djvu | 73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027

Analysis

max time kernel
295s
max time network
293s
platform
windows10-1703_x64
resource
win10-20231215-en
resource tags

arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
submitted
01-02-2024 04:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe
Size

700KB
MD5

82b95c134ff0481c15adec3f77e413f3
SHA1

bf3f50f5a88f9f3efb40a1dce441824a24c5df1c
SHA256

73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027
SHA512

9bdc2c364fea0c28c5f3a8862e33119c5ebe3fb3f7b21037d148abd7d15f5e1fe74550cbad99e38b6c311bfe4e0f39430da124ea0f1483f317235ecf3f044921
SSDEEP

12288:kT9K0UmPjoKllWmrr28ueznY3efXlmEEHEuKRVbNGvrjlS2er0LZll/:wZ7ozmrrfPzYwmfHIVbNGHXeol9

Score

10^/10

djvu vidar 1b9d7ec5a25ab9d78c31777a0016a097 discovery persistence ransomware stealer

Malware Config

Extracted

Family

djvu

http://habrafa.com/test1/get.php

Attributes

extension
.cdcc
offline_id
LBxKKiegnAy53rpqH3Pj2j46vwldiEt9kqHSuMt1
payload_url
http://brusuax.com/dl/build2.exe
http://habrafa.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-iVcrVFVRqu Price of private key and decrypt software is $1999. Discount 50% available if you contact us first 72 hours, that's price for you is $999. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0846ASdw

rsa_pubkey.plain

Extracted

Family

vidar

Version

7.6

Botnet

1b9d7ec5a25ab9d78c31777a0016a097

https://t.me/tvrugrats

https://steamcommunity.com/profiles/76561199627279110

Attributes

profile_id_v2
1b9d7ec5a25ab9d78c31777a0016a097

Signatures

Detect Vidar Stealer 6 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/1564-51-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral2/memory/1564-52-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral2/memory/1564-47-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral2/memory/920-48-0x00000000005D0000-0x0000000000600000-memory.dmp	family_vidar_v7
behavioral2/memory/1564-75-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral2/memory/4244-80-0x00000000009F0000-0x0000000000AF0000-memory.dmp	family_vidar_v7

Detected Djvu ransomware 16 IoCs

Processes:

resource	yara_rule
behavioral2/memory/220-3-0x0000000003100000-0x000000000321B000-memory.dmp	family_djvu
behavioral2/memory/4144-6-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4144-5-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4144-4-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4144-2-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4144-17-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4528-23-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4528-24-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4528-22-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4528-30-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4528-29-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4528-36-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4528-37-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4528-34-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4528-53-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4528-72-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Executes dropped EXE 14 IoCs

Processes:

build2.exebuild2.exebuild3.exebuild3.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exe

pid	process
920	build2.exe
1564	build2.exe
4244	build3.exe
2600	build3.exe
4900	mstsca.exe
5116	mstsca.exe
1628	mstsca.exe
4148	mstsca.exe
4220	mstsca.exe
788	mstsca.exe
4568	mstsca.exe
4732	mstsca.exe
3064	mstsca.exe
3892	mstsca.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

5100 icacls.exe

pid	process
5100	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1364394410-760759377-2797241167-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\1b864fd5-1d20-4212-b1c5-4a8300f76c0f\\73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe\" --AutoStart"	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

9 api.2ip.ua
1 api.2ip.ua
2 api.2ip.ua

flow	ioc
9	api.2ip.ua
1	api.2ip.ua
2	api.2ip.ua

Suspicious use of SetThreadContext 9 IoCs

Processes:

73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exebuild2.exebuild3.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exe

description	pid	process	target process
PID 220 set thread context of 4144	220	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe
PID 4548 set thread context of 4528	4548	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe
PID 920 set thread context of 1564	920	build2.exe	build2.exe
PID 4244 set thread context of 2600	4244	build3.exe	build3.exe
PID 4900 set thread context of 5116	4900	mstsca.exe	mstsca.exe
PID 1628 set thread context of 4148	1628	mstsca.exe	mstsca.exe
PID 4220 set thread context of 788	4220	mstsca.exe	mstsca.exe
PID 4568 set thread context of 4732	4568	mstsca.exe	mstsca.exe
PID 3064 set thread context of 3892	3064	mstsca.exe	mstsca.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2020 1564 WerFault.exe build2.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

828 schtasks.exe
596 schtasks.exe

pid	pid_target	process	target process
2020	1564	WerFault.exe	build2.exe

pid	process
828	schtasks.exe
596	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe

pid	process
4144	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe
4144	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe
4528	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe
4528	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exebuild2.exebuild3.exebuild3.exemstsca.exemstsca.exe

description	pid	process	target process
PID 220 wrote to memory of 4144	220	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe
PID 220 wrote to memory of 4144	220	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe
PID 220 wrote to memory of 4144	220	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe
PID 220 wrote to memory of 4144	220	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe
PID 220 wrote to memory of 4144	220	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe
PID 220 wrote to memory of 4144	220	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe
PID 220 wrote to memory of 4144	220	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe
PID 220 wrote to memory of 4144	220	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe
PID 220 wrote to memory of 4144	220	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe
PID 220 wrote to memory of 4144	220	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe
PID 4144 wrote to memory of 5100	4144	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe	icacls.exe
PID 4144 wrote to memory of 5100	4144	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe	icacls.exe
PID 4144 wrote to memory of 5100	4144	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe	icacls.exe
PID 4144 wrote to memory of 4548	4144	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe
PID 4144 wrote to memory of 4548	4144	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe
PID 4144 wrote to memory of 4548	4144	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe
PID 4548 wrote to memory of 4528	4548	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe
PID 4548 wrote to memory of 4528	4548	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe
PID 4548 wrote to memory of 4528	4548	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe
PID 4548 wrote to memory of 4528	4548	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe
PID 4548 wrote to memory of 4528	4548	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe
PID 4548 wrote to memory of 4528	4548	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe
PID 4548 wrote to memory of 4528	4548	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe
PID 4548 wrote to memory of 4528	4548	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe
PID 4548 wrote to memory of 4528	4548	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe
PID 4548 wrote to memory of 4528	4548	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe
PID 4528 wrote to memory of 920	4528	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe	build2.exe
PID 4528 wrote to memory of 920	4528	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe	build2.exe
PID 4528 wrote to memory of 920	4528	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe	build2.exe
PID 920 wrote to memory of 1564	920	build2.exe	build2.exe
PID 920 wrote to memory of 1564	920	build2.exe	build2.exe
PID 920 wrote to memory of 1564	920	build2.exe	build2.exe
PID 920 wrote to memory of 1564	920	build2.exe	build2.exe
PID 920 wrote to memory of 1564	920	build2.exe	build2.exe
PID 920 wrote to memory of 1564	920	build2.exe	build2.exe
PID 920 wrote to memory of 1564	920	build2.exe	build2.exe
PID 920 wrote to memory of 1564	920	build2.exe	build2.exe
PID 920 wrote to memory of 1564	920	build2.exe	build2.exe
PID 920 wrote to memory of 1564	920	build2.exe	build2.exe
PID 4528 wrote to memory of 4244	4528	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe	build3.exe
PID 4528 wrote to memory of 4244	4528	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe	build3.exe
PID 4528 wrote to memory of 4244	4528	73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe	build3.exe
PID 4244 wrote to memory of 2600	4244	build3.exe	build3.exe
PID 4244 wrote to memory of 2600	4244	build3.exe	build3.exe
PID 4244 wrote to memory of 2600	4244	build3.exe	build3.exe
PID 4244 wrote to memory of 2600	4244	build3.exe	build3.exe
PID 4244 wrote to memory of 2600	4244	build3.exe	build3.exe
PID 4244 wrote to memory of 2600	4244	build3.exe	build3.exe
PID 4244 wrote to memory of 2600	4244	build3.exe	build3.exe
PID 4244 wrote to memory of 2600	4244	build3.exe	build3.exe
PID 4244 wrote to memory of 2600	4244	build3.exe	build3.exe
PID 2600 wrote to memory of 828	2600	build3.exe	schtasks.exe
PID 2600 wrote to memory of 828	2600	build3.exe	schtasks.exe
PID 2600 wrote to memory of 828	2600	build3.exe	schtasks.exe
PID 4900 wrote to memory of 5116	4900	mstsca.exe	mstsca.exe
PID 4900 wrote to memory of 5116	4900	mstsca.exe	mstsca.exe
PID 4900 wrote to memory of 5116	4900	mstsca.exe	mstsca.exe
PID 4900 wrote to memory of 5116	4900	mstsca.exe	mstsca.exe
PID 4900 wrote to memory of 5116	4900	mstsca.exe	mstsca.exe
PID 4900 wrote to memory of 5116	4900	mstsca.exe	mstsca.exe
PID 4900 wrote to memory of 5116	4900	mstsca.exe	mstsca.exe
PID 4900 wrote to memory of 5116	4900	mstsca.exe	mstsca.exe
PID 4900 wrote to memory of 5116	4900	mstsca.exe	mstsca.exe
PID 5116 wrote to memory of 596	5116	mstsca.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe
"C:\Users\Admin\AppData\Local\Temp\73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:220

C:\Users\Admin\AppData\Local\Temp\73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe
"C:\Users\Admin\AppData\Local\Temp\73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4144

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\1b864fd5-1d20-4212-b1c5-4a8300f76c0f" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:5100

C:\Users\Admin\AppData\Local\Temp\73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe
"C:\Users\Admin\AppData\Local\Temp\73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4548

C:\Users\Admin\AppData\Local\Temp\73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe
"C:\Users\Admin\AppData\Local\Temp\73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe" --Admin IsNotAutoStart IsNotTask
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4528

C:\Users\Admin\AppData\Local\9fa4a5b9-4496-44e4-a5a9-6a146047b350\build2.exe
"C:\Users\Admin\AppData\Local\9fa4a5b9-4496-44e4-a5a9-6a146047b350\build2.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:920

C:\Users\Admin\AppData\Local\9fa4a5b9-4496-44e4-a5a9-6a146047b350\build3.exe
"C:\Users\Admin\AppData\Local\9fa4a5b9-4496-44e4-a5a9-6a146047b350\build3.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4244

C:\Users\Admin\AppData\Local\9fa4a5b9-4496-44e4-a5a9-6a146047b350\build3.exe
"C:\Users\Admin\AppData\Local\9fa4a5b9-4496-44e4-a5a9-6a146047b350\build3.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2600

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
4⤵
- Creates scheduled task(s)
PID:828

C:\Users\Admin\AppData\Local\9fa4a5b9-4496-44e4-a5a9-6a146047b350\build2.exe
"C:\Users\Admin\AppData\Local\9fa4a5b9-4496-44e4-a5a9-6a146047b350\build2.exe"
1⤵
- Executes dropped EXE
PID:1564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 2008
2⤵
- Program crash
PID:2020

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4900

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5116

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
3⤵
- Creates scheduled task(s)
PID:596

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1628

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
PID:4148

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4220

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
PID:788

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4568

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
PID:4732

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3064

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
PID:3892

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
1KB

MD5
8112ab2a9d7578692e66734917d00015

SHA1
5dc1f7cb2c66c925d195fb98784917d108a001dd

SHA256
919561b1927726f5218e79f21184c4bf7117db4466686fc93d3d5dbc1380033b

SHA512
538f1f36b44d628d2ade163cc40deb58b50cb7fbd56019d9526c8233c30771db8542ed5786d311322dfd2e9d44e979da9513c4a0bbc7416b47bb7beca90013d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
410B

MD5
981010a0f673fe2d96c36ab2d41b2953

SHA1
19c694c58dcd5acd71efd1b4a43fda8166dbabcc

SHA256
2339044a44021d4da969fa11f9c4c4d5cd89597840218266f74f803d1c62d30c

SHA512
d1a01b1af23f46da36bfb84b5cdfa9899c2161211ec09a1bc61fd55541f024146d507229122060e1a67148394c691385bb60d323db0ec2e79a49f976ab649e81

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
392B

MD5
a791eda9aa3cfdae284943ad0c367e33

SHA1
2625e172f5a122052da6500fd58f764faa6e9b9b

SHA256
fc283faf7384ee1936b81645080a3cee560331c17d7e3f7b160a2ca8dad5cd6a

SHA512
6579592ffaa6425ab174cc5a4708bcac7418905542d9f6beb1b87c5c60409c577c21a3317353b99b70085edb2d263a97e01c4ba305e09c4e4df7fc39f83d87f8

Download Submit
C:\Users\Admin\AppData\Local\1b864fd5-1d20-4212-b1c5-4a8300f76c0f\73dbcb05d7ca048213fdb1c083b084f7a87e208ee6dfd9634840c5cedbfc5027.exe
Filesize
234KB

MD5
fb0a37838d6962e585997cd2c6faf864

SHA1
12a2ff0e7f860bda94c0dedf4a82d0151145b1d2

SHA256
17a6722e584e9b84eb6f30d38135ce3487a133cd1b89e13a85703604cf48e942

SHA512
04675eca2f32a8222a3ae21ed53761cc9b0b1aed7cfc380c16d7dfc8653504cdd592bbf2004a67e978ee237c7c9b2084ed3e1ec68733f18417565dd47beb4f24

Download Submit
C:\Users\Admin\AppData\Local\9fa4a5b9-4496-44e4-a5a9-6a146047b350\build2.exe
Filesize
62KB

MD5
243231070d237d520a57fb1027e90cf5

SHA1
b61aeb01a846174e66f060857106e5b61b30b2cd

SHA256
20802809505b8dce16463dfcfec4d701455897e64e236e376d88055ad63a9908

SHA512
7ce67c2a1da21a3545167eef80c24d2457ba652b093b5006adf3540eb49907f015ace4952f1c4f74c52d5e9c96db4812994da421946aeeced95e1de7179c79d0

Download Submit
C:\Users\Admin\AppData\Local\9fa4a5b9-4496-44e4-a5a9-6a146047b350\build2.exe
Filesize
83KB

MD5
e39fa874abecd3e119f453b8e42c6156

SHA1
f8c1d4e77c814bdbe888a27e8c8feb17cd19f52f

SHA256
a298b7e8c4ab69508a710f994e4c7e4428342ec788258ff454f09940f8069454

SHA512
080d5e51f288f778ecb047bb75cb10f0409e1bc00b0279f421b3dc3e95c1e4f22619575ba43eccbfb87c83625f165e772573328c8a781ae0a9959c81f52fcbb9

Download Submit
C:\Users\Admin\AppData\Local\9fa4a5b9-4496-44e4-a5a9-6a146047b350\build2.exe
Filesize
64KB

MD5
712bad158c28fc59f359fcb462a20130

SHA1
0170150a7f1549d6555220987cd4e93532497379

SHA256
9ae6aa392471747511ca4d2643096e224f40e0aa45c0b8b884f6aa89fdaa19bf

SHA512
2d85900e91e5d59f46bba9161b97db72f627726bebfaf131d94f47412fb26c4d976e7f33fe8ea74d335c2d1ddf3a04cb9f66923a27b4840df2ba01ce9f0940ee

Download Submit
C:\Users\Admin\AppData\Local\9fa4a5b9-4496-44e4-a5a9-6a146047b350\build3.exe
Filesize
119KB

MD5
cda0d0e1a45af964f59ae65f7c5c65ec

SHA1
d09461640605c4f832603470f42848adf766052a

SHA256
d76566ce553f42f897141cdd0a9268b4c5df938c4501f628c2d3a43b9e7b00b8

SHA512
0babb11c1ff2df83a053394398656dd0ec8e05367e67c776640f26034764cdde42ddacb47d123af51d539e3c05619110d1f3059f34ddd9e4d6388f5be4221f97

Download Submit
C:\Users\Admin\AppData\Local\9fa4a5b9-4496-44e4-a5a9-6a146047b350\build3.exe
Filesize
141KB

MD5
c682d66c880cb9a8cde6465cd23c1f6c

SHA1
d295ea46a3711dfe4dd04f50d0b26061baa1ff30

SHA256
dae31ba0b7e7f6665afbad90d7cb9fa9abeff216114ce2591bcff8545f6208d2

SHA512
98c21728c5e78a64e3f730140b47e61a0f90c19f08b04a90fc8fd7bcdbd1165557ec10e06bf217540e4f9e3f34d561f03438bd74f8fb1ccd70f7055af659b253

Download Submit
C:\Users\Admin\AppData\Local\9fa4a5b9-4496-44e4-a5a9-6a146047b350\build3.exe
Filesize
299KB

MD5
41b883a061c95e9b9cb17d4ca50de770

SHA1
1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad

SHA256
fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408

SHA512
cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
10KB

MD5
7f84787afd22d7dc9559120283cbab95

SHA1
ad67bb3e7dc74bcc033221eaef3da02620847073

SHA256
6783b55c6e6df601ae0497700d52bbdf61323efd08cd995eb751a3fd374fc613

SHA512
f1f75512b8e56bee1b0a3c46c6336aa84033fc428fba3dbca070f75fbc2b0e4ef25233de3b5ff2f4fc2df0703b9996a6d364399fbe30e04fe2d29d505ad1fcf6

Download Submit
memory/220-3-0x0000000003100000-0x000000000321B000-memory.dmp

Filesize
1.1MB

Download
memory/220-1-0x0000000002E30000-0x0000000002EC2000-memory.dmp

Filesize
584KB

Download
memory/920-46-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/920-48-0x00000000005D0000-0x0000000000600000-memory.dmp

Filesize
192KB

Download
memory/1564-51-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/1564-75-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/1564-47-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/1564-52-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/1628-124-0x0000000000AD0000-0x0000000000BD0000-memory.dmp

Filesize
1024KB

Download
memory/2600-86-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2600-87-0x0000000000410000-0x00000000004D5000-memory.dmp

Filesize
788KB

Download
memory/2600-84-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2600-79-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/3064-207-0x000000000081E000-0x000000000082E000-memory.dmp

Filesize
64KB

Download
memory/4144-5-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4144-17-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4144-6-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4144-2-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4144-4-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4220-153-0x0000000000A7E000-0x0000000000A8E000-memory.dmp

Filesize
64KB

Download
memory/4244-80-0x00000000009F0000-0x0000000000AF0000-memory.dmp

Filesize
1024KB

Download
memory/4244-81-0x0000000000850000-0x0000000000854000-memory.dmp

Filesize
16KB

Download
memory/4528-22-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4528-34-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4528-23-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4528-72-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4528-29-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4528-24-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4528-53-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4528-30-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4528-36-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4528-37-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4548-20-0x0000000002F60000-0x0000000002FF4000-memory.dmp

Filesize
592KB

Download
memory/4568-183-0x00000000009BE000-0x00000000009CE000-memory.dmp

Filesize
64KB

Download
memory/4900-97-0x00000000007F0000-0x00000000008F0000-memory.dmp

Filesize
1024KB

Download