1584	4208	mstsca.exe	mstsca.exe
PID 4376 set thread context of 4328	4376	mstsca.exe	mstsca.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1256 5040 WerFault.exe build2.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1784 schtasks.exe
308 schtasks.exe

pid	pid_target	process	target process
1256	5040	WerFault.exe	build2.exe

pid	process
1784	schtasks.exe
308	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

4db3c3cbc49012848a0be2614f4510ae1c29b43aa35973ebf431c7fe1c6c4c8d.exe4db3c3cbc49012848a0be2614f4510ae1c29b43aa35973ebf431c7fe1c6c4c8d.exe

pid	process
5096	4db3c3cbc49012848a0be2614f4510ae1c29b43aa35973ebf431c7fe1c6c4c8d.exe
5096	4db3c3cbc49012848a0be2614f4510ae1c29b43aa35973ebf431c7fe1c6c4c8d.exe
1048	4db3c3cbc49012848a0be2614f4510ae1c29b43aa35973ebf431c7fe1c6c4c8d.exe
1048	4db3c3cbc49012848a0be2614f4510ae1c29b43aa35973ebf431c7fe1c6c4c8d.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4db3c3cbc49012848a0be2614f4510ae1c29b43aa35973ebf431c7fe1c6c4c8d.exe4db3c3cbc49012848a0be2614f4510ae1c29b43aa35973ebf431c7fe1c6c4c8d.exe4db3c3cbc49012848a0be2614f4510ae1c29b43aa35973ebf431c7fe1c6c4c8d.exe4db3c3cbc49012848a0be2614f4510ae1c29b43aa35973ebf431c7fe1c6c4c8d.exebuild2.exebuild3.exebuild3.exemstsca.exemstsca.exe

description	pid	process	target process
PID 2976 wrote to memory of 5096	2976	4db3c3cbc49012848a0be2614f4510ae1c29b43aa35973ebf431c7fe1c6c4c8d.exe	4db3c3cbc49012848a0be2614f4510ae1c29b43aa35973ebf431c7fe1c6c4c8d.exe
PID 2976 wrote to memory of 5096	2976	4db3c3cbc49012848a0be2614f4510ae1c29b43aa35973ebf431c7fe1c6c4c8d.exe	4db3c3cbc49012848a0be2614f4510ae1c29b43aa35973ebf431c7fe1c6c4c8d.exe
PID 2976 wrote to memory of 5096	2976	4db3c3cbc49012848a0be2614f4510ae1c29b43aa35973ebf431c7fe1c6c4c8d.exe	4db3c3cbc49012848a0be2614f4510ae1c29b43aa35973ebf431c7fe1c6c4c8d.exe
PID 2976 wrote to memory of 5096	2976	4db3c3cbc49012848a0be2614f4510ae1c29b43aa35973ebf431c7fe1c6c4c8d.exe	4db3c3cbc49012848a0be2614f4510ae1c29b43aa35973ebf431c7fe1c6c4c8d.exe
PID 2976 wrote to memory of 5096	2976	4db3c3cbc49012848a0be2614f4510ae1c29b43aa35973ebf431c7fe1c6c4c8d.exe	4db3c3cbc49012848a0be2614f4510ae1c29b43aa35973ebf431c7fe1c6c4c8d.exe
PID 2976 wrote to memory of 5096	2976	4db3c3cbc49012848a0be2614f4510ae1c29b43aa35973ebf431c7fe1c6c4c8d.exe	4db3c3cbc49012848a0be2614f4510ae1c29b43aa35973ebf431c7fe1c6c4c8d.exe
PID 2976 wrote to memory of 5096	2976	4db3c3cbc49012848a0be2614f4510ae1c29b43aa35973ebf431c7fe1c6c4c8d.exe	4db3c3cbc49012848a0be2614f4510ae1c29b43aa35973ebf431c7fe1c6c4c8d.exe
PID 2976 wrote to memory of 5096	2976	4db3c3cbc49012848a0be2614f4510ae1c29b43aa35973ebf431c7fe1c6c4c8d.exe	4db3c3cbc49012848a0be2614f4510ae1c29b43aa35973ebf431c7fe1c6c4c8d.exe
PID 2976 wrote to memory of 5096	2976	4db3c3cbc49012848a0be2614f4510ae1c29b43aa35973ebf431c7fe1c6c4c8d.exe	4db3c3cbc49012848a0be2614f4510ae1c29b43aa35973ebf431c7fe1c6c4c8d.exe
PID 2976 wrote to memory of 5096	2976	4db3c3cbc49012848a0be2614f4510ae1c29b43aa35973ebf431c7fe1c6c4c8d.exe	4db3c3cbc49012848a0be2614f4510ae1c29b43aa35973ebf431c7fe1c6c4c8d.exe
PID 5096 wrote to memory of 2780	5096	4db3c3cbc49012848a0be2614f4510ae1c29b43aa35973ebf431c7fe1c6c4c8d.exe	icacls.exe
PID 5096 wrote to memory of 2780	5096	4db3c3cbc49012848a0be2614f4510ae1c29b43aa35973ebf431c7fe1c6c4c8d.exe	icacls.exe
PID 5096 wrote to memory of 2780	5096	4db3c3cbc49012848a0be2614f4510ae1c29b43aa35973ebf431c7fe1c6c4c8d.exe	icacls.exe
PID 5096 wrote to memory of 4488	5096	4db3c3cbc49012848a0be2614f4510ae1c29b43aa35973ebf431c7fe1c6c4c8d.exe	4db3c3cbc49012848a0be2614f4510ae1c29b43aa35973ebf431c7fe1c6c4c8d.exe
PID 5096 wrote to memory of 4488	5096	4db3c3cbc49012848a0be2614f4510ae1c29b43aa35973ebf431c7fe1c6c4c8d.exe	4db3c3cbc49012848a0be2614f4510ae1c29b43aa35973ebf431c7fe1c6c4c8d.exe
PID 5096 wrote to memory of 4488	5096	4db3c3cbc49012848a0be2614f4510ae1c29b43aa35973ebf431c7fe1c6c4c8d.exe	4db3c3cbc49012848a0be2614f4510ae1c29b43aa35973ebf431c7fe1c6c4c8d.exe
PID 4488 wrote to memory of 1048	4488	4db3c3cbc49012848a0be2614f4510ae1c29b43aa35973ebf431c7fe1c6c4c8d.exe	4db3c3cbc49012848a0be2614f4510ae1c29b43aa35973ebf431c7fe1c6c4c8d.exe
PID 4488 wrote to memory of 1048	4488	4db3c3cbc49012848a0be2614f4510ae1c29b43aa35973ebf431c7fe1c6c4c8d.exe	4db3c3cbc49012848a0be2614f4510ae1c29b43aa35973ebf431c7fe1c6c4c8d.exe
PID 4488 wrote to memory of 1048	4488	4db3c3cbc49012848a0be2614f4510ae1c29b43aa35973ebf431c7fe1c6c4c8d.exe	4db3c3cbc49012848a0be2614f4510ae1c29b43aa35973ebf431c7fe1c6c4c8d.exe
PID 4488 wrote to memory of 1048	4488	4db3c3cbc49012848a0be2614f4510ae1c29b43aa35973ebf431c7fe1c6c4c8d.exe	4db3c3cbc49012848a0be2614f4510ae1c29b43aa35973ebf431c7fe1c6c4c8d.exe
PID 4488 wrote to memory of 1048	4488	4db3c3cbc49012848a0be2614f4510ae1c29b43aa35973ebf431c7fe1c6c4c8d.exe	4db3c3cbc49012848a0be2614f4510ae1c29b43aa35973ebf431c7fe1c6c4c8d.exe
PID 4488 wrote to memory of 1048	4488	4db3c3cbc49012848a0be2614f4510ae1c29b43aa35973ebf431c7fe1c6c4c8d.exe	4db3c3cbc49012848a0be2614f4510ae1c29b43aa35973ebf431c7fe1c6c4c8d.exe
PID 4488 wrote to memory of 1048	4488	4db3c3cbc49012848a0be2614f4510ae1c29b43aa35973ebf431c7fe1c6c4c8d.exe	4db3c3cbc49012848a0be2614f4510ae1c29b43aa35973ebf431c7fe1c6c4c8d.exe
PID 4488 wrote to memory of 1048	4488	4db3c3cbc49012848a0be2614f4510ae1c29b43aa35973ebf431c7fe1c6c4c8d.exe	4db3c3cbc49012848a0be2614f4510ae1c29b43aa35973ebf431c7fe1c6c4c8d.exe
PID 4488 wrote to memory of 1048	4488	4db3c3cbc49012848a0be2614f4510ae1c29b43aa35973ebf431c7fe1c6c4c8d.exe	4db3c3cbc49012848a0be2614f4510ae1c29b43aa35973ebf431c7fe1c6c4c8d.exe
PID 4488 wrote to memory of 1048	4488	4db3c3cbc49012848a0be2614f4510ae1c29b43aa35973ebf431c7fe1c6c4c8d.exe	4db3c3cbc49012848a0be2614f4510ae1c29b43aa35973ebf431c7fe1c6c4c8d.exe
PID 1048 wrote to memory of 4960	1048	4db3c3cbc49012848a0be2614f4510ae1c29b43aa35973ebf431c7fe1c6c4c8d.exe	build2.exe
PID 1048 wrote to memory of 4960	1048	4db3c3cbc49012848a0be2614f4510ae1c29b43aa35973ebf431c7fe1c6c4c8d.exe	build2.exe
PID 1048 wrote to memory of 4960	1048	4db3c3cbc49012848a0be2614f4510ae1c29b43aa35973ebf431c7fe1c6c4c8d.exe	build2.exe
PID 4960 wrote to memory of 5040	4960	build2.exe	build2.exe
PID 4960 wrote to memory of 5040	4960	build2.exe	build2.exe
PID 4960 wrote to memory of 5040	4960	build2.exe	build2.exe
PID 4960 wrote to memory of 5040	4960	build2.exe	build2.exe
PID 4960 wrote to memory of 5040	4960	build2.exe	build2.exe
PID 4960 wrote to memory of 5040	4960	build2.exe	build2.exe
PID 4960 wrote to memory of 5040	4960	build2.exe	build2.exe
PID 4960 wrote to memory of 5040	4960	build2.exe	build2.exe
PID 4960 wrote to memory of 5040	4960	build2.exe	build2.exe
PID 4960 wrote to memory of 5040	4960	build2.exe	build2.exe
PID 1048 wrote to memory of 3284	1048	4db3c3cbc49012848a0be2614f4510ae1c29b43aa35973ebf431c7fe1c6c4c8d.exe	build3.exe
PID 1048 wrote to memory of 3284	1048	4db3c3cbc49012848a0be2614f4510ae1c29b43aa35973ebf431c7fe1c6c4c8d.exe	build3.exe
PID 1048 wrote to memory of 3284	1048	4db3c3cbc49012848a0be2614f4510ae1c29b43aa35973ebf431c7fe1c6c4c8d.exe	build3.exe
PID 3284 wrote to memory of 1548	3284	build3.exe	build3.exe
PID 3284 wrote to memory of 1548	3284	build3.exe	build3.exe
PID 3284 wrote to memory of 1548	3284	build3.exe	build3.exe
PID 3284 wrote to memory of 1548	3284	build3.exe	build3.exe
PID 3284 wrote to memory of 1548	3284	build3.exe	build3.exe
PID 3284 wrote to memory of 1548	3284	build3.exe	build3.exe
PID 3284 wrote to memory of 1548	3284	build3.exe	build3.exe
PID 3284 wrote to memory of 1548	3284	build3.exe	build3.exe
PID 3284 wrote to memory of 1548	3284	build3.exe	build3.exe
PID 1548 wrote to memory of 1784	1548	build3.exe	schtasks.exe
PID 1548 wrote to memory of 1784	1548	build3.exe	schtasks.exe
PID 1548 wrote to memory of 1784	1548	build3.exe	schtasks.exe
PID 3040 wrote to memory of 2876	3040	mstsca.exe	mstsca.exe
PID 3040 wrote to memory of 2876	3040	mstsca.exe	mstsca.exe
PID 3040 wrote to memory of 2876	3040	mstsca.exe	mstsca.exe
PID 3040 wrote to memory of 2876	3040	mstsca.exe	mstsca.exe
PID 3040 wrote to memory of 2876	3040	mstsca.exe	mstsca.exe
PID 3040 wrote to memory of 2876	3040	mstsca.exe	mstsca.exe
PID 3040 wrote to memory of 2876	3040	mstsca.exe	mstsca.exe
PID 3040 wrote to memory of 2876	3040	mstsca.exe	mstsca.exe
PID 3040 wrote to memory of 2876	3040	mstsca.exe	mstsca.exe
PID 2876 wrote to memory of 308	2876	mstsca.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\4db3c3cbc49012848a0be2614f4510ae1c29b43aa35973ebf431c7fe1c6c4c8d.exe
"C:\Users\Admin\AppData\Local\Temp\4db3c3cbc49012848a0be2614f4510ae1c29b43aa35973ebf431c7fe1c6c4c8d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2976

C:\Users\Admin\AppData\Local\Temp\4db3c3cbc49012848a0be2614f4510ae1c29b43aa35973ebf431c7fe1c6c4c8d.exe
"C:\Users\Admin\AppData\Local\Temp\4db3c3cbc49012848a0be2614f4510ae1c29b43aa35973ebf431c7fe1c6c4c8d.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5096

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\3e81c02d-7ef3-466d-bb72-ba1a3437eadb" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:2780

C:\Users\Admin\AppData\Local\Temp\4db3c3cbc49012848a0be2614f4510ae1c29b43aa35973ebf431c7fe1c6c4c8d.exe
"C:\Users\Admin\AppData\Local\Temp\4db3c3cbc49012848a0be2614f4510ae1c29b43aa35973ebf431c7fe1c6c4c8d.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4488

C:\Users\Admin\AppData\Local\Temp\4db3c3cbc49012848a0be2614f4510ae1c29b43aa35973ebf431c7fe1c6c4c8d.exe
"C:\Users\Admin\AppData\Local\Temp\4db3c3cbc49012848a0be2614f4510ae1c29b43aa35973ebf431c7fe1c6c4c8d.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1048

C:\Users\Admin\AppData\Local\d5543d14-a8df-4a7f-98f3-363477d624c1\build2.exe
"C:\Users\Admin\AppData\Local\d5543d14-a8df-4a7f-98f3-363477d624c1\build2.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4960

C:\Users\Admin\AppData\Local\d5543d14-a8df-4a7f-98f3-363477d624c1\build2.exe
"C:\Users\Admin\AppData\Local\d5543d14-a8df-4a7f-98f3-363477d624c1\build2.exe"
6⤵
- Executes dropped EXE
PID:5040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 1936
7⤵
- Program crash
PID:1256

C:\Users\Admin\AppData\Local\d5543d14-a8df-4a7f-98f3-363477d624c1\build3.exe
"C:\Users\Admin\AppData\Local\d5543d14-a8df-4a7f-98f3-363477d624c1\build3.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3284

C:\Users\Admin\AppData\Local\d5543d14-a8df-4a7f-98f3-363477d624c1\build3.exe
"C:\Users\Admin\AppData\Local\d5543d14-a8df-4a7f-98f3-363477d624c1\build3.exe"
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1548

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
1⤵
- Creates scheduled task(s)
PID:1784

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3040

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2876

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
3⤵
- Creates scheduled task(s)
PID:308

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1056

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
PID:2388

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4208

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
PID:1584

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4376

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
PID:4328

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
1KB

MD5
8112ab2a9d7578692e66734917d00015

SHA1
5dc1f7cb2c66c925d195fb98784917d108a001dd

SHA256
919561b1927726f5218e79f21184c4bf7117db4466686fc93d3d5dbc1380033b

SHA512
538f1f36b44d628d2ade163cc40deb58b50cb7fbd56019d9526c8233c30771db8542ed5786d311322dfd2e9d44e979da9513c4a0bbc7416b47bb7beca90013d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
410B

MD5
77af13ce61914cec567c4099f37c36a0

SHA1
bd7dd19c5e174e25a2b3601b103c87b23fb809c6

SHA256
d94831b1ec3144da78412540caa5dbf4e54f28a4dbc5bb984ae4015930a49ee7

SHA512
dadc7b95dcbcfe3e46533b0d6203d95202ecca8db8361125dc1e3e8caa2e95b30f6a284dd2019d8b211e79c6d7ecba2f951164cc6b40ab929883d0f0ec0c6e73

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
392B

MD5
93c24ee9d02c7bc75b42f945097d469d

SHA1
d4030428a5f9d7448345d394b60e5f351d39638e

SHA256
4c550ecba667fb6c4bce9817bb319e55bf376af8d309af49946c2d573a75fc2d

SHA512
4ada592d2ca5289c8cbff23b64dda8ec2f7e46a77696344a3e50dcaa71d49333cf08dab984defcb931c8f592cbe356f96d831cbe72799471da1217a0c5106cfb

Download Submit
C:\Users\Admin\AppData\Local\3e81c02d-7ef3-466d-bb72-ba1a3437eadb\4db3c3cbc49012848a0be2614f4510ae1c29b43aa35973ebf431c7fe1c6c4c8d.exe
Filesize
833KB

MD5
02e6b05a5b3bccc63fb6b3fa09bd4f70

SHA1
5623fe73980bbd64b70adc6ceaf92f414aae097f

SHA256
4db3c3cbc49012848a0be2614f4510ae1c29b43aa35973ebf431c7fe1c6c4c8d

SHA512
d8079833c6e7d2a53b497f037306c74ea7705c95e27c54771bb1220e843d08f373261e72ec04b8353f4cc358779fa97702c43d9b9f4332cec37bbe4ff1a1d6ce

Download Submit
C:\Users\Admin\AppData\Local\d5543d14-a8df-4a7f-98f3-363477d624c1\build2.exe
Filesize
385KB

MD5
63e4a9cd7a8b37335b5f18cefc5dd9d2

SHA1
c781a30935afc452b108cc78724b60f389b78874

SHA256
c1e75efde3fd1da605135e5c3ffab0073299c80632d136f8eeba9d4a7c98c70f

SHA512
3818b5966938704c5830acb5426db7791f6ae476853248d8984b1aff35a6722a0684bea54a53ef6ded1f301f6de9ed044d45f007457a9c0f3a7ea3afc7bf0ecc

Download Submit
C:\Users\Admin\AppData\Local\d5543d14-a8df-4a7f-98f3-363477d624c1\build2.exe
Filesize
348KB

MD5
864e5789ff8b110c0da8038c56c7bbe4

SHA1
f7f6f52bbd61ec4e81031e3b1ee8d45a2ccbbb13

SHA256
8c894f6faa1ce404138155ecf7e6e69f06737a14fedc6b77b98877d522678ae4

SHA512
a34770b44fe3ea68650f31505ceba0789b7a5a6cce632cefc0e1e92886572a186a19dfbbe15afd1081c9f00c05469dbad1f2b798dd65826e3644fdbc35602476

Download Submit
C:\Users\Admin\AppData\Local\d5543d14-a8df-4a7f-98f3-363477d624c1\build2.exe
Filesize
380KB

MD5
75826e2b6ae6dddf334f0cbb15741d2c

SHA1
bc626945f06f3544931e6c42d608bfc5b31c09d8

SHA256
a370c97577df2d9f0d6f38c632b331fecf993a14f484e1fababb622c614590b2

SHA512
72ce31da1e71fc0886d19ba70206ed872227a42b4a7ca852587b0e543808181d0e94f5db00092050e58e05d8432b41ac7ae34a7632807d0f3d66b4fb43b3a015

Download Submit
C:\Users\Admin\AppData\Local\d5543d14-a8df-4a7f-98f3-363477d624c1\build3.exe
Filesize
77KB

MD5
7991b340379d8dc52f5b4c8a206b31d9

SHA1
a4177b7241e784dd6e46429708020fa9d58ce4b7

SHA256
fb540605c740da36a6da9f127775117e00e1b96dcbfd4f14b0a035f6b751ab7f

SHA512
8f8b020bff6fa0f94f86959a27a9e9ef97aa66dec9f4aa85286cffb1f9e4461871b7753f84f42c3a2d180eae64e9c27973b039b71257215c938edb817fffb5df

Download Submit
C:\Users\Admin\AppData\Local\d5543d14-a8df-4a7f-98f3-363477d624c1\build3.exe
Filesize
118KB

MD5
a14dc0e9def33a2555140f235935b72f

SHA1
ef767aa658d0142aa452134c6e9a73561b8fbee8

SHA256
d5f858da7d0f36f24a8a2700fcc6b1512fd6e4f4699cc39f8a24d63c29365134

SHA512
280ddb35481ee4c7c31c037b5f38b48243738e2ed7ffe24daee0bead458f45f6185cd7e46f2bdf2bb9ae68565779bd16cf6a216dcc7d62b161baa5512ccf87b2

Download Submit
C:\Users\Admin\AppData\Local\d5543d14-a8df-4a7f-98f3-363477d624c1\build3.exe
Filesize
299KB

MD5
41b883a061c95e9b9cb17d4ca50de770

SHA1
1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad

SHA256
fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408

SHA512
cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

Download Submit
memory/1048-24-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1048-37-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1048-60-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1048-23-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1048-22-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1048-30-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1048-29-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1048-34-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1048-36-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1048-53-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1056-130-0x0000000000B30000-0x0000000000C30000-memory.dmp

Filesize
1024KB

Download
memory/1548-74-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1548-78-0x0000000000410000-0x00000000004D5000-memory.dmp

Filesize
788KB

Download
memory/1548-77-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1548-70-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2976-1-0x0000000000610000-0x00000000006A7000-memory.dmp

Filesize
604KB

Download
memory/2976-3-0x00000000022B0000-0x00000000023CB000-memory.dmp

Filesize
1.1MB

Download
memory/3040-103-0x0000000000A10000-0x0000000000B10000-memory.dmp

Filesize
1024KB

Download
memory/3284-73-0x0000000000809000-0x000000000081A000-memory.dmp

Filesize
68KB

Download
memory/3284-75-0x0000000000950000-0x0000000000954000-memory.dmp

Filesize
16KB

Download
memory/4208-156-0x0000000000A60000-0x0000000000B60000-memory.dmp

Filesize
1024KB

Download
memory/4376-182-0x0000000000B10000-0x0000000000C10000-memory.dmp

Filesize
1024KB

Download
memory/4488-21-0x0000000000790000-0x0000000000831000-memory.dmp

Filesize
644KB

Download
memory/4960-48-0x00000000005F0000-0x0000000000620000-memory.dmp

Filesize
192KB

Download
memory/4960-46-0x0000000000650000-0x0000000000750000-memory.dmp

Filesize
1024KB

Download
memory/5040-66-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/5040-51-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/5040-52-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/5040-47-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/5096-5-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5096-6-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5096-17-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5096-4-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5096-2-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download