djvu | 81bc674ece66294d98951305f4734f6ef520d3331901586efb895abf353b3be3

Analysis

max time kernel
298s
max time network
293s
platform
windows10-1703_x64
resource
win10-20231220-en
resource tags

arch:x64arch:x86image:win10-20231220-enlocale:en-usos:windows10-1703-x64system
submitted
04-02-2024 07:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

81bc674ece66294d98951305f4734f6ef520d3331901586efb895abf353b3be3.exe
Size

736KB
MD5

adb72c7dec5dd45c7f172f4d2d01e1ae
SHA1

9a375b6d4a413807e7775b87722b3f10ce1fe511
SHA256

81bc674ece66294d98951305f4734f6ef520d3331901586efb895abf353b3be3
SHA512

e9da509a506028ee72cfb986bba23a158ee40f58f516b423b1cc7d20472299fc0791b7faf86ed13c94db7a98791a4bae63c783013793012dec43951783001c3c
SSDEEP

12288:k6B0LvP6A0BEE0/wPSZUh6p7N23h8ByUtgLtRGVA50z9btGdQCAP:kT7cgZUO7Y3WzgpchJGiCAP

Score

10^/10

djvu vidar 1b9d7ec5a25ab9d78c31777a0016a097 discovery persistence ransomware stealer

Malware Config

Extracted

Family

djvu

http://habrafa.com/test1/get.php

Attributes

extension
.cdcc
offline_id
LBxKKiegnAy53rpqH3Pj2j46vwldiEt9kqHSuMt1
payload_url
http://brusuax.com/dl/build2.exe
http://habrafa.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-iVcrVFVRqu Price of private key and decrypt software is $1999. Discount 50% available if you contact us first 72 hours, that's price for you is $999. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0846ASdw

rsa_pubkey.plain

Extracted

Family

vidar

Version

7.6

Botnet

1b9d7ec5a25ab9d78c31777a0016a097

https://t.me/tvrugrats

https://steamcommunity.com/profiles/76561199627279110

Attributes

profile_id_v2
1b9d7ec5a25ab9d78c31777a0016a097

Signatures

Detect Vidar Stealer 7 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/3752-52-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral2/memory/3752-51-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral2/memory/3696-50-0x0000000000610000-0x0000000000640000-memory.dmp	family_vidar_v7
behavioral2/memory/3752-46-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral2/memory/3752-75-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral2/memory/2932-95-0x00000000001F0000-0x00000000001F4000-memory.dmp	family_vidar_v7
behavioral2/memory/4116-101-0x0000000000850000-0x0000000000950000-memory.dmp	family_vidar_v7

Detected Djvu ransomware 16 IoCs

Processes:

resource	yara_rule
behavioral2/memory/224-5-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/224-6-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/224-4-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/224-3-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4544-2-0x0000000002180000-0x000000000229B000-memory.dmp	family_djvu
behavioral2/memory/224-17-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/720-21-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/720-24-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/720-23-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/720-30-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/720-29-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/720-36-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/720-37-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/720-34-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/720-53-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/720-72-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Executes dropped EXE 13 IoCs

Processes:

build2.exebuild2.exebuild3.exebuild3.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exe

pid	process
3696	build2.exe
3752	build2.exe
2932	build3.exe
600	build3.exe
4116	mstsca.exe
5044	mstsca.exe
3164	mstsca.exe
1896	mstsca.exe
4876	mstsca.exe
3744	mstsca.exe
4264	mstsca.exe
3232	mstsca.exe
2812	mstsca.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

3532 icacls.exe

pid	process
3532	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

81bc674ece66294d98951305f4734f6ef520d3331901586efb895abf353b3be3.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1775739321-368907234-981748298-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\9bf7e3e7-2191-4410-afd0-6cd2defe596b\\81bc674ece66294d98951305f4734f6ef520d3331901586efb895abf353b3be3.exe\" --AutoStart"	81bc674ece66294d98951305f4734f6ef520d3331901586efb895abf353b3be3.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 api.2ip.ua
2 api.2ip.ua
10 api.2ip.ua

flow	ioc
1	api.2ip.ua
2	api.2ip.ua
10	api.2ip.ua

Suspicious use of SetThreadContext 8 IoCs

Processes:

81bc674ece66294d98951305f4734f6ef520d3331901586efb895abf353b3be3.exe81bc674ece66294d98951305f4734f6ef520d3331901586efb895abf353b3be3.exebuild2.exebuild3.exemstsca.exemstsca.exemstsca.exemstsca.exe

description	pid	process	target process
PID 4544 set thread context of 224	4544	81bc674ece66294d98951305f4734f6ef520d3331901586efb895abf353b3be3.exe	81bc674ece66294d98951305f4734f6ef520d3331901586efb895abf353b3be3.exe
PID 4640 set thread context of 720	4640	81bc674ece66294d98951305f4734f6ef520d3331901586efb895abf353b3be3.exe	81bc674ece66294d98951305f4734f6ef520d3331901586efb895abf353b3be3.exe
PID 3696 set thread context of 3752	3696	build2.exe	build2.exe
PID 2932 set thread context of 600	2932	build3.exe	build3.exe
PID 4116 set thread context of 5044	4116	mstsca.exe	mstsca.exe
PID 3164 set thread context of 1896	3164	mstsca.exe	mstsca.exe
PID 4876 set thread context of 3744	4876	mstsca.exe	mstsca.exe
PID 4264 set thread context of 3232	4264	mstsca.exe	mstsca.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2008 3752 WerFault.exe build2.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4808 schtasks.exe
364 schtasks.exe

pid	pid_target	process	target process
2008	3752	WerFault.exe	build2.exe

pid	process
4808	schtasks.exe
364	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

81bc674ece66294d98951305f4734f6ef520d3331901586efb895abf353b3be3.exe81bc674ece66294d98951305f4734f6ef520d3331901586efb895abf353b3be3.exe

pid	process
224	81bc674ece66294d98951305f4734f6ef520d3331901586efb895abf353b3be3.exe
224	81bc674ece66294d98951305f4734f6ef520d3331901586efb895abf353b3be3.exe
720	81bc674ece66294d98951305f4734f6ef520d3331901586efb895abf353b3be3.exe
720	81bc674ece66294d98951305f4734f6ef520d3331901586efb895abf353b3be3.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

81bc674ece66294d98951305f4734f6ef520d3331901586efb895abf353b3be3.exe81bc674ece66294d98951305f4734f6ef520d3331901586efb895abf353b3be3.exe81bc674ece66294d98951305f4734f6ef520d3331901586efb895abf353b3be3.exe81bc674ece66294d98951305f4734f6ef520d3331901586efb895abf353b3be3.exebuild2.exebuild3.exebuild3.exemstsca.exemstsca.exe

description	pid	process	target process
PID 4544 wrote to memory of 224	4544	81bc674ece66294d98951305f4734f6ef520d3331901586efb895abf353b3be3.exe	81bc674ece66294d98951305f4734f6ef520d3331901586efb895abf353b3be3.exe
PID 4544 wrote to memory of 224	4544	81bc674ece66294d98951305f4734f6ef520d3331901586efb895abf353b3be3.exe	81bc674ece66294d98951305f4734f6ef520d3331901586efb895abf353b3be3.exe
PID 4544 wrote to memory of 224	4544	81bc674ece66294d98951305f4734f6ef520d3331901586efb895abf353b3be3.exe	81bc674ece66294d98951305f4734f6ef520d3331901586efb895abf353b3be3.exe
PID 4544 wrote to memory of 224	4544	81bc674ece66294d98951305f4734f6ef520d3331901586efb895abf353b3be3.exe	81bc674ece66294d98951305f4734f6ef520d3331901586efb895abf353b3be3.exe
PID 4544 wrote to memory of 224	4544	81bc674ece66294d98951305f4734f6ef520d3331901586efb895abf353b3be3.exe	81bc674ece66294d98951305f4734f6ef520d3331901586efb895abf353b3be3.exe
PID 4544 wrote to memory of 224	4544	81bc674ece66294d98951305f4734f6ef520d3331901586efb895abf353b3be3.exe	81bc674ece66294d98951305f4734f6ef520d3331901586efb895abf353b3be3.exe
PID 4544 wrote to memory of 224	4544	81bc674ece66294d98951305f4734f6ef520d3331901586efb895abf353b3be3.exe	81bc674ece66294d98951305f4734f6ef520d3331901586efb895abf353b3be3.exe
PID 4544 wrote to memory of 224	4544	81bc674ece66294d98951305f4734f6ef520d3331901586efb895abf353b3be3.exe	81bc674ece66294d98951305f4734f6ef520d3331901586efb895abf353b3be3.exe
PID 4544 wrote to memory of 224	4544	81bc674ece66294d98951305f4734f6ef520d3331901586efb895abf353b3be3.exe	81bc674ece66294d98951305f4734f6ef520d3331901586efb895abf353b3be3.exe
PID 4544 wrote to memory of 224	4544	81bc674ece66294d98951305f4734f6ef520d3331901586efb895abf353b3be3.exe	81bc674ece66294d98951305f4734f6ef520d3331901586efb895abf353b3be3.exe
PID 224 wrote to memory of 3532	224	81bc674ece66294d98951305f4734f6ef520d3331901586efb895abf353b3be3.exe	icacls.exe
PID 224 wrote to memory of 3532	224	81bc674ece66294d98951305f4734f6ef520d3331901586efb895abf353b3be3.exe	icacls.exe
PID 224 wrote to memory of 3532	224	81bc674ece66294d98951305f4734f6ef520d3331901586efb895abf353b3be3.exe	icacls.exe
PID 224 wrote to memory of 4640	224	81bc674ece66294d98951305f4734f6ef520d3331901586efb895abf353b3be3.exe	81bc674ece66294d98951305f4734f6ef520d3331901586efb895abf353b3be3.exe
PID 224 wrote to memory of 4640	224	81bc674ece66294d98951305f4734f6ef520d3331901586efb895abf353b3be3.exe	81bc674ece66294d98951305f4734f6ef520d3331901586efb895abf353b3be3.exe
PID 224 wrote to memory of 4640	224	81bc674ece66294d98951305f4734f6ef520d3331901586efb895abf353b3be3.exe	81bc674ece66294d98951305f4734f6ef520d3331901586efb895abf353b3be3.exe
PID 4640 wrote to memory of 720	4640	81bc674ece66294d98951305f4734f6ef520d3331901586efb895abf353b3be3.exe	81bc674ece66294d98951305f4734f6ef520d3331901586efb895abf353b3be3.exe
PID 4640 wrote to memory of 720	4640	81bc674ece66294d98951305f4734f6ef520d3331901586efb895abf353b3be3.exe	81bc674ece66294d98951305f4734f6ef520d3331901586efb895abf353b3be3.exe
PID 4640 wrote to memory of 720	4640	81bc674ece66294d98951305f4734f6ef520d3331901586efb895abf353b3be3.exe	81bc674ece66294d98951305f4734f6ef520d3331901586efb895abf353b3be3.exe
PID 4640 wrote to memory of 720	4640	81bc674ece66294d98951305f4734f6ef520d3331901586efb895abf353b3be3.exe	81bc674ece66294d98951305f4734f6ef520d3331901586efb895abf353b3be3.exe
PID 4640 wrote to memory of 720	4640	81bc674ece66294d98951305f4734f6ef520d3331901586efb895abf353b3be3.exe	81bc674ece66294d98951305f4734f6ef520d3331901586efb895abf353b3be3.exe
PID 4640 wrote to memory of 720	4640	81bc674ece66294d98951305f4734f6ef520d3331901586efb895abf353b3be3.exe	81bc674ece66294d98951305f4734f6ef520d3331901586efb895abf353b3be3.exe
PID 4640 wrote to memory of 720	4640	81bc674ece66294d98951305f4734f6ef520d3331901586efb895abf353b3be3.exe	81bc674ece66294d98951305f4734f6ef520d3331901586efb895abf353b3be3.exe
PID 4640 wrote to memory of 720	4640	81bc674ece66294d98951305f4734f6ef520d3331901586efb895abf353b3be3.exe	81bc674ece66294d98951305f4734f6ef520d3331901586efb895abf353b3be3.exe
PID 4640 wrote to memory of 720	4640	81bc674ece66294d98951305f4734f6ef520d3331901586efb895abf353b3be3.exe	81bc674ece66294d98951305f4734f6ef520d3331901586efb895abf353b3be3.exe
PID 4640 wrote to memory of 720	4640	81bc674ece66294d98951305f4734f6ef520d3331901586efb895abf353b3be3.exe	81bc674ece66294d98951305f4734f6ef520d3331901586efb895abf353b3be3.exe
PID 720 wrote to memory of 3696	720	81bc674ece66294d98951305f4734f6ef520d3331901586efb895abf353b3be3.exe	build2.exe
PID 720 wrote to memory of 3696	720	81bc674ece66294d98951305f4734f6ef520d3331901586efb895abf353b3be3.exe	build2.exe
PID 720 wrote to memory of 3696	720	81bc674ece66294d98951305f4734f6ef520d3331901586efb895abf353b3be3.exe	build2.exe
PID 3696 wrote to memory of 3752	3696	build2.exe	build2.exe
PID 3696 wrote to memory of 3752	3696	build2.exe	build2.exe
PID 3696 wrote to memory of 3752	3696	build2.exe	build2.exe
PID 3696 wrote to memory of 3752	3696	build2.exe	build2.exe
PID 3696 wrote to memory of 3752	3696	build2.exe	build2.exe
PID 3696 wrote to memory of 3752	3696	build2.exe	build2.exe
PID 3696 wrote to memory of 3752	3696	build2.exe	build2.exe
PID 3696 wrote to memory of 3752	3696	build2.exe	build2.exe
PID 3696 wrote to memory of 3752	3696	build2.exe	build2.exe
PID 3696 wrote to memory of 3752	3696	build2.exe	build2.exe
PID 720 wrote to memory of 2932	720	81bc674ece66294d98951305f4734f6ef520d3331901586efb895abf353b3be3.exe	build3.exe
PID 720 wrote to memory of 2932	720	81bc674ece66294d98951305f4734f6ef520d3331901586efb895abf353b3be3.exe	build3.exe
PID 720 wrote to memory of 2932	720	81bc674ece66294d98951305f4734f6ef520d3331901586efb895abf353b3be3.exe	build3.exe
PID 2932 wrote to memory of 600	2932	build3.exe	build3.exe
PID 2932 wrote to memory of 600	2932	build3.exe	build3.exe
PID 2932 wrote to memory of 600	2932	build3.exe	build3.exe
PID 2932 wrote to memory of 600	2932	build3.exe	build3.exe
PID 2932 wrote to memory of 600	2932	build3.exe	build3.exe
PID 2932 wrote to memory of 600	2932	build3.exe	build3.exe
PID 2932 wrote to memory of 600	2932	build3.exe	build3.exe
PID 2932 wrote to memory of 600	2932	build3.exe	build3.exe
PID 2932 wrote to memory of 600	2932	build3.exe	build3.exe
PID 600 wrote to memory of 4808	600	build3.exe	schtasks.exe
PID 600 wrote to memory of 4808	600	build3.exe	schtasks.exe
PID 600 wrote to memory of 4808	600	build3.exe	schtasks.exe
PID 4116 wrote to memory of 5044	4116	mstsca.exe	mstsca.exe
PID 4116 wrote to memory of 5044	4116	mstsca.exe	mstsca.exe
PID 4116 wrote to memory of 5044	4116	mstsca.exe	mstsca.exe
PID 4116 wrote to memory of 5044	4116	mstsca.exe	mstsca.exe
PID 4116 wrote to memory of 5044	4116	mstsca.exe	mstsca.exe
PID 4116 wrote to memory of 5044	4116	mstsca.exe	mstsca.exe
PID 4116 wrote to memory of 5044	4116	mstsca.exe	mstsca.exe
PID 4116 wrote to memory of 5044	4116	mstsca.exe	mstsca.exe
PID 4116 wrote to memory of 5044	4116	mstsca.exe	mstsca.exe
PID 5044 wrote to memory of 364	5044	mstsca.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\81bc674ece66294d98951305f4734f6ef520d3331901586efb895abf353b3be3.exe
"C:\Users\Admin\AppData\Local\Temp\81bc674ece66294d98951305f4734f6ef520d3331901586efb895abf353b3be3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4544

C:\Users\Admin\AppData\Local\Temp\81bc674ece66294d98951305f4734f6ef520d3331901586efb895abf353b3be3.exe
"C:\Users\Admin\AppData\Local\Temp\81bc674ece66294d98951305f4734f6ef520d3331901586efb895abf353b3be3.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:224

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\9bf7e3e7-2191-4410-afd0-6cd2defe596b" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:3532

C:\Users\Admin\AppData\Local\Temp\81bc674ece66294d98951305f4734f6ef520d3331901586efb895abf353b3be3.exe
"C:\Users\Admin\AppData\Local\Temp\81bc674ece66294d98951305f4734f6ef520d3331901586efb895abf353b3be3.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4640

C:\Users\Admin\AppData\Local\Temp\81bc674ece66294d98951305f4734f6ef520d3331901586efb895abf353b3be3.exe
"C:\Users\Admin\AppData\Local\Temp\81bc674ece66294d98951305f4734f6ef520d3331901586efb895abf353b3be3.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:720

C:\Users\Admin\AppData\Local\79c37ff8-035a-4e61-a538-37e98a8d31ed\build2.exe
"C:\Users\Admin\AppData\Local\79c37ff8-035a-4e61-a538-37e98a8d31ed\build2.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3696

C:\Users\Admin\AppData\Local\79c37ff8-035a-4e61-a538-37e98a8d31ed\build3.exe
"C:\Users\Admin\AppData\Local\79c37ff8-035a-4e61-a538-37e98a8d31ed\build3.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2932

C:\Users\Admin\AppData\Local\79c37ff8-035a-4e61-a538-37e98a8d31ed\build3.exe
"C:\Users\Admin\AppData\Local\79c37ff8-035a-4e61-a538-37e98a8d31ed\build3.exe"
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:600

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
7⤵
- Creates scheduled task(s)
PID:4808

C:\Users\Admin\AppData\Local\79c37ff8-035a-4e61-a538-37e98a8d31ed\build2.exe
"C:\Users\Admin\AppData\Local\79c37ff8-035a-4e61-a538-37e98a8d31ed\build2.exe"
1⤵
- Executes dropped EXE
PID:3752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3752 -s 2008
2⤵
- Program crash
PID:2008

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4116

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5044

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
3⤵
- Creates scheduled task(s)
PID:364

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3164

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
PID:1896

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4876

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
PID:3744

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4264

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
PID:3232

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
PID:2812

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
PID:2016

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
1KB

MD5
3769f53ac22cdf6658c874805d9983a5

SHA1
53ba470f9cd12bbfde1d1149bcad0029e0f8a84f

SHA256
87ec66df2ed0afbd05a6094ba5ad5bc5b3ef6807828d00323b1addb6addd1c17

SHA512
56ce76ea6aeaaafac14128912b31e12a16a2ca85b97ece7f3034bea5ca3b249c0cfe974b2823f35d38c46d6b3faa7278732b183a86c85f469c422384f08f2925

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
410B

MD5
efbfc384914e633152a8c98d98193367

SHA1
6329dcc0cb0ca76d7b95f30083299ac4855f46b5

SHA256
ec273b47eaa5bae72a2bf8c1e3489a1cb41d1cb1d8dccf0126c7bbe72ade4d0a

SHA512
f88c8c8254a1ae10b86e49324bdd497502b5c15e10717bf4232f096e4a08262d94dd549ac6e28fecdad6ca8ec3e1f96d206c545a801792d8f409ea2d0afae2da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
392B

MD5
de45133b27823569dc931ccc918de287

SHA1
ab7491b5878a65017562c41aac87267c498cd587

SHA256
e4adf8cf08a4f3b84cf3e10e46bca727a8c9cca3567469f6daaea5713c9cd417

SHA512
1e6b56f99b7fed6ceca5ef8a19bee52d08de0916f47053d318b543f788ae40319d31c3b1e8136735421af94ad16865faed542debc668ec8bb34ad874171a6b44

Download Submit
C:\Users\Admin\AppData\Local\79c37ff8-035a-4e61-a538-37e98a8d31ed\build2.exe
Filesize
49KB

MD5
0463dc021c37fa4b908d5ceb064f4004

SHA1
bd8ffc42676a23351feecf215a262736db0a8a49

SHA256
1eb07793b9432696d48f7fbf9e7cd6737576bf3b2a1b65e56b3d2b6f8503d74a

SHA512
034ffb5b09414164160818fb14db3ae8e5e569cdfa4ce21f4ab9a0bfc6d3ade4f72f06703fd81bdd2552166d9bd6442b5c1684bc0deb53dc09c5969d5f8ff2d8

Download Submit
C:\Users\Admin\AppData\Local\79c37ff8-035a-4e61-a538-37e98a8d31ed\build2.exe
Filesize
132KB

MD5
c17f2146b4edb69928a0a6088ea0d38c

SHA1
63092204dee65dcc3562a1f7990b1fcc173f8905

SHA256
4313bbe7bc8860eb1209a0d7f3bfe78685571fdff2c9255502f0fa6fc7bdb6d0

SHA512
03fc8e3bddf056b2b088e653e3bde982645622b77d6708342df44b9bea9f2af19606fa379e7f953a3ee2baf9dd8a97f39ba80947ec811a14879bbf4b3d3b3530

Download Submit
C:\Users\Admin\AppData\Local\79c37ff8-035a-4e61-a538-37e98a8d31ed\build2.exe
Filesize
78KB

MD5
be170e2b8f1ad445ab51e7e517b76e10

SHA1
12d7af5bdaa52bfef9070a924885e5fd5e8ccfb5

SHA256
f9df58d6213732bfaa18c0029e90d5451185dec5767cf24df8f6e74f38897741

SHA512
cec0f34cd68eab1714a0fd02838847b1f8c1ede5877ab75a80936e117e0b01a11f481a9db51cc27e38371a39eefb1c45a0fc5d72867d2a24860d6bd600bf6234

Download Submit
C:\Users\Admin\AppData\Local\79c37ff8-035a-4e61-a538-37e98a8d31ed\build3.exe
Filesize
168KB

MD5
f9f9082246a8e32f2b179336219d3a63

SHA1
b2c6e58c062ecbdfa84959ed7e03ffaade287233

SHA256
4e11be5e0b3369da092bd39f8056c12af589704f913daa96c3c81618c238b229

SHA512
dbc0120a6a00cb679c93cedc3cb777ea27a0d2199eb1fbc1ca1f9bb7fe9c7bca1f26673f7a369ec984f79f0d28e70c80d29fd623b04ff6227a8a78ccee9e926a

Download Submit
C:\Users\Admin\AppData\Local\79c37ff8-035a-4e61-a538-37e98a8d31ed\build3.exe
Filesize
101KB

MD5
36fd196973584cbdb10a302542d8ff4e

SHA1
40b81ff87cc256ca6eb3a505174221cdc83e8e10

SHA256
1a695118202275c74689bcfe42e930ad69dffd537c565b3d37743f251497267a

SHA512
9e4058d5d0d3cf560bc4e153a03022bb13c619e9790cdfe1cb9d5fac056f8fbb8d282de7b5fdc0617855e5ed49d03b010f532e3e32efcc0ca7ea55afda605278

Download Submit
C:\Users\Admin\AppData\Local\79c37ff8-035a-4e61-a538-37e98a8d31ed\build3.exe
Filesize
299KB

MD5
41b883a061c95e9b9cb17d4ca50de770

SHA1
1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad

SHA256
fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408

SHA512
cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

Download Submit
C:\Users\Admin\AppData\Local\9bf7e3e7-2191-4410-afd0-6cd2defe596b\81bc674ece66294d98951305f4734f6ef520d3331901586efb895abf353b3be3.exe
Filesize
202KB

MD5
a3155b3a2aea1023ac3a914f17dd71c8

SHA1
9e7971b3589d454767da1d3fd1604b81bed54692

SHA256
dfb043fc260dea49c596e2982c21019e22cc2804e32b98cba62d0bd05f36d6b3

SHA512
43e83ffe498ea8a17b835301ba0bde81eafb015c0a36e4e7f139f7b4326050309a433788c49a536e25f277153c72a87ed435d1d1a48b1c2d4b51bb7ef2bd1e1c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
187KB

MD5
d647fcbc88c9673e3a7f745662ff783c

SHA1
3a06d6716ca9430558c3295607378ec0310f2e7e

SHA256
1a94246b911d97378be811d066891f6cc8323c96dc69d009c656e09702b401ee

SHA512
5c79f860daf95b2e1cac5d5bf809a0fef377383fb3d9c11f5906b177c4588ef81c4b2b95e82e141f9c4ec38de289bdd87c497a460c9795f13e3d9210ad74b30d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
57KB

MD5
74ae9689cb04bde426e036319feeb49b

SHA1
b932fd3571f6113cacf1e5eb2b3453a05887963c

SHA256
b59f5c8dc70d0092f4257c3e13745f67e6324edeee709eff32336d3c93bca180

SHA512
642d69ab7ef11418b9d97cfa8882ba38ba5c08fcec428a8a758b9de8ee1d576b4d1fe1a2ca93dc4f1f5e6a8eba8c21f7309975c0c43033350d51e5efe7fcafca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
77KB

MD5
cfb441921b2dadfed89a713e8782ebb1

SHA1
1af9a779a43efc6ca928611ee0363a0e0ec1cead

SHA256
969b0c26c660b6afebd4c129eb2c0c315794329a153e53c6862974600ca26c73

SHA512
dcd4d2bae4cb6475463739231fbbd304f42b7d8680f258ed7f70f0c4e9e6aa88cf333f56edf268e6c3c3368fd32e9769918a8752a3668779b3ee79fa9269eaac

Download Submit
memory/224-5-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/224-17-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/224-3-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/224-4-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/224-6-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/600-83-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/600-87-0x0000000000410000-0x00000000004D5000-memory.dmp

Filesize
788KB

Download
memory/600-79-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/600-86-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/720-36-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/720-21-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/720-23-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/720-24-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/720-29-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/720-53-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/720-72-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/720-30-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/720-34-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/720-37-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1896-130-0x0000000000410000-0x0000000000411000-memory.dmp

Filesize
4KB

Download
memory/2812-212-0x0000000000ADE000-0x0000000000AEE000-memory.dmp

Filesize
64KB

Download
memory/2932-82-0x0000000000919000-0x000000000092A000-memory.dmp

Filesize
68KB

Download
memory/2932-95-0x00000000001F0000-0x00000000001F4000-memory.dmp

Filesize
16KB

Download
memory/2932-84-0x00000000001F0000-0x00000000001F4000-memory.dmp

Filesize
16KB

Download
memory/3164-141-0x0000000000820000-0x0000000000920000-memory.dmp

Filesize
1024KB

Download
memory/3164-133-0x0000000000820000-0x0000000000920000-memory.dmp

Filesize
1024KB

Download
memory/3696-49-0x0000000000510000-0x0000000000610000-memory.dmp

Filesize
1024KB

Download
memory/3696-50-0x0000000000610000-0x0000000000640000-memory.dmp

Filesize
192KB

Download
memory/3744-160-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/3752-75-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/3752-46-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/3752-51-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/3752-52-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/4116-101-0x0000000000850000-0x0000000000950000-memory.dmp

Filesize
1024KB

Download
memory/4264-184-0x0000000000A50000-0x0000000000B50000-memory.dmp

Filesize
1024KB

Download
memory/4544-1-0x00000000020D0000-0x0000000002169000-memory.dmp

Filesize
612KB

Download
memory/4544-2-0x0000000002180000-0x000000000229B000-memory.dmp

Filesize
1.1MB

Download
memory/4640-22-0x0000000002050000-0x00000000020E2000-memory.dmp

Filesize
584KB

Download
memory/4876-159-0x0000000000890000-0x0000000000990000-memory.dmp

Filesize
1024KB

Download