djvu | 66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678

General

Target

66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
Size

737KB
MD5

93c82a57837aae4227b65a84b2e7c787
SHA1

469d0f9920d93029c4cdf2832d0df9939a17e5e4
SHA256

66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678
SHA512

be00ea6ed8b6c3948374d46a83873adf9f40af21db5dd42985fe736dc46cb03fe72ceb8b5593aa7f30937fd92d064486b3856afd5892f1c67b518e26eba0ae64
SSDEEP

12288:Q2IwAVLmgpXICA9qcs0gsq8TgvHDVEk25wZ5C2UGhh6a+Wh7P3auMkTQ9ymQAd:dAVLmAXku0gs6HDVEkXZ52Ghh9+23hQ

Score

10^/10

djvu vidar 1b9d7ec5a25ab9d78c31777a0016a097 discovery persistence ransomware stealer

Malware Config

Extracted

Family

djvu

C2

http://habrafa.com/test1/get.php

Attributes

extension
.cdcc
offline_id
LBxKKiegnAy53rpqH3Pj2j46vwldiEt9kqHSuMt1
payload_url
http://brusuax.com/dl/build2.exe

http://habrafa.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-iVcrVFVRqu Price of private key and decrypt software is $1999. Discount 50% available if you contact us first 72 hours, that's price for you is $999. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0846ASdw

rsa_pubkey.plain

Extracted

Family

vidar

Version

7.6

Botnet

1b9d7ec5a25ab9d78c31777a0016a097

C2

https://t.me/tvrugrats

https://steamcommunity.com/profiles/76561199627279110

Attributes

profile_id_v2
1b9d7ec5a25ab9d78c31777a0016a097

Signatures

Detect Vidar Stealer 9 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/4784-46-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral2/memory/3216-48-0x00000000004B0000-0x00000000004E0000-memory.dmp	family_vidar_v7
behavioral2/memory/4784-51-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral2/memory/4784-52-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral2/memory/4784-86-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral2/memory/2876-92-0x0000000000870000-0x0000000000970000-memory.dmp	family_vidar_v7
behavioral2/memory/4500-119-0x00000000007F0000-0x00000000008F0000-memory.dmp	family_vidar_v7
behavioral2/memory/4464-146-0x0000000000AF0000-0x0000000000BF0000-memory.dmp	family_vidar_v7
behavioral2/memory/4484-205-0x00000000009A0000-0x0000000000AA0000-memory.dmp	family_vidar_v7

Detected Djvu ransomware 17 IoCs

Processes:

resource	yara_rule
behavioral2/memory/872-2-0x0000000002230000-0x000000000234B000-memory.dmp	family_djvu
behavioral2/memory/3840-3-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3840-4-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3840-6-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3840-5-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3840-17-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2968-22-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2968-23-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2968-24-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2968-29-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2968-30-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2968-34-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2968-36-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2968-37-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2968-53-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2968-71-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3864-77-0x0000000000AB0000-0x0000000000BB0000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Executes dropped EXE 14 IoCs

Processes:

build2.exebuild2.exebuild3.exebuild3.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exe

pid	process
3216	build2.exe
4784	build2.exe
3864	build3.exe
2132	build3.exe
2876	mstsca.exe
4020	mstsca.exe
4500	mstsca.exe
4156	mstsca.exe
4464	mstsca.exe
4560	mstsca.exe
192	mstsca.exe
3320	mstsca.exe
4484	mstsca.exe
432	mstsca.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

1968 icacls.exe

pid	process
1968	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\0c52d1f8-c2a4-4af4-836b-81930939fb1a\\66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe\" --AutoStart"	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 api.2ip.ua
2 api.2ip.ua
10 api.2ip.ua

flow	ioc
1	api.2ip.ua
2	api.2ip.ua
10	api.2ip.ua

Suspicious use of SetThreadContext 9 IoCs

Processes:

66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exebuild2.exebuild3.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exe

description	pid	process	target process
PID 872 set thread context of 3840	872	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
PID 4636 set thread context of 2968	4636	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
PID 3216 set thread context of 4784	3216	build2.exe	build2.exe
PID 3864 set thread context of 2132	3864	build3.exe	build3.exe
PID 2876 set thread context of 4020	2876	mstsca.exe	mstsca.exe
PID 4500 set thread context of 4156	4500	mstsca.exe	mstsca.exe
PID 4464 set thread context of 4560	4464	mstsca.exe	mstsca.exe
PID 192 set thread context of 3320	192	mstsca.exe	mstsca.exe
PID 4484 set thread context of 432	4484	mstsca.exe	mstsca.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3844 4784 WerFault.exe build2.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4812 schtasks.exe
2072 schtasks.exe

pid	pid_target	process	target process
3844	4784	WerFault.exe	build2.exe

pid	process
4812	schtasks.exe
2072	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe

pid	process
3840	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
3840	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
2968	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
2968	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exebuild2.exebuild3.exebuild3.exemstsca.exemstsca.exe

description	pid	process	target process
PID 872 wrote to memory of 3840	872	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
PID 872 wrote to memory of 3840	872	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
PID 872 wrote to memory of 3840	872	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
PID 872 wrote to memory of 3840	872	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
PID 872 wrote to memory of 3840	872	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
PID 872 wrote to memory of 3840	872	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
PID 872 wrote to memory of 3840	872	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
PID 872 wrote to memory of 3840	872	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
PID 872 wrote to memory of 3840	872	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
PID 872 wrote to memory of 3840	872	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
PID 3840 wrote to memory of 1968	3840	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	icacls.exe
PID 3840 wrote to memory of 1968	3840	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	icacls.exe
PID 3840 wrote to memory of 1968	3840	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	icacls.exe
PID 3840 wrote to memory of 4636	3840	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
PID 3840 wrote to memory of 4636	3840	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
PID 3840 wrote to memory of 4636	3840	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
PID 4636 wrote to memory of 2968	4636	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
PID 4636 wrote to memory of 2968	4636	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
PID 4636 wrote to memory of 2968	4636	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
PID 4636 wrote to memory of 2968	4636	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
PID 4636 wrote to memory of 2968	4636	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
PID 4636 wrote to memory of 2968	4636	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
PID 4636 wrote to memory of 2968	4636	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
PID 4636 wrote to memory of 2968	4636	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
PID 4636 wrote to memory of 2968	4636	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
PID 4636 wrote to memory of 2968	4636	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
PID 2968 wrote to memory of 3216	2968	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	build2.exe
PID 2968 wrote to memory of 3216	2968	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	build2.exe
PID 2968 wrote to memory of 3216	2968	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	build2.exe
PID 3216 wrote to memory of 4784	3216	build2.exe	build2.exe
PID 3216 wrote to memory of 4784	3216	build2.exe	build2.exe
PID 3216 wrote to memory of 4784	3216	build2.exe	build2.exe
PID 3216 wrote to memory of 4784	3216	build2.exe	build2.exe
PID 3216 wrote to memory of 4784	3216	build2.exe	build2.exe
PID 3216 wrote to memory of 4784	3216	build2.exe	build2.exe
PID 3216 wrote to memory of 4784	3216	build2.exe	build2.exe
PID 3216 wrote to memory of 4784	3216	build2.exe	build2.exe
PID 3216 wrote to memory of 4784	3216	build2.exe	build2.exe
PID 3216 wrote to memory of 4784	3216	build2.exe	build2.exe
PID 2968 wrote to memory of 3864	2968	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	build3.exe
PID 2968 wrote to memory of 3864	2968	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	build3.exe
PID 2968 wrote to memory of 3864	2968	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	build3.exe
PID 3864 wrote to memory of 2132	3864	build3.exe	build3.exe
PID 3864 wrote to memory of 2132	3864	build3.exe	build3.exe
PID 3864 wrote to memory of 2132	3864	build3.exe	build3.exe
PID 3864 wrote to memory of 2132	3864	build3.exe	build3.exe
PID 3864 wrote to memory of 2132	3864	build3.exe	build3.exe
PID 3864 wrote to memory of 2132	3864	build3.exe	build3.exe
PID 3864 wrote to memory of 2132	3864	build3.exe	build3.exe
PID 3864 wrote to memory of 2132	3864	build3.exe	build3.exe
PID 3864 wrote to memory of 2132	3864	build3.exe	build3.exe
PID 2132 wrote to memory of 4812	2132	build3.exe	schtasks.exe
PID 2132 wrote to memory of 4812	2132	build3.exe	schtasks.exe
PID 2132 wrote to memory of 4812	2132	build3.exe	schtasks.exe
PID 2876 wrote to memory of 4020	2876	mstsca.exe	mstsca.exe
PID 2876 wrote to memory of 4020	2876	mstsca.exe	mstsca.exe
PID 2876 wrote to memory of 4020	2876	mstsca.exe	mstsca.exe
PID 2876 wrote to memory of 4020	2876	mstsca.exe	mstsca.exe
PID 2876 wrote to memory of 4020	2876	mstsca.exe	mstsca.exe
PID 2876 wrote to memory of 4020	2876	mstsca.exe	mstsca.exe
PID 2876 wrote to memory of 4020	2876	mstsca.exe	mstsca.exe
PID 2876 wrote to memory of 4020	2876	mstsca.exe	mstsca.exe
PID 2876 wrote to memory of 4020	2876	mstsca.exe	mstsca.exe
PID 4020 wrote to memory of 2072	4020	mstsca.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
"C:\Users\Admin\AppData\Local\Temp\66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:872

C:\Users\Admin\AppData\Local\Temp\66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
"C:\Users\Admin\AppData\Local\Temp\66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3840

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\0c52d1f8-c2a4-4af4-836b-81930939fb1a" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:1968

C:\Users\Admin\AppData\Local\Temp\66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
"C:\Users\Admin\AppData\Local\Temp\66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4636

C:\Users\Admin\AppData\Local\Temp\66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
"C:\Users\Admin\AppData\Local\Temp\66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2968

C:\Users\Admin\AppData\Local\6842f4f8-e68e-42ed-b4d2-7c03dcd11ed3\build2.exe
"C:\Users\Admin\AppData\Local\6842f4f8-e68e-42ed-b4d2-7c03dcd11ed3\build2.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3216

C:\Users\Admin\AppData\Local\6842f4f8-e68e-42ed-b4d2-7c03dcd11ed3\build2.exe
"C:\Users\Admin\AppData\Local\6842f4f8-e68e-42ed-b4d2-7c03dcd11ed3\build2.exe"
6⤵
- Executes dropped EXE
PID:4784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4784 -s 2012
7⤵
- Program crash
PID:3844

C:\Users\Admin\AppData\Local\6842f4f8-e68e-42ed-b4d2-7c03dcd11ed3\build3.exe
"C:\Users\Admin\AppData\Local\6842f4f8-e68e-42ed-b4d2-7c03dcd11ed3\build3.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3864

C:\Users\Admin\AppData\Local\6842f4f8-e68e-42ed-b4d2-7c03dcd11ed3\build3.exe
"C:\Users\Admin\AppData\Local\6842f4f8-e68e-42ed-b4d2-7c03dcd11ed3\build3.exe"
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2132

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
7⤵
- Creates scheduled task(s)
PID:4812

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2876

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4020

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
3⤵
- Creates scheduled task(s)
PID:2072

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4500

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
PID:4156

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4464

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
PID:4560

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:192

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
PID:3320

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4484

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
PID:432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

File and Directory Permissions Modification

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
1KB

MD5
3769f53ac22cdf6658c874805d9983a5

SHA1
53ba470f9cd12bbfde1d1149bcad0029e0f8a84f

SHA256
87ec66df2ed0afbd05a6094ba5ad5bc5b3ef6807828d00323b1addb6addd1c17

SHA512
56ce76ea6aeaaafac14128912b31e12a16a2ca85b97ece7f3034bea5ca3b249c0cfe974b2823f35d38c46d6b3faa7278732b183a86c85f469c422384f08f2925

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
410B

MD5
e1a4a2e1c67cddda61bbd023209bbb46

SHA1
d129e9b5e3ba35538d32ae13e7fb1eaba4eeed23

SHA256
0e6c79272d4ed5d3b0bf7266bc325256227614006e1d7607ae27fb66fdd46acb

SHA512
f24b85d2aca77abcbc97180da57eb502c70ea34e4fcebb51e220fc4186035a4017ed9720d38be5fbc6df63db35bc71ba7ed050edd2e506723f6051206a823586

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
392B

MD5
f76c240730c65a024cdd5642f02df0c9

SHA1
be835d1be786a7b160a25b89262ff1c1c3122367

SHA256
4e13844c98f51d9c993b34a88a1fddb5eb900c2efbe03f5fcd0bd472a62cc494

SHA512
c5ab2479fd5337b654c837056f0bc93c72d0d8c71f1372b56ed00a7b004c6022655f2c59a294526df72fc74d9da078636a59abb3bfa3a4b28c2795908a7d051e

Download Submit
C:\Users\Admin\AppData\Local\0c52d1f8-c2a4-4af4-836b-81930939fb1a\66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
Filesize
737KB

MD5
93c82a57837aae4227b65a84b2e7c787

SHA1
469d0f9920d93029c4cdf2832d0df9939a17e5e4

SHA256
66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678

SHA512
be00ea6ed8b6c3948374d46a83873adf9f40af21db5dd42985fe736dc46cb03fe72ceb8b5593aa7f30937fd92d064486b3856afd5892f1c67b518e26eba0ae64

Download Submit
C:\Users\Admin\AppData\Local\6842f4f8-e68e-42ed-b4d2-7c03dcd11ed3\build2.exe
Filesize
385KB

MD5
63e4a9cd7a8b37335b5f18cefc5dd9d2

SHA1
c781a30935afc452b108cc78724b60f389b78874

SHA256
c1e75efde3fd1da605135e5c3ffab0073299c80632d136f8eeba9d4a7c98c70f

SHA512
3818b5966938704c5830acb5426db7791f6ae476853248d8984b1aff35a6722a0684bea54a53ef6ded1f301f6de9ed044d45f007457a9c0f3a7ea3afc7bf0ecc

Download Submit
C:\Users\Admin\AppData\Local\6842f4f8-e68e-42ed-b4d2-7c03dcd11ed3\build3.exe
Filesize
299KB

MD5
41b883a061c95e9b9cb17d4ca50de770

SHA1
1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad

SHA256
fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408

SHA512
cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
239KB

MD5
c518b8411cc0d5bf1330e0aead693cfe

SHA1
0fbbcacfb2951abf2689b944eac51ac507f9e443

SHA256
87e5b56f98d3e78ab756362c440df911c369d4786d363b86f46dbb42f985e3fc

SHA512
66d722cc9d40f330033534c612c9cc5a94e3a6faab3382ea28b03472b6110ceaa17f62ba9f5b0f7af0cddf2a3757ab98a7785eaed5028037c8ac1ae3dcfcee54

Download Submit
memory/192-174-0x0000000000A90000-0x0000000000B90000-memory.dmp

Filesize
1024KB

Download
memory/872-1-0x0000000002100000-0x0000000002199000-memory.dmp

Filesize
612KB

Download
memory/872-2-0x0000000002230000-0x000000000234B000-memory.dmp

Filesize
1.1MB

Download
memory/2132-81-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2132-76-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2132-83-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2132-84-0x0000000000410000-0x00000000004D5000-memory.dmp

Filesize
788KB

Download
memory/2876-92-0x0000000000870000-0x0000000000970000-memory.dmp

Filesize
1024KB

Download
memory/2968-24-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2968-53-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2968-34-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2968-36-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2968-37-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2968-29-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2968-22-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2968-30-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2968-71-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2968-23-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3216-48-0x00000000004B0000-0x00000000004E0000-memory.dmp

Filesize
192KB

Download
memory/3216-47-0x0000000000610000-0x0000000000710000-memory.dmp

Filesize
1024KB

Download
memory/3840-17-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3840-3-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3840-4-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3840-6-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3840-5-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3864-79-0x0000000000920000-0x0000000000924000-memory.dmp

Filesize
16KB

Download
memory/3864-77-0x0000000000AB0000-0x0000000000BB0000-memory.dmp

Filesize
1024KB

Download
memory/4464-146-0x0000000000AF0000-0x0000000000BF0000-memory.dmp

Filesize
1024KB

Download
memory/4484-205-0x00000000009A0000-0x0000000000AA0000-memory.dmp

Filesize
1024KB

Download
memory/4500-119-0x00000000007F0000-0x00000000008F0000-memory.dmp

Filesize
1024KB

Download
memory/4560-151-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4636-20-0x0000000001FC0000-0x000000000205B000-memory.dmp

Filesize
620KB

Download
memory/4784-46-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/4784-86-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/4784-52-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/4784-51-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads