djvu | ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb

Analysis

max time kernel
295s
max time network
305s
platform
windows10-1703_x64
resource
win10-20231215-en
resource tags

arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
submitted
01-02-2024 04:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe
Size

726KB
MD5

61c4d9f394531ddcfc3189c3da7589d7
SHA1

4df7149dc944eb928cfc81b73df456bd730ec77d
SHA256

ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb
SHA512

df9b67d73a3e327d6d0b60efda8844e92bec85da2273a0489e74b34039b361014a7a49bbbdd8a901e85e06dba83ee3bc08306751ff6d60a09e52fa87bbfd4f80
SSDEEP

12288:ihXRwaswqCwg3AOXbNLItSgrZgu8jCrbg9XIrV/Nxb36YQDDv:CRwaswq4wOrNLIHbSIrV/j3Kv

Score

10^/10

djvu vidar 1b9d7ec5a25ab9d78c31777a0016a097 discovery persistence ransomware stealer

Malware Config

Extracted

Family

djvu

http://habrafa.com/test1/get.php

Attributes

extension
.cdcc
offline_id
LBxKKiegnAy53rpqH3Pj2j46vwldiEt9kqHSuMt1
payload_url
http://brusuax.com/dl/build2.exe
http://habrafa.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-iVcrVFVRqu Price of private key and decrypt software is $1999. Discount 50% available if you contact us first 72 hours, that's price for you is $999. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0846ASdw

rsa_pubkey.plain

Extracted

Family

vidar

Version

7.6

Botnet

1b9d7ec5a25ab9d78c31777a0016a097

https://t.me/tvrugrats

https://steamcommunity.com/profiles/76561199627279110

Attributes

profile_id_v2
1b9d7ec5a25ab9d78c31777a0016a097

Signatures

Detect Vidar Stealer 5 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/4140-52-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral2/memory/4212-50-0x00000000005F0000-0x0000000000620000-memory.dmp	family_vidar_v7
behavioral2/memory/4140-51-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral2/memory/4140-46-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral2/memory/4140-67-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7

Detected Djvu ransomware 16 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2676-2-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2396-3-0x0000000004920000-0x0000000004A3B000-memory.dmp	family_djvu
behavioral2/memory/2676-1-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2676-5-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2676-6-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/5064-22-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/5064-24-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/5064-23-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2676-17-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/5064-29-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/5064-30-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/5064-36-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/5064-37-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/5064-34-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/5064-53-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/5064-62-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Executes dropped EXE 12 IoCs

Processes:

build2.exebuild2.exebuild3.exebuild3.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exe

pid	process
4212	build2.exe
4140	build2.exe
1628	build3.exe
1584	build3.exe
3240	mstsca.exe
4508	mstsca.exe
1328	mstsca.exe
2380	mstsca.exe
3252	mstsca.exe
1424	mstsca.exe
4260	mstsca.exe
604	mstsca.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

5084 icacls.exe

pid	process
5084	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1364394410-760759377-2797241167-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\3a88c36d-3b1f-436c-a064-2908ebacd4b6\\ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe\" --AutoStart"	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 api.2ip.ua
2 api.2ip.ua
9 api.2ip.ua

flow	ioc
1	api.2ip.ua
2	api.2ip.ua
9	api.2ip.ua

Suspicious use of SetThreadContext 8 IoCs

Processes:

ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exead77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exebuild2.exebuild3.exemstsca.exemstsca.exemstsca.exemstsca.exe

description	pid	process	target process
PID 2396 set thread context of 2676	2396	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe
PID 2588 set thread context of 5064	2588	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe
PID 4212 set thread context of 4140	4212	build2.exe	build2.exe
PID 1628 set thread context of 1584	1628	build3.exe	build3.exe
PID 3240 set thread context of 4508	3240	mstsca.exe	mstsca.exe
PID 1328 set thread context of 2380	1328	mstsca.exe	mstsca.exe
PID 3252 set thread context of 1424	3252	mstsca.exe	mstsca.exe
PID 4260 set thread context of 604	4260	mstsca.exe	mstsca.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1392 4140 WerFault.exe build2.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4116 schtasks.exe
4108 schtasks.exe

pid	pid_target	process	target process
1392	4140	WerFault.exe	build2.exe

pid	process
4116	schtasks.exe
4108	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exead77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe

pid	process
2676	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe
2676	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe
5064	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe
5064	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exead77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exead77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exead77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exebuild2.exebuild3.exebuild3.exemstsca.exemstsca.exe

description	pid	process	target process
PID 2396 wrote to memory of 2676	2396	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe
PID 2396 wrote to memory of 2676	2396	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe
PID 2396 wrote to memory of 2676	2396	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe
PID 2396 wrote to memory of 2676	2396	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe
PID 2396 wrote to memory of 2676	2396	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe
PID 2396 wrote to memory of 2676	2396	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe
PID 2396 wrote to memory of 2676	2396	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe
PID 2396 wrote to memory of 2676	2396	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe
PID 2396 wrote to memory of 2676	2396	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe
PID 2396 wrote to memory of 2676	2396	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe
PID 2676 wrote to memory of 5084	2676	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe	icacls.exe
PID 2676 wrote to memory of 5084	2676	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe	icacls.exe
PID 2676 wrote to memory of 5084	2676	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe	icacls.exe
PID 2676 wrote to memory of 2588	2676	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe
PID 2676 wrote to memory of 2588	2676	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe
PID 2676 wrote to memory of 2588	2676	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe
PID 2588 wrote to memory of 5064	2588	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe
PID 2588 wrote to memory of 5064	2588	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe
PID 2588 wrote to memory of 5064	2588	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe
PID 2588 wrote to memory of 5064	2588	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe
PID 2588 wrote to memory of 5064	2588	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe
PID 2588 wrote to memory of 5064	2588	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe
PID 2588 wrote to memory of 5064	2588	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe
PID 2588 wrote to memory of 5064	2588	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe
PID 2588 wrote to memory of 5064	2588	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe
PID 2588 wrote to memory of 5064	2588	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe
PID 5064 wrote to memory of 4212	5064	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe	build2.exe
PID 5064 wrote to memory of 4212	5064	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe	build2.exe
PID 5064 wrote to memory of 4212	5064	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe	build2.exe
PID 4212 wrote to memory of 4140	4212	build2.exe	build2.exe
PID 4212 wrote to memory of 4140	4212	build2.exe	build2.exe
PID 4212 wrote to memory of 4140	4212	build2.exe	build2.exe
PID 4212 wrote to memory of 4140	4212	build2.exe	build2.exe
PID 4212 wrote to memory of 4140	4212	build2.exe	build2.exe
PID 4212 wrote to memory of 4140	4212	build2.exe	build2.exe
PID 4212 wrote to memory of 4140	4212	build2.exe	build2.exe
PID 4212 wrote to memory of 4140	4212	build2.exe	build2.exe
PID 4212 wrote to memory of 4140	4212	build2.exe	build2.exe
PID 4212 wrote to memory of 4140	4212	build2.exe	build2.exe
PID 5064 wrote to memory of 1628	5064	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe	build3.exe
PID 5064 wrote to memory of 1628	5064	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe	build3.exe
PID 5064 wrote to memory of 1628	5064	ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe	build3.exe
PID 1628 wrote to memory of 1584	1628	build3.exe	build3.exe
PID 1628 wrote to memory of 1584	1628	build3.exe	build3.exe
PID 1628 wrote to memory of 1584	1628	build3.exe	build3.exe
PID 1628 wrote to memory of 1584	1628	build3.exe	build3.exe
PID 1628 wrote to memory of 1584	1628	build3.exe	build3.exe
PID 1628 wrote to memory of 1584	1628	build3.exe	build3.exe
PID 1628 wrote to memory of 1584	1628	build3.exe	build3.exe
PID 1628 wrote to memory of 1584	1628	build3.exe	build3.exe
PID 1628 wrote to memory of 1584	1628	build3.exe	build3.exe
PID 1584 wrote to memory of 4116	1584	build3.exe	schtasks.exe
PID 1584 wrote to memory of 4116	1584	build3.exe	schtasks.exe
PID 1584 wrote to memory of 4116	1584	build3.exe	schtasks.exe
PID 3240 wrote to memory of 4508	3240	mstsca.exe	mstsca.exe
PID 3240 wrote to memory of 4508	3240	mstsca.exe	mstsca.exe
PID 3240 wrote to memory of 4508	3240	mstsca.exe	mstsca.exe
PID 3240 wrote to memory of 4508	3240	mstsca.exe	mstsca.exe
PID 3240 wrote to memory of 4508	3240	mstsca.exe	mstsca.exe
PID 3240 wrote to memory of 4508	3240	mstsca.exe	mstsca.exe
PID 3240 wrote to memory of 4508	3240	mstsca.exe	mstsca.exe
PID 3240 wrote to memory of 4508	3240	mstsca.exe	mstsca.exe
PID 3240 wrote to memory of 4508	3240	mstsca.exe	mstsca.exe
PID 4508 wrote to memory of 4108	4508	mstsca.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe
"C:\Users\Admin\AppData\Local\Temp\ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2396

C:\Users\Admin\AppData\Local\Temp\ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe
"C:\Users\Admin\AppData\Local\Temp\ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2676

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\3a88c36d-3b1f-436c-a064-2908ebacd4b6" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:5084

C:\Users\Admin\AppData\Local\Temp\ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe
"C:\Users\Admin\AppData\Local\Temp\ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2588

C:\Users\Admin\AppData\Local\Temp\ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe
"C:\Users\Admin\AppData\Local\Temp\ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5064

C:\Users\Admin\AppData\Local\ee64eb6e-694c-4e28-90d5-8be25eb729e1\build2.exe
"C:\Users\Admin\AppData\Local\ee64eb6e-694c-4e28-90d5-8be25eb729e1\build2.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4212

C:\Users\Admin\AppData\Local\ee64eb6e-694c-4e28-90d5-8be25eb729e1\build3.exe
"C:\Users\Admin\AppData\Local\ee64eb6e-694c-4e28-90d5-8be25eb729e1\build3.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1628

C:\Users\Admin\AppData\Local\ee64eb6e-694c-4e28-90d5-8be25eb729e1\build3.exe
"C:\Users\Admin\AppData\Local\ee64eb6e-694c-4e28-90d5-8be25eb729e1\build3.exe"
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1584

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
7⤵
- Creates scheduled task(s)
PID:4116

C:\Users\Admin\AppData\Local\ee64eb6e-694c-4e28-90d5-8be25eb729e1\build2.exe
"C:\Users\Admin\AppData\Local\ee64eb6e-694c-4e28-90d5-8be25eb729e1\build2.exe"
1⤵
- Executes dropped EXE
PID:4140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 1920
2⤵
- Program crash
PID:1392

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3240

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4508

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
3⤵
- Creates scheduled task(s)
PID:4108

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1328

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
PID:2380

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3252

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
PID:1424

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4260

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
PID:604

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
1KB

MD5
8112ab2a9d7578692e66734917d00015

SHA1
5dc1f7cb2c66c925d195fb98784917d108a001dd

SHA256
919561b1927726f5218e79f21184c4bf7117db4466686fc93d3d5dbc1380033b

SHA512
538f1f36b44d628d2ade163cc40deb58b50cb7fbd56019d9526c8233c30771db8542ed5786d311322dfd2e9d44e979da9513c4a0bbc7416b47bb7beca90013d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
410B

MD5
002c471f83ac2dfa68be406843e1e26c

SHA1
40d5036bce778a28b09e5b17c5f2ad567d1e7c5e

SHA256
79c9a556801166b5c12f252f9c8cbaa257c082762ae05b5e8f0b4841e2b49102

SHA512
b3128b33066fe26fef22da2bd142139c450b8b9e08fa298eb5a559d3f8882b7a07585c518d018b1fbc37bde92e86cc84996c478a97561758f4b062bf18ba4c59

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
392B

MD5
d672a90d584dd127a1e7621e1b9b6b37

SHA1
af4ffd5df04a373d6e643633d43f716ade5c0872

SHA256
89e812a7e87f996a1b8e739264544d03d2d17619462b6ff9bce0671d2cc27b7f

SHA512
6582818a4babbba25bfd7ebd00176357871913e908e10e63c2d087b0a59fb61ff32f6d3c346a87f3d6c82c2664f7b394e0fbb3129308c59dffab6a008a1ee019

Download Submit
C:\Users\Admin\AppData\Local\3a88c36d-3b1f-436c-a064-2908ebacd4b6\ad77f5ec3c9dfee928926d4eda4577ceccd3cdef707a198e46bdd654caa7ecbb.exe
Filesize
132KB

MD5
8baa642ed03e7ed61cee5016e05f8da4

SHA1
10f616eee50d575e2c19cfd9cc61f20fd7b259b7

SHA256
b552d36427e1734f240874ffbdc59042147d1cb1965f42591ec7e802709ef424

SHA512
6889192f3b72e95f59c8316cca15c92dcce1057344543a550f79ae91de5e9cd859a17a51d08f0f6cb4c8322fab379693546d7460906abf159f3f56254713b1f9

Download Submit
C:\Users\Admin\AppData\Local\ee64eb6e-694c-4e28-90d5-8be25eb729e1\build2.exe
Filesize
134KB

MD5
67b2a6ef9ae80eba75e082cc2d4817fe

SHA1
99b417c13347098a2eec541278c3f409772b1a0d

SHA256
dcbbdfcfedd4db8857e7f177d96eb0cec7e5a34031dd938af44ba8df5741e22b

SHA512
dc5129af6511e9e00c77e457d8b34a71c606b4e3c230f9faa1c86d49cfee88ae23c92db568db9278d6029a79b3137f4c31e308b36533416e8114fd4c57036716

Download Submit
C:\Users\Admin\AppData\Local\ee64eb6e-694c-4e28-90d5-8be25eb729e1\build2.exe
Filesize
171KB

MD5
5ded36ce72cc8bfcdc3321c1f83f9323

SHA1
a98249a244eece41471b033f70259d635d7b4413

SHA256
d8f0336e02e1f47fccc77008288eb353e595e156faf47fa6cf185c37fd8b5f6e

SHA512
88d81dca896076e5681df70c5b34e4d818a9ee5fb394aa2374aba0c8a475736c6dcfebd05c3c1933187522ef42ebc3d45637b24f61f79cd03804f69c1983c97f

Download Submit
C:\Users\Admin\AppData\Local\ee64eb6e-694c-4e28-90d5-8be25eb729e1\build2.exe
Filesize
133KB

MD5
a62f3d64b8e4c3ab0f9c1248d147cfac

SHA1
960d5eff68d98c9afc00f67a207092a555ac606e

SHA256
03e53bd7e6d6612c1d640a42a3974ea7657627ab5bb87b183a872687212d405b

SHA512
dfcd12fd96f12d02de26e78616529259db85bfa6190a0bf88e1f1701bb50ee8f3e6527a0112708c4e553f8f3b59a4e46f6e7ef66636cc2d6273c7d1792575feb

Download Submit
C:\Users\Admin\AppData\Local\ee64eb6e-694c-4e28-90d5-8be25eb729e1\build3.exe
Filesize
92KB

MD5
e554b16187716017093a0cc7fa197ad1

SHA1
88f39292f248bd693c0793ee9d15c2be20e4c51e

SHA256
4c936ad39c814c4193c54ffab6ca2ab7675e8d0dde0a9d72ada31f4ef3314efe

SHA512
939b723055e5168e3acbca6a82b8155f0297922e9d4a6e3ff5d6ffc0b2b18b6f12d550c4b8b43954797010e0424def3891a34ba1fee008dac09d9ee1a20716c3

Download Submit
C:\Users\Admin\AppData\Local\ee64eb6e-694c-4e28-90d5-8be25eb729e1\build3.exe
Filesize
61KB

MD5
78723aa884bc88f8472c813273661f48

SHA1
cc48db2f3f97afee810de69ba89ab6a9b602f548

SHA256
661b315178789faf9a8aeb320c09193818637f0ad289687aa65045bf3c430132

SHA512
046f84e62be915885e9ee1317cb3a4769025b32250d2a9ab9a34400330a497f0ed2add73452dad2d01aaae5e0c50d623b4079c8de0ff8797cc8fa72d907d9c30

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
68KB

MD5
d6828aca2f4337f5c45c29f284e8033b

SHA1
b3da9e27072b9c6b75cfd937c485b4e15a9b86a8

SHA256
60bff81e6665e0a1c9ef6f14e6c208c73ddf10ebfc332546992dd2ab1804d539

SHA512
236c6da6fb91194f984325b09b9ab165371fb7facc3f6c9549033d83cf3172db6c3bb9a981992b4d8f973d8ad269bf54e9a6b2ef92913f59860963b4b68f90a6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
299KB

MD5
41b883a061c95e9b9cb17d4ca50de770

SHA1
1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad

SHA256
fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408

SHA512
cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

Download Submit
memory/1328-122-0x0000000000A80000-0x0000000000B80000-memory.dmp

Filesize
1024KB

Download
memory/1584-78-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1584-76-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1584-71-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1628-73-0x0000000000920000-0x0000000000924000-memory.dmp

Filesize
16KB

Download
memory/1628-72-0x0000000000AF0000-0x0000000000BF0000-memory.dmp

Filesize
1024KB

Download
memory/2380-127-0x0000000000410000-0x00000000004D5000-memory.dmp

Filesize
788KB

Download
memory/2396-66-0x00000000030E0000-0x000000000317E000-memory.dmp

Filesize
632KB

Download
memory/2396-3-0x0000000004920000-0x0000000004A3B000-memory.dmp

Filesize
1.1MB

Download
memory/2396-4-0x00000000030E0000-0x000000000317E000-memory.dmp

Filesize
632KB

Download
memory/2588-20-0x0000000002CB0000-0x0000000002D4F000-memory.dmp

Filesize
636KB

Download
memory/2676-17-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2676-2-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2676-1-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2676-5-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2676-6-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3240-102-0x00000000009C0000-0x0000000000AC0000-memory.dmp

Filesize
1024KB

Download
memory/3252-151-0x0000000000860000-0x0000000000960000-memory.dmp

Filesize
1024KB

Download
memory/4140-67-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/4140-52-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/4140-51-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/4140-46-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/4212-49-0x0000000000680000-0x0000000000780000-memory.dmp

Filesize
1024KB

Download
memory/4212-50-0x00000000005F0000-0x0000000000620000-memory.dmp

Filesize
192KB

Download
memory/4260-176-0x0000000000A50000-0x0000000000B50000-memory.dmp

Filesize
1024KB

Download
memory/5064-30-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5064-23-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5064-24-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5064-22-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5064-62-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5064-53-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5064-29-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5064-34-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5064-36-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5064-37-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download