djvu | a104d7ade86ce00cbfd52ea602423490fa2e0aa66f036ca3c77dc942153b83f1

Analysis

max time kernel
296s
max time network
196s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
20-02-2024 04:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a104d7ade86ce00cbfd52ea602423490fa2e0aa66f036ca3c77dc942153b83f1.exe
Size

730KB
MD5

5ae24b94a6f7359ffdea3b2f1270d821
SHA1

e497f21c534187587516340cae1eba1388836645
SHA256

a104d7ade86ce00cbfd52ea602423490fa2e0aa66f036ca3c77dc942153b83f1
SHA512

012d851e336c52b919736f105a5b4b0c59a714e80063495a63417edfceb44a487c9d803e724f9aef03a7cdf4074f13d6375d58eb329e4e9374cbfb2de98fe382
SSDEEP

12288:4HmKwTPJS79c/WkhgD5we14ihDZ5hs9iBakvKAoflP:4HTqRS79+2N1lDZ3PBafAo

Score

10^/10

djvu vidar 7f6c51bbce50f99b5a632c204a5ec558 discovery persistence ransomware stealer

Malware Config

Extracted

Family

djvu

http://habrafa.com/test1/get.php

Attributes

extension
.lkhy
offline_id
OxV6DGl22io8sqMOW1zCCOlzPiv4f1Vqzw7Y8zt1
payload_url
http://brusuax.com/dl/build2.exe

http://habrafa.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://we.tl/t-uNdL2KHHdy Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0851ASdw

rsa_pubkey.plain

Extracted

Family

vidar

Version

7.9

Botnet

7f6c51bbce50f99b5a632c204a5ec558

https://t.me/hypergog

https://steamcommunity.com/profiles/76561199642171824

Attributes

profile_id_v2
7f6c51bbce50f99b5a632c204a5ec558
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36

Signatures

Detect Vidar Stealer 5 IoCs

stealer

resource	yara_rule
behavioral1/memory/2660-75-0x0000000000230000-0x0000000000266000-memory.dmp	family_vidar_v7
behavioral1/memory/2484-76-0x0000000000400000-0x0000000000649000-memory.dmp	family_vidar_v7
behavioral1/memory/2484-79-0x0000000000400000-0x0000000000649000-memory.dmp	family_vidar_v7
behavioral1/memory/2484-80-0x0000000000400000-0x0000000000649000-memory.dmp	family_vidar_v7
behavioral1/memory/2484-231-0x0000000000400000-0x0000000000649000-memory.dmp	family_vidar_v7

Detected Djvu ransomware 14 IoCs

resource	yara_rule
behavioral1/memory/1684-2-0x0000000001E20000-0x0000000001F3B000-memory.dmp	family_djvu
behavioral1/memory/2880-5-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2880-8-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2880-9-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2880-27-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2860-35-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2860-36-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2860-49-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2860-50-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2860-54-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2860-56-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2860-57-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2860-58-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2860-91-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Executes dropped EXE 14 IoCs

pid	Process
2660	build2.exe
2484	build2.exe
2188	build3.exe
2552	build3.exe
2752	mstsca.exe
2116	mstsca.exe
1732	mstsca.exe
1932	mstsca.exe
300	mstsca.exe
2948	mstsca.exe
2912	mstsca.exe
2936	mstsca.exe
2768	mstsca.exe
1860	mstsca.exe

Loads dropped DLL 8 IoCs

pid	Process
2860	a104d7ade86ce00cbfd52ea602423490fa2e0aa66f036ca3c77dc942153b83f1.exe
2860	a104d7ade86ce00cbfd52ea602423490fa2e0aa66f036ca3c77dc942153b83f1.exe
2860	a104d7ade86ce00cbfd52ea602423490fa2e0aa66f036ca3c77dc942153b83f1.exe
2860	a104d7ade86ce00cbfd52ea602423490fa2e0aa66f036ca3c77dc942153b83f1.exe
1800	WerFault.exe
1800	WerFault.exe
1800	WerFault.exe
1800	WerFault.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2876	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\ea00d75c-42d9-4a8f-90db-66b3a39dbd62\\a104d7ade86ce00cbfd52ea602423490fa2e0aa66f036ca3c77dc942153b83f1.exe\" --AutoStart"	a104d7ade86ce00cbfd52ea602423490fa2e0aa66f036ca3c77dc942153b83f1.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	api.2ip.ua
3	api.2ip.ua
9	api.2ip.ua

Suspicious use of SetThreadContext 9 IoCs

description	pid	Process	procid_target
PID 1684 set thread context of 2880	1684	a104d7ade86ce00cbfd52ea602423490fa2e0aa66f036ca3c77dc942153b83f1.exe	28
PID 2592 set thread context of 2860	2592	a104d7ade86ce00cbfd52ea602423490fa2e0aa66f036ca3c77dc942153b83f1.exe	31
PID 2660 set thread context of 2484	2660	build2.exe	34
PID 2188 set thread context of 2552	2188	build3.exe	36
PID 2752 set thread context of 2116	2752	mstsca.exe	43
PID 1732 set thread context of 1932	1732	mstsca.exe	49
PID 300 set thread context of 2948	300	mstsca.exe	51
PID 2912 set thread context of 2936	2912	mstsca.exe	53
PID 2768 set thread context of 1860	2768	mstsca.exe	55

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1800	2484	WerFault.exe	34

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
888	schtasks.exe
2676	schtasks.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	build2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	build2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	build2.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2880	a104d7ade86ce00cbfd52ea602423490fa2e0aa66f036ca3c77dc942153b83f1.exe
2860	a104d7ade86ce00cbfd52ea602423490fa2e0aa66f036ca3c77dc942153b83f1.exe
2860	a104d7ade86ce00cbfd52ea602423490fa2e0aa66f036ca3c77dc942153b83f1.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 2880	1684	a104d7ade86ce00cbfd52ea602423490fa2e0aa66f036ca3c77dc942153b83f1.exe	28
PID 1684 wrote to memory of 2880	1684	a104d7ade86ce00cbfd52ea602423490fa2e0aa66f036ca3c77dc942153b83f1.exe	28
PID 1684 wrote to memory of 2880	1684	a104d7ade86ce00cbfd52ea602423490fa2e0aa66f036ca3c77dc942153b83f1.exe	28
PID 1684 wrote to memory of 2880	1684	a104d7ade86ce00cbfd52ea602423490fa2e0aa66f036ca3c77dc942153b83f1.exe	28
PID 1684 wrote to memory of 2880	1684	a104d7ade86ce00cbfd52ea602423490fa2e0aa66f036ca3c77dc942153b83f1.exe	28
PID 1684 wrote to memory of 2880	1684	a104d7ade86ce00cbfd52ea602423490fa2e0aa66f036ca3c77dc942153b83f1.exe	28
PID 1684 wrote to memory of 2880	1684	a104d7ade86ce00cbfd52ea602423490fa2e0aa66f036ca3c77dc942153b83f1.exe	28
PID 1684 wrote to memory of 2880	1684	a104d7ade86ce00cbfd52ea602423490fa2e0aa66f036ca3c77dc942153b83f1.exe	28
PID 1684 wrote to memory of 2880	1684	a104d7ade86ce00cbfd52ea602423490fa2e0aa66f036ca3c77dc942153b83f1.exe	28
PID 1684 wrote to memory of 2880	1684	a104d7ade86ce00cbfd52ea602423490fa2e0aa66f036ca3c77dc942153b83f1.exe	28
PID 1684 wrote to memory of 2880	1684	a104d7ade86ce00cbfd52ea602423490fa2e0aa66f036ca3c77dc942153b83f1.exe	28
PID 2880 wrote to memory of 2876	2880	a104d7ade86ce00cbfd52ea602423490fa2e0aa66f036ca3c77dc942153b83f1.exe	29
PID 2880 wrote to memory of 2876	2880	a104d7ade86ce00cbfd52ea602423490fa2e0aa66f036ca3c77dc942153b83f1.exe	29
PID 2880 wrote to memory of 2876	2880	a104d7ade86ce00cbfd52ea602423490fa2e0aa66f036ca3c77dc942153b83f1.exe	29
PID 2880 wrote to memory of 2876	2880	a104d7ade86ce00cbfd52ea602423490fa2e0aa66f036ca3c77dc942153b83f1.exe	29
PID 2880 wrote to memory of 2592	2880	a104d7ade86ce00cbfd52ea602423490fa2e0aa66f036ca3c77dc942153b83f1.exe	30
PID 2880 wrote to memory of 2592	2880	a104d7ade86ce00cbfd52ea602423490fa2e0aa66f036ca3c77dc942153b83f1.exe	30
PID 2880 wrote to memory of 2592	2880	a104d7ade86ce00cbfd52ea602423490fa2e0aa66f036ca3c77dc942153b83f1.exe	30
PID 2880 wrote to memory of 2592	2880	a104d7ade86ce00cbfd52ea602423490fa2e0aa66f036ca3c77dc942153b83f1.exe	30
PID 2592 wrote to memory of 2860	2592	a104d7ade86ce00cbfd52ea602423490fa2e0aa66f036ca3c77dc942153b83f1.exe	31
PID 2592 wrote to memory of 2860	2592	a104d7ade86ce00cbfd52ea602423490fa2e0aa66f036ca3c77dc942153b83f1.exe	31
PID 2592 wrote to memory of 2860	2592	a104d7ade86ce00cbfd52ea602423490fa2e0aa66f036ca3c77dc942153b83f1.exe	31
PID 2592 wrote to memory of 2860	2592	a104d7ade86ce00cbfd52ea602423490fa2e0aa66f036ca3c77dc942153b83f1.exe	31
PID 2592 wrote to memory of 2860	2592	a104d7ade86ce00cbfd52ea602423490fa2e0aa66f036ca3c77dc942153b83f1.exe	31
PID 2592 wrote to memory of 2860	2592	a104d7ade86ce00cbfd52ea602423490fa2e0aa66f036ca3c77dc942153b83f1.exe	31
PID 2592 wrote to memory of 2860	2592	a104d7ade86ce00cbfd52ea602423490fa2e0aa66f036ca3c77dc942153b83f1.exe	31
PID 2592 wrote to memory of 2860	2592	a104d7ade86ce00cbfd52ea602423490fa2e0aa66f036ca3c77dc942153b83f1.exe	31
PID 2592 wrote to memory of 2860	2592	a104d7ade86ce00cbfd52ea602423490fa2e0aa66f036ca3c77dc942153b83f1.exe	31
PID 2592 wrote to memory of 2860	2592	a104d7ade86ce00cbfd52ea602423490fa2e0aa66f036ca3c77dc942153b83f1.exe	31
PID 2592 wrote to memory of 2860	2592	a104d7ade86ce00cbfd52ea602423490fa2e0aa66f036ca3c77dc942153b83f1.exe	31
PID 2860 wrote to memory of 2660	2860	a104d7ade86ce00cbfd52ea602423490fa2e0aa66f036ca3c77dc942153b83f1.exe	33
PID 2860 wrote to memory of 2660	2860	a104d7ade86ce00cbfd52ea602423490fa2e0aa66f036ca3c77dc942153b83f1.exe	33
PID 2860 wrote to memory of 2660	2860	a104d7ade86ce00cbfd52ea602423490fa2e0aa66f036ca3c77dc942153b83f1.exe	33
PID 2860 wrote to memory of 2660	2860	a104d7ade86ce00cbfd52ea602423490fa2e0aa66f036ca3c77dc942153b83f1.exe	33
PID 2660 wrote to memory of 2484	2660	build2.exe	34
PID 2660 wrote to memory of 2484	2660	build2.exe	34
PID 2660 wrote to memory of 2484	2660	build2.exe	34
PID 2660 wrote to memory of 2484	2660	build2.exe	34
PID 2660 wrote to memory of 2484	2660	build2.exe	34
PID 2660 wrote to memory of 2484	2660	build2.exe	34
PID 2660 wrote to memory of 2484	2660	build2.exe	34
PID 2660 wrote to memory of 2484	2660	build2.exe	34
PID 2660 wrote to memory of 2484	2660	build2.exe	34
PID 2660 wrote to memory of 2484	2660	build2.exe	34
PID 2660 wrote to memory of 2484	2660	build2.exe	34
PID 2860 wrote to memory of 2188	2860	a104d7ade86ce00cbfd52ea602423490fa2e0aa66f036ca3c77dc942153b83f1.exe	35
PID 2860 wrote to memory of 2188	2860	a104d7ade86ce00cbfd52ea602423490fa2e0aa66f036ca3c77dc942153b83f1.exe	35
PID 2860 wrote to memory of 2188	2860	a104d7ade86ce00cbfd52ea602423490fa2e0aa66f036ca3c77dc942153b83f1.exe	35
PID 2860 wrote to memory of 2188	2860	a104d7ade86ce00cbfd52ea602423490fa2e0aa66f036ca3c77dc942153b83f1.exe	35
PID 2188 wrote to memory of 2552	2188	build3.exe	36
PID 2188 wrote to memory of 2552	2188	build3.exe	36
PID 2188 wrote to memory of 2552	2188	build3.exe	36
PID 2188 wrote to memory of 2552	2188	build3.exe	36
PID 2188 wrote to memory of 2552	2188	build3.exe	36
PID 2188 wrote to memory of 2552	2188	build3.exe	36
PID 2188 wrote to memory of 2552	2188	build3.exe	36
PID 2188 wrote to memory of 2552	2188	build3.exe	36
PID 2188 wrote to memory of 2552	2188	build3.exe	36
PID 2188 wrote to memory of 2552	2188	build3.exe	36
PID 2552 wrote to memory of 888	2552	build3.exe	37
PID 2552 wrote to memory of 888	2552	build3.exe	37
PID 2552 wrote to memory of 888	2552	build3.exe	37
PID 2552 wrote to memory of 888	2552	build3.exe	37
PID 2484 wrote to memory of 1800	2484	build2.exe	40

C:\Users\Admin\AppData\Local\Temp\a104d7ade86ce00cbfd52ea602423490fa2e0aa66f036ca3c77dc942153b83f1.exe
"C:\Users\Admin\AppData\Local\Temp\a104d7ade86ce00cbfd52ea602423490fa2e0aa66f036ca3c77dc942153b83f1.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Users\Admin\AppData\Local\Temp\a104d7ade86ce00cbfd52ea602423490fa2e0aa66f036ca3c77dc942153b83f1.exe
  "C:\Users\Admin\AppData\Local\Temp\a104d7ade86ce00cbfd52ea602423490fa2e0aa66f036ca3c77dc942153b83f1.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\ea00d75c-42d9-4a8f-90db-66b3a39dbd62" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:2876
- - C:\Users\Admin\AppData\Local\Temp\a104d7ade86ce00cbfd52ea602423490fa2e0aa66f036ca3c77dc942153b83f1.exe
    "C:\Users\Admin\AppData\Local\Temp\a104d7ade86ce00cbfd52ea602423490fa2e0aa66f036ca3c77dc942153b83f1.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2592
  - - C:\Users\Admin\AppData\Local\Temp\a104d7ade86ce00cbfd52ea602423490fa2e0aa66f036ca3c77dc942153b83f1.exe
      "C:\Users\Admin\AppData\Local\Temp\a104d7ade86ce00cbfd52ea602423490fa2e0aa66f036ca3c77dc942153b83f1.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2860
    - - C:\Users\Admin\AppData\Local\5977d77f-8606-491a-b3d0-e4bd0de28629\build2.exe
        
        "C:\Users\Admin\AppData\Local\5977d77f-8606-491a-b3d0-e4bd0de28629\build2.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2660
      - C:\Users\Admin\AppData\Local\5977d77f-8606-491a-b3d0-e4bd0de28629\build2.exe
        
        "C:\Users\Admin\AppData\Local\5977d77f-8606-491a-b3d0-e4bd0de28629\build2.exe"
        6⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious use of WriteProcessMemory
        
        PID:2484
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2484 -s 1452
        7⤵
        Loads dropped DLL
        Program crash
        
        PID:1800
    - - C:\Users\Admin\AppData\Local\5977d77f-8606-491a-b3d0-e4bd0de28629\build3.exe
        
        "C:\Users\Admin\AppData\Local\5977d77f-8606-491a-b3d0-e4bd0de28629\build3.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2188
      - C:\Users\Admin\AppData\Local\5977d77f-8606-491a-b3d0-e4bd0de28629\build3.exe
        
        "C:\Users\Admin\AppData\Local\5977d77f-8606-491a-b3d0-e4bd0de28629\build3.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2552
        
        C:\Windows\SysWOW64\schtasks.exe
        
        /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
        7⤵
        Creates scheduled task(s)
        
        PID:888

C:\Windows\system32\taskeng.exe
taskeng.exe {724BCDD5-0AF1-473C-B6BF-ED78675101D9} S-1-5-21-3818056530-936619650-3554021955-1000:SFVRQGEO\Admin:Interactive:[1]
1⤵
PID:1540
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2752
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    - Executes dropped EXE
    PID:2116
  - - C:\Windows\SysWOW64\schtasks.exe
      /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
      4⤵
      Creates scheduled task(s)
      PID:2676
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1732
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    - Executes dropped EXE
    PID:1932
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:300
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    - Executes dropped EXE
    PID:2948
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2912
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    - Executes dropped EXE
    PID:2936
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2768
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    - Executes dropped EXE
    PID:1860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
cf7c39c642fe92ca4ec669b9e8ff3fec

SHA1
76413213c3f47df40edf753b6a3d0f6cbe0c6952

SHA256
41b1a0794d5e5a4e347c14679008df772ba82fd081f41c978d3ceec5609ddbf8

SHA512
e65ec70b24de0f284da43aa40f8c6511ea3765f6e3460c764de3dbc7a987d26072b81063d70b7276e3e6c542dbe9570edf3a36419d98e50e859b32ea1896e6cf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
f53838acba780500730541c2c00a80c2

SHA1
d40607cfda5a0c459439156d6210880b925dfa01

SHA256
cae74c1a86ca689cd69531e3756576fb6e86e6814a6e3b4be0a47b367ea02ecf

SHA512
63b6809e5c2a867b2454eda1d6da128a7de25cd42f7503875c2b8e95b0f9b33426d045a14594c5fe6f7047e5042a9843c0d126da9c64e1a3cc630d6c696309da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
affbbc8cb41551a3cc2eaa347e7baca7

SHA1
79aa3e1f98cbcfe7f1cce96c781759c1e87e7ead

SHA256
974c70aab28b8e53457205753097e4b58635e6e85afae27a7a83dcc5c02dcaf9

SHA512
38417064d36f1d6e839c76ece499af11a8edffefa8c572b212ed43b0cefa14a539566ed6674dc054c36cf2604b7a480269c39b065e816cdc53295cb37673e8b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
2537ee0c367ca86c20a8f54e384fb6f1

SHA1
0ec4862f4697dd1032e9b8d75f0b273a278deb9a

SHA256
f667d1ceddf77b087b3a40d90ca7b4e5cbdd53ece7b2ddc469188cc8738b3dc9

SHA512
4ae00ebb98d07b412190128e64557210c9745ae157c66e1969ea5c17bf3716c52464ce441d728f95a4a951894c0a791832df602c3440b4f80a1d8fcf9cc2b36b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2166.tmp

Filesize
38KB

MD5
2f3bafd1a6efacc36b681b73e165b346

SHA1
6aee257584976a4596670dbb60747ea437319fe7

SHA256
517be25e4517be0eb4944e51e2db220d88089fc83f64ff628d466a71ef590190

SHA512
35f5b8a7dba8e3d91db8e22c5524c4ffee567d57b01cf48ce8b78604d2051bfe6ba0a353329cc019a878462307b7ac8b053933fbdc1603548eb4e8755af037ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar35C1.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\ea00d75c-42d9-4a8f-90db-66b3a39dbd62\a104d7ade86ce00cbfd52ea602423490fa2e0aa66f036ca3c77dc942153b83f1.exe

Filesize
730KB

MD5
5ae24b94a6f7359ffdea3b2f1270d821

SHA1
e497f21c534187587516340cae1eba1388836645

SHA256
a104d7ade86ce00cbfd52ea602423490fa2e0aa66f036ca3c77dc942153b83f1

SHA512
012d851e336c52b919736f105a5b4b0c59a714e80063495a63417edfceb44a487c9d803e724f9aef03a7cdf4074f13d6375d58eb329e4e9374cbfb2de98fe382

Download Submit
\Users\Admin\AppData\Local\5977d77f-8606-491a-b3d0-e4bd0de28629\build2.exe

Filesize
334KB

MD5
c6d3d647baad8a5b93b81d2487f4f072

SHA1
e9c1105dc41f85d4f7e94d4e004f8427787c8802

SHA256
7754125653413cfca3bde887fb2a22f0cd5144ec447bb274c69b005861b70a0a

SHA512
55425dc95161e627e19e17f1bb910f958dade0c2b12da5eaad31159f0e2dc5217ff293c52f39d860d399807d5b4a814f1bb24376c58b40cc171d298282052049

Download Submit
\Users\Admin\AppData\Local\5977d77f-8606-491a-b3d0-e4bd0de28629\build3.exe

Filesize
299KB

MD5
41b883a061c95e9b9cb17d4ca50de770

SHA1
1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad

SHA256
fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408

SHA512
cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

Download Submit
memory/300-297-0x0000000000960000-0x0000000000A60000-memory.dmp

Filesize
1024KB

Download
memory/1684-0-0x0000000000300000-0x0000000000391000-memory.dmp

Filesize
580KB

Download
memory/1684-7-0x0000000000300000-0x0000000000391000-memory.dmp

Filesize
580KB

Download
memory/1684-1-0x0000000000300000-0x0000000000391000-memory.dmp

Filesize
580KB

Download
memory/1684-2-0x0000000001E20000-0x0000000001F3B000-memory.dmp

Filesize
1.1MB

Download
memory/1732-272-0x00000000002D0000-0x00000000003D0000-memory.dmp

Filesize
1024KB

Download
memory/2188-145-0x0000000000220000-0x0000000000224000-memory.dmp

Filesize
16KB

Download
memory/2188-141-0x0000000000970000-0x0000000000A70000-memory.dmp

Filesize
1024KB

Download
memory/2484-231-0x0000000000400000-0x0000000000649000-memory.dmp

Filesize
2.3MB

Download
memory/2484-80-0x0000000000400000-0x0000000000649000-memory.dmp

Filesize
2.3MB

Download
memory/2484-79-0x0000000000400000-0x0000000000649000-memory.dmp

Filesize
2.3MB

Download
memory/2484-76-0x0000000000400000-0x0000000000649000-memory.dmp

Filesize
2.3MB

Download
memory/2484-73-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2552-146-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2552-149-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2552-151-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2592-30-0x00000000002A0000-0x0000000000331000-memory.dmp

Filesize
580KB

Download
memory/2592-28-0x00000000002A0000-0x0000000000331000-memory.dmp

Filesize
580KB

Download
memory/2660-72-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/2660-75-0x0000000000230000-0x0000000000266000-memory.dmp

Filesize
216KB

Download
memory/2752-243-0x0000000000312000-0x0000000000322000-memory.dmp

Filesize
64KB

Download
memory/2768-357-0x0000000000890000-0x0000000000990000-memory.dmp

Filesize
1024KB

Download
memory/2860-54-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2860-56-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2860-91-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2860-49-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2860-36-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2860-35-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2860-58-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2860-50-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2860-57-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2880-8-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2880-9-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2880-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2880-5-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2880-27-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2912-328-0x0000000000292000-0x00000000002A2000-memory.dmp

Filesize
64KB

Download