djvu | c7c2b9ec7d8324162f29a8eb989d749bbd602bc0f166db5bb02ec8f26803f7d6

Analysis

max time kernel
299s
max time network
301s
platform
windows10-1703_x64
resource
win10-20231215-en
resource tags

arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
submitted
01-02-2024 04:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c7c2b9ec7d8324162f29a8eb989d749bbd602bc0f166db5bb02ec8f26803f7d6.exe
Size

680KB
MD5

422a2d14300bd479e24d7fbb9eaf44dc
SHA1

24b6005299fd8a3de98a1c5586ea7bf58e1ae528
SHA256

c7c2b9ec7d8324162f29a8eb989d749bbd602bc0f166db5bb02ec8f26803f7d6
SHA512

2e60f8690eaaa047f0ef283db87ec930c12769b2581e4cf8ddeedcf8bf101ef6546e91a18bc6d674a7a8a15da032162522a1574ac4a2b29bf4e7c4af6dbd601d
SSDEEP

12288:pUGSQNEnmEK1IfCivcDDLEn+ImsVXVoLz1O4DxFqSsI26CdW7/InwbFNbCnp:pYSEnmET7k3wmaYz1bP8W7xbvkp

Score

10^/10

djvu vidar 1b9d7ec5a25ab9d78c31777a0016a097 discovery persistence ransomware stealer

Malware Config

Extracted

Family

djvu

http://habrafa.com/test1/get.php

Attributes

extension
.cdcc
offline_id
LBxKKiegnAy53rpqH3Pj2j46vwldiEt9kqHSuMt1
payload_url
http://brusuax.com/dl/build2.exe
http://habrafa.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-iVcrVFVRqu Price of private key and decrypt software is $1999. Discount 50% available if you contact us first 72 hours, that's price for you is $999. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0846ASdw

rsa_pubkey.plain

Extracted

Family

vidar

Version

7.6

Botnet

1b9d7ec5a25ab9d78c31777a0016a097

https://t.me/tvrugrats

https://steamcommunity.com/profiles/76561199627279110

Attributes

profile_id_v2
1b9d7ec5a25ab9d78c31777a0016a097

Signatures

Detect Vidar Stealer 6 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/756-51-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral2/memory/756-53-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral2/memory/4640-52-0x00000000005B0000-0x00000000005E0000-memory.dmp	family_vidar_v7
behavioral2/memory/756-47-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral2/memory/756-86-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral2/memory/4020-106-0x0000000000A00000-0x0000000000B00000-memory.dmp	family_vidar_v7

Detected Djvu ransomware 16 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4528-4-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4528-5-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4528-6-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4528-3-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2596-2-0x0000000004880000-0x000000000499B000-memory.dmp	family_djvu
behavioral2/memory/4528-17-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4612-22-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4612-24-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4612-23-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4612-30-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4612-29-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4612-37-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4612-36-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4612-34-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4612-41-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4612-72-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Executes dropped EXE 12 IoCs

Processes:

build2.exebuild2.exebuild3.exebuild3.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exe

pid	process
4640	build2.exe
756	build2.exe
3324	build3.exe
3088	build3.exe
4020	mstsca.exe
3620	mstsca.exe
2652	mstsca.exe
2392	mstsca.exe
712	mstsca.exe
2528	mstsca.exe
3632	mstsca.exe
5088	mstsca.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

4132 icacls.exe

pid	process
4132	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

c7c2b9ec7d8324162f29a8eb989d749bbd602bc0f166db5bb02ec8f26803f7d6.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-33539905-3698238643-2080195461-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\1fb87864-2804-4ada-94a7-411d9ffcc824\\c7c2b9ec7d8324162f29a8eb989d749bbd602bc0f166db5bb02ec8f26803f7d6.exe\" --AutoStart"	c7c2b9ec7d8324162f29a8eb989d749bbd602bc0f166db5bb02ec8f26803f7d6.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 api.2ip.ua
2 api.2ip.ua
10 api.2ip.ua

flow	ioc
1	api.2ip.ua
2	api.2ip.ua
10	api.2ip.ua

Suspicious use of SetThreadContext 8 IoCs

Processes:

c7c2b9ec7d8324162f29a8eb989d749bbd602bc0f166db5bb02ec8f26803f7d6.exec7c2b9ec7d8324162f29a8eb989d749bbd602bc0f166db5bb02ec8f26803f7d6.exebuild2.exebuild3.exemstsca.exemstsca.exemstsca.exemstsca.exe

description	pid	process	target process
PID 2596 set thread context of 4528	2596	c7c2b9ec7d8324162f29a8eb989d749bbd602bc0f166db5bb02ec8f26803f7d6.exe	c7c2b9ec7d8324162f29a8eb989d749bbd602bc0f166db5bb02ec8f26803f7d6.exe
PID 832 set thread context of 4612	832	c7c2b9ec7d8324162f29a8eb989d749bbd602bc0f166db5bb02ec8f26803f7d6.exe	c7c2b9ec7d8324162f29a8eb989d749bbd602bc0f166db5bb02ec8f26803f7d6.exe
PID 4640 set thread context of 756	4640	build2.exe	build2.exe
PID 3324 set thread context of 3088	3324	build3.exe	build3.exe
PID 4020 set thread context of 3620	4020	mstsca.exe	mstsca.exe
PID 2652 set thread context of 2392	2652	mstsca.exe	mstsca.exe
PID 712 set thread context of 2528	712	mstsca.exe	mstsca.exe
PID 3632 set thread context of 5088	3632	mstsca.exe	mstsca.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2588 756 WerFault.exe build2.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2972 schtasks.exe
2800 schtasks.exe

pid	pid_target	process	target process
2588	756	WerFault.exe	build2.exe

pid	process
2972	schtasks.exe
2800	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

c7c2b9ec7d8324162f29a8eb989d749bbd602bc0f166db5bb02ec8f26803f7d6.exec7c2b9ec7d8324162f29a8eb989d749bbd602bc0f166db5bb02ec8f26803f7d6.exe

pid	process
4528	c7c2b9ec7d8324162f29a8eb989d749bbd602bc0f166db5bb02ec8f26803f7d6.exe
4528	c7c2b9ec7d8324162f29a8eb989d749bbd602bc0f166db5bb02ec8f26803f7d6.exe
4612	c7c2b9ec7d8324162f29a8eb989d749bbd602bc0f166db5bb02ec8f26803f7d6.exe
4612	c7c2b9ec7d8324162f29a8eb989d749bbd602bc0f166db5bb02ec8f26803f7d6.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c7c2b9ec7d8324162f29a8eb989d749bbd602bc0f166db5bb02ec8f26803f7d6.exec7c2b9ec7d8324162f29a8eb989d749bbd602bc0f166db5bb02ec8f26803f7d6.exec7c2b9ec7d8324162f29a8eb989d749bbd602bc0f166db5bb02ec8f26803f7d6.exec7c2b9ec7d8324162f29a8eb989d749bbd602bc0f166db5bb02ec8f26803f7d6.exebuild2.exebuild3.exebuild3.exemstsca.exemstsca.exe

description	pid	process	target process
PID 2596 wrote to memory of 4528	2596	c7c2b9ec7d8324162f29a8eb989d749bbd602bc0f166db5bb02ec8f26803f7d6.exe	c7c2b9ec7d8324162f29a8eb989d749bbd602bc0f166db5bb02ec8f26803f7d6.exe
PID 2596 wrote to memory of 4528	2596	c7c2b9ec7d8324162f29a8eb989d749bbd602bc0f166db5bb02ec8f26803f7d6.exe	c7c2b9ec7d8324162f29a8eb989d749bbd602bc0f166db5bb02ec8f26803f7d6.exe
PID 2596 wrote to memory of 4528	2596	c7c2b9ec7d8324162f29a8eb989d749bbd602bc0f166db5bb02ec8f26803f7d6.exe	c7c2b9ec7d8324162f29a8eb989d749bbd602bc0f166db5bb02ec8f26803f7d6.exe
PID 2596 wrote to memory of 4528	2596	c7c2b9ec7d8324162f29a8eb989d749bbd602bc0f166db5bb02ec8f26803f7d6.exe	c7c2b9ec7d8324162f29a8eb989d749bbd602bc0f166db5bb02ec8f26803f7d6.exe
PID 2596 wrote to memory of 4528	2596	c7c2b9ec7d8324162f29a8eb989d749bbd602bc0f166db5bb02ec8f26803f7d6.exe	c7c2b9ec7d8324162f29a8eb989d749bbd602bc0f166db5bb02ec8f26803f7d6.exe
PID 2596 wrote to memory of 4528	2596	c7c2b9ec7d8324162f29a8eb989d749bbd602bc0f166db5bb02ec8f26803f7d6.exe	c7c2b9ec7d8324162f29a8eb989d749bbd602bc0f166db5bb02ec8f26803f7d6.exe
PID 2596 wrote to memory of 4528	2596	c7c2b9ec7d8324162f29a8eb989d749bbd602bc0f166db5bb02ec8f26803f7d6.exe	c7c2b9ec7d8324162f29a8eb989d749bbd602bc0f166db5bb02ec8f26803f7d6.exe
PID 2596 wrote to memory of 4528	2596	c7c2b9ec7d8324162f29a8eb989d749bbd602bc0f166db5bb02ec8f26803f7d6.exe	c7c2b9ec7d8324162f29a8eb989d749bbd602bc0f166db5bb02ec8f26803f7d6.exe
PID 2596 wrote to memory of 4528	2596	c7c2b9ec7d8324162f29a8eb989d749bbd602bc0f166db5bb02ec8f26803f7d6.exe	c7c2b9ec7d8324162f29a8eb989d749bbd602bc0f166db5bb02ec8f26803f7d6.exe
PID 2596 wrote to memory of 4528	2596	c7c2b9ec7d8324162f29a8eb989d749bbd602bc0f166db5bb02ec8f26803f7d6.exe	c7c2b9ec7d8324162f29a8eb989d749bbd602bc0f166db5bb02ec8f26803f7d6.exe
PID 4528 wrote to memory of 4132	4528	c7c2b9ec7d8324162f29a8eb989d749bbd602bc0f166db5bb02ec8f26803f7d6.exe	icacls.exe
PID 4528 wrote to memory of 4132	4528	c7c2b9ec7d8324162f29a8eb989d749bbd602bc0f166db5bb02ec8f26803f7d6.exe	icacls.exe
PID 4528 wrote to memory of 4132	4528	c7c2b9ec7d8324162f29a8eb989d749bbd602bc0f166db5bb02ec8f26803f7d6.exe	icacls.exe
PID 4528 wrote to memory of 832	4528	c7c2b9ec7d8324162f29a8eb989d749bbd602bc0f166db5bb02ec8f26803f7d6.exe	c7c2b9ec7d8324162f29a8eb989d749bbd602bc0f166db5bb02ec8f26803f7d6.exe
PID 4528 wrote to memory of 832	4528	c7c2b9ec7d8324162f29a8eb989d749bbd602bc0f166db5bb02ec8f26803f7d6.exe	c7c2b9ec7d8324162f29a8eb989d749bbd602bc0f166db5bb02ec8f26803f7d6.exe
PID 4528 wrote to memory of 832	4528	c7c2b9ec7d8324162f29a8eb989d749bbd602bc0f166db5bb02ec8f26803f7d6.exe	c7c2b9ec7d8324162f29a8eb989d749bbd602bc0f166db5bb02ec8f26803f7d6.exe
PID 832 wrote to memory of 4612	832	c7c2b9ec7d8324162f29a8eb989d749bbd602bc0f166db5bb02ec8f26803f7d6.exe	c7c2b9ec7d8324162f29a8eb989d749bbd602bc0f166db5bb02ec8f26803f7d6.exe
PID 832 wrote to memory of 4612	832	c7c2b9ec7d8324162f29a8eb989d749bbd602bc0f166db5bb02ec8f26803f7d6.exe	c7c2b9ec7d8324162f29a8eb989d749bbd602bc0f166db5bb02ec8f26803f7d6.exe
PID 832 wrote to memory of 4612	832	c7c2b9ec7d8324162f29a8eb989d749bbd602bc0f166db5bb02ec8f26803f7d6.exe	c7c2b9ec7d8324162f29a8eb989d749bbd602bc0f166db5bb02ec8f26803f7d6.exe
PID 832 wrote to memory of 4612	832	c7c2b9ec7d8324162f29a8eb989d749bbd602bc0f166db5bb02ec8f26803f7d6.exe	c7c2b9ec7d8324162f29a8eb989d749bbd602bc0f166db5bb02ec8f26803f7d6.exe
PID 832 wrote to memory of 4612	832	c7c2b9ec7d8324162f29a8eb989d749bbd602bc0f166db5bb02ec8f26803f7d6.exe	c7c2b9ec7d8324162f29a8eb989d749bbd602bc0f166db5bb02ec8f26803f7d6.exe
PID 832 wrote to memory of 4612	832	c7c2b9ec7d8324162f29a8eb989d749bbd602bc0f166db5bb02ec8f26803f7d6.exe	c7c2b9ec7d8324162f29a8eb989d749bbd602bc0f166db5bb02ec8f26803f7d6.exe
PID 832 wrote to memory of 4612	832	c7c2b9ec7d8324162f29a8eb989d749bbd602bc0f166db5bb02ec8f26803f7d6.exe	c7c2b9ec7d8324162f29a8eb989d749bbd602bc0f166db5bb02ec8f26803f7d6.exe
PID 832 wrote to memory of 4612	832	c7c2b9ec7d8324162f29a8eb989d749bbd602bc0f166db5bb02ec8f26803f7d6.exe	c7c2b9ec7d8324162f29a8eb989d749bbd602bc0f166db5bb02ec8f26803f7d6.exe
PID 832 wrote to memory of 4612	832	c7c2b9ec7d8324162f29a8eb989d749bbd602bc0f166db5bb02ec8f26803f7d6.exe	c7c2b9ec7d8324162f29a8eb989d749bbd602bc0f166db5bb02ec8f26803f7d6.exe
PID 832 wrote to memory of 4612	832	c7c2b9ec7d8324162f29a8eb989d749bbd602bc0f166db5bb02ec8f26803f7d6.exe	c7c2b9ec7d8324162f29a8eb989d749bbd602bc0f166db5bb02ec8f26803f7d6.exe
PID 4612 wrote to memory of 4640	4612	c7c2b9ec7d8324162f29a8eb989d749bbd602bc0f166db5bb02ec8f26803f7d6.exe	build2.exe
PID 4612 wrote to memory of 4640	4612	c7c2b9ec7d8324162f29a8eb989d749bbd602bc0f166db5bb02ec8f26803f7d6.exe	build2.exe
PID 4612 wrote to memory of 4640	4612	c7c2b9ec7d8324162f29a8eb989d749bbd602bc0f166db5bb02ec8f26803f7d6.exe	build2.exe
PID 4640 wrote to memory of 756	4640	build2.exe	build2.exe
PID 4640 wrote to memory of 756	4640	build2.exe	build2.exe
PID 4640 wrote to memory of 756	4640	build2.exe	build2.exe
PID 4640 wrote to memory of 756	4640	build2.exe	build2.exe
PID 4640 wrote to memory of 756	4640	build2.exe	build2.exe
PID 4640 wrote to memory of 756	4640	build2.exe	build2.exe
PID 4640 wrote to memory of 756	4640	build2.exe	build2.exe
PID 4640 wrote to memory of 756	4640	build2.exe	build2.exe
PID 4640 wrote to memory of 756	4640	build2.exe	build2.exe
PID 4640 wrote to memory of 756	4640	build2.exe	build2.exe
PID 4612 wrote to memory of 3324	4612	c7c2b9ec7d8324162f29a8eb989d749bbd602bc0f166db5bb02ec8f26803f7d6.exe	build3.exe
PID 4612 wrote to memory of 3324	4612	c7c2b9ec7d8324162f29a8eb989d749bbd602bc0f166db5bb02ec8f26803f7d6.exe	build3.exe
PID 4612 wrote to memory of 3324	4612	c7c2b9ec7d8324162f29a8eb989d749bbd602bc0f166db5bb02ec8f26803f7d6.exe	build3.exe
PID 3324 wrote to memory of 3088	3324	build3.exe	build3.exe
PID 3324 wrote to memory of 3088	3324	build3.exe	build3.exe
PID 3324 wrote to memory of 3088	3324	build3.exe	build3.exe
PID 3324 wrote to memory of 3088	3324	build3.exe	build3.exe
PID 3324 wrote to memory of 3088	3324	build3.exe	build3.exe
PID 3324 wrote to memory of 3088	3324	build3.exe	build3.exe
PID 3324 wrote to memory of 3088	3324	build3.exe	build3.exe
PID 3324 wrote to memory of 3088	3324	build3.exe	build3.exe
PID 3324 wrote to memory of 3088	3324	build3.exe	build3.exe
PID 3088 wrote to memory of 2972	3088	build3.exe	schtasks.exe
PID 3088 wrote to memory of 2972	3088	build3.exe	schtasks.exe
PID 3088 wrote to memory of 2972	3088	build3.exe	schtasks.exe
PID 4020 wrote to memory of 3620	4020	mstsca.exe	mstsca.exe
PID 4020 wrote to memory of 3620	4020	mstsca.exe	mstsca.exe
PID 4020 wrote to memory of 3620	4020	mstsca.exe	mstsca.exe
PID 4020 wrote to memory of 3620	4020	mstsca.exe	mstsca.exe
PID 4020 wrote to memory of 3620	4020	mstsca.exe	mstsca.exe
PID 4020 wrote to memory of 3620	4020	mstsca.exe	mstsca.exe
PID 4020 wrote to memory of 3620	4020	mstsca.exe	mstsca.exe
PID 4020 wrote to memory of 3620	4020	mstsca.exe	mstsca.exe
PID 4020 wrote to memory of 3620	4020	mstsca.exe	mstsca.exe
PID 3620 wrote to memory of 2800	3620	mstsca.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\c7c2b9ec7d8324162f29a8eb989d749bbd602bc0f166db5bb02ec8f26803f7d6.exe
"C:\Users\Admin\AppData\Local\Temp\c7c2b9ec7d8324162f29a8eb989d749bbd602bc0f166db5bb02ec8f26803f7d6.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2596

C:\Users\Admin\AppData\Local\Temp\c7c2b9ec7d8324162f29a8eb989d749bbd602bc0f166db5bb02ec8f26803f7d6.exe
"C:\Users\Admin\AppData\Local\Temp\c7c2b9ec7d8324162f29a8eb989d749bbd602bc0f166db5bb02ec8f26803f7d6.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4528

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\1fb87864-2804-4ada-94a7-411d9ffcc824" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:4132

C:\Users\Admin\AppData\Local\Temp\c7c2b9ec7d8324162f29a8eb989d749bbd602bc0f166db5bb02ec8f26803f7d6.exe
"C:\Users\Admin\AppData\Local\Temp\c7c2b9ec7d8324162f29a8eb989d749bbd602bc0f166db5bb02ec8f26803f7d6.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:832

C:\Users\Admin\AppData\Local\Temp\c7c2b9ec7d8324162f29a8eb989d749bbd602bc0f166db5bb02ec8f26803f7d6.exe
"C:\Users\Admin\AppData\Local\Temp\c7c2b9ec7d8324162f29a8eb989d749bbd602bc0f166db5bb02ec8f26803f7d6.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4612

C:\Users\Admin\AppData\Local\fab6ac9f-8624-428c-a31a-1e1ec91e7801\build2.exe
"C:\Users\Admin\AppData\Local\fab6ac9f-8624-428c-a31a-1e1ec91e7801\build2.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4640

C:\Users\Admin\AppData\Local\fab6ac9f-8624-428c-a31a-1e1ec91e7801\build3.exe
"C:\Users\Admin\AppData\Local\fab6ac9f-8624-428c-a31a-1e1ec91e7801\build3.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3324

C:\Users\Admin\AppData\Local\fab6ac9f-8624-428c-a31a-1e1ec91e7801\build3.exe
"C:\Users\Admin\AppData\Local\fab6ac9f-8624-428c-a31a-1e1ec91e7801\build3.exe"
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3088

C:\Users\Admin\AppData\Local\fab6ac9f-8624-428c-a31a-1e1ec91e7801\build2.exe
"C:\Users\Admin\AppData\Local\fab6ac9f-8624-428c-a31a-1e1ec91e7801\build2.exe"
1⤵
- Executes dropped EXE
PID:756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 2032
2⤵
- Program crash
PID:2588

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
1⤵
- Creates scheduled task(s)
PID:2972

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4020

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3620

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
1⤵
- Creates scheduled task(s)
PID:2800

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2652

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
PID:2392

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:712

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
PID:2528

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3632

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
PID:5088

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
1KB

MD5
8112ab2a9d7578692e66734917d00015

SHA1
5dc1f7cb2c66c925d195fb98784917d108a001dd

SHA256
919561b1927726f5218e79f21184c4bf7117db4466686fc93d3d5dbc1380033b

SHA512
538f1f36b44d628d2ade163cc40deb58b50cb7fbd56019d9526c8233c30771db8542ed5786d311322dfd2e9d44e979da9513c4a0bbc7416b47bb7beca90013d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
410B

MD5
19a04f97dbde8479d9c92012d0079466

SHA1
89635016362419209829e1949eed43c36e41bacc

SHA256
3e27c011c802f4e9d34afbdf636a6429ab697a95fdd253e7c75c39e3319413c3

SHA512
4240e0543e826c3358942a330aa8633d7d59cdd54487ec09c7daf4dab1210a23252e85dcbbae0bb6763e9687e829e858e2a0196cc3e6ee41a1f4315eac77df34

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
392B

MD5
eeb26ed7a0d53ad4accfd7b8ed531bb8

SHA1
bc3f5b7f3152dfb22a6aaf547c1cfacea95b6a32

SHA256
486b6d803dbb86d707812b0ce1a5144c67760c7d2bf044e4f97d71a67928b885

SHA512
41267d30fb0a4b9e4224e47056ca077a24f21634f0c05aed4cce4610d150c665e4efefc31c539da70c772934209a6c7733f75d68663d6a8cb05dd30603057243

Download Submit
C:\Users\Admin\AppData\Local\1fb87864-2804-4ada-94a7-411d9ffcc824\c7c2b9ec7d8324162f29a8eb989d749bbd602bc0f166db5bb02ec8f26803f7d6.exe
Filesize
108KB

MD5
fa40c4c7a693067bbe2c7fe514ebfbcc

SHA1
019be0945f1e04c6f2adda70e260cdbf7a2f566e

SHA256
bb8c0e192e2c6855c727ad8c526e9a3e24c5f8946641f851571713127a33ee8f

SHA512
644c45ac17335cda408498cfdc5ac7a52548018dd798d9db5101ccba3185cae4ba20a5963ed70fdad9af929f1b3949ab2334c549e82e6cf71cf1d4dd786f5b79

Download Submit
C:\Users\Admin\AppData\Local\fab6ac9f-8624-428c-a31a-1e1ec91e7801\build2.exe
Filesize
7KB

MD5
6aed81349667d7d0413a71846456e277

SHA1
bffc9b13fc0b62533b003129ba51be02fccbbfe0

SHA256
c39e26be04044677068a94169ff282e10af4bccb9d2e7341ed938057768bfd19

SHA512
fc689881a2d502440be6100006f29f808b714d8503cc396b1094de561cba918d72418b6e90286dfba1e293e18a40423afe4d663f25850ab91fc3e3629a8c5b0c

Download Submit
C:\Users\Admin\AppData\Local\fab6ac9f-8624-428c-a31a-1e1ec91e7801\build2.exe
Filesize
40KB

MD5
dd62d77687231d204a717c7e37d2d91e

SHA1
e4ec8d7811ce3544d1bfc11eff7a6659d7ccc8a9

SHA256
3a62d10623e39b435f68bad388de9f518aaedfcd39e790b67f5b5e75adf9653a

SHA512
13345c31fad932e384771a49125f3be3bd39c5726413d2057e9e26c03fbe2b72b047b8959d99922f3cace82e111dc88218892f4d602f1a43d794c024bb610525

Download Submit
C:\Users\Admin\AppData\Local\fab6ac9f-8624-428c-a31a-1e1ec91e7801\build2.exe
Filesize
52KB

MD5
badb81e9da1b8f2c988f090a945fc044

SHA1
8b579a6ad1808a15d00dbdef5520339e39489938

SHA256
baf5855f6ab86266ef530bc227c705af5a2e9cad79f59a4b430032acefd1436e

SHA512
01ed6e61d9e87cd05c3efad53f4700ef218b7073c0dd4f52f96d66afae675a39575736ab62d2655d1ca0335180e7cc882e64fdb562b1c6f2a4aa47be23b6313d

Download Submit
C:\Users\Admin\AppData\Local\fab6ac9f-8624-428c-a31a-1e1ec91e7801\build3.exe
Filesize
36KB

MD5
eac31b7fb2a7f68ee4ef9c5f7bce851b

SHA1
fbbf6c499d7403209cc357c8a99946d9ceded638

SHA256
f076d4350f28cb3f4b3aee30542a9d44851a371e566231ff8709f2adfd764ce8

SHA512
2bc50c663854eabb59e8da7d2e4ef790016c22cf32f5f0e3d03c917dc9a3e7638f5beab7c3be374e6acb721d10281e33c49e6ced0aba4bbace7003dc04c655f6

Download Submit
C:\Users\Admin\AppData\Local\fab6ac9f-8624-428c-a31a-1e1ec91e7801\build3.exe
Filesize
135KB

MD5
af9918b1d2c8c93e8b82d934fa02c758

SHA1
8b340a463ac99068c4ce8788594b77aba71b90df

SHA256
3fffa28203247525431bed058871a64a1142f09a67deca9f013b0104d8a95fb9

SHA512
3aa1ced1333431a9bfb95a11602042bce80cb68492e09a35548cc2050bc8b2b418fe456c9f15ef6fdcde18d8f639b8ff9ca2076fcb5d16a8ab38db35bc6135da

Download Submit
C:\Users\Admin\AppData\Local\fab6ac9f-8624-428c-a31a-1e1ec91e7801\build3.exe
Filesize
93KB

MD5
206cd8fe132eba4b614d09b1b9226291

SHA1
bf934cabb65c617b0d65771cac34e042472aaceb

SHA256
371bf0b8e826957e2b9652d2e08dd2e7263e16cb3e30d21c984fe44180e53e75

SHA512
d9f4b65ef8c4772cfa0b3928490dddb1920974a06713f64fb572ca20c0f89cdf4849b271037e9ce771a8b71b330a9fa50c77e57f265a03971a1ea82fe4dbc904

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
111KB

MD5
b25fe1b4f22bbf0b26042786e57dc2b3

SHA1
79bf3559e2dde43cc290e2651172c95c35e2c53e

SHA256
2dbf0005ca6749e1508fdabc49753e0367f9600f4b3ae2116b178a0a48157e71

SHA512
04f6b4819c2919a53de39c8ce195cdeaa6fa529172cd9477ca9389ae515dae8b0e9f1e4a7493b5eb7cf766ced2eb542314db92e6a3fd07887ba78f6c69308644

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
61KB

MD5
8622dc449a7655f6c6dcbfbd97664d0a

SHA1
4c03cb0477a793034d850c2a82e8f1bb840ca890

SHA256
7f1ac2a054a74c386fc6f735bb2d4d20107462e08f98069b55bda3ed6d114af3

SHA512
af1f19f2f282cc77c8f325cadae21f32f75028a7bf862623e9fb2298bd25345713c6346d0f84eeaca8c9e89a03aecf8bfd241384f1c70d239734fcae41d3c7fb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
299KB

MD5
41b883a061c95e9b9cb17d4ca50de770

SHA1
1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad

SHA256
fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408

SHA512
cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
277KB

MD5
94b1c520fbcec738b48cd10a595a2172

SHA1
472913c66d404aa76e6f60980cbeccea7cf4e82e

SHA256
5f7727d018c1c9d5f45e92987a6520593d85640dc912d0395bf439ad9b9e2603

SHA512
a9a346c9d7a6ef0769d9e7d3b8f385a9fd3ff298ae99de52cd8f2116a5752dbe08621e436c6871f431895a4f6756c86ef84a15361d0bfeefd8ae5de28a0cdd25

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
238KB

MD5
76dd80a5769d46cc682cd5027fa811ad

SHA1
6057f5ad1df0dc8c9be6ccca18b240b6599b226f

SHA256
6dbe0d4380b57148cb67f46a2e253a91346995ea4b71a30d33f83ce4958c2635

SHA512
688f93bdd350a3c70c9250c01cbba7fd29f19f2524286bd2e531a51111247cd7bd786d19573176bd9a73d649ae87551e17a75d90af62c63725941929beb205b5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
126KB

MD5
c98a88e491972905d9a091fe5913bcd4

SHA1
9d5b645a6daecb9b59d02be54347a829c068ac35

SHA256
ecfac8315a7890a1b7f4e9e3574068d05aa1ef27420c082481e2fc91a089e05f

SHA512
4f1080168578ef601324a3c8c3ddeb7b10be5073677ede32487cada4c9e539d7f6f019301b394d5884d17e7419172e9f10079daeb8d47232d847304772b96451

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
179KB

MD5
e6a8fd048666511c4566e8727e31f89f

SHA1
acaa78154c9d019150a75d1a688d298066ff7da5

SHA256
a290c7cb96f563ad6fdbed38c0c8a02309d694c76430da6d0a5b8e4b7ab835f2

SHA512
1c5cbb9bbbe49b719361351db45c3d365fe7a4266c2ba001c9f3f4d75b2f02e2c2d839d2fe756096a0abc097bd08b98cc475954b282becdae3461c3ffb1ae765

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
254KB

MD5
7784aa074e2536da1e8d3514f9e8ec34

SHA1
74a5bd61bafc7fbdc4975c1e2afb8b964226e891

SHA256
98ea5e893b105e6d0f5ded9c59b9535cbaf952b62ad941e6cfc250b050b3b369

SHA512
b73696fc1f454c915eca4b81050f276b005c0020d9d952e37ac1e7de168c479983117069dd8ba157977977e9086b5c7f6e1979f00c3a4a6e2a95c66e52df92ca

Download Submit
memory/712-156-0x00000000008F0000-0x00000000009F0000-memory.dmp

Filesize
1024KB

Download
memory/756-53-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/756-51-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/756-47-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/756-86-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/832-20-0x0000000002CC0000-0x0000000002D59000-memory.dmp

Filesize
612KB

Download
memory/2392-132-0x0000000000410000-0x0000000000411000-memory.dmp

Filesize
4KB

Download
memory/2528-158-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2596-1-0x0000000002D20000-0x0000000002DC2000-memory.dmp

Filesize
648KB

Download
memory/2596-2-0x0000000004880000-0x000000000499B000-memory.dmp

Filesize
1.1MB

Download
memory/2652-133-0x0000000000A80000-0x0000000000B80000-memory.dmp

Filesize
1024KB

Download
memory/3088-83-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/3088-80-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/3088-76-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/3324-79-0x0000000000A79000-0x0000000000A8A000-memory.dmp

Filesize
68KB

Download
memory/3324-81-0x0000000000920000-0x0000000000924000-memory.dmp

Filesize
16KB

Download
memory/3632-183-0x0000000000A20000-0x0000000000B20000-memory.dmp

Filesize
1024KB

Download
memory/4020-106-0x0000000000A00000-0x0000000000B00000-memory.dmp

Filesize
1024KB

Download
memory/4528-4-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4528-5-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4528-6-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4528-3-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4528-17-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4612-37-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4612-72-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4612-22-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4612-41-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4612-36-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4612-24-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4612-23-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4612-34-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4612-29-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4612-30-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4640-52-0x00000000005B0000-0x00000000005E0000-memory.dmp

Filesize
192KB

Download
memory/4640-50-0x00000000004B0000-0x00000000005B0000-memory.dmp

Filesize
1024KB

Download