djvu | 75134ad6babd2b55ea9823261ee5a7af0442065260c1085ae449e90095615b8c

Analysis

max time kernel
300s
max time network
307s
platform
windows10-1703_x64
resource
win10-20231215-en
resource tags

arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
submitted
01-02-2024 04:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

75134ad6babd2b55ea9823261ee5a7af0442065260c1085ae449e90095615b8c.exe
Size

686KB
MD5

591894f561823c1fef63ee244705a392
SHA1

38fc6af7e15cd9a3cf2794e42e1f0de43a03eaab
SHA256

75134ad6babd2b55ea9823261ee5a7af0442065260c1085ae449e90095615b8c
SHA512

b696dcbe1d20bf7cc567136d15738daa76f1f059c016671fab4fa30bd13794a4bb12caf82f2b03fa618753d0a7d69b736c6acab21bcda0ae1b08b538782fcead
SSDEEP

12288:5+/jLVJgJL3/bR0Lp4z+ZUh5RuQjpSJhcRKWycAVWIs4LxQzLwyMQ5:5IVJgJPhz/3RuGSfYnycAkmxZQ5

Score

10^/10

djvu vidar 1b9d7ec5a25ab9d78c31777a0016a097 discovery persistence ransomware stealer

Malware Config

Extracted

Family

djvu

http://habrafa.com/test1/get.php

Attributes

extension
.cdcc
offline_id
LBxKKiegnAy53rpqH3Pj2j46vwldiEt9kqHSuMt1
payload_url
http://brusuax.com/dl/build2.exe
http://habrafa.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-iVcrVFVRqu Price of private key and decrypt software is $1999. Discount 50% available if you contact us first 72 hours, that's price for you is $999. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0846ASdw

rsa_pubkey.plain

Extracted

Family

vidar

Version

7.6

Botnet

1b9d7ec5a25ab9d78c31777a0016a097

https://t.me/tvrugrats

https://steamcommunity.com/profiles/76561199627279110

Attributes

profile_id_v2
1b9d7ec5a25ab9d78c31777a0016a097

Signatures

Detect Vidar Stealer 8 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/4996-46-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral2/memory/920-50-0x00000000005C0000-0x00000000005F0000-memory.dmp	family_vidar_v7
behavioral2/memory/4996-52-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral2/memory/4996-53-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral2/memory/4996-86-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral2/memory/4256-93-0x0000000000B30000-0x0000000000C30000-memory.dmp	family_vidar_v7
behavioral2/memory/3716-173-0x0000000000820000-0x0000000000920000-memory.dmp	family_vidar_v7
behavioral2/memory/1444-205-0x00000000008A0000-0x00000000009A0000-memory.dmp	family_vidar_v7

Detected Djvu ransomware 16 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4536-2-0x00000000048A0000-0x00000000049BB000-memory.dmp	family_djvu
behavioral2/memory/2440-4-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2440-3-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2440-5-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2440-6-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2440-17-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/680-22-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/680-23-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/680-24-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/680-29-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/680-30-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/680-34-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/680-36-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/680-37-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/680-47-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/680-71-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Executes dropped EXE 14 IoCs

Processes:

build2.exebuild2.exebuild3.exebuild3.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exe

pid	process
920	build2.exe
4996	build2.exe
3816	build3.exe
868	build3.exe
4256	mstsca.exe
4596	mstsca.exe
2500	mstsca.exe
4660	mstsca.exe
2304	mstsca.exe
4832	mstsca.exe
3716	mstsca.exe
3108	mstsca.exe
1444	mstsca.exe
1200	mstsca.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

4872 icacls.exe

pid	process
4872	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

75134ad6babd2b55ea9823261ee5a7af0442065260c1085ae449e90095615b8c.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-33539905-3698238643-2080195461-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\46af7114-56e5-4f53-80c9-e549b662670e\\75134ad6babd2b55ea9823261ee5a7af0442065260c1085ae449e90095615b8c.exe\" --AutoStart"	75134ad6babd2b55ea9823261ee5a7af0442065260c1085ae449e90095615b8c.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 api.2ip.ua
12 api.2ip.ua
1 api.2ip.ua

flow	ioc
2	api.2ip.ua
12	api.2ip.ua
1	api.2ip.ua

Suspicious use of SetThreadContext 9 IoCs

Processes:

75134ad6babd2b55ea9823261ee5a7af0442065260c1085ae449e90095615b8c.exe75134ad6babd2b55ea9823261ee5a7af0442065260c1085ae449e90095615b8c.exebuild2.exebuild3.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exe

description	pid	process	target process
PID 4536 set thread context of 2440	4536	75134ad6babd2b55ea9823261ee5a7af0442065260c1085ae449e90095615b8c.exe	75134ad6babd2b55ea9823261ee5a7af0442065260c1085ae449e90095615b8c.exe
PID 4852 set thread context of 680	4852	75134ad6babd2b55ea9823261ee5a7af0442065260c1085ae449e90095615b8c.exe	75134ad6babd2b55ea9823261ee5a7af0442065260c1085ae449e90095615b8c.exe
PID 920 set thread context of 4996	920	build2.exe	build2.exe
PID 3816 set thread context of 868	3816	build3.exe	build3.exe
PID 4256 set thread context of 4596	4256	mstsca.exe	mstsca.exe
PID 2500 set thread context of 4660	2500	mstsca.exe	mstsca.exe
PID 2304 set thread context of 4832	2304	mstsca.exe	mstsca.exe
PID 3716 set thread context of 3108	3716	mstsca.exe	mstsca.exe
PID 1444 set thread context of 1200	1444	mstsca.exe	mstsca.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4140 4996 WerFault.exe build2.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1740 schtasks.exe
4828 schtasks.exe

pid	pid_target	process	target process
4140	4996	WerFault.exe	build2.exe

pid	process
1740	schtasks.exe
4828	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

75134ad6babd2b55ea9823261ee5a7af0442065260c1085ae449e90095615b8c.exe75134ad6babd2b55ea9823261ee5a7af0442065260c1085ae449e90095615b8c.exe

pid	process
2440	75134ad6babd2b55ea9823261ee5a7af0442065260c1085ae449e90095615b8c.exe
2440	75134ad6babd2b55ea9823261ee5a7af0442065260c1085ae449e90095615b8c.exe
680	75134ad6babd2b55ea9823261ee5a7af0442065260c1085ae449e90095615b8c.exe
680	75134ad6babd2b55ea9823261ee5a7af0442065260c1085ae449e90095615b8c.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

75134ad6babd2b55ea9823261ee5a7af0442065260c1085ae449e90095615b8c.exe75134ad6babd2b55ea9823261ee5a7af0442065260c1085ae449e90095615b8c.exe75134ad6babd2b55ea9823261ee5a7af0442065260c1085ae449e90095615b8c.exe75134ad6babd2b55ea9823261ee5a7af0442065260c1085ae449e90095615b8c.exebuild2.exebuild3.exebuild3.exemstsca.exemstsca.exe

description	pid	process	target process
PID 4536 wrote to memory of 2440	4536	75134ad6babd2b55ea9823261ee5a7af0442065260c1085ae449e90095615b8c.exe	75134ad6babd2b55ea9823261ee5a7af0442065260c1085ae449e90095615b8c.exe
PID 4536 wrote to memory of 2440	4536	75134ad6babd2b55ea9823261ee5a7af0442065260c1085ae449e90095615b8c.exe	75134ad6babd2b55ea9823261ee5a7af0442065260c1085ae449e90095615b8c.exe
PID 4536 wrote to memory of 2440	4536	75134ad6babd2b55ea9823261ee5a7af0442065260c1085ae449e90095615b8c.exe	75134ad6babd2b55ea9823261ee5a7af0442065260c1085ae449e90095615b8c.exe
PID 4536 wrote to memory of 2440	4536	75134ad6babd2b55ea9823261ee5a7af0442065260c1085ae449e90095615b8c.exe	75134ad6babd2b55ea9823261ee5a7af0442065260c1085ae449e90095615b8c.exe
PID 4536 wrote to memory of 2440	4536	75134ad6babd2b55ea9823261ee5a7af0442065260c1085ae449e90095615b8c.exe	75134ad6babd2b55ea9823261ee5a7af0442065260c1085ae449e90095615b8c.exe
PID 4536 wrote to memory of 2440	4536	75134ad6babd2b55ea9823261ee5a7af0442065260c1085ae449e90095615b8c.exe	75134ad6babd2b55ea9823261ee5a7af0442065260c1085ae449e90095615b8c.exe
PID 4536 wrote to memory of 2440	4536	75134ad6babd2b55ea9823261ee5a7af0442065260c1085ae449e90095615b8c.exe	75134ad6babd2b55ea9823261ee5a7af0442065260c1085ae449e90095615b8c.exe
PID 4536 wrote to memory of 2440	4536	75134ad6babd2b55ea9823261ee5a7af0442065260c1085ae449e90095615b8c.exe	75134ad6babd2b55ea9823261ee5a7af0442065260c1085ae449e90095615b8c.exe
PID 4536 wrote to memory of 2440	4536	75134ad6babd2b55ea9823261ee5a7af0442065260c1085ae449e90095615b8c.exe	75134ad6babd2b55ea9823261ee5a7af0442065260c1085ae449e90095615b8c.exe
PID 4536 wrote to memory of 2440	4536	75134ad6babd2b55ea9823261ee5a7af0442065260c1085ae449e90095615b8c.exe	75134ad6babd2b55ea9823261ee5a7af0442065260c1085ae449e90095615b8c.exe
PID 2440 wrote to memory of 4872	2440	75134ad6babd2b55ea9823261ee5a7af0442065260c1085ae449e90095615b8c.exe	icacls.exe
PID 2440 wrote to memory of 4872	2440	75134ad6babd2b55ea9823261ee5a7af0442065260c1085ae449e90095615b8c.exe	icacls.exe
PID 2440 wrote to memory of 4872	2440	75134ad6babd2b55ea9823261ee5a7af0442065260c1085ae449e90095615b8c.exe	icacls.exe
PID 2440 wrote to memory of 4852	2440	75134ad6babd2b55ea9823261ee5a7af0442065260c1085ae449e90095615b8c.exe	75134ad6babd2b55ea9823261ee5a7af0442065260c1085ae449e90095615b8c.exe
PID 2440 wrote to memory of 4852	2440	75134ad6babd2b55ea9823261ee5a7af0442065260c1085ae449e90095615b8c.exe	75134ad6babd2b55ea9823261ee5a7af0442065260c1085ae449e90095615b8c.exe
PID 2440 wrote to memory of 4852	2440	75134ad6babd2b55ea9823261ee5a7af0442065260c1085ae449e90095615b8c.exe	75134ad6babd2b55ea9823261ee5a7af0442065260c1085ae449e90095615b8c.exe
PID 4852 wrote to memory of 680	4852	75134ad6babd2b55ea9823261ee5a7af0442065260c1085ae449e90095615b8c.exe	75134ad6babd2b55ea9823261ee5a7af0442065260c1085ae449e90095615b8c.exe
PID 4852 wrote to memory of 680	4852	75134ad6babd2b55ea9823261ee5a7af0442065260c1085ae449e90095615b8c.exe	75134ad6babd2b55ea9823261ee5a7af0442065260c1085ae449e90095615b8c.exe
PID 4852 wrote to memory of 680	4852	75134ad6babd2b55ea9823261ee5a7af0442065260c1085ae449e90095615b8c.exe	75134ad6babd2b55ea9823261ee5a7af0442065260c1085ae449e90095615b8c.exe
PID 4852 wrote to memory of 680	4852	75134ad6babd2b55ea9823261ee5a7af0442065260c1085ae449e90095615b8c.exe	75134ad6babd2b55ea9823261ee5a7af0442065260c1085ae449e90095615b8c.exe
PID 4852 wrote to memory of 680	4852	75134ad6babd2b55ea9823261ee5a7af0442065260c1085ae449e90095615b8c.exe	75134ad6babd2b55ea9823261ee5a7af0442065260c1085ae449e90095615b8c.exe
PID 4852 wrote to memory of 680	4852	75134ad6babd2b55ea9823261ee5a7af0442065260c1085ae449e90095615b8c.exe	75134ad6babd2b55ea9823261ee5a7af0442065260c1085ae449e90095615b8c.exe
PID 4852 wrote to memory of 680	4852	75134ad6babd2b55ea9823261ee5a7af0442065260c1085ae449e90095615b8c.exe	75134ad6babd2b55ea9823261ee5a7af0442065260c1085ae449e90095615b8c.exe
PID 4852 wrote to memory of 680	4852	75134ad6babd2b55ea9823261ee5a7af0442065260c1085ae449e90095615b8c.exe	75134ad6babd2b55ea9823261ee5a7af0442065260c1085ae449e90095615b8c.exe
PID 4852 wrote to memory of 680	4852	75134ad6babd2b55ea9823261ee5a7af0442065260c1085ae449e90095615b8c.exe	75134ad6babd2b55ea9823261ee5a7af0442065260c1085ae449e90095615b8c.exe
PID 4852 wrote to memory of 680	4852	75134ad6babd2b55ea9823261ee5a7af0442065260c1085ae449e90095615b8c.exe	75134ad6babd2b55ea9823261ee5a7af0442065260c1085ae449e90095615b8c.exe
PID 680 wrote to memory of 920	680	75134ad6babd2b55ea9823261ee5a7af0442065260c1085ae449e90095615b8c.exe	build2.exe
PID 680 wrote to memory of 920	680	75134ad6babd2b55ea9823261ee5a7af0442065260c1085ae449e90095615b8c.exe	build2.exe
PID 680 wrote to memory of 920	680	75134ad6babd2b55ea9823261ee5a7af0442065260c1085ae449e90095615b8c.exe	build2.exe
PID 920 wrote to memory of 4996	920	build2.exe	build2.exe
PID 920 wrote to memory of 4996	920	build2.exe	build2.exe
PID 920 wrote to memory of 4996	920	build2.exe	build2.exe
PID 920 wrote to memory of 4996	920	build2.exe	build2.exe
PID 920 wrote to memory of 4996	920	build2.exe	build2.exe
PID 920 wrote to memory of 4996	920	build2.exe	build2.exe
PID 920 wrote to memory of 4996	920	build2.exe	build2.exe
PID 920 wrote to memory of 4996	920	build2.exe	build2.exe
PID 920 wrote to memory of 4996	920	build2.exe	build2.exe
PID 920 wrote to memory of 4996	920	build2.exe	build2.exe
PID 680 wrote to memory of 3816	680	75134ad6babd2b55ea9823261ee5a7af0442065260c1085ae449e90095615b8c.exe	build3.exe
PID 680 wrote to memory of 3816	680	75134ad6babd2b55ea9823261ee5a7af0442065260c1085ae449e90095615b8c.exe	build3.exe
PID 680 wrote to memory of 3816	680	75134ad6babd2b55ea9823261ee5a7af0442065260c1085ae449e90095615b8c.exe	build3.exe
PID 3816 wrote to memory of 868	3816	build3.exe	build3.exe
PID 3816 wrote to memory of 868	3816	build3.exe	build3.exe
PID 3816 wrote to memory of 868	3816	build3.exe	build3.exe
PID 3816 wrote to memory of 868	3816	build3.exe	build3.exe
PID 3816 wrote to memory of 868	3816	build3.exe	build3.exe
PID 3816 wrote to memory of 868	3816	build3.exe	build3.exe
PID 3816 wrote to memory of 868	3816	build3.exe	build3.exe
PID 3816 wrote to memory of 868	3816	build3.exe	build3.exe
PID 3816 wrote to memory of 868	3816	build3.exe	build3.exe
PID 868 wrote to memory of 1740	868	build3.exe	schtasks.exe
PID 868 wrote to memory of 1740	868	build3.exe	schtasks.exe
PID 868 wrote to memory of 1740	868	build3.exe	schtasks.exe
PID 4256 wrote to memory of 4596	4256	mstsca.exe	mstsca.exe
PID 4256 wrote to memory of 4596	4256	mstsca.exe	mstsca.exe
PID 4256 wrote to memory of 4596	4256	mstsca.exe	mstsca.exe
PID 4256 wrote to memory of 4596	4256	mstsca.exe	mstsca.exe
PID 4256 wrote to memory of 4596	4256	mstsca.exe	mstsca.exe
PID 4256 wrote to memory of 4596	4256	mstsca.exe	mstsca.exe
PID 4256 wrote to memory of 4596	4256	mstsca.exe	mstsca.exe
PID 4256 wrote to memory of 4596	4256	mstsca.exe	mstsca.exe
PID 4256 wrote to memory of 4596	4256	mstsca.exe	mstsca.exe
PID 4596 wrote to memory of 4828	4596	mstsca.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\75134ad6babd2b55ea9823261ee5a7af0442065260c1085ae449e90095615b8c.exe
"C:\Users\Admin\AppData\Local\Temp\75134ad6babd2b55ea9823261ee5a7af0442065260c1085ae449e90095615b8c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4536

C:\Users\Admin\AppData\Local\Temp\75134ad6babd2b55ea9823261ee5a7af0442065260c1085ae449e90095615b8c.exe
"C:\Users\Admin\AppData\Local\Temp\75134ad6babd2b55ea9823261ee5a7af0442065260c1085ae449e90095615b8c.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2440

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\46af7114-56e5-4f53-80c9-e549b662670e" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:4872

C:\Users\Admin\AppData\Local\Temp\75134ad6babd2b55ea9823261ee5a7af0442065260c1085ae449e90095615b8c.exe
"C:\Users\Admin\AppData\Local\Temp\75134ad6babd2b55ea9823261ee5a7af0442065260c1085ae449e90095615b8c.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4852

C:\Users\Admin\AppData\Local\Temp\75134ad6babd2b55ea9823261ee5a7af0442065260c1085ae449e90095615b8c.exe
"C:\Users\Admin\AppData\Local\Temp\75134ad6babd2b55ea9823261ee5a7af0442065260c1085ae449e90095615b8c.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:680

C:\Users\Admin\AppData\Local\b466bfe2-eb56-4d56-bde1-6bfa7ebec631\build2.exe
"C:\Users\Admin\AppData\Local\b466bfe2-eb56-4d56-bde1-6bfa7ebec631\build2.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:920

C:\Users\Admin\AppData\Local\b466bfe2-eb56-4d56-bde1-6bfa7ebec631\build2.exe
"C:\Users\Admin\AppData\Local\b466bfe2-eb56-4d56-bde1-6bfa7ebec631\build2.exe"
6⤵
- Executes dropped EXE
PID:4996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 2056
7⤵
- Program crash
PID:4140

C:\Users\Admin\AppData\Local\b466bfe2-eb56-4d56-bde1-6bfa7ebec631\build3.exe
"C:\Users\Admin\AppData\Local\b466bfe2-eb56-4d56-bde1-6bfa7ebec631\build3.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3816

C:\Users\Admin\AppData\Local\b466bfe2-eb56-4d56-bde1-6bfa7ebec631\build3.exe
"C:\Users\Admin\AppData\Local\b466bfe2-eb56-4d56-bde1-6bfa7ebec631\build3.exe"
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:868

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
7⤵
- Creates scheduled task(s)
PID:1740

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4256

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4596

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
1⤵
- Creates scheduled task(s)
PID:4828

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2500

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
PID:4660

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2304

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
PID:4832

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3716

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
PID:3108

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1444

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
PID:1200

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
1KB

MD5
8112ab2a9d7578692e66734917d00015

SHA1
5dc1f7cb2c66c925d195fb98784917d108a001dd

SHA256
919561b1927726f5218e79f21184c4bf7117db4466686fc93d3d5dbc1380033b

SHA512
538f1f36b44d628d2ade163cc40deb58b50cb7fbd56019d9526c8233c30771db8542ed5786d311322dfd2e9d44e979da9513c4a0bbc7416b47bb7beca90013d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
410B

MD5
76bf209e4f643aefdce0873e7bc37a17

SHA1
ef95c824ae44aa8c90916786de0bb618c206d54c

SHA256
7e0ace257d0f90b09c52e5d08a7a647b430b3e93040d6973fde97a179113c06e

SHA512
4d662b061b6e57a3831417a7f4657df349c75a28ad74e3594df8cc34d4ef09ae80b1f7b06549f29435c05b8a3e9b2ff568e03990623cd8475abfd05d36ba4e03

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
392B

MD5
95dad531f62cce31f5275e7f6f1c68e7

SHA1
d50475ffec7862305665b86900d20d81e688dbf7

SHA256
6a5fff3b88267df0fb9f919f171f86f876fce082902627814c1d2889fb737fbe

SHA512
ba6392e82b67a467365ac5c735c502c63b2070dd985759bb1c872402fe8850ae1bc856d9f9a8439ab90d9e71b32c701f27717bc4c47d54557197302d73feaa2b

Download Submit
C:\Users\Admin\AppData\Local\46af7114-56e5-4f53-80c9-e549b662670e\75134ad6babd2b55ea9823261ee5a7af0442065260c1085ae449e90095615b8c.exe
Filesize
686KB

MD5
591894f561823c1fef63ee244705a392

SHA1
38fc6af7e15cd9a3cf2794e42e1f0de43a03eaab

SHA256
75134ad6babd2b55ea9823261ee5a7af0442065260c1085ae449e90095615b8c

SHA512
b696dcbe1d20bf7cc567136d15738daa76f1f059c016671fab4fa30bd13794a4bb12caf82f2b03fa618753d0a7d69b736c6acab21bcda0ae1b08b538782fcead

Download Submit
C:\Users\Admin\AppData\Local\b466bfe2-eb56-4d56-bde1-6bfa7ebec631\build2.exe
Filesize
385KB

MD5
63e4a9cd7a8b37335b5f18cefc5dd9d2

SHA1
c781a30935afc452b108cc78724b60f389b78874

SHA256
c1e75efde3fd1da605135e5c3ffab0073299c80632d136f8eeba9d4a7c98c70f

SHA512
3818b5966938704c5830acb5426db7791f6ae476853248d8984b1aff35a6722a0684bea54a53ef6ded1f301f6de9ed044d45f007457a9c0f3a7ea3afc7bf0ecc

Download Submit
C:\Users\Admin\AppData\Local\b466bfe2-eb56-4d56-bde1-6bfa7ebec631\build3.exe
Filesize
299KB

MD5
41b883a061c95e9b9cb17d4ca50de770

SHA1
1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad

SHA256
fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408

SHA512
cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
80KB

MD5
600f3ae5f430ae2b86b73cd3e05821ab

SHA1
1b8a9f49ecb6bb3cdf17cb008aa2e3aef85bc8dd

SHA256
3ebbedc883b2c11fd311f0d5c990e528c759ac3f1b918004ad831d491369c218

SHA512
4ab66b8b873d4752d4d12a264c4e05360086c3edeb2a771a5e7828c945b92f6717afff7a20c9bce4c96058fe65c5710e8f1090ce4b592c9efa773a70c9d12d45

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
116KB

MD5
28a2a6e9f4adb79261e929ec6f1dc817

SHA1
e1e7940aae7cbb6f08d8642fd10a7da8764dde72

SHA256
920e6db6038bb4d006f7de2ebe05147be968bc4c68b35e8f617d6fab800e9342

SHA512
0bb02e2c7b7f57f3de754182eb1e50cc83f7db3f7538397a96c8b900056c7fe9396d951aba6516e9cfb847e205673dc675b33e268c21caed70bb35c211b10322

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
148KB

MD5
d447ad94ddb7553f5cc4f9ef4a19ebe7

SHA1
7fa7217922c95e04ee66ea8f5d9540480f05b3b1

SHA256
058a1eaa2ca460e71965b2ece30ed8a54887b30b0ca00b952545bc101c011b39

SHA512
b1ff009653c12481da51d0c272145e583b2931c4b18d1a46f47e85144dfe74a65976bc469f2019901dada863a0cfa73fcf2a6cbfc02c13fb88a9d6459cd4a812

Download Submit
memory/680-47-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/680-37-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/680-23-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/680-22-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/680-24-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/680-71-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/680-29-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/680-30-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/680-34-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/680-36-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/868-84-0x0000000000410000-0x00000000004D5000-memory.dmp

Filesize
788KB

Download
memory/868-76-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/868-83-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/868-81-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/920-50-0x00000000005C0000-0x00000000005F0000-memory.dmp

Filesize
192KB

Download
memory/920-48-0x00000000007D0000-0x00000000008D0000-memory.dmp

Filesize
1024KB

Download
memory/1444-205-0x00000000008A0000-0x00000000009A0000-memory.dmp

Filesize
1024KB

Download
memory/2304-150-0x0000000000A00000-0x0000000000B00000-memory.dmp

Filesize
1024KB

Download
memory/2440-17-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2440-5-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2440-4-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2440-3-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2440-6-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2500-121-0x0000000000BCE000-0x0000000000BDE000-memory.dmp

Filesize
64KB

Download
memory/3716-173-0x0000000000820000-0x0000000000920000-memory.dmp

Filesize
1024KB

Download
memory/3816-79-0x0000000000810000-0x0000000000814000-memory.dmp

Filesize
16KB

Download
memory/3816-77-0x00000000009D0000-0x0000000000AD0000-memory.dmp

Filesize
1024KB

Download
memory/4256-93-0x0000000000B30000-0x0000000000C30000-memory.dmp

Filesize
1024KB

Download
memory/4536-2-0x00000000048A0000-0x00000000049BB000-memory.dmp

Filesize
1.1MB

Download
memory/4536-1-0x0000000004800000-0x0000000004897000-memory.dmp

Filesize
604KB

Download
memory/4660-124-0x0000000000410000-0x00000000004BE000-memory.dmp

Filesize
696KB

Download
memory/4852-20-0x0000000004880000-0x0000000004916000-memory.dmp

Filesize
600KB

Download
memory/4996-86-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/4996-53-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/4996-52-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/4996-46-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download