djvu | 62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857

Analysis

max time kernel
299s
max time network
300s
platform
windows10-1703_x64
resource
win10-20231215-en
resource tags

arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
submitted
01-02-2024 04:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exe
Size

744KB
MD5

216eb4859117883f2cc50d593eae48b0
SHA1

b5ae357143d8b21b6918a7862a66aa2e5cebb6a6
SHA256

62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857
SHA512

993b2b1d883697a0b32f29a552efd02f123e5077669ced4064f4f30e9207684ed5e6b2e99bf68ca9a349e21efaccacd584027eb1477f31efc0ab428257dda864
SSDEEP

12288:MBWA0M3AbdrJNvAJ7rc9aqxC+JouNaEpqWwAHfU4X74uLiiFrhjPaFTbfL:VMu5JNvIckqxCjuN7ppM4r4I3xmvf

Score

10^/10

djvu vidar 1b9d7ec5a25ab9d78c31777a0016a097 discovery persistence ransomware stealer

Malware Config

Extracted

Family

djvu

http://habrafa.com/test1/get.php

Attributes

extension
.cdpo
offline_id
Bn3q97hwLouKbhkQRNO4SeV07gjdEQVm8NKhg0t1
payload_url
http://brusuax.com/dl/build2.exe

http://habrafa.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-FCWSCsjEWS Price of private key and decrypt software is $1999. Discount 50% available if you contact us first 72 hours, that's price for you is $999. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0844OSkw

rsa_pubkey.plain

Extracted

Family

vidar

Version

7.6

Botnet

1b9d7ec5a25ab9d78c31777a0016a097

https://t.me/tvrugrats

https://steamcommunity.com/profiles/76561199627279110

Attributes

profile_id_v2
1b9d7ec5a25ab9d78c31777a0016a097

Signatures

Detect Vidar Stealer 6 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/2868-51-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral2/memory/2868-52-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral2/memory/2988-50-0x00000000006D0000-0x0000000000700000-memory.dmp	family_vidar_v7
behavioral2/memory/2868-46-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral2/memory/2868-66-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral2/memory/3056-178-0x0000000000A70000-0x0000000000B70000-memory.dmp	family_vidar_v7

Detected Djvu ransomware 16 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2980-3-0x00000000022C0000-0x00000000023DB000-memory.dmp	family_djvu
behavioral2/memory/3656-2-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3656-4-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3656-5-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3656-6-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3656-17-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/704-23-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/704-22-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/704-24-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/704-29-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/704-30-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/704-36-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/704-37-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/704-34-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/704-53-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/704-63-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Executes dropped EXE 13 IoCs

Processes:

build2.exebuild2.exebuild3.exebuild3.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exe

pid	process
2988	build2.exe
2868	build2.exe
4496	build3.exe
3324	build3.exe
1908	mstsca.exe
4644	mstsca.exe
4100	mstsca.exe
4916	mstsca.exe
4864	mstsca.exe
2124	mstsca.exe
3056	mstsca.exe
3848	mstsca.exe
4884	mstsca.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

1828 icacls.exe

pid	process
1828	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\738dce87-d53d-4e03-8f0c-248710c50c6b\\62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exe\" --AutoStart"	62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 api.2ip.ua
2 api.2ip.ua
8 api.2ip.ua

flow	ioc
1	api.2ip.ua
2	api.2ip.ua
8	api.2ip.ua

Suspicious use of SetThreadContext 8 IoCs

Processes:

62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exe62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exebuild2.exebuild3.exemstsca.exemstsca.exemstsca.exemstsca.exe

description	pid	process	target process
PID 2980 set thread context of 3656	2980	62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exe	62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exe
PID 4228 set thread context of 704	4228	62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exe	62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exe
PID 2988 set thread context of 2868	2988	build2.exe	build2.exe
PID 4496 set thread context of 3324	4496	build3.exe	build3.exe
PID 1908 set thread context of 4644	1908	mstsca.exe	mstsca.exe
PID 4100 set thread context of 4916	4100	mstsca.exe	mstsca.exe
PID 4864 set thread context of 2124	4864	mstsca.exe	mstsca.exe
PID 3056 set thread context of 3848	3056	mstsca.exe	mstsca.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

888 2868 WerFault.exe build2.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1160 schtasks.exe
2872 schtasks.exe

pid	pid_target	process	target process
888	2868	WerFault.exe	build2.exe

pid	process
1160	schtasks.exe
2872	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exe62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exe

pid	process
3656	62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exe
3656	62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exe
704	62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exe
704	62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exe62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exe62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exe62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exebuild2.exebuild3.exebuild3.exemstsca.exemstsca.exe

description	pid	process	target process
PID 2980 wrote to memory of 3656	2980	62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exe	62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exe
PID 2980 wrote to memory of 3656	2980	62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exe	62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exe
PID 2980 wrote to memory of 3656	2980	62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exe	62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exe
PID 2980 wrote to memory of 3656	2980	62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exe	62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exe
PID 2980 wrote to memory of 3656	2980	62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exe	62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exe
PID 2980 wrote to memory of 3656	2980	62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exe	62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exe
PID 2980 wrote to memory of 3656	2980	62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exe	62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exe
PID 2980 wrote to memory of 3656	2980	62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exe	62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exe
PID 2980 wrote to memory of 3656	2980	62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exe	62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exe
PID 2980 wrote to memory of 3656	2980	62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exe	62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exe
PID 3656 wrote to memory of 1828	3656	62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exe	icacls.exe
PID 3656 wrote to memory of 1828	3656	62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exe	icacls.exe
PID 3656 wrote to memory of 1828	3656	62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exe	icacls.exe
PID 3656 wrote to memory of 4228	3656	62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exe	62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exe
PID 3656 wrote to memory of 4228	3656	62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exe	62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exe
PID 3656 wrote to memory of 4228	3656	62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exe	62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exe
PID 4228 wrote to memory of 704	4228	62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exe	62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exe
PID 4228 wrote to memory of 704	4228	62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exe	62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exe
PID 4228 wrote to memory of 704	4228	62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exe	62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exe
PID 4228 wrote to memory of 704	4228	62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exe	62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exe
PID 4228 wrote to memory of 704	4228	62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exe	62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exe
PID 4228 wrote to memory of 704	4228	62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exe	62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exe
PID 4228 wrote to memory of 704	4228	62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exe	62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exe
PID 4228 wrote to memory of 704	4228	62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exe	62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exe
PID 4228 wrote to memory of 704	4228	62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exe	62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exe
PID 4228 wrote to memory of 704	4228	62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exe	62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exe
PID 704 wrote to memory of 2988	704	62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exe	build2.exe
PID 704 wrote to memory of 2988	704	62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exe	build2.exe
PID 704 wrote to memory of 2988	704	62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exe	build2.exe
PID 2988 wrote to memory of 2868	2988	build2.exe	build2.exe
PID 2988 wrote to memory of 2868	2988	build2.exe	build2.exe
PID 2988 wrote to memory of 2868	2988	build2.exe	build2.exe
PID 2988 wrote to memory of 2868	2988	build2.exe	build2.exe
PID 2988 wrote to memory of 2868	2988	build2.exe	build2.exe
PID 2988 wrote to memory of 2868	2988	build2.exe	build2.exe
PID 2988 wrote to memory of 2868	2988	build2.exe	build2.exe
PID 2988 wrote to memory of 2868	2988	build2.exe	build2.exe
PID 2988 wrote to memory of 2868	2988	build2.exe	build2.exe
PID 2988 wrote to memory of 2868	2988	build2.exe	build2.exe
PID 704 wrote to memory of 4496	704	62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exe	build3.exe
PID 704 wrote to memory of 4496	704	62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exe	build3.exe
PID 704 wrote to memory of 4496	704	62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exe	build3.exe
PID 4496 wrote to memory of 3324	4496	build3.exe	build3.exe
PID 4496 wrote to memory of 3324	4496	build3.exe	build3.exe
PID 4496 wrote to memory of 3324	4496	build3.exe	build3.exe
PID 4496 wrote to memory of 3324	4496	build3.exe	build3.exe
PID 4496 wrote to memory of 3324	4496	build3.exe	build3.exe
PID 4496 wrote to memory of 3324	4496	build3.exe	build3.exe
PID 4496 wrote to memory of 3324	4496	build3.exe	build3.exe
PID 4496 wrote to memory of 3324	4496	build3.exe	build3.exe
PID 4496 wrote to memory of 3324	4496	build3.exe	build3.exe
PID 3324 wrote to memory of 1160	3324	build3.exe	schtasks.exe
PID 3324 wrote to memory of 1160	3324	build3.exe	schtasks.exe
PID 3324 wrote to memory of 1160	3324	build3.exe	schtasks.exe
PID 1908 wrote to memory of 4644	1908	mstsca.exe	mstsca.exe
PID 1908 wrote to memory of 4644	1908	mstsca.exe	mstsca.exe
PID 1908 wrote to memory of 4644	1908	mstsca.exe	mstsca.exe
PID 1908 wrote to memory of 4644	1908	mstsca.exe	mstsca.exe
PID 1908 wrote to memory of 4644	1908	mstsca.exe	mstsca.exe
PID 1908 wrote to memory of 4644	1908	mstsca.exe	mstsca.exe
PID 1908 wrote to memory of 4644	1908	mstsca.exe	mstsca.exe
PID 1908 wrote to memory of 4644	1908	mstsca.exe	mstsca.exe
PID 1908 wrote to memory of 4644	1908	mstsca.exe	mstsca.exe
PID 4644 wrote to memory of 2872	4644	mstsca.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exe
"C:\Users\Admin\AppData\Local\Temp\62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Users\Admin\AppData\Local\Temp\62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exe
  "C:\Users\Admin\AppData\Local\Temp\62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3656
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\738dce87-d53d-4e03-8f0c-248710c50c6b" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:1828
- - C:\Users\Admin\AppData\Local\Temp\62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exe
    "C:\Users\Admin\AppData\Local\Temp\62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4228
  - - C:\Users\Admin\AppData\Local\Temp\62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exe
      "C:\Users\Admin\AppData\Local\Temp\62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:704
    - - C:\Users\Admin\AppData\Local\24e02579-537c-4708-835d-4d1374d7fd03\build2.exe
        
        "C:\Users\Admin\AppData\Local\24e02579-537c-4708-835d-4d1374d7fd03\build2.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2988
      - C:\Users\Admin\AppData\Local\24e02579-537c-4708-835d-4d1374d7fd03\build2.exe
        
        "C:\Users\Admin\AppData\Local\24e02579-537c-4708-835d-4d1374d7fd03\build2.exe"
        6⤵
        Executes dropped EXE
        
        PID:2868
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 1852
        7⤵
        Program crash
        
        PID:888
    - - C:\Users\Admin\AppData\Local\24e02579-537c-4708-835d-4d1374d7fd03\build3.exe
        
        "C:\Users\Admin\AppData\Local\24e02579-537c-4708-835d-4d1374d7fd03\build3.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4496
      - C:\Users\Admin\AppData\Local\24e02579-537c-4708-835d-4d1374d7fd03\build3.exe
        
        "C:\Users\Admin\AppData\Local\24e02579-537c-4708-835d-4d1374d7fd03\build3.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3324
        
        C:\Windows\SysWOW64\schtasks.exe
        
        /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
        7⤵
        Creates scheduled task(s)
        
        PID:1160

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4644
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
    3⤵
    - Creates scheduled task(s)
    PID:2872

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4100
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Executes dropped EXE
  PID:4916

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4864
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Executes dropped EXE
  PID:2124

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3056
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Executes dropped EXE
  PID:3848

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
PID:4884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
8112ab2a9d7578692e66734917d00015

SHA1
5dc1f7cb2c66c925d195fb98784917d108a001dd

SHA256
919561b1927726f5218e79f21184c4bf7117db4466686fc93d3d5dbc1380033b

SHA512
538f1f36b44d628d2ade163cc40deb58b50cb7fbd56019d9526c8233c30771db8542ed5786d311322dfd2e9d44e979da9513c4a0bbc7416b47bb7beca90013d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
611fb885a24860333e16f21317b85b9b

SHA1
fc480fe88cf071a52f47633c69d66cebb2cb622d

SHA256
0ecd373d31def25b13fe93424977c0c8fbc51ddc490b5e2bbdff7f52870bb419

SHA512
1357115c362820d1e378ae7783874729eb31ee76b8696a4d242ae210acd8d3cb88d53e3758bf216e1407e886bd63875b4b234171e27e921c2c7bab6bc138dd38

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
2e4af05ca2899b7ddda12ee9c3a0d97c

SHA1
f1f042b0545579d9b9e2eebdf0b9e973ee9041f0

SHA256
9057ad0334290473a45bd0c8b6454b3d22fcbbfcd9cda34aff775ac4b1c17193

SHA512
7cc7caca0c579076009f651e8d51e4a610d4678a9900fb0ebbd43aa13036a01ee61de6c8cc465d3d611c9473a00ad1e9a9476be0216f78d0fd02fe583e2c1654

Download Submit
C:\Users\Admin\AppData\Local\24e02579-537c-4708-835d-4d1374d7fd03\build2.exe

Filesize
384KB

MD5
a2a8142ded2595cdc7ccb435d32ecbb8

SHA1
7d45a9e6b02b665d946de55fe6b2b4f321068cb8

SHA256
d27beeded9c2f4204fe1334a6f4336b5f379c4811b9ad9311db3eaca0049d0c9

SHA512
ae298a1c232ac065c7ed55ea974d80b19b812159a2aac7c8d39c038bd3bdf84bc8a8546e46b01c33844600880ce7fe6b9942fd8ed23ba7b799f5da8878acc0ed

Download Submit
C:\Users\Admin\AppData\Local\24e02579-537c-4708-835d-4d1374d7fd03\build2.exe

Filesize
271KB

MD5
06c73028c4782c8ece4fb6c30fd42d76

SHA1
7e05f3f170977622b8f9750679c5f03d926b084c

SHA256
d473e079bae74c2a45487081ba044f063aae168994b1482ad20e5a1416012130

SHA512
c54645b9e98f9e8074d09e15f497f0ab8acef97eef43e0d79b2e438bc0aa42af16d0f311bbd288e2f519f14b120919500c44b8021a62b39eb92b3f86ad4a91eb

Download Submit
C:\Users\Admin\AppData\Local\24e02579-537c-4708-835d-4d1374d7fd03\build2.exe

Filesize
385KB

MD5
63e4a9cd7a8b37335b5f18cefc5dd9d2

SHA1
c781a30935afc452b108cc78724b60f389b78874

SHA256
c1e75efde3fd1da605135e5c3ffab0073299c80632d136f8eeba9d4a7c98c70f

SHA512
3818b5966938704c5830acb5426db7791f6ae476853248d8984b1aff35a6722a0684bea54a53ef6ded1f301f6de9ed044d45f007457a9c0f3a7ea3afc7bf0ecc

Download Submit
C:\Users\Admin\AppData\Local\24e02579-537c-4708-835d-4d1374d7fd03\build3.exe

Filesize
299KB

MD5
41b883a061c95e9b9cb17d4ca50de770

SHA1
1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad

SHA256
fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408

SHA512
cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

Download Submit
C:\Users\Admin\AppData\Local\738dce87-d53d-4e03-8f0c-248710c50c6b\62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exe

Filesize
333KB

MD5
bb3e41113b9ee6785dc9da97c207d1bd

SHA1
c238ae90f9cf44bd672aff7ce95fadd72cfcabfd

SHA256
bf92d4b689d86a72c4ef78706efc8ef28456aaf0d2c6f2846f989eb7da1b0fc1

SHA512
2108cceb6474cf80e72a97f92fa05652460f4d45744924fcad2c849878c3898f5d0733e5450551662934a13b920fc0a3560697f5b693ee32a7f6f8e1e07e9b14

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Filesize
67KB

MD5
cc80ac56ee4e7cbb8a7c8b930e07d39c

SHA1
0ed2f214ab6b4f9317386c3aa8ccd8357bef1c47

SHA256
3a51968cdebd3b6be0e534e191d9f3254ac488e66856c3accc3620236f896113

SHA512
a8ca5f2fa029eb43433c9c9afbdae43fd84f634b38e595c5afe650a33adb8701266b165f4d186ebc8c815424d0674cf2a4a9dbb890cec6d7548d053b69fef871

Download Submit
memory/704-24-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/704-53-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/704-22-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/704-23-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/704-63-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/704-29-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/704-30-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/704-36-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/704-37-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/704-34-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1908-98-0x0000000000AD0000-0x0000000000BD0000-memory.dmp

Filesize
1024KB

Download
memory/2868-46-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2868-66-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2868-51-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2868-52-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2980-1-0x0000000002220000-0x00000000022B3000-memory.dmp

Filesize
588KB

Download
memory/2980-3-0x00000000022C0000-0x00000000023DB000-memory.dmp

Filesize
1.1MB

Download
memory/2988-50-0x00000000006D0000-0x0000000000700000-memory.dmp

Filesize
192KB

Download
memory/2988-49-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/3056-178-0x0000000000A70000-0x0000000000B70000-memory.dmp

Filesize
1024KB

Download
memory/3324-77-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/3324-78-0x0000000000410000-0x00000000004D5000-memory.dmp

Filesize
788KB

Download
memory/3324-75-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/3324-70-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/3656-2-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3656-17-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3656-6-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3656-4-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3656-5-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4100-123-0x0000000000AC0000-0x0000000000BC0000-memory.dmp

Filesize
1024KB

Download
memory/4228-21-0x0000000001FD0000-0x0000000002062000-memory.dmp

Filesize
584KB

Download
memory/4496-71-0x0000000000B20000-0x0000000000C20000-memory.dmp

Filesize
1024KB

Download
memory/4496-73-0x0000000000920000-0x0000000000924000-memory.dmp

Filesize
16KB

Download
memory/4864-151-0x0000000000800000-0x0000000000900000-memory.dmp

Filesize
1024KB

Download