djvu | 7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4

Analysis

max time kernel
299s
max time network
295s
platform
windows10-1703_x64
resource
win10-20231220-en
resource tags

arch:x64arch:x86image:win10-20231220-enlocale:en-usos:windows10-1703-x64system
submitted
05-02-2024 04:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe
Size

729KB
MD5

3f51b9adc83302f0a3a63a9ce89b5a25
SHA1

934d5c5b4e3c86c9ae3e7df7150cbdee9d24c113
SHA256

7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4
SHA512

d7f5d7a15bb6df80234c818e8e92c310643f3493030ac6cf02f7c8865e97125ed530c0a9819b22aec0311b34d329239f33cd4563238d198e6a43b1ca5a90efc4
SSDEEP

12288:Yd+RYmXPSXL6YOcrS0sKN+mR7Z1JFVFaM1Nolw6OWqY:YcXX6LOcrSwNXR7TOMXcOWH

Score

10^/10

djvu vidar 1b9d7ec5a25ab9d78c31777a0016a097 discovery persistence ransomware stealer

Malware Config

Extracted

Family

djvu

http://habrafa.com/test1/get.php

Attributes

extension
.cdcc
offline_id
LBxKKiegnAy53rpqH3Pj2j46vwldiEt9kqHSuMt1
payload_url
http://brusuax.com/dl/build2.exe
http://habrafa.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-iVcrVFVRqu Price of private key and decrypt software is $1999. Discount 50% available if you contact us first 72 hours, that's price for you is $999. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0846ASdw

rsa_pubkey.plain

Extracted

Family

vidar

Version

7.6

Botnet

1b9d7ec5a25ab9d78c31777a0016a097

https://t.me/tvrugrats

https://steamcommunity.com/profiles/76561199627279110

Attributes

profile_id_v2
1b9d7ec5a25ab9d78c31777a0016a097

Signatures

Detect Vidar Stealer 6 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/2556-45-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral2/memory/2556-44-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral2/memory/3124-41-0x00000000006F0000-0x0000000000720000-memory.dmp	family_vidar_v7
behavioral2/memory/2556-40-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral2/memory/2556-58-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral2/memory/2160-127-0x0000000000A60000-0x0000000000B60000-memory.dmp	family_vidar_v7

Detected Djvu ransomware 17 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4080-1-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4080-6-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4080-5-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/628-4-0x0000000002250000-0x000000000236B000-memory.dmp	family_djvu
behavioral2/memory/4080-2-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4080-17-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/432-22-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/432-24-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/432-23-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/432-30-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/432-29-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/432-54-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/432-55-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/432-52-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/432-56-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/432-65-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1720-157-0x0000000000A10000-0x0000000000B10000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Executes dropped EXE 12 IoCs

Processes:

build2.exebuild2.exebuild3.exebuild3.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exe

pid	process
3124	build2.exe
2556	build2.exe
3044	build3.exe
2188	build3.exe
1752	mstsca.exe
196	mstsca.exe
2160	mstsca.exe
3588	mstsca.exe
1720	mstsca.exe
2564	mstsca.exe
4168	mstsca.exe
4216	mstsca.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

3596 icacls.exe

pid	process
3596	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\4905a76e-0988-4f8c-9c1a-b29ffd7fe496\\7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe\" --AutoStart"	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 api.2ip.ua
2 api.2ip.ua
8 api.2ip.ua

flow	ioc
1	api.2ip.ua
2	api.2ip.ua
8	api.2ip.ua

Suspicious use of SetThreadContext 8 IoCs

Processes:

7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exebuild2.exebuild3.exemstsca.exemstsca.exemstsca.exemstsca.exe

description	pid	process	target process
PID 628 set thread context of 4080	628	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe
PID 4368 set thread context of 432	4368	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe
PID 3124 set thread context of 2556	3124	build2.exe	build2.exe
PID 3044 set thread context of 2188	3044	build3.exe	build3.exe
PID 1752 set thread context of 196	1752	mstsca.exe	mstsca.exe
PID 2160 set thread context of 3588	2160	mstsca.exe	mstsca.exe
PID 1720 set thread context of 2564	1720	mstsca.exe	mstsca.exe
PID 4168 set thread context of 4216	4168	mstsca.exe	mstsca.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4972 2556 WerFault.exe build2.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4940 schtasks.exe
3732 schtasks.exe

pid	pid_target	process	target process
4972	2556	WerFault.exe	build2.exe

pid	process
4940	schtasks.exe
3732	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe

pid	process
4080	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe
4080	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe
432	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe
432	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exebuild2.exebuild3.exebuild3.exemstsca.exemstsca.exe

description	pid	process	target process
PID 628 wrote to memory of 4080	628	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe
PID 628 wrote to memory of 4080	628	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe
PID 628 wrote to memory of 4080	628	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe
PID 628 wrote to memory of 4080	628	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe
PID 628 wrote to memory of 4080	628	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe
PID 628 wrote to memory of 4080	628	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe
PID 628 wrote to memory of 4080	628	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe
PID 628 wrote to memory of 4080	628	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe
PID 628 wrote to memory of 4080	628	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe
PID 628 wrote to memory of 4080	628	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe
PID 4080 wrote to memory of 3596	4080	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe	icacls.exe
PID 4080 wrote to memory of 3596	4080	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe	icacls.exe
PID 4080 wrote to memory of 3596	4080	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe	icacls.exe
PID 4080 wrote to memory of 4368	4080	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe
PID 4080 wrote to memory of 4368	4080	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe
PID 4080 wrote to memory of 4368	4080	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe
PID 4368 wrote to memory of 432	4368	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe
PID 4368 wrote to memory of 432	4368	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe
PID 4368 wrote to memory of 432	4368	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe
PID 4368 wrote to memory of 432	4368	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe
PID 4368 wrote to memory of 432	4368	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe
PID 4368 wrote to memory of 432	4368	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe
PID 4368 wrote to memory of 432	4368	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe
PID 4368 wrote to memory of 432	4368	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe
PID 4368 wrote to memory of 432	4368	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe
PID 4368 wrote to memory of 432	4368	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe
PID 432 wrote to memory of 3124	432	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe	build2.exe
PID 432 wrote to memory of 3124	432	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe	build2.exe
PID 432 wrote to memory of 3124	432	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe	build2.exe
PID 3124 wrote to memory of 2556	3124	build2.exe	build2.exe
PID 3124 wrote to memory of 2556	3124	build2.exe	build2.exe
PID 3124 wrote to memory of 2556	3124	build2.exe	build2.exe
PID 3124 wrote to memory of 2556	3124	build2.exe	build2.exe
PID 3124 wrote to memory of 2556	3124	build2.exe	build2.exe
PID 3124 wrote to memory of 2556	3124	build2.exe	build2.exe
PID 3124 wrote to memory of 2556	3124	build2.exe	build2.exe
PID 3124 wrote to memory of 2556	3124	build2.exe	build2.exe
PID 3124 wrote to memory of 2556	3124	build2.exe	build2.exe
PID 3124 wrote to memory of 2556	3124	build2.exe	build2.exe
PID 432 wrote to memory of 3044	432	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe	build3.exe
PID 432 wrote to memory of 3044	432	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe	build3.exe
PID 432 wrote to memory of 3044	432	7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe	build3.exe
PID 3044 wrote to memory of 2188	3044	build3.exe	build3.exe
PID 3044 wrote to memory of 2188	3044	build3.exe	build3.exe
PID 3044 wrote to memory of 2188	3044	build3.exe	build3.exe
PID 3044 wrote to memory of 2188	3044	build3.exe	build3.exe
PID 3044 wrote to memory of 2188	3044	build3.exe	build3.exe
PID 3044 wrote to memory of 2188	3044	build3.exe	build3.exe
PID 3044 wrote to memory of 2188	3044	build3.exe	build3.exe
PID 3044 wrote to memory of 2188	3044	build3.exe	build3.exe
PID 3044 wrote to memory of 2188	3044	build3.exe	build3.exe
PID 2188 wrote to memory of 4940	2188	build3.exe	schtasks.exe
PID 2188 wrote to memory of 4940	2188	build3.exe	schtasks.exe
PID 2188 wrote to memory of 4940	2188	build3.exe	schtasks.exe
PID 1752 wrote to memory of 196	1752	mstsca.exe	mstsca.exe
PID 1752 wrote to memory of 196	1752	mstsca.exe	mstsca.exe
PID 1752 wrote to memory of 196	1752	mstsca.exe	mstsca.exe
PID 1752 wrote to memory of 196	1752	mstsca.exe	mstsca.exe
PID 1752 wrote to memory of 196	1752	mstsca.exe	mstsca.exe
PID 1752 wrote to memory of 196	1752	mstsca.exe	mstsca.exe
PID 1752 wrote to memory of 196	1752	mstsca.exe	mstsca.exe
PID 1752 wrote to memory of 196	1752	mstsca.exe	mstsca.exe
PID 1752 wrote to memory of 196	1752	mstsca.exe	mstsca.exe
PID 196 wrote to memory of 3732	196	mstsca.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe
"C:\Users\Admin\AppData\Local\Temp\7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:628

C:\Users\Admin\AppData\Local\Temp\7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe
"C:\Users\Admin\AppData\Local\Temp\7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4080

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\4905a76e-0988-4f8c-9c1a-b29ffd7fe496" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:3596

C:\Users\Admin\AppData\Local\Temp\7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe
"C:\Users\Admin\AppData\Local\Temp\7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4368

C:\Users\Admin\AppData\Local\Temp\7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe
"C:\Users\Admin\AppData\Local\Temp\7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:432

C:\Users\Admin\AppData\Local\d5f7ee14-65bf-4c99-bca1-2c2d64c6848e\build2.exe
"C:\Users\Admin\AppData\Local\d5f7ee14-65bf-4c99-bca1-2c2d64c6848e\build2.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3124

C:\Users\Admin\AppData\Local\d5f7ee14-65bf-4c99-bca1-2c2d64c6848e\build2.exe
"C:\Users\Admin\AppData\Local\d5f7ee14-65bf-4c99-bca1-2c2d64c6848e\build2.exe"
6⤵
- Executes dropped EXE
PID:2556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2556 -s 816
7⤵
- Program crash
PID:4972

C:\Users\Admin\AppData\Local\d5f7ee14-65bf-4c99-bca1-2c2d64c6848e\build3.exe
"C:\Users\Admin\AppData\Local\d5f7ee14-65bf-4c99-bca1-2c2d64c6848e\build3.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3044

C:\Users\Admin\AppData\Local\d5f7ee14-65bf-4c99-bca1-2c2d64c6848e\build3.exe
"C:\Users\Admin\AppData\Local\d5f7ee14-65bf-4c99-bca1-2c2d64c6848e\build3.exe"
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2188

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
1⤵
- Creates scheduled task(s)
PID:4940

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1752

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:196

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
3⤵
- Creates scheduled task(s)
PID:3732

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2160

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
PID:3588

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1720

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
PID:2564

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4168

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
PID:4216

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
1KB

MD5
c59708a86e78530488f2356251e775a2

SHA1
17e33e077261cdd9e54d4e58dfb168f15ee93efb

SHA256
71719971666e64a4f767e8f9d0b52e822189c4bfb1fe449a0e7c8066c82813c2

SHA512
42afd4d2c791ea8cb239130cf4f4d43da0ec39c63049c56796e082282e2ba2f0cd0fd8934b7de3b359ca433b0609ad159fda6f92168168f2d4517f13fbbb3fbf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
410B

MD5
9e83f4a69260806c341b9659f26f0d55

SHA1
1356a372c1e88ebc3ed5b5b052f2dcf35222d56e

SHA256
4894fa15b24e31f31931e5ac19b2d8c6fa73247fb32be851a37a600a3a3dffbc

SHA512
06338135c32fa4b3bd9faf944e85581c9d1100d5aaaa9c66ee8ffdcd0562ec564f0d4764693a9576971c66cf13fe9e79eec6ebaf77bd78c885d37eb5ff051200

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
392B

MD5
d93f86c24687daec2bf515147f134c56

SHA1
ad943b286670a1ab30696c3a82e03822d2ed27d8

SHA256
fe43b7d109854727bd2ac9aa483e518fe6cae397c3f7bcbb98e6ee5d6c834b3c

SHA512
f2751e860dcdffa071a0ec35f7276a348d2e0d474a4afc4d5cf7345ddc1ff49caa3f0bcfffd09c1144304ce36cdba104b7bf03e43e5481deb0f887f266d8659b

Download Submit
C:\Users\Admin\AppData\Local\4905a76e-0988-4f8c-9c1a-b29ffd7fe496\7c7654e6f0c8b70f2317787fe7b17ba8f42349786243b8438596d89404f968e4.exe
Filesize
272KB

MD5
0e6cf787f24a448f15b1b6cd8bb21b5e

SHA1
66d9cf6c2c0ed411aaaf7aa418c9a0cecfce5a2e

SHA256
89d0b30e4fe3e06415001b232d9111d5905d49c0b95bb9432eb6e38e1c5667d0

SHA512
471bd948e7ea28b8a11e4c5092c15666921b0bf3c908022af5f8ee1baa0d06c395c8df4dc5763c77ef223a12e1ccb3638c796878d9c057642f6e592be9bc6b41

Download Submit
C:\Users\Admin\AppData\Local\d5f7ee14-65bf-4c99-bca1-2c2d64c6848e\build2.exe
Filesize
82KB

MD5
4eca0ba73dd8fb16dc0e28696f3a0588

SHA1
e86163e32bb754ee9bf33aafae48d1863fece999

SHA256
8c327595d8ee25e9da453d605d214525210fcfb02ec36318e9a738b7c671401a

SHA512
d9aaf6b8835a3fd6b5a913759b1f0a6a8455df0e05c1e43a73a2b678ce81ee70df4370a830b96dad0c333bcb8a821076797df0689f96b735dd8476bbd8e0caf9

Download Submit
C:\Users\Admin\AppData\Local\d5f7ee14-65bf-4c99-bca1-2c2d64c6848e\build2.exe
Filesize
44KB

MD5
ffbfe1c48b6482c057b97327a661982a

SHA1
1619419d64b38fd58fbb94b953551168b104b934

SHA256
d720c9d90bf2a8d2e0fda2dc926a6110a807d01171d05ff651827812da081ff8

SHA512
bdcf618b9204c9e5feb411dbc13dcf522b2a94127846000e259c3a01fa3ea0e84e00914742c437318b9e846c0b60aa1c35f2fe2d2d7d255d9b1ee2934f047fff

Download Submit
C:\Users\Admin\AppData\Local\d5f7ee14-65bf-4c99-bca1-2c2d64c6848e\build2.exe
Filesize
105KB

MD5
ad2e0f28c9cd76b5462166ec1cead7a5

SHA1
fe4913fbf3495174c78da35411ebdd3365e27a5c

SHA256
3ad25db425cee52f40117e28913cb7320ce85d76651798a1d68dec3c1b7ae850

SHA512
537076630ed81fd2cd09b4e7c7dda6d99941e0e1e8e710f0eea63b9b97c9404924b8fb1d270e03eb0809e5982f3b57302362851c30136c4234d21debd986fe20

Download Submit
C:\Users\Admin\AppData\Local\d5f7ee14-65bf-4c99-bca1-2c2d64c6848e\build3.exe
Filesize
187KB

MD5
9263efeba2ec1e7a071e36787b9576bc

SHA1
cb65b842f91f01554980fc092005d9744f31dbe4

SHA256
68e2b9d69652a5374f761131c6b3213ef9d4c40aebd7618ac728df19b302e625

SHA512
0fa1a11f4c8194b3af768b5ddcc557f9944d9e9b061583f0a7e9e535e8a29c10640e8ca70128f7ac48add644695c5923cf3ee362921ab92b932c3f4c5c651f1a

Download Submit
C:\Users\Admin\AppData\Local\d5f7ee14-65bf-4c99-bca1-2c2d64c6848e\build3.exe
Filesize
41KB

MD5
57c547c55287a1e4df38294280efb249

SHA1
88c001c95c0d39202e35c95b0cba5932cdc1f80e

SHA256
e4e4e59f279e1c0d21781eb4a9f2ee1518b6c838297d659806bb7b7e18190324

SHA512
efaccdabd37a2ca7eb6eeacfb9fcb49a383b2d312ae68da4ca2a1a4fc36d657247b33dda3cad58d02c4e4646c68e780506e0b2db90110d10fb3a88bad0ec2b83

Download Submit
C:\Users\Admin\AppData\Local\d5f7ee14-65bf-4c99-bca1-2c2d64c6848e\build3.exe
Filesize
220KB

MD5
881e551f4c91afad043ea459bf8b1b7d

SHA1
5ee8e111d6c4974aad472bdf2e0b845f53930775

SHA256
51ef480d4fa6c1b68509872ed86f93addf09e6622c723e56e6a480d319020c52

SHA512
ea16ff5b84229e794e472f1d2f79f25f79f7404b390195678c1e0bfcea0254ab472cbb6d7644c46365c9c6407bbd65b1ce51d7c9df8ee31113792e3b94d57b5a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
299KB

MD5
41b883a061c95e9b9cb17d4ca50de770

SHA1
1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad

SHA256
fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408

SHA512
cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
256KB

MD5
dad4698391b70f3871cd9afc427816bd

SHA1
9570efe3bee459c289fbcca10ba14cabd5a1f3a4

SHA256
3427ab84ea6f578a103e44b68ecbd9a99fc5defb9c3b0690c8f3ef7d8ba361e6

SHA512
00975f045fdfdf188e4fa3650908c5e636b2de5419ae1edad447369a15fc6180176827064fa269eb06ba7616bf515f1f35a3d2129e479e5a4d91a73406cd2f44

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
39KB

MD5
09ae8bc3ffba1011be2640675830cf12

SHA1
0770ca0eadce34e8fa45de3226c6331521f1a23a

SHA256
734bcc1acde254747ddd55bbba4d35fecc0f8df3ea165d87340050289e286360

SHA512
10da365dd2bda227901143c291eb38c81ea91f78eab1c0ada7353ad3e5823d154db7a6207a76afba62d01d1a07824a21fa3ec1fe2b64bc71b69274905fec7803

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
165KB

MD5
b2b41a65563879948e09e17771194092

SHA1
2ed0b8a5b67ac1078f8c115997b00de0266f4b17

SHA256
487bf7d55cc33b3bcddc1505f4968c275089464d52812c3da5473b7b60576e09

SHA512
e34e305564699df798bcb7d003765c248e35d984d0897ca901922c9ef982831a4a62c8c9a24e79d82aef5121b320f93d1123b5ecedab2327e8d37eac0d297070

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
33KB

MD5
e1f87746d2ae61d00e037aa33fb64786

SHA1
55e6c728d3595373e65c1ec3e4c7989f3aeb50f4

SHA256
6146acd18a6fe1992ec0832941727124c3f85e4fdcc4ca0ceb286c48d10c259a

SHA512
cc2a72a2b5f1c4bf24ac407e178f72d38be1bbea0cd21b33767bc9cfca5f061f51dc7e65c757f840ffee681111d5780bbf3bf6235fee447ed8b88f574fbb1aab

Download Submit
memory/432-54-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/432-29-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/432-24-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/432-30-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/432-56-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/432-52-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/432-23-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/432-22-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/432-65-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/432-55-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/628-4-0x0000000002250000-0x000000000236B000-memory.dmp

Filesize
1.1MB

Download
memory/628-3-0x00000000021B0000-0x000000000224A000-memory.dmp

Filesize
616KB

Download
memory/1720-157-0x0000000000A10000-0x0000000000B10000-memory.dmp

Filesize
1024KB

Download
memory/1752-102-0x0000000000B60000-0x0000000000C60000-memory.dmp

Filesize
1024KB

Download
memory/2160-127-0x0000000000A60000-0x0000000000B60000-memory.dmp

Filesize
1024KB

Download
memory/2188-82-0x0000000000410000-0x00000000004D5000-memory.dmp

Filesize
788KB

Download
memory/2188-81-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2188-79-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2188-74-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2556-45-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2556-40-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2556-58-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2556-44-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/3044-77-0x00000000009A9000-0x00000000009BA000-memory.dmp

Filesize
68KB

Download
memory/3044-78-0x0000000000930000-0x0000000000934000-memory.dmp

Filesize
16KB

Download
memory/3124-39-0x00000000005F0000-0x00000000006F0000-memory.dmp

Filesize
1024KB

Download
memory/3124-41-0x00000000006F0000-0x0000000000720000-memory.dmp

Filesize
192KB

Download
memory/4080-1-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4080-17-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4080-2-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4080-5-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4080-6-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4168-181-0x0000000000880000-0x0000000000980000-memory.dmp

Filesize
1024KB

Download
memory/4368-20-0x0000000002050000-0x00000000020ED000-memory.dmp

Filesize
628KB

Download