djvu | 66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678

Analysis

max time kernel
297s
max time network
241s
platform
windows10-1703_x64
resource
win10-20231220-en
resource tags

arch:x64arch:x86image:win10-20231220-enlocale:en-usos:windows10-1703-x64system
submitted
05-02-2024 04:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
Size

737KB
MD5

93c82a57837aae4227b65a84b2e7c787
SHA1

469d0f9920d93029c4cdf2832d0df9939a17e5e4
SHA256

66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678
SHA512

be00ea6ed8b6c3948374d46a83873adf9f40af21db5dd42985fe736dc46cb03fe72ceb8b5593aa7f30937fd92d064486b3856afd5892f1c67b518e26eba0ae64
SSDEEP

12288:Q2IwAVLmgpXICA9qcs0gsq8TgvHDVEk25wZ5C2UGhh6a+Wh7P3auMkTQ9ymQAd:dAVLmAXku0gs6HDVEkXZ52Ghh9+23hQ

Score

10^/10

djvu vidar 1b9d7ec5a25ab9d78c31777a0016a097 discovery persistence ransomware stealer

Malware Config

Extracted

Family

djvu

http://habrafa.com/test1/get.php

Attributes

extension
.cdcc
offline_id
LBxKKiegnAy53rpqH3Pj2j46vwldiEt9kqHSuMt1
payload_url
http://brusuax.com/dl/build2.exe
http://habrafa.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-iVcrVFVRqu Price of private key and decrypt software is $1999. Discount 50% available if you contact us first 72 hours, that's price for you is $999. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0846ASdw

rsa_pubkey.plain

Extracted

Family

vidar

Version

7.6

Botnet

1b9d7ec5a25ab9d78c31777a0016a097

https://t.me/tvrugrats

https://steamcommunity.com/profiles/76561199627279110

Attributes

profile_id_v2
1b9d7ec5a25ab9d78c31777a0016a097

Signatures

Detect Vidar Stealer 6 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/4888-50-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral2/memory/4616-54-0x00000000005C0000-0x00000000005F0000-memory.dmp	family_vidar_v7
behavioral2/memory/4888-55-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral2/memory/4888-56-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral2/memory/4888-70-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral2/memory/3480-160-0x0000000000920000-0x0000000000A20000-memory.dmp	family_vidar_v7

Detected Djvu ransomware 16 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3544-3-0x00000000021E0000-0x00000000022FB000-memory.dmp	family_djvu
behavioral2/memory/3884-2-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3884-5-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3884-6-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3884-4-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3884-19-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3500-24-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3500-26-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3500-25-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3500-34-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3500-33-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3500-40-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3500-41-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3500-38-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3500-57-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3500-68-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file
Executes dropped EXE 12 IoCs

Processes:

build2.exebuild2.exebuild3.exebuild3.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exe

pid process

4616 build2.exe
4888 build2.exe
3832 build3.exe
4936 build3.exe
868 mstsca.exe
3720 mstsca.exe
340 mstsca.exe
1876 mstsca.exe
3480 mstsca.exe
4036 mstsca.exe
4604 mstsca.exe
3820 mstsca.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

4944 icacls.exe

pid	process
4616	build2.exe
4888	build2.exe
3832	build3.exe
4936	build3.exe
868	mstsca.exe
3720	mstsca.exe
340	mstsca.exe
1876	mstsca.exe
3480	mstsca.exe
4036	mstsca.exe
4604	mstsca.exe
3820	mstsca.exe

pid	process
4944	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1775739321-368907234-981748298-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\713d83c1-42e5-4714-bd1b-42191afb0669\\66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe\" --AutoStart"	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 api.2ip.ua
10 api.2ip.ua
1 api.2ip.ua

flow	ioc
2	api.2ip.ua
10	api.2ip.ua
1	api.2ip.ua

Suspicious use of SetThreadContext 8 IoCs

Processes:

66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exebuild2.exebuild3.exemstsca.exemstsca.exemstsca.exemstsca.exe

description	pid	process	target process
PID 3544 set thread context of 3884	3544	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
PID 3092 set thread context of 3500	3092	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
PID 4616 set thread context of 4888	4616	build2.exe	build2.exe
PID 3832 set thread context of 4936	3832	build3.exe	build3.exe
PID 868 set thread context of 3720	868	mstsca.exe	mstsca.exe
PID 340 set thread context of 1876	340	mstsca.exe	mstsca.exe
PID 3480 set thread context of 4036	3480	mstsca.exe	mstsca.exe
PID 4604 set thread context of 3820	4604	mstsca.exe	mstsca.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1120 4888 WerFault.exe build2.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3504 schtasks.exe
216 schtasks.exe

pid	pid_target	process	target process
1120	4888	WerFault.exe	build2.exe

pid	process
3504	schtasks.exe
216	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe

pid	process
3884	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
3884	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
3500	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
3500	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exebuild2.exebuild3.exebuild3.exemstsca.exemstsca.exe

description	pid	process	target process
PID 3544 wrote to memory of 3884	3544	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
PID 3544 wrote to memory of 3884	3544	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
PID 3544 wrote to memory of 3884	3544	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
PID 3544 wrote to memory of 3884	3544	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
PID 3544 wrote to memory of 3884	3544	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
PID 3544 wrote to memory of 3884	3544	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
PID 3544 wrote to memory of 3884	3544	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
PID 3544 wrote to memory of 3884	3544	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
PID 3544 wrote to memory of 3884	3544	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
PID 3544 wrote to memory of 3884	3544	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
PID 3884 wrote to memory of 4944	3884	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	icacls.exe
PID 3884 wrote to memory of 4944	3884	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	icacls.exe
PID 3884 wrote to memory of 4944	3884	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	icacls.exe
PID 3884 wrote to memory of 3092	3884	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
PID 3884 wrote to memory of 3092	3884	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
PID 3884 wrote to memory of 3092	3884	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
PID 3092 wrote to memory of 3500	3092	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
PID 3092 wrote to memory of 3500	3092	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
PID 3092 wrote to memory of 3500	3092	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
PID 3092 wrote to memory of 3500	3092	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
PID 3092 wrote to memory of 3500	3092	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
PID 3092 wrote to memory of 3500	3092	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
PID 3092 wrote to memory of 3500	3092	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
PID 3092 wrote to memory of 3500	3092	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
PID 3092 wrote to memory of 3500	3092	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
PID 3092 wrote to memory of 3500	3092	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
PID 3500 wrote to memory of 4616	3500	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	build2.exe
PID 3500 wrote to memory of 4616	3500	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	build2.exe
PID 3500 wrote to memory of 4616	3500	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	build2.exe
PID 4616 wrote to memory of 4888	4616	build2.exe	build2.exe
PID 4616 wrote to memory of 4888	4616	build2.exe	build2.exe
PID 4616 wrote to memory of 4888	4616	build2.exe	build2.exe
PID 4616 wrote to memory of 4888	4616	build2.exe	build2.exe
PID 4616 wrote to memory of 4888	4616	build2.exe	build2.exe
PID 4616 wrote to memory of 4888	4616	build2.exe	build2.exe
PID 4616 wrote to memory of 4888	4616	build2.exe	build2.exe
PID 4616 wrote to memory of 4888	4616	build2.exe	build2.exe
PID 4616 wrote to memory of 4888	4616	build2.exe	build2.exe
PID 4616 wrote to memory of 4888	4616	build2.exe	build2.exe
PID 3500 wrote to memory of 3832	3500	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	build3.exe
PID 3500 wrote to memory of 3832	3500	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	build3.exe
PID 3500 wrote to memory of 3832	3500	66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe	build3.exe
PID 3832 wrote to memory of 4936	3832	build3.exe	build3.exe
PID 3832 wrote to memory of 4936	3832	build3.exe	build3.exe
PID 3832 wrote to memory of 4936	3832	build3.exe	build3.exe
PID 3832 wrote to memory of 4936	3832	build3.exe	build3.exe
PID 3832 wrote to memory of 4936	3832	build3.exe	build3.exe
PID 3832 wrote to memory of 4936	3832	build3.exe	build3.exe
PID 3832 wrote to memory of 4936	3832	build3.exe	build3.exe
PID 3832 wrote to memory of 4936	3832	build3.exe	build3.exe
PID 3832 wrote to memory of 4936	3832	build3.exe	build3.exe
PID 4936 wrote to memory of 3504	4936	build3.exe	schtasks.exe
PID 4936 wrote to memory of 3504	4936	build3.exe	schtasks.exe
PID 4936 wrote to memory of 3504	4936	build3.exe	schtasks.exe
PID 868 wrote to memory of 3720	868	mstsca.exe	mstsca.exe
PID 868 wrote to memory of 3720	868	mstsca.exe	mstsca.exe
PID 868 wrote to memory of 3720	868	mstsca.exe	mstsca.exe
PID 868 wrote to memory of 3720	868	mstsca.exe	mstsca.exe
PID 868 wrote to memory of 3720	868	mstsca.exe	mstsca.exe
PID 868 wrote to memory of 3720	868	mstsca.exe	mstsca.exe
PID 868 wrote to memory of 3720	868	mstsca.exe	mstsca.exe
PID 868 wrote to memory of 3720	868	mstsca.exe	mstsca.exe
PID 868 wrote to memory of 3720	868	mstsca.exe	mstsca.exe
PID 3720 wrote to memory of 216	3720	mstsca.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
"C:\Users\Admin\AppData\Local\Temp\66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3544

C:\Users\Admin\AppData\Local\Temp\66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
"C:\Users\Admin\AppData\Local\Temp\66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3884

C:\Users\Admin\AppData\Local\Temp\66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
"C:\Users\Admin\AppData\Local\Temp\66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3092

C:\Users\Admin\AppData\Local\Temp\66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
"C:\Users\Admin\AppData\Local\Temp\66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3500

C:\Users\Admin\AppData\Local\9b564772-cb36-4f3d-bcd4-b1582185bfc4\build2.exe
"C:\Users\Admin\AppData\Local\9b564772-cb36-4f3d-bcd4-b1582185bfc4\build2.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4616

C:\Users\Admin\AppData\Local\9b564772-cb36-4f3d-bcd4-b1582185bfc4\build2.exe
"C:\Users\Admin\AppData\Local\9b564772-cb36-4f3d-bcd4-b1582185bfc4\build2.exe"
6⤵
- Executes dropped EXE
PID:4888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 1908
7⤵
- Program crash
PID:1120

C:\Users\Admin\AppData\Local\9b564772-cb36-4f3d-bcd4-b1582185bfc4\build3.exe
"C:\Users\Admin\AppData\Local\9b564772-cb36-4f3d-bcd4-b1582185bfc4\build3.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3832

C:\Users\Admin\AppData\Local\9b564772-cb36-4f3d-bcd4-b1582185bfc4\build3.exe
"C:\Users\Admin\AppData\Local\9b564772-cb36-4f3d-bcd4-b1582185bfc4\build3.exe"
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4936

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
7⤵
- Creates scheduled task(s)
PID:3504

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\713d83c1-42e5-4714-bd1b-42191afb0669" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:4944

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:868

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3720

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
3⤵
- Creates scheduled task(s)
PID:216

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:340

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
PID:1876

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3480

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
PID:4036

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4604

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
PID:3820

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
1KB

MD5
c59708a86e78530488f2356251e775a2

SHA1
17e33e077261cdd9e54d4e58dfb168f15ee93efb

SHA256
71719971666e64a4f767e8f9d0b52e822189c4bfb1fe449a0e7c8066c82813c2

SHA512
42afd4d2c791ea8cb239130cf4f4d43da0ec39c63049c56796e082282e2ba2f0cd0fd8934b7de3b359ca433b0609ad159fda6f92168168f2d4517f13fbbb3fbf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
410B

MD5
14b573f76204aebf5fc985a5abda78bd

SHA1
31f9ba0bc40a79a20bcc82b6c6b71ffb4e8582c2

SHA256
fe625ff5b152695346e1dbb2f5725dd6f66f5b2a7f7ca249da1c204ca1da9f0b

SHA512
dd7144afb9994737d30cfddf500e6dd6850a002bb7c974b66f38cd7d403404e9c4fd94c38fa71feb09b67ecbbd13c1992ce595a4f4986e2b4eefaf86812b7f5c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
392B

MD5
a48c200f35974443cb8a38dbc9702f7c

SHA1
67f41385ae20b4394b8b8bd91c842272572f6d06

SHA256
79d81f18262bb225cc264f6657bfdf4c2c31b8f45b37bc3c44cd3dfa717a4fac

SHA512
b8905baad46f62261d7c8908d90d47485fa81b3ccf5b4b7c6cec5aa135704bfdf7ecd43603484106cd4911dc6ff9636d32b065ae11370e1d5d33f9abf42216a8

Download Submit
C:\Users\Admin\AppData\Local\713d83c1-42e5-4714-bd1b-42191afb0669\66279c22a4fc8671cbf5e2aa2790c0a869921b12600d3d55e4056e5da81ee678.exe
Filesize
79KB

MD5
7b924a3c76207e6398fb419759489c1f

SHA1
8a1b10ad9af1ebd654590a735304513b97b9b2b9

SHA256
f91f5ce7f13552d65b07346d74ff114ef9cc86a05187cf4a75fb72807445ada4

SHA512
c45ef43a805cb8cdd7862753d9b263c67790ffef10dc01eacb5012728a5c466e22de93500cde223ec1a544b8c11806c8126dfb33b0f68d903905a2e6064cdfc7

Download Submit
C:\Users\Admin\AppData\Local\9b564772-cb36-4f3d-bcd4-b1582185bfc4\build2.exe
Filesize
241KB

MD5
7a13190e00667a982b7187fcef6e8c80

SHA1
6362728654bf48cb0949038c9a2ed3c67ac5af1f

SHA256
85c9faa5b847a45b9f3a36bbceb236f9de4e1e7e2c4ae0c59ffcb69f503be2ad

SHA512
34aa22624fa71b11c8b58818b1b9d8c59a135c0813d2ae9950d3e40020da122255c8a3442b33b5a57f8ac2faf33c46b827a916dc30da923201b16e1c48824a05

Download Submit
C:\Users\Admin\AppData\Local\9b564772-cb36-4f3d-bcd4-b1582185bfc4\build2.exe
Filesize
270KB

MD5
20ea36c6634aa87d4101ff1c254c149f

SHA1
7fe6f51a7e47ea2071544e562aca71752fcaa9d8

SHA256
d783614a56e740c4dda016ee1228923b5b0fba8a7cfa64d1d0659f7a0d7effac

SHA512
d98890eff9a8f3868d378af60313bfbbd77e366462e717c0b389baf724288c7f208d0a1606f89a67268e4287b461ff93113b3911dc56e9838d8d736bbc352489

Download Submit
C:\Users\Admin\AppData\Local\9b564772-cb36-4f3d-bcd4-b1582185bfc4\build2.exe
Filesize
360KB

MD5
98b1c66ab32c980bde74dafe58786638

SHA1
afbd97a4b095c44b2e73f3ee548f5552088e8856

SHA256
9764176705d8a0ce8a6e64d971abaa4b54badd0910a1382e0d9624a37ce926dd

SHA512
ac96852e763261b9776503b94abd9788430c3ae42e97773dd53377f52f3970633b26b9d67c2262d8201736d64e652a3a44532f7f312f289edf31e0d41953925f

Download Submit
C:\Users\Admin\AppData\Local\9b564772-cb36-4f3d-bcd4-b1582185bfc4\build3.exe
Filesize
129KB

MD5
0fb3699fe907a6721c211b92519e15d8

SHA1
93f9048c521c5bb9b6fad01c0094444b84a4cd1e

SHA256
fbb74d0c86330756bd6308dd91b9b9c194a256829fdffa83aaeff849745654f9

SHA512
a854018b2084e534be06786d815f698570539d93fdc5241f1cab6953f8ed461eb087115aef643c19af23180c2f7e8d3f47cc9ab34eb7f510f3b7604a8cde6bf8

Download Submit
C:\Users\Admin\AppData\Local\9b564772-cb36-4f3d-bcd4-b1582185bfc4\build3.exe
Filesize
299KB

MD5
41b883a061c95e9b9cb17d4ca50de770

SHA1
1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad

SHA256
fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408

SHA512
cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

Download Submit
memory/340-134-0x0000000000A80000-0x0000000000B80000-memory.dmp

Filesize
1024KB

Download
memory/868-107-0x0000000000AA0000-0x0000000000BA0000-memory.dmp

Filesize
1024KB

Download
memory/3092-22-0x0000000001FC0000-0x0000000002059000-memory.dmp

Filesize
612KB

Download
memory/3480-160-0x0000000000920000-0x0000000000A20000-memory.dmp

Filesize
1024KB

Download
memory/3500-26-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3500-68-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3500-34-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3500-33-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3500-40-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3500-41-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3500-38-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3500-57-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3500-24-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3500-25-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3544-1-0x0000000002140000-0x00000000021DD000-memory.dmp

Filesize
628KB

Download
memory/3544-3-0x00000000021E0000-0x00000000022FB000-memory.dmp

Filesize
1.1MB

Download
memory/3832-77-0x0000000000A90000-0x0000000000B90000-memory.dmp

Filesize
1024KB

Download
memory/3832-79-0x0000000000860000-0x0000000000864000-memory.dmp

Filesize
16KB

Download
memory/3884-4-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3884-19-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3884-6-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3884-5-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3884-2-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4604-187-0x000000000095E000-0x000000000096E000-memory.dmp

Filesize
64KB

Download
memory/4616-54-0x00000000005C0000-0x00000000005F0000-memory.dmp

Filesize
192KB

Download
memory/4616-73-0x00000000005C0000-0x00000000005F0000-memory.dmp

Filesize
192KB

Download
memory/4616-53-0x0000000000790000-0x0000000000890000-memory.dmp

Filesize
1024KB

Download
memory/4888-50-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/4888-70-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/4888-56-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/4888-55-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/4936-81-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4936-83-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4936-76-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download