djvu | cbb4e198bd38eb973662e33128c585ebf5dcd0797136d4b5ced3c28cdb2fa967

Analysis

max time kernel
296s
max time network
297s
platform
windows10-1703_x64
resource
win10-20231215-en
resource tags

arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
submitted
01-02-2024 04:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cbb4e198bd38eb973662e33128c585ebf5dcd0797136d4b5ced3c28cdb2fa967.exe
Size

862KB
MD5

2ebbaa453f84b6190ac7e31505790871
SHA1

c29801a72428c479c5c9e48a0395b93267d6f85b
SHA256

cbb4e198bd38eb973662e33128c585ebf5dcd0797136d4b5ced3c28cdb2fa967
SHA512

5bfe8d6c6b5aef663617d693a543041e52eea7a5fbb2bc26b9fd597d7c57ba5abfa9706c4176e29d7191b3ab3020479c984417e48036f31a25a413082da6c891
SSDEEP

24576:djKhL0znCNiCGR2Adu/ipE6cuQX/2Rafpno3SLHbg:JKSLWG7w/ipE6cF/2kfGSLH0

Score

10^/10

djvu vidar 1b9d7ec5a25ab9d78c31777a0016a097 discovery persistence ransomware stealer

Malware Config

Extracted

Family

djvu

http://habrafa.com/test1/get.php

Attributes

extension
.cdcc
offline_id
LBxKKiegnAy53rpqH3Pj2j46vwldiEt9kqHSuMt1
payload_url
http://brusuax.com/dl/build2.exe
http://habrafa.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-iVcrVFVRqu Price of private key and decrypt software is $1999. Discount 50% available if you contact us first 72 hours, that's price for you is $999. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0846ASdw

rsa_pubkey.plain

Extracted

Family

vidar

Version

7.6

Botnet

1b9d7ec5a25ab9d78c31777a0016a097

https://t.me/tvrugrats

https://steamcommunity.com/profiles/76561199627279110

Attributes

profile_id_v2
1b9d7ec5a25ab9d78c31777a0016a097

Signatures

Detect Vidar Stealer 6 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/1820-51-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral2/memory/1820-52-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral2/memory/1004-48-0x00000000005D0000-0x0000000000600000-memory.dmp	family_vidar_v7
behavioral2/memory/1820-47-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral2/memory/1820-66-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral2/memory/2668-151-0x0000000000A20000-0x0000000000B20000-memory.dmp	family_vidar_v7

Detected Djvu ransomware 17 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5108-5-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/5108-6-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/5108-4-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/5108-2-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2656-3-0x0000000002270000-0x000000000238B000-memory.dmp	family_djvu
behavioral2/memory/5108-17-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4664-22-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4664-24-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4664-23-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2364-21-0x00000000021E0000-0x0000000002279000-memory.dmp	family_djvu
behavioral2/memory/4664-30-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4664-29-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4664-37-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4664-36-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4664-34-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4664-53-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4664-63-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Executes dropped EXE 13 IoCs

Processes:

build2.exebuild2.exebuild3.exebuild3.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exe

pid	process
1004	build2.exe
1820	build2.exe
2108	build3.exe
4076	build3.exe
4580	mstsca.exe
1324	mstsca.exe
2376	mstsca.exe
4756	mstsca.exe
2668	mstsca.exe
4008	mstsca.exe
4208	mstsca.exe
2168	mstsca.exe
344	mstsca.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

4312 icacls.exe

pid	process
4312	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

cbb4e198bd38eb973662e33128c585ebf5dcd0797136d4b5ced3c28cdb2fa967.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2595843030-3811137303-3031389247-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\e947ebc3-bc24-4f8a-b1b3-08fe6a7739cd\\cbb4e198bd38eb973662e33128c585ebf5dcd0797136d4b5ced3c28cdb2fa967.exe\" --AutoStart"	cbb4e198bd38eb973662e33128c585ebf5dcd0797136d4b5ced3c28cdb2fa967.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 api.2ip.ua
2 api.2ip.ua
8 api.2ip.ua

flow	ioc
1	api.2ip.ua
2	api.2ip.ua
8	api.2ip.ua

Suspicious use of SetThreadContext 8 IoCs

Processes:

cbb4e198bd38eb973662e33128c585ebf5dcd0797136d4b5ced3c28cdb2fa967.execbb4e198bd38eb973662e33128c585ebf5dcd0797136d4b5ced3c28cdb2fa967.exebuild2.exebuild3.exemstsca.exemstsca.exemstsca.exemstsca.exe

description	pid	process	target process
PID 2656 set thread context of 5108	2656	cbb4e198bd38eb973662e33128c585ebf5dcd0797136d4b5ced3c28cdb2fa967.exe	cbb4e198bd38eb973662e33128c585ebf5dcd0797136d4b5ced3c28cdb2fa967.exe
PID 2364 set thread context of 4664	2364	cbb4e198bd38eb973662e33128c585ebf5dcd0797136d4b5ced3c28cdb2fa967.exe	cbb4e198bd38eb973662e33128c585ebf5dcd0797136d4b5ced3c28cdb2fa967.exe
PID 1004 set thread context of 1820	1004	build2.exe	build2.exe
PID 2108 set thread context of 4076	2108	build3.exe	build3.exe
PID 4580 set thread context of 1324	4580	mstsca.exe	mstsca.exe
PID 2376 set thread context of 4756	2376	mstsca.exe	mstsca.exe
PID 2668 set thread context of 4008	2668	mstsca.exe	mstsca.exe
PID 4208 set thread context of 2168	4208	mstsca.exe	mstsca.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1332 1820 WerFault.exe build2.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3900 schtasks.exe
732 schtasks.exe

pid	pid_target	process	target process
1332	1820	WerFault.exe	build2.exe

pid	process
3900	schtasks.exe
732	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

cbb4e198bd38eb973662e33128c585ebf5dcd0797136d4b5ced3c28cdb2fa967.execbb4e198bd38eb973662e33128c585ebf5dcd0797136d4b5ced3c28cdb2fa967.exe

pid	process
5108	cbb4e198bd38eb973662e33128c585ebf5dcd0797136d4b5ced3c28cdb2fa967.exe
5108	cbb4e198bd38eb973662e33128c585ebf5dcd0797136d4b5ced3c28cdb2fa967.exe
4664	cbb4e198bd38eb973662e33128c585ebf5dcd0797136d4b5ced3c28cdb2fa967.exe
4664	cbb4e198bd38eb973662e33128c585ebf5dcd0797136d4b5ced3c28cdb2fa967.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cbb4e198bd38eb973662e33128c585ebf5dcd0797136d4b5ced3c28cdb2fa967.execbb4e198bd38eb973662e33128c585ebf5dcd0797136d4b5ced3c28cdb2fa967.execbb4e198bd38eb973662e33128c585ebf5dcd0797136d4b5ced3c28cdb2fa967.execbb4e198bd38eb973662e33128c585ebf5dcd0797136d4b5ced3c28cdb2fa967.exebuild2.exebuild3.exebuild3.exemstsca.exemstsca.exe

description	pid	process	target process
PID 2656 wrote to memory of 5108	2656	cbb4e198bd38eb973662e33128c585ebf5dcd0797136d4b5ced3c28cdb2fa967.exe	cbb4e198bd38eb973662e33128c585ebf5dcd0797136d4b5ced3c28cdb2fa967.exe
PID 2656 wrote to memory of 5108	2656	cbb4e198bd38eb973662e33128c585ebf5dcd0797136d4b5ced3c28cdb2fa967.exe	cbb4e198bd38eb973662e33128c585ebf5dcd0797136d4b5ced3c28cdb2fa967.exe
PID 2656 wrote to memory of 5108	2656	cbb4e198bd38eb973662e33128c585ebf5dcd0797136d4b5ced3c28cdb2fa967.exe	cbb4e198bd38eb973662e33128c585ebf5dcd0797136d4b5ced3c28cdb2fa967.exe
PID 2656 wrote to memory of 5108	2656	cbb4e198bd38eb973662e33128c585ebf5dcd0797136d4b5ced3c28cdb2fa967.exe	cbb4e198bd38eb973662e33128c585ebf5dcd0797136d4b5ced3c28cdb2fa967.exe
PID 2656 wrote to memory of 5108	2656	cbb4e198bd38eb973662e33128c585ebf5dcd0797136d4b5ced3c28cdb2fa967.exe	cbb4e198bd38eb973662e33128c585ebf5dcd0797136d4b5ced3c28cdb2fa967.exe
PID 2656 wrote to memory of 5108	2656	cbb4e198bd38eb973662e33128c585ebf5dcd0797136d4b5ced3c28cdb2fa967.exe	cbb4e198bd38eb973662e33128c585ebf5dcd0797136d4b5ced3c28cdb2fa967.exe
PID 2656 wrote to memory of 5108	2656	cbb4e198bd38eb973662e33128c585ebf5dcd0797136d4b5ced3c28cdb2fa967.exe	cbb4e198bd38eb973662e33128c585ebf5dcd0797136d4b5ced3c28cdb2fa967.exe
PID 2656 wrote to memory of 5108	2656	cbb4e198bd38eb973662e33128c585ebf5dcd0797136d4b5ced3c28cdb2fa967.exe	cbb4e198bd38eb973662e33128c585ebf5dcd0797136d4b5ced3c28cdb2fa967.exe
PID 2656 wrote to memory of 5108	2656	cbb4e198bd38eb973662e33128c585ebf5dcd0797136d4b5ced3c28cdb2fa967.exe	cbb4e198bd38eb973662e33128c585ebf5dcd0797136d4b5ced3c28cdb2fa967.exe
PID 2656 wrote to memory of 5108	2656	cbb4e198bd38eb973662e33128c585ebf5dcd0797136d4b5ced3c28cdb2fa967.exe	cbb4e198bd38eb973662e33128c585ebf5dcd0797136d4b5ced3c28cdb2fa967.exe
PID 5108 wrote to memory of 4312	5108	cbb4e198bd38eb973662e33128c585ebf5dcd0797136d4b5ced3c28cdb2fa967.exe	icacls.exe
PID 5108 wrote to memory of 4312	5108	cbb4e198bd38eb973662e33128c585ebf5dcd0797136d4b5ced3c28cdb2fa967.exe	icacls.exe
PID 5108 wrote to memory of 4312	5108	cbb4e198bd38eb973662e33128c585ebf5dcd0797136d4b5ced3c28cdb2fa967.exe	icacls.exe
PID 5108 wrote to memory of 2364	5108	cbb4e198bd38eb973662e33128c585ebf5dcd0797136d4b5ced3c28cdb2fa967.exe	cbb4e198bd38eb973662e33128c585ebf5dcd0797136d4b5ced3c28cdb2fa967.exe
PID 5108 wrote to memory of 2364	5108	cbb4e198bd38eb973662e33128c585ebf5dcd0797136d4b5ced3c28cdb2fa967.exe	cbb4e198bd38eb973662e33128c585ebf5dcd0797136d4b5ced3c28cdb2fa967.exe
PID 5108 wrote to memory of 2364	5108	cbb4e198bd38eb973662e33128c585ebf5dcd0797136d4b5ced3c28cdb2fa967.exe	cbb4e198bd38eb973662e33128c585ebf5dcd0797136d4b5ced3c28cdb2fa967.exe
PID 2364 wrote to memory of 4664	2364	cbb4e198bd38eb973662e33128c585ebf5dcd0797136d4b5ced3c28cdb2fa967.exe	cbb4e198bd38eb973662e33128c585ebf5dcd0797136d4b5ced3c28cdb2fa967.exe
PID 2364 wrote to memory of 4664	2364	cbb4e198bd38eb973662e33128c585ebf5dcd0797136d4b5ced3c28cdb2fa967.exe	cbb4e198bd38eb973662e33128c585ebf5dcd0797136d4b5ced3c28cdb2fa967.exe
PID 2364 wrote to memory of 4664	2364	cbb4e198bd38eb973662e33128c585ebf5dcd0797136d4b5ced3c28cdb2fa967.exe	cbb4e198bd38eb973662e33128c585ebf5dcd0797136d4b5ced3c28cdb2fa967.exe
PID 2364 wrote to memory of 4664	2364	cbb4e198bd38eb973662e33128c585ebf5dcd0797136d4b5ced3c28cdb2fa967.exe	cbb4e198bd38eb973662e33128c585ebf5dcd0797136d4b5ced3c28cdb2fa967.exe
PID 2364 wrote to memory of 4664	2364	cbb4e198bd38eb973662e33128c585ebf5dcd0797136d4b5ced3c28cdb2fa967.exe	cbb4e198bd38eb973662e33128c585ebf5dcd0797136d4b5ced3c28cdb2fa967.exe
PID 2364 wrote to memory of 4664	2364	cbb4e198bd38eb973662e33128c585ebf5dcd0797136d4b5ced3c28cdb2fa967.exe	cbb4e198bd38eb973662e33128c585ebf5dcd0797136d4b5ced3c28cdb2fa967.exe
PID 2364 wrote to memory of 4664	2364	cbb4e198bd38eb973662e33128c585ebf5dcd0797136d4b5ced3c28cdb2fa967.exe	cbb4e198bd38eb973662e33128c585ebf5dcd0797136d4b5ced3c28cdb2fa967.exe
PID 2364 wrote to memory of 4664	2364	cbb4e198bd38eb973662e33128c585ebf5dcd0797136d4b5ced3c28cdb2fa967.exe	cbb4e198bd38eb973662e33128c585ebf5dcd0797136d4b5ced3c28cdb2fa967.exe
PID 2364 wrote to memory of 4664	2364	cbb4e198bd38eb973662e33128c585ebf5dcd0797136d4b5ced3c28cdb2fa967.exe	cbb4e198bd38eb973662e33128c585ebf5dcd0797136d4b5ced3c28cdb2fa967.exe
PID 2364 wrote to memory of 4664	2364	cbb4e198bd38eb973662e33128c585ebf5dcd0797136d4b5ced3c28cdb2fa967.exe	cbb4e198bd38eb973662e33128c585ebf5dcd0797136d4b5ced3c28cdb2fa967.exe
PID 4664 wrote to memory of 1004	4664	cbb4e198bd38eb973662e33128c585ebf5dcd0797136d4b5ced3c28cdb2fa967.exe	build2.exe
PID 4664 wrote to memory of 1004	4664	cbb4e198bd38eb973662e33128c585ebf5dcd0797136d4b5ced3c28cdb2fa967.exe	build2.exe
PID 4664 wrote to memory of 1004	4664	cbb4e198bd38eb973662e33128c585ebf5dcd0797136d4b5ced3c28cdb2fa967.exe	build2.exe
PID 1004 wrote to memory of 1820	1004	build2.exe	build2.exe
PID 1004 wrote to memory of 1820	1004	build2.exe	build2.exe
PID 1004 wrote to memory of 1820	1004	build2.exe	build2.exe
PID 1004 wrote to memory of 1820	1004	build2.exe	build2.exe
PID 1004 wrote to memory of 1820	1004	build2.exe	build2.exe
PID 1004 wrote to memory of 1820	1004	build2.exe	build2.exe
PID 1004 wrote to memory of 1820	1004	build2.exe	build2.exe
PID 1004 wrote to memory of 1820	1004	build2.exe	build2.exe
PID 1004 wrote to memory of 1820	1004	build2.exe	build2.exe
PID 1004 wrote to memory of 1820	1004	build2.exe	build2.exe
PID 4664 wrote to memory of 2108	4664	cbb4e198bd38eb973662e33128c585ebf5dcd0797136d4b5ced3c28cdb2fa967.exe	build3.exe
PID 4664 wrote to memory of 2108	4664	cbb4e198bd38eb973662e33128c585ebf5dcd0797136d4b5ced3c28cdb2fa967.exe	build3.exe
PID 4664 wrote to memory of 2108	4664	cbb4e198bd38eb973662e33128c585ebf5dcd0797136d4b5ced3c28cdb2fa967.exe	build3.exe
PID 2108 wrote to memory of 4076	2108	build3.exe	build3.exe
PID 2108 wrote to memory of 4076	2108	build3.exe	build3.exe
PID 2108 wrote to memory of 4076	2108	build3.exe	build3.exe
PID 2108 wrote to memory of 4076	2108	build3.exe	build3.exe
PID 2108 wrote to memory of 4076	2108	build3.exe	build3.exe
PID 2108 wrote to memory of 4076	2108	build3.exe	build3.exe
PID 2108 wrote to memory of 4076	2108	build3.exe	build3.exe
PID 2108 wrote to memory of 4076	2108	build3.exe	build3.exe
PID 2108 wrote to memory of 4076	2108	build3.exe	build3.exe
PID 4076 wrote to memory of 3900	4076	build3.exe	schtasks.exe
PID 4076 wrote to memory of 3900	4076	build3.exe	schtasks.exe
PID 4076 wrote to memory of 3900	4076	build3.exe	schtasks.exe
PID 4580 wrote to memory of 1324	4580	mstsca.exe	mstsca.exe
PID 4580 wrote to memory of 1324	4580	mstsca.exe	mstsca.exe
PID 4580 wrote to memory of 1324	4580	mstsca.exe	mstsca.exe
PID 4580 wrote to memory of 1324	4580	mstsca.exe	mstsca.exe
PID 4580 wrote to memory of 1324	4580	mstsca.exe	mstsca.exe
PID 4580 wrote to memory of 1324	4580	mstsca.exe	mstsca.exe
PID 4580 wrote to memory of 1324	4580	mstsca.exe	mstsca.exe
PID 4580 wrote to memory of 1324	4580	mstsca.exe	mstsca.exe
PID 4580 wrote to memory of 1324	4580	mstsca.exe	mstsca.exe
PID 1324 wrote to memory of 732	1324	mstsca.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\cbb4e198bd38eb973662e33128c585ebf5dcd0797136d4b5ced3c28cdb2fa967.exe
"C:\Users\Admin\AppData\Local\Temp\cbb4e198bd38eb973662e33128c585ebf5dcd0797136d4b5ced3c28cdb2fa967.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2656

C:\Users\Admin\AppData\Local\Temp\cbb4e198bd38eb973662e33128c585ebf5dcd0797136d4b5ced3c28cdb2fa967.exe
"C:\Users\Admin\AppData\Local\Temp\cbb4e198bd38eb973662e33128c585ebf5dcd0797136d4b5ced3c28cdb2fa967.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5108

C:\Users\Admin\AppData\Local\Temp\cbb4e198bd38eb973662e33128c585ebf5dcd0797136d4b5ced3c28cdb2fa967.exe
"C:\Users\Admin\AppData\Local\Temp\cbb4e198bd38eb973662e33128c585ebf5dcd0797136d4b5ced3c28cdb2fa967.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2364

C:\Users\Admin\AppData\Local\Temp\cbb4e198bd38eb973662e33128c585ebf5dcd0797136d4b5ced3c28cdb2fa967.exe
"C:\Users\Admin\AppData\Local\Temp\cbb4e198bd38eb973662e33128c585ebf5dcd0797136d4b5ced3c28cdb2fa967.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4664

C:\Users\Admin\AppData\Local\adda5dc5-47eb-402e-912f-bb01f5dfa335\build2.exe
"C:\Users\Admin\AppData\Local\adda5dc5-47eb-402e-912f-bb01f5dfa335\build2.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1004

C:\Users\Admin\AppData\Local\adda5dc5-47eb-402e-912f-bb01f5dfa335\build3.exe
"C:\Users\Admin\AppData\Local\adda5dc5-47eb-402e-912f-bb01f5dfa335\build3.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2108

C:\Users\Admin\AppData\Local\adda5dc5-47eb-402e-912f-bb01f5dfa335\build3.exe
"C:\Users\Admin\AppData\Local\adda5dc5-47eb-402e-912f-bb01f5dfa335\build3.exe"
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4076

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
7⤵
- Creates scheduled task(s)
PID:3900

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\e947ebc3-bc24-4f8a-b1b3-08fe6a7739cd" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:4312

C:\Users\Admin\AppData\Local\adda5dc5-47eb-402e-912f-bb01f5dfa335\build2.exe
"C:\Users\Admin\AppData\Local\adda5dc5-47eb-402e-912f-bb01f5dfa335\build2.exe"
1⤵
- Executes dropped EXE
PID:1820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 1908
2⤵
- Program crash
PID:1332

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4580

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1324

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
3⤵
- Creates scheduled task(s)
PID:732

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2376

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
PID:4756

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2668

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
PID:4008

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4208

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
PID:2168

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
PID:344

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
1KB

MD5
8112ab2a9d7578692e66734917d00015

SHA1
5dc1f7cb2c66c925d195fb98784917d108a001dd

SHA256
919561b1927726f5218e79f21184c4bf7117db4466686fc93d3d5dbc1380033b

SHA512
538f1f36b44d628d2ade163cc40deb58b50cb7fbd56019d9526c8233c30771db8542ed5786d311322dfd2e9d44e979da9513c4a0bbc7416b47bb7beca90013d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
410B

MD5
4331d57c71a492723d5faa69512c39d5

SHA1
4bcb1dba9c9fea836a0c44746c24d684dedbfe84

SHA256
7a1a1a84ca1b9eb245785243caa24a7f43e7ec2e2e26223a9b41e39a872e7760

SHA512
61a8e4de65d2e34d59a55555ea869f4021982f64a9a807783ca09a6d07ee9145e06f7991f39f6351764a677183edf19507834d4f913f5fb8637bb5dde11614d9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
392B

MD5
a197389118d5d0ea3d44397d546e3253

SHA1
32eca1078618ac662e991b5abd7c5caeb08d2d22

SHA256
610fac936da326e8eff5122822bfaaf2effc3560241d9862926b5b3bc1d18fa4

SHA512
9e85810b6dcb18417e0bda44f5e463641602aa7fe53d64598d634ac4456e8fa68bba690ec46923a83c1c5153d815780fa5655dd6c635edc81f9ac1cb3d15b419

Download Submit
C:\Users\Admin\AppData\Local\adda5dc5-47eb-402e-912f-bb01f5dfa335\build2.exe
Filesize
28KB

MD5
94297584640e0844f989eed082319055

SHA1
744213300cff1760b251d6c5a9badec904941999

SHA256
cd2784278e0e81dfb8fd0eb72e11986de6edfb965527114552664d6c8f8f020e

SHA512
783a6eec5c5bd8f7c619c8732f9b8eabf4d77cba509f51e7a661a720b63a840030ad3576ef76d26c58bb142d8a340c262a0925af5806a7ecba94c5ea8c7672cb

Download Submit
C:\Users\Admin\AppData\Local\adda5dc5-47eb-402e-912f-bb01f5dfa335\build2.exe
Filesize
29KB

MD5
6242af863928334a98f0ebc645c18a67

SHA1
0b4922e2a97da831a2830b7a1a90277e1b49f6ed

SHA256
632e10e4915829bd3f9b53934fb5ace6037ff08c8eb8c05913aae485e35cab6e

SHA512
7ffac9be5e89c305818366b78ae51bac6947007c17dcb181455ef454738ff2af0ab5d551ddbf6372a4523d5fc8b30d574c8d39ac550a86db892c10b2afdaf452

Download Submit
C:\Users\Admin\AppData\Local\adda5dc5-47eb-402e-912f-bb01f5dfa335\build2.exe
Filesize
68KB

MD5
24b181dbf5cd20568fa3245ca486edf8

SHA1
3554004ac800a3aee348f5e920514547a270c2a5

SHA256
1e394fe81e17cafbb1f8d7df6b0f3ded80e19fab8a52e4417550a82cb39657c7

SHA512
da2a8bcbf5f269d7f843de3d0ca2d06cf74670f3541435929b0dd4568db2c24abb693fc6564a09da8b13a79a15856f7639f8e02dd3af268992b165a9cb522b9a

Download Submit
C:\Users\Admin\AppData\Local\adda5dc5-47eb-402e-912f-bb01f5dfa335\build3.exe
Filesize
132KB

MD5
948090c86a635a5091eb72ad89ac020e

SHA1
9841422054d8951613ddb08e2a0813ab13c957f0

SHA256
b09f203d255eb07e5645e691908a8ace02b6e70d03ef45e099bec65136cc8e6d

SHA512
34eee8077f48e7a20e8ed5a83ff1f025c12813775f469a811f0f8140ddb82429b8d17547d247bd66354271b8f964e1bc1109e1f4c45e2577e5a07b531cfc2370

Download Submit
C:\Users\Admin\AppData\Local\adda5dc5-47eb-402e-912f-bb01f5dfa335\build3.exe
Filesize
110KB

MD5
5d40b14db520c2f8c8f7ef0f6db7d673

SHA1
ae6c59657ac2d7d2e0192dfc888a96617a07034a

SHA256
7a41f6c199de346aa79f57592b9572ef1f62c7966f2f95f9a0d8c3f5eed3c118

SHA512
adad50f467d047bdb3220202bac3bdcc9ecbd80633434a4bf43d48aff8094b2b9adae0c9698f1a345490048b03ed14801c284cc2133e4a16c0b808889697ed9e

Download Submit
C:\Users\Admin\AppData\Local\adda5dc5-47eb-402e-912f-bb01f5dfa335\build3.exe
Filesize
149KB

MD5
7abba8174677b3c4d585cd620e6f0c6b

SHA1
2de166d22c395e3d8fddc964b145a10f14653e5b

SHA256
5b32fbd2dde8751cc9db1e650703b8054f864b344f20bce83ecb79b9a77342a1

SHA512
8bac1c3c3ee0bb25870d1b288cd5d563294795681b0942a4b89182214b48ab8ece50d445f9faac0d4776e7395567b5ca867e1008e49d6e147e7e904682ae8d18

Download Submit
C:\Users\Admin\AppData\Local\e947ebc3-bc24-4f8a-b1b3-08fe6a7739cd\cbb4e198bd38eb973662e33128c585ebf5dcd0797136d4b5ced3c28cdb2fa967.exe
Filesize
216KB

MD5
dd1e9ee6cdde1d11e931c712f8f6cf52

SHA1
8f407d703aece341d49b12da84c755fc61790acc

SHA256
6490dc263f1398565aaa6243d6d17ca9be995ad8d7c5192f27f1e85fec1ddf84

SHA512
09211dda2e91111826d4ae0fb5baf2e3d6701088d19a7ed209166e98e54745f0a308c84c9babada860356aa6a684e222e33beb4869fc9c6dc08f9607f3635eed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
29KB

MD5
60c25f218d84d8fe2ad85bf10af0864f

SHA1
965d8a56d086acaa54b83c713568615b3089ccb5

SHA256
401249e1114759bcaf3a775332d44a201a2c6cbe504895494ccd9740a2bd4342

SHA512
d2c20e4e4a4735d1dabfd90314235c7ffbe5493f97b3a599383d54501df014917476dec1b8967e96bb73f6eedf2889d93da8e3bce3699aacde602d0279778de7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
47KB

MD5
16b4f3b1807c10d235c2192a8935a9e5

SHA1
25e6dcc6011588cf382036cb484d353417d096b8

SHA256
8b36dee6a7f2c12af97e6e85bd8e7b570c6ef871c6d89b870392d227c2af85e5

SHA512
ee5a7156abbd7c407997395d18c025c09569efc01c05855b2f5cd69ad5d86118613c4b5b125d74055c4f12ee0fc5a5328e382ecd84fd5fa5d880a50de5c798bd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
131KB

MD5
b6a4d3a8b3eb89542c921345f8ed00b4

SHA1
1fb79abeecf7025168b79825b7c8cdbc72873560

SHA256
32f5d5a25a623d0eac8367f79bed9a7b27c99e5a56edf75d449fdf7cdc7d6331

SHA512
bfdf725327e9c02c651b9692b0b11d1f76d263246ea75565b2728f504fee494dd394a1ae7221b901334117393cb0f01a38660689acd355a33dd7edf79f46fe8e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
299KB

MD5
41b883a061c95e9b9cb17d4ca50de770

SHA1
1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad

SHA256
fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408

SHA512
cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

Download Submit
memory/1004-48-0x00000000005D0000-0x0000000000600000-memory.dmp

Filesize
192KB

Download
memory/1004-46-0x00000000006B0000-0x00000000007B0000-memory.dmp

Filesize
1024KB

Download
memory/1820-51-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/1820-66-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/1820-52-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/1820-47-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2108-76-0x0000000000850000-0x0000000000854000-memory.dmp

Filesize
16KB

Download
memory/2108-75-0x00000000009F9000-0x0000000000A0A000-memory.dmp

Filesize
68KB

Download
memory/2364-21-0x00000000021E0000-0x0000000002279000-memory.dmp

Filesize
612KB

Download
memory/2376-125-0x0000000000A4E000-0x0000000000A5E000-memory.dmp

Filesize
64KB

Download
memory/2656-1-0x00000000020E0000-0x000000000217F000-memory.dmp

Filesize
636KB

Download
memory/2656-3-0x0000000002270000-0x000000000238B000-memory.dmp

Filesize
1.1MB

Download
memory/2668-158-0x0000000000A20000-0x0000000000B20000-memory.dmp

Filesize
1024KB

Download
memory/2668-151-0x0000000000A20000-0x0000000000B20000-memory.dmp

Filesize
1024KB

Download
memory/4076-77-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4076-72-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4076-79-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4208-175-0x000000000084E000-0x000000000085E000-memory.dmp

Filesize
64KB

Download
memory/4580-97-0x0000000000A5A000-0x0000000000A6A000-memory.dmp

Filesize
64KB

Download
memory/4664-23-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4664-63-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4664-22-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4664-53-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4664-36-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4664-24-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4664-34-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4664-29-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4664-37-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4664-30-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4756-123-0x0000000000410000-0x00000000004D5000-memory.dmp

Filesize
788KB

Download
memory/5108-4-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5108-5-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5108-6-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5108-17-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5108-2-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download