djvu | cc9f95a4bb127cda832c37ba53dc86b8d21b67b0793d3d4039e2f2459fd36658

Analysis

max time kernel
296s
max time network
300s
platform
windows10-1703_x64
resource
win10-20231215-en
resource tags

arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
submitted
01-02-2024 04:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cc9f95a4bb127cda832c37ba53dc86b8d21b67b0793d3d4039e2f2459fd36658.exe
Size

834KB
MD5

393ff21e0c8d0a8b32e005d2fdbc97db
SHA1

771cab72d0be3164a6be638b515af36481e70cf4
SHA256

cc9f95a4bb127cda832c37ba53dc86b8d21b67b0793d3d4039e2f2459fd36658
SHA512

09f80c7615faa84418b01a6b78c800e66c917999c366ba26dd28ff61735b9bb23c61024b1b3107cabfdd46aa8ce8973123536b79cf3e47ab9a554db4a14b2844
SSDEEP

12288:0MhDTx3xk7WtKS2wnWRnSgB6kOyw8I6E7f0CbWdso0hS5yX7woTXIzSXG4:04Nl2LSZk1kQCbWdwS5yXJXeSv

Score

10^/10

djvu vidar 1b9d7ec5a25ab9d78c31777a0016a097 discovery persistence ransomware stealer

Malware Config

Extracted

Family

djvu

http://habrafa.com/test1/get.php

Attributes

extension
.cdcc
offline_id
LBxKKiegnAy53rpqH3Pj2j46vwldiEt9kqHSuMt1
payload_url
http://brusuax.com/dl/build2.exe

http://habrafa.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-iVcrVFVRqu Price of private key and decrypt software is $1999. Discount 50% available if you contact us first 72 hours, that's price for you is $999. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0846ASdw

rsa_pubkey.plain

Extracted

Family

vidar

Version

7.6

Botnet

1b9d7ec5a25ab9d78c31777a0016a097

https://t.me/tvrugrats

https://steamcommunity.com/profiles/76561199627279110

Attributes

profile_id_v2
1b9d7ec5a25ab9d78c31777a0016a097

Signatures

Detect Vidar Stealer 6 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/2440-51-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral2/memory/2440-52-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral2/memory/2440-48-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral2/memory/932-47-0x00000000005F0000-0x0000000000620000-memory.dmp	family_vidar_v7
behavioral2/memory/2440-66-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral2/memory/1824-96-0x0000000000AE0000-0x0000000000BE0000-memory.dmp	family_vidar_v7

Detected Djvu ransomware 16 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4348-3-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4348-4-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4348-5-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4064-2-0x0000000002270000-0x000000000238B000-memory.dmp	family_djvu
behavioral2/memory/4348-6-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4348-17-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4428-24-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4428-23-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4428-22-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4428-30-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4428-29-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4428-37-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4428-36-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4428-34-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4428-53-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4428-63-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Executes dropped EXE 13 IoCs

Processes:

build2.exebuild2.exebuild3.exebuild3.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exe

pid	process
932	build2.exe
2440	build2.exe
3396	build3.exe
1752	build3.exe
1824	mstsca.exe
1408	mstsca.exe
2020	mstsca.exe
3832	mstsca.exe
4856	mstsca.exe
1108	mstsca.exe
4616	mstsca.exe
4172	mstsca.exe
2348	mstsca.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

4536 icacls.exe

pid	process
4536	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

cc9f95a4bb127cda832c37ba53dc86b8d21b67b0793d3d4039e2f2459fd36658.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1364394410-760759377-2797241167-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\c2190e99-582e-4cde-a4cc-21346672fcc9\\cc9f95a4bb127cda832c37ba53dc86b8d21b67b0793d3d4039e2f2459fd36658.exe\" --AutoStart"	cc9f95a4bb127cda832c37ba53dc86b8d21b67b0793d3d4039e2f2459fd36658.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 api.2ip.ua
2 api.2ip.ua
9 api.2ip.ua

flow	ioc
1	api.2ip.ua
2	api.2ip.ua
9	api.2ip.ua

Suspicious use of SetThreadContext 8 IoCs

Processes:

cc9f95a4bb127cda832c37ba53dc86b8d21b67b0793d3d4039e2f2459fd36658.execc9f95a4bb127cda832c37ba53dc86b8d21b67b0793d3d4039e2f2459fd36658.exebuild2.exebuild3.exemstsca.exemstsca.exemstsca.exemstsca.exe

description	pid	process	target process
PID 4064 set thread context of 4348	4064	cc9f95a4bb127cda832c37ba53dc86b8d21b67b0793d3d4039e2f2459fd36658.exe	cc9f95a4bb127cda832c37ba53dc86b8d21b67b0793d3d4039e2f2459fd36658.exe
PID 660 set thread context of 4428	660	cc9f95a4bb127cda832c37ba53dc86b8d21b67b0793d3d4039e2f2459fd36658.exe	cc9f95a4bb127cda832c37ba53dc86b8d21b67b0793d3d4039e2f2459fd36658.exe
PID 932 set thread context of 2440	932	build2.exe	build2.exe
PID 3396 set thread context of 1752	3396	build3.exe	build3.exe
PID 1824 set thread context of 1408	1824	mstsca.exe	mstsca.exe
PID 2020 set thread context of 3832	2020	mstsca.exe	mstsca.exe
PID 4856 set thread context of 1108	4856	mstsca.exe	mstsca.exe
PID 4616 set thread context of 4172	4616	mstsca.exe	mstsca.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4556 2440 WerFault.exe build2.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4160 schtasks.exe
1856 schtasks.exe

pid	pid_target	process	target process
4556	2440	WerFault.exe	build2.exe

pid	process
4160	schtasks.exe
1856	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

cc9f95a4bb127cda832c37ba53dc86b8d21b67b0793d3d4039e2f2459fd36658.execc9f95a4bb127cda832c37ba53dc86b8d21b67b0793d3d4039e2f2459fd36658.exe

pid	process
4348	cc9f95a4bb127cda832c37ba53dc86b8d21b67b0793d3d4039e2f2459fd36658.exe
4348	cc9f95a4bb127cda832c37ba53dc86b8d21b67b0793d3d4039e2f2459fd36658.exe
4428	cc9f95a4bb127cda832c37ba53dc86b8d21b67b0793d3d4039e2f2459fd36658.exe
4428	cc9f95a4bb127cda832c37ba53dc86b8d21b67b0793d3d4039e2f2459fd36658.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cc9f95a4bb127cda832c37ba53dc86b8d21b67b0793d3d4039e2f2459fd36658.execc9f95a4bb127cda832c37ba53dc86b8d21b67b0793d3d4039e2f2459fd36658.execc9f95a4bb127cda832c37ba53dc86b8d21b67b0793d3d4039e2f2459fd36658.execc9f95a4bb127cda832c37ba53dc86b8d21b67b0793d3d4039e2f2459fd36658.exebuild2.exebuild3.exebuild3.exemstsca.exemstsca.exe

description	pid	process	target process
PID 4064 wrote to memory of 4348	4064	cc9f95a4bb127cda832c37ba53dc86b8d21b67b0793d3d4039e2f2459fd36658.exe	cc9f95a4bb127cda832c37ba53dc86b8d21b67b0793d3d4039e2f2459fd36658.exe
PID 4064 wrote to memory of 4348	4064	cc9f95a4bb127cda832c37ba53dc86b8d21b67b0793d3d4039e2f2459fd36658.exe	cc9f95a4bb127cda832c37ba53dc86b8d21b67b0793d3d4039e2f2459fd36658.exe
PID 4064 wrote to memory of 4348	4064	cc9f95a4bb127cda832c37ba53dc86b8d21b67b0793d3d4039e2f2459fd36658.exe	cc9f95a4bb127cda832c37ba53dc86b8d21b67b0793d3d4039e2f2459fd36658.exe
PID 4064 wrote to memory of 4348	4064	cc9f95a4bb127cda832c37ba53dc86b8d21b67b0793d3d4039e2f2459fd36658.exe	cc9f95a4bb127cda832c37ba53dc86b8d21b67b0793d3d4039e2f2459fd36658.exe
PID 4064 wrote to memory of 4348	4064	cc9f95a4bb127cda832c37ba53dc86b8d21b67b0793d3d4039e2f2459fd36658.exe	cc9f95a4bb127cda832c37ba53dc86b8d21b67b0793d3d4039e2f2459fd36658.exe
PID 4064 wrote to memory of 4348	4064	cc9f95a4bb127cda832c37ba53dc86b8d21b67b0793d3d4039e2f2459fd36658.exe	cc9f95a4bb127cda832c37ba53dc86b8d21b67b0793d3d4039e2f2459fd36658.exe
PID 4064 wrote to memory of 4348	4064	cc9f95a4bb127cda832c37ba53dc86b8d21b67b0793d3d4039e2f2459fd36658.exe	cc9f95a4bb127cda832c37ba53dc86b8d21b67b0793d3d4039e2f2459fd36658.exe
PID 4064 wrote to memory of 4348	4064	cc9f95a4bb127cda832c37ba53dc86b8d21b67b0793d3d4039e2f2459fd36658.exe	cc9f95a4bb127cda832c37ba53dc86b8d21b67b0793d3d4039e2f2459fd36658.exe
PID 4064 wrote to memory of 4348	4064	cc9f95a4bb127cda832c37ba53dc86b8d21b67b0793d3d4039e2f2459fd36658.exe	cc9f95a4bb127cda832c37ba53dc86b8d21b67b0793d3d4039e2f2459fd36658.exe
PID 4064 wrote to memory of 4348	4064	cc9f95a4bb127cda832c37ba53dc86b8d21b67b0793d3d4039e2f2459fd36658.exe	cc9f95a4bb127cda832c37ba53dc86b8d21b67b0793d3d4039e2f2459fd36658.exe
PID 4348 wrote to memory of 4536	4348	cc9f95a4bb127cda832c37ba53dc86b8d21b67b0793d3d4039e2f2459fd36658.exe	icacls.exe
PID 4348 wrote to memory of 4536	4348	cc9f95a4bb127cda832c37ba53dc86b8d21b67b0793d3d4039e2f2459fd36658.exe	icacls.exe
PID 4348 wrote to memory of 4536	4348	cc9f95a4bb127cda832c37ba53dc86b8d21b67b0793d3d4039e2f2459fd36658.exe	icacls.exe
PID 4348 wrote to memory of 660	4348	cc9f95a4bb127cda832c37ba53dc86b8d21b67b0793d3d4039e2f2459fd36658.exe	cc9f95a4bb127cda832c37ba53dc86b8d21b67b0793d3d4039e2f2459fd36658.exe
PID 4348 wrote to memory of 660	4348	cc9f95a4bb127cda832c37ba53dc86b8d21b67b0793d3d4039e2f2459fd36658.exe	cc9f95a4bb127cda832c37ba53dc86b8d21b67b0793d3d4039e2f2459fd36658.exe
PID 4348 wrote to memory of 660	4348	cc9f95a4bb127cda832c37ba53dc86b8d21b67b0793d3d4039e2f2459fd36658.exe	cc9f95a4bb127cda832c37ba53dc86b8d21b67b0793d3d4039e2f2459fd36658.exe
PID 660 wrote to memory of 4428	660	cc9f95a4bb127cda832c37ba53dc86b8d21b67b0793d3d4039e2f2459fd36658.exe	cc9f95a4bb127cda832c37ba53dc86b8d21b67b0793d3d4039e2f2459fd36658.exe
PID 660 wrote to memory of 4428	660	cc9f95a4bb127cda832c37ba53dc86b8d21b67b0793d3d4039e2f2459fd36658.exe	cc9f95a4bb127cda832c37ba53dc86b8d21b67b0793d3d4039e2f2459fd36658.exe
PID 660 wrote to memory of 4428	660	cc9f95a4bb127cda832c37ba53dc86b8d21b67b0793d3d4039e2f2459fd36658.exe	cc9f95a4bb127cda832c37ba53dc86b8d21b67b0793d3d4039e2f2459fd36658.exe
PID 660 wrote to memory of 4428	660	cc9f95a4bb127cda832c37ba53dc86b8d21b67b0793d3d4039e2f2459fd36658.exe	cc9f95a4bb127cda832c37ba53dc86b8d21b67b0793d3d4039e2f2459fd36658.exe
PID 660 wrote to memory of 4428	660	cc9f95a4bb127cda832c37ba53dc86b8d21b67b0793d3d4039e2f2459fd36658.exe	cc9f95a4bb127cda832c37ba53dc86b8d21b67b0793d3d4039e2f2459fd36658.exe
PID 660 wrote to memory of 4428	660	cc9f95a4bb127cda832c37ba53dc86b8d21b67b0793d3d4039e2f2459fd36658.exe	cc9f95a4bb127cda832c37ba53dc86b8d21b67b0793d3d4039e2f2459fd36658.exe
PID 660 wrote to memory of 4428	660	cc9f95a4bb127cda832c37ba53dc86b8d21b67b0793d3d4039e2f2459fd36658.exe	cc9f95a4bb127cda832c37ba53dc86b8d21b67b0793d3d4039e2f2459fd36658.exe
PID 660 wrote to memory of 4428	660	cc9f95a4bb127cda832c37ba53dc86b8d21b67b0793d3d4039e2f2459fd36658.exe	cc9f95a4bb127cda832c37ba53dc86b8d21b67b0793d3d4039e2f2459fd36658.exe
PID 660 wrote to memory of 4428	660	cc9f95a4bb127cda832c37ba53dc86b8d21b67b0793d3d4039e2f2459fd36658.exe	cc9f95a4bb127cda832c37ba53dc86b8d21b67b0793d3d4039e2f2459fd36658.exe
PID 660 wrote to memory of 4428	660	cc9f95a4bb127cda832c37ba53dc86b8d21b67b0793d3d4039e2f2459fd36658.exe	cc9f95a4bb127cda832c37ba53dc86b8d21b67b0793d3d4039e2f2459fd36658.exe
PID 4428 wrote to memory of 932	4428	cc9f95a4bb127cda832c37ba53dc86b8d21b67b0793d3d4039e2f2459fd36658.exe	build2.exe
PID 4428 wrote to memory of 932	4428	cc9f95a4bb127cda832c37ba53dc86b8d21b67b0793d3d4039e2f2459fd36658.exe	build2.exe
PID 4428 wrote to memory of 932	4428	cc9f95a4bb127cda832c37ba53dc86b8d21b67b0793d3d4039e2f2459fd36658.exe	build2.exe
PID 932 wrote to memory of 2440	932	build2.exe	build2.exe
PID 932 wrote to memory of 2440	932	build2.exe	build2.exe
PID 932 wrote to memory of 2440	932	build2.exe	build2.exe
PID 932 wrote to memory of 2440	932	build2.exe	build2.exe
PID 932 wrote to memory of 2440	932	build2.exe	build2.exe
PID 932 wrote to memory of 2440	932	build2.exe	build2.exe
PID 932 wrote to memory of 2440	932	build2.exe	build2.exe
PID 932 wrote to memory of 2440	932	build2.exe	build2.exe
PID 932 wrote to memory of 2440	932	build2.exe	build2.exe
PID 932 wrote to memory of 2440	932	build2.exe	build2.exe
PID 4428 wrote to memory of 3396	4428	cc9f95a4bb127cda832c37ba53dc86b8d21b67b0793d3d4039e2f2459fd36658.exe	build3.exe
PID 4428 wrote to memory of 3396	4428	cc9f95a4bb127cda832c37ba53dc86b8d21b67b0793d3d4039e2f2459fd36658.exe	build3.exe
PID 4428 wrote to memory of 3396	4428	cc9f95a4bb127cda832c37ba53dc86b8d21b67b0793d3d4039e2f2459fd36658.exe	build3.exe
PID 3396 wrote to memory of 1752	3396	build3.exe	build3.exe
PID 3396 wrote to memory of 1752	3396	build3.exe	build3.exe
PID 3396 wrote to memory of 1752	3396	build3.exe	build3.exe
PID 3396 wrote to memory of 1752	3396	build3.exe	build3.exe
PID 3396 wrote to memory of 1752	3396	build3.exe	build3.exe
PID 3396 wrote to memory of 1752	3396	build3.exe	build3.exe
PID 3396 wrote to memory of 1752	3396	build3.exe	build3.exe
PID 3396 wrote to memory of 1752	3396	build3.exe	build3.exe
PID 3396 wrote to memory of 1752	3396	build3.exe	build3.exe
PID 1752 wrote to memory of 4160	1752	build3.exe	schtasks.exe
PID 1752 wrote to memory of 4160	1752	build3.exe	schtasks.exe
PID 1752 wrote to memory of 4160	1752	build3.exe	schtasks.exe
PID 1824 wrote to memory of 1408	1824	mstsca.exe	mstsca.exe
PID 1824 wrote to memory of 1408	1824	mstsca.exe	mstsca.exe
PID 1824 wrote to memory of 1408	1824	mstsca.exe	mstsca.exe
PID 1824 wrote to memory of 1408	1824	mstsca.exe	mstsca.exe
PID 1824 wrote to memory of 1408	1824	mstsca.exe	mstsca.exe
PID 1824 wrote to memory of 1408	1824	mstsca.exe	mstsca.exe
PID 1824 wrote to memory of 1408	1824	mstsca.exe	mstsca.exe
PID 1824 wrote to memory of 1408	1824	mstsca.exe	mstsca.exe
PID 1824 wrote to memory of 1408	1824	mstsca.exe	mstsca.exe
PID 1408 wrote to memory of 1856	1408	mstsca.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\cc9f95a4bb127cda832c37ba53dc86b8d21b67b0793d3d4039e2f2459fd36658.exe
"C:\Users\Admin\AppData\Local\Temp\cc9f95a4bb127cda832c37ba53dc86b8d21b67b0793d3d4039e2f2459fd36658.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4064
- C:\Users\Admin\AppData\Local\Temp\cc9f95a4bb127cda832c37ba53dc86b8d21b67b0793d3d4039e2f2459fd36658.exe
  "C:\Users\Admin\AppData\Local\Temp\cc9f95a4bb127cda832c37ba53dc86b8d21b67b0793d3d4039e2f2459fd36658.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4348
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\c2190e99-582e-4cde-a4cc-21346672fcc9" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:4536
- - C:\Users\Admin\AppData\Local\Temp\cc9f95a4bb127cda832c37ba53dc86b8d21b67b0793d3d4039e2f2459fd36658.exe
    "C:\Users\Admin\AppData\Local\Temp\cc9f95a4bb127cda832c37ba53dc86b8d21b67b0793d3d4039e2f2459fd36658.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:660
  - - C:\Users\Admin\AppData\Local\Temp\cc9f95a4bb127cda832c37ba53dc86b8d21b67b0793d3d4039e2f2459fd36658.exe
      "C:\Users\Admin\AppData\Local\Temp\cc9f95a4bb127cda832c37ba53dc86b8d21b67b0793d3d4039e2f2459fd36658.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4428
    - - C:\Users\Admin\AppData\Local\c10fd8dd-e8b3-4618-bff5-5c0eddba735f\build2.exe
        
        "C:\Users\Admin\AppData\Local\c10fd8dd-e8b3-4618-bff5-5c0eddba735f\build2.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:932
    - - C:\Users\Admin\AppData\Local\c10fd8dd-e8b3-4618-bff5-5c0eddba735f\build3.exe
        
        "C:\Users\Admin\AppData\Local\c10fd8dd-e8b3-4618-bff5-5c0eddba735f\build3.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3396
      - C:\Users\Admin\AppData\Local\c10fd8dd-e8b3-4618-bff5-5c0eddba735f\build3.exe
        
        "C:\Users\Admin\AppData\Local\c10fd8dd-e8b3-4618-bff5-5c0eddba735f\build3.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1752
        
        C:\Windows\SysWOW64\schtasks.exe
        
        /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
        7⤵
        Creates scheduled task(s)
        
        PID:4160

C:\Users\Admin\AppData\Local\c10fd8dd-e8b3-4618-bff5-5c0eddba735f\build2.exe
"C:\Users\Admin\AppData\Local\c10fd8dd-e8b3-4618-bff5-5c0eddba735f\build2.exe"
1⤵
- Executes dropped EXE
PID:2440
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 2088
  2⤵
  - Program crash
  PID:4556

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1824
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1408
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
    3⤵
    - Creates scheduled task(s)
    PID:1856

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2020
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Executes dropped EXE
  PID:3832

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4856
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Executes dropped EXE
  PID:1108

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4616
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Executes dropped EXE
  PID:4172

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
PID:2348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
8112ab2a9d7578692e66734917d00015

SHA1
5dc1f7cb2c66c925d195fb98784917d108a001dd

SHA256
919561b1927726f5218e79f21184c4bf7117db4466686fc93d3d5dbc1380033b

SHA512
538f1f36b44d628d2ade163cc40deb58b50cb7fbd56019d9526c8233c30771db8542ed5786d311322dfd2e9d44e979da9513c4a0bbc7416b47bb7beca90013d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
66a4bb0894cce2ac070bfa7dabfb474b

SHA1
0f15559dc9a73872a3c3ad5fcbb377f63639a91a

SHA256
32c107f6440a9bae48086283a54140e6aa4e80921c2ea83c64a54a086775722b

SHA512
aa8d1277b7f0950492670ae0d791d425d799911c8fc04076b4eed61f1cc9394e9b80d6f900f6050ada9a05bc1ac6d2bb9ab61674a9cf1e8911fa861cec69237b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
afe7e8f26fe23915409d00b2ae8b97f8

SHA1
204018fe6876b1ce80ea6dc94a0d40268613f15e

SHA256
be67cf5c30945449616003b81f9e01dd8c87e27ac643b2c99fcde00730f0c9dc

SHA512
e93a876157a25e587e968c80c24fb5ab2e6eeb8cb81cd5e86fe67ac34a05c3c1acd63121937f0c9fa0047b3868f500b517b3702dc7fc2c8eb12b7d7cad0c6ae0

Download Submit
C:\Users\Admin\AppData\Local\c10fd8dd-e8b3-4618-bff5-5c0eddba735f\build2.exe

Filesize
158KB

MD5
b1fa72f70452c75de93926885eb760ba

SHA1
4a4e7deee64378b5b3678ad5fa14f3563cfea33e

SHA256
c380fd07b4dd8fc57ff52f15ef7daadb551036b1fa2b90bcdb2c7cf2f9955669

SHA512
62b8c32a8ef1d9e6590ab25a1c7f4af76f8072ca85f4f2f0c898c90ffe08cecdf6bb0f08dde37035e5c2aa8fa0132a455a738be5e86409c9a60707e8d73dd4fe

Download Submit
C:\Users\Admin\AppData\Local\c10fd8dd-e8b3-4618-bff5-5c0eddba735f\build2.exe

Filesize
145KB

MD5
254fca06e8e5a018fa2b9bf2e84c0681

SHA1
36418e73d717f1c83a2fd44ff0903f0a51caacc6

SHA256
acd65badb8b15bf0a4acbbec12e92f459916c3244e232b9f95750b63c047a4a0

SHA512
e382c68357b9f266eecafaefa80713bed04ca7ffa3c22c1f2250d5332d316999cc3d3fa1db473f16737b23a4ab54639d972d7ebda5972d2aede043613007cb5f

Download Submit
C:\Users\Admin\AppData\Local\c10fd8dd-e8b3-4618-bff5-5c0eddba735f\build2.exe

Filesize
78KB

MD5
5529f22ce89618040f25b39a1da96e28

SHA1
e09a5ff4c85c60aeeb0c0dd65ce863d3d2380cdf

SHA256
da6375ab097452d2bfdbddf7a2deefa894c65ab48a2310add6f33bf276bcf84e

SHA512
7e25ed37547749577a4dd988642bd8d5ee4d48ce6dcfaf2a614ede72226eae5f680a37e758f9fccfce51bdf863c677d57be528d5f8e5d2e2e2b09b915d3ae4a2

Download Submit
C:\Users\Admin\AppData\Local\c10fd8dd-e8b3-4618-bff5-5c0eddba735f\build3.exe

Filesize
169KB

MD5
aef8d00abb28d12a106effc3f416d2c4

SHA1
5ef119bc7cd4e7687a7c6e1d65cdf57c44c0083b

SHA256
07aa9add49f936314d3b466f25d9bb96fb613e024966eff924569657703017ae

SHA512
0307f4eb9355b4d5714270e9938d5199ab8b42a686c737b157bf381e9db0ed8bccdf0e21316f0122fd8c2b3b625a2936687626347d3fdf56079c9f5ce1b67ff8

Download Submit
C:\Users\Admin\AppData\Local\c10fd8dd-e8b3-4618-bff5-5c0eddba735f\build3.exe

Filesize
237KB

MD5
cd31264b600822d8aa25413b59cd2386

SHA1
b71411ed22af4040471af45faa88846ecd5013ae

SHA256
22759990b409a335c828024d0fb17a2efef0187477f16897fd9e6b56a1682ff2

SHA512
d964f3aee4e49bc13f2a5827e2bede825328ddcb498c415a104fdc5322943302ef41cf31c060b8768da1d6cba2fffe0a936855e3fcff73aab4f1af3f2f56955a

Download Submit
C:\Users\Admin\AppData\Local\c10fd8dd-e8b3-4618-bff5-5c0eddba735f\build3.exe

Filesize
299KB

MD5
41b883a061c95e9b9cb17d4ca50de770

SHA1
1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad

SHA256
fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408

SHA512
cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

Download Submit
C:\Users\Admin\AppData\Local\c2190e99-582e-4cde-a4cc-21346672fcc9\cc9f95a4bb127cda832c37ba53dc86b8d21b67b0793d3d4039e2f2459fd36658.exe

Filesize
101KB

MD5
925694a5819c80fe9c0b22719018fe43

SHA1
93262d0b94e3da7e4881f368a4b3794de450e4b4

SHA256
99f38b03141839e4191ebadf3a44fd58d429f83709dc426297d69202b6a3aa91

SHA512
7ed32426841fe6519e63f81743bb3c03f51b7087187a38bd8046c97b5d1bbbb29d3a1f968be191d785a369ec4c993b1722aecb9d7537017e71386c2aef4c9da2

Download Submit
memory/660-21-0x0000000002040000-0x00000000020D3000-memory.dmp

Filesize
588KB

Download
memory/932-46-0x0000000000690000-0x0000000000790000-memory.dmp

Filesize
1024KB

Download
memory/932-47-0x00000000005F0000-0x0000000000620000-memory.dmp

Filesize
192KB

Download
memory/1752-70-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1752-75-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1752-77-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1752-78-0x0000000000410000-0x00000000004D5000-memory.dmp

Filesize
788KB

Download
memory/1824-96-0x0000000000AE0000-0x0000000000BE0000-memory.dmp

Filesize
1024KB

Download
memory/2020-123-0x00000000009D0000-0x0000000000AD0000-memory.dmp

Filesize
1024KB

Download
memory/2440-66-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2440-51-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2440-52-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2440-48-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/3396-74-0x0000000000810000-0x0000000000814000-memory.dmp

Filesize
16KB

Download
memory/3396-73-0x0000000000840000-0x0000000000940000-memory.dmp

Filesize
1024KB

Download
memory/3832-122-0x0000000000410000-0x0000000000411000-memory.dmp

Filesize
4KB

Download
memory/4064-2-0x0000000002270000-0x000000000238B000-memory.dmp

Filesize
1.1MB

Download
memory/4064-1-0x00000000021D0000-0x0000000002270000-memory.dmp

Filesize
640KB

Download
memory/4348-17-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4348-3-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4348-4-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4348-5-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4348-6-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4428-63-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4428-24-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4428-29-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4428-37-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4428-30-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4428-34-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4428-23-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4428-22-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4428-36-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4428-53-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4616-174-0x00000000009AE000-0x00000000009BE000-memory.dmp

Filesize
64KB

Download
memory/4856-148-0x00000000008D0000-0x00000000009D0000-memory.dmp

Filesize
1024KB

Download