djvu | ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c

Analysis

max time kernel
299s
max time network
296s
platform
windows10-1703_x64
resource
win10-20231215-en
resource tags

arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
submitted
05-02-2024 05:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe
Size

772KB
MD5

bab1ea0e1eba81e7bf661766ac1ac177
SHA1

12e1aa39059fd8a727214592f415bee1c9905177
SHA256

ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c
SHA512

066a0b3a2daad8a888a5b2d968ed5ab897b742d28da98b28e39d6d538a729ab5331f566e3f57d1c89978c597e97dd64fe9fd050986741be2bb1ca9b42458b234
SSDEEP

12288:9vhycdmFgKk2gjva8foyadXAcF78F1oXWcUDwW7yPwJ1SFBAPUy9Fq6UUF/2:dQxlevpwvAFawDwW7hJ1oBSUyUUR

Score

10^/10

djvu vidar 1b9d7ec5a25ab9d78c31777a0016a097 discovery persistence ransomware stealer

Malware Config

Extracted

Family

djvu

http://habrafa.com/test1/get.php

Attributes

extension
.cdcc
offline_id
LBxKKiegnAy53rpqH3Pj2j46vwldiEt9kqHSuMt1
payload_url
http://brusuax.com/dl/build2.exe
http://habrafa.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-iVcrVFVRqu Price of private key and decrypt software is $1999. Discount 50% available if you contact us first 72 hours, that's price for you is $999. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0846ASdw

rsa_pubkey.plain

Extracted

Family

vidar

Version

7.6

Botnet

1b9d7ec5a25ab9d78c31777a0016a097

https://t.me/tvrugrats

https://steamcommunity.com/profiles/76561199627279110

Attributes

profile_id_v2
1b9d7ec5a25ab9d78c31777a0016a097

Signatures

Detect Vidar Stealer 7 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/5048-49-0x00000000005F0000-0x0000000000620000-memory.dmp	family_vidar_v7
behavioral2/memory/920-51-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral2/memory/920-53-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral2/memory/920-46-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral2/memory/920-66-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral2/memory/4276-101-0x0000000000900000-0x0000000000A00000-memory.dmp	family_vidar_v7
behavioral2/memory/4820-123-0x0000000000990000-0x0000000000A90000-memory.dmp	family_vidar_v7

Detected Djvu ransomware 16 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2564-2-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3520-3-0x0000000002190000-0x00000000022AB000-memory.dmp	family_djvu
behavioral2/memory/2564-4-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2564-6-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2564-5-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2564-17-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3788-22-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3788-24-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3788-23-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3788-30-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3788-29-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3788-34-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3788-36-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3788-37-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3788-52-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3788-60-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Executes dropped EXE 12 IoCs

Processes:

build2.exebuild2.exebuild3.exebuild3.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exe

pid	process
5048	build2.exe
920	build2.exe
1216	build3.exe
4748	build3.exe
4276	mstsca.exe
832	mstsca.exe
4820	mstsca.exe
1516	mstsca.exe
5076	mstsca.exe
4336	mstsca.exe
2288	mstsca.exe
1880	mstsca.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

4300 icacls.exe

pid	process
4300	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2595843030-3811137303-3031389247-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\277a2490-bba0-4e83-92b1-18f85a524e35\\ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe\" --AutoStart"	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 api.2ip.ua
2 api.2ip.ua
9 api.2ip.ua

flow	ioc
1	api.2ip.ua
2	api.2ip.ua
9	api.2ip.ua

Suspicious use of SetThreadContext 8 IoCs

Processes:

ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exeee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exebuild2.exebuild3.exemstsca.exemstsca.exemstsca.exemstsca.exe

description	pid	process	target process
PID 3520 set thread context of 2564	3520	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe
PID 212 set thread context of 3788	212	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe
PID 5048 set thread context of 920	5048	build2.exe	build2.exe
PID 1216 set thread context of 4748	1216	build3.exe	build3.exe
PID 4276 set thread context of 832	4276	mstsca.exe	mstsca.exe
PID 4820 set thread context of 1516	4820	mstsca.exe	mstsca.exe
PID 5076 set thread context of 4336	5076	mstsca.exe	mstsca.exe
PID 2288 set thread context of 1880	2288	mstsca.exe	mstsca.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

800 920 WerFault.exe build2.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1736 schtasks.exe
1752 schtasks.exe

pid	pid_target	process	target process
800	920	WerFault.exe	build2.exe

pid	process
1736	schtasks.exe
1752	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exeee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe

pid	process
2564	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe
2564	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe
3788	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe
3788	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exeee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exeee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exeee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exebuild2.exebuild3.exebuild3.exemstsca.exemstsca.exe

description	pid	process	target process
PID 3520 wrote to memory of 2564	3520	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe
PID 3520 wrote to memory of 2564	3520	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe
PID 3520 wrote to memory of 2564	3520	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe
PID 3520 wrote to memory of 2564	3520	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe
PID 3520 wrote to memory of 2564	3520	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe
PID 3520 wrote to memory of 2564	3520	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe
PID 3520 wrote to memory of 2564	3520	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe
PID 3520 wrote to memory of 2564	3520	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe
PID 3520 wrote to memory of 2564	3520	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe
PID 3520 wrote to memory of 2564	3520	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe
PID 2564 wrote to memory of 4300	2564	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe	icacls.exe
PID 2564 wrote to memory of 4300	2564	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe	icacls.exe
PID 2564 wrote to memory of 4300	2564	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe	icacls.exe
PID 2564 wrote to memory of 212	2564	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe
PID 2564 wrote to memory of 212	2564	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe
PID 2564 wrote to memory of 212	2564	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe
PID 212 wrote to memory of 3788	212	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe
PID 212 wrote to memory of 3788	212	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe
PID 212 wrote to memory of 3788	212	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe
PID 212 wrote to memory of 3788	212	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe
PID 212 wrote to memory of 3788	212	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe
PID 212 wrote to memory of 3788	212	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe
PID 212 wrote to memory of 3788	212	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe
PID 212 wrote to memory of 3788	212	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe
PID 212 wrote to memory of 3788	212	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe
PID 212 wrote to memory of 3788	212	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe
PID 3788 wrote to memory of 5048	3788	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe	build2.exe
PID 3788 wrote to memory of 5048	3788	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe	build2.exe
PID 3788 wrote to memory of 5048	3788	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe	build2.exe
PID 5048 wrote to memory of 920	5048	build2.exe	build2.exe
PID 5048 wrote to memory of 920	5048	build2.exe	build2.exe
PID 5048 wrote to memory of 920	5048	build2.exe	build2.exe
PID 5048 wrote to memory of 920	5048	build2.exe	build2.exe
PID 5048 wrote to memory of 920	5048	build2.exe	build2.exe
PID 5048 wrote to memory of 920	5048	build2.exe	build2.exe
PID 5048 wrote to memory of 920	5048	build2.exe	build2.exe
PID 5048 wrote to memory of 920	5048	build2.exe	build2.exe
PID 5048 wrote to memory of 920	5048	build2.exe	build2.exe
PID 5048 wrote to memory of 920	5048	build2.exe	build2.exe
PID 3788 wrote to memory of 1216	3788	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe	build3.exe
PID 3788 wrote to memory of 1216	3788	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe	build3.exe
PID 3788 wrote to memory of 1216	3788	ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe	build3.exe
PID 1216 wrote to memory of 4748	1216	build3.exe	build3.exe
PID 1216 wrote to memory of 4748	1216	build3.exe	build3.exe
PID 1216 wrote to memory of 4748	1216	build3.exe	build3.exe
PID 1216 wrote to memory of 4748	1216	build3.exe	build3.exe
PID 1216 wrote to memory of 4748	1216	build3.exe	build3.exe
PID 1216 wrote to memory of 4748	1216	build3.exe	build3.exe
PID 1216 wrote to memory of 4748	1216	build3.exe	build3.exe
PID 1216 wrote to memory of 4748	1216	build3.exe	build3.exe
PID 1216 wrote to memory of 4748	1216	build3.exe	build3.exe
PID 4748 wrote to memory of 1736	4748	build3.exe	schtasks.exe
PID 4748 wrote to memory of 1736	4748	build3.exe	schtasks.exe
PID 4748 wrote to memory of 1736	4748	build3.exe	schtasks.exe
PID 4276 wrote to memory of 832	4276	mstsca.exe	mstsca.exe
PID 4276 wrote to memory of 832	4276	mstsca.exe	mstsca.exe
PID 4276 wrote to memory of 832	4276	mstsca.exe	mstsca.exe
PID 4276 wrote to memory of 832	4276	mstsca.exe	mstsca.exe
PID 4276 wrote to memory of 832	4276	mstsca.exe	mstsca.exe
PID 4276 wrote to memory of 832	4276	mstsca.exe	mstsca.exe
PID 4276 wrote to memory of 832	4276	mstsca.exe	mstsca.exe
PID 4276 wrote to memory of 832	4276	mstsca.exe	mstsca.exe
PID 4276 wrote to memory of 832	4276	mstsca.exe	mstsca.exe
PID 832 wrote to memory of 1752	832	mstsca.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe
"C:\Users\Admin\AppData\Local\Temp\ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3520

C:\Users\Admin\AppData\Local\Temp\ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe
"C:\Users\Admin\AppData\Local\Temp\ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2564

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\277a2490-bba0-4e83-92b1-18f85a524e35" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:4300

C:\Users\Admin\AppData\Local\Temp\ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe
"C:\Users\Admin\AppData\Local\Temp\ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:212

C:\Users\Admin\AppData\Local\Temp\ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe
"C:\Users\Admin\AppData\Local\Temp\ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3788

C:\Users\Admin\AppData\Local\ca5c36f2-e95c-4642-b43b-03f012962422\build2.exe
"C:\Users\Admin\AppData\Local\ca5c36f2-e95c-4642-b43b-03f012962422\build2.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5048

C:\Users\Admin\AppData\Local\ca5c36f2-e95c-4642-b43b-03f012962422\build3.exe
"C:\Users\Admin\AppData\Local\ca5c36f2-e95c-4642-b43b-03f012962422\build3.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1216

C:\Users\Admin\AppData\Local\ca5c36f2-e95c-4642-b43b-03f012962422\build3.exe
"C:\Users\Admin\AppData\Local\ca5c36f2-e95c-4642-b43b-03f012962422\build3.exe"
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4748

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
7⤵
- Creates scheduled task(s)
PID:1736

C:\Users\Admin\AppData\Local\ca5c36f2-e95c-4642-b43b-03f012962422\build2.exe
"C:\Users\Admin\AppData\Local\ca5c36f2-e95c-4642-b43b-03f012962422\build2.exe"
1⤵
- Executes dropped EXE
PID:920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 920 -s 1908
2⤵
- Program crash
PID:800

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4276

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:832

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
3⤵
- Creates scheduled task(s)
PID:1752

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4820

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
PID:1516

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5076

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
PID:4336

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2288

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
PID:1880

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
1KB

MD5
c59708a86e78530488f2356251e775a2

SHA1
17e33e077261cdd9e54d4e58dfb168f15ee93efb

SHA256
71719971666e64a4f767e8f9d0b52e822189c4bfb1fe449a0e7c8066c82813c2

SHA512
42afd4d2c791ea8cb239130cf4f4d43da0ec39c63049c56796e082282e2ba2f0cd0fd8934b7de3b359ca433b0609ad159fda6f92168168f2d4517f13fbbb3fbf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
410B

MD5
775939f4acab55690472088ca4ef9f0c

SHA1
02b363153cbbfcc7809dc552088042e031d79e3f

SHA256
418f72f9a29a730b7513f4dea6cf9c57db9eaff242adc6222ca5053274f10eb7

SHA512
99741148a4744b48fb0464098d32b8243682d36a8d49d0a5af47d6237cc446e9b074835ffc0a7ebd532268058b0f34d02950eacbf74163ad2da6eced42636374

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
392B

MD5
72a934a2c05b1264b6716dc9ce318c4a

SHA1
d2527dc759f95432885046817175f590c129dc84

SHA256
1d3305b14be97f38aeed96172386bdc85c9876f26d9358016a7311d8da2c78c5

SHA512
d8e36317fd0561f42007659b3284943a5359e1c64b7b389294f54c495fe3ac65080b3e52733891b951f41592f36e542e14e11b566be8d4edada4614034e850ab

Download Submit
C:\Users\Admin\AppData\Local\277a2490-bba0-4e83-92b1-18f85a524e35\ee5bcfc6e9d4decbf39ff9712d339dbff29fb1f6c780c6f61a41166abeee0d1c.exe
Filesize
95KB

MD5
c03f0558dc7b929d1f98b0c9b09029e0

SHA1
beaea959206bfab659cbaf809a83033c9d15d474

SHA256
bcd1a999a9ef4085cae218a7ae1a4fa0f6e21ccc7a1d556b620f81083b3cd258

SHA512
f0d962d80fe4731524e7dff79721d898f2de620eca9e29007c06e7183388915527868dc0b1cff148a7bb28df90b9719c0446c57b81421bae25f0d29f3d1b3a85

Download Submit
C:\Users\Admin\AppData\Local\ca5c36f2-e95c-4642-b43b-03f012962422\build2.exe
Filesize
339KB

MD5
645d9019258de263ebae783b913cf0bf

SHA1
a2ac290c5e35f928b136a54ec8cd784e84f02db9

SHA256
3607baf13638b563126beab9a8b28b5f0ee560a51c0a1aa2e8c8cefebc152dca

SHA512
debe76e914bc8abb3bfb8093fbf338885044767caedbff789c9faf266b4f1aeeb867eac0528c9b0f3b54f9c030b59daed88181556ad89efc334cbd661b628be4

Download Submit
C:\Users\Admin\AppData\Local\ca5c36f2-e95c-4642-b43b-03f012962422\build2.exe
Filesize
27KB

MD5
d48db59a0f0c61ab690915a7205a4bf7

SHA1
1952f6bd4343b24ffae85c9a09016d652cd7b47a

SHA256
fef552dc98ebf21553da1b12a9b4dedebba0ab91889f8220ff028985cb57b185

SHA512
61378e01fbf7335169386e3302953370a886825cf97679e9fbeac16459c8fd22f9c79c5e601c3b76a2c5b36c65ce8a5d1a048d0085719a652ba47108704b5a66

Download Submit
C:\Users\Admin\AppData\Local\ca5c36f2-e95c-4642-b43b-03f012962422\build2.exe
Filesize
270KB

MD5
f68d031a6e0a3bc852f78895e7184026

SHA1
6e451b114d78322a082e1e1f47762b4332c5d751

SHA256
55e15e232b0dd41a93476ee820ee8a1d4d767bec64647eaf9828d9198e1c1dd1

SHA512
ed333ac77908b2f4aaa3b4c84b7bf1bfa1e5e796261f5a1f5fc073e544e653caa7601e37973095db484a9332b9bfe0feaff99cb0c9204d71107ce3b210f2a3fe

Download Submit
C:\Users\Admin\AppData\Local\ca5c36f2-e95c-4642-b43b-03f012962422\build3.exe
Filesize
132KB

MD5
0b649b954b148268466fc9a480f7e946

SHA1
7eeb26a5fc75b51a9a23f7b5c5604a903cebeb43

SHA256
e0f33daa4174694c0e142bee9c4c63514595fcfa7df3f26342f9d60f38c1fcb3

SHA512
f397e5e1e6261198ac3978db74d9aa388105ca187dbcefc5a9e6f76068d49c22bc7b87e7065ae201195d6505c03e284ca699f6f904adf1bf5e5522c2d1365be8

Download Submit
C:\Users\Admin\AppData\Local\ca5c36f2-e95c-4642-b43b-03f012962422\build3.exe
Filesize
24KB

MD5
b1d2d0397659c03ead6cb1b86b070b15

SHA1
85fe0ed4f627018cef6cce86978bcef86a99f011

SHA256
fa8473381e3acfbce98daeac9d36b3012e30ae5f0b909037d829a96bf6380e3f

SHA512
190c86ab20504c38fc37f62ca9acdb94e19e7eb2d7fd68035c0ed4a533c61228c854ea5baf36c200dc1cde5b51c071c50c1390cb55bc3f52cc36834614a61e40

Download Submit
C:\Users\Admin\AppData\Local\ca5c36f2-e95c-4642-b43b-03f012962422\build3.exe
Filesize
299KB

MD5
41b883a061c95e9b9cb17d4ca50de770

SHA1
1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad

SHA256
fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408

SHA512
cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
249KB

MD5
41efb1b05b335ecb73b264189f71d5a0

SHA1
6c61d67924939f8be6b644fe7fb94b7db89cb674

SHA256
35dc56cfa8eac33e028d72291536432ba4f17a6eea8866275de796438d7b90b9

SHA512
7ab78ec7be7acc30f3895adbe9218629f9c9758a9b6056e5cca0d86bf11c987ad59c8159b60421e6a7ce5c6377e66c9e5c48d32adb8b92e89b11bae0968dfc72

Download Submit
memory/212-21-0x0000000002030000-0x00000000020CA000-memory.dmp

Filesize
616KB

Download
memory/920-53-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/920-51-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/920-46-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/920-66-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/1216-75-0x00000000009F0000-0x00000000009F4000-memory.dmp

Filesize
16KB

Download
memory/1216-72-0x0000000000A29000-0x0000000000A3A000-memory.dmp

Filesize
68KB

Download
memory/1516-128-0x0000000000410000-0x00000000004D5000-memory.dmp

Filesize
788KB

Download
memory/2288-178-0x0000000000B1E000-0x0000000000B2E000-memory.dmp

Filesize
64KB

Download
memory/2564-17-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2564-4-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2564-6-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2564-5-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2564-2-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3520-3-0x0000000002190000-0x00000000022AB000-memory.dmp

Filesize
1.1MB

Download
memory/3520-1-0x0000000000560000-0x00000000005F9000-memory.dmp

Filesize
612KB

Download
memory/3788-23-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3788-29-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3788-52-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3788-60-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3788-22-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3788-37-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3788-24-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3788-36-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3788-34-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3788-30-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4276-101-0x0000000000900000-0x0000000000A00000-memory.dmp

Filesize
1024KB

Download
memory/4748-77-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4748-78-0x0000000000410000-0x0000000000411000-memory.dmp

Filesize
4KB

Download
memory/4748-74-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4748-70-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4820-123-0x0000000000990000-0x0000000000A90000-memory.dmp

Filesize
1024KB

Download
memory/5048-47-0x0000000000790000-0x0000000000890000-memory.dmp

Filesize
1024KB

Download
memory/5048-49-0x00000000005F0000-0x0000000000620000-memory.dmp

Filesize
192KB

Download
memory/5076-152-0x0000000000BA0000-0x0000000000CA0000-memory.dmp

Filesize
1024KB

Download