djvu | c20c9317800a54d6d790f80fe684b3b6cf5ec8832b16ecf71db998a2b86ecef2

Analysis

max time kernel
300s
max time network
211s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07/03/2024, 05:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c20c9317800a54d6d790f80fe684b3b6cf5ec8832b16ecf71db998a2b86ecef2.exe
Size

697KB
MD5

18fd5678b1fb5891874c9608c1640c95
SHA1

6d2ff7934cb4ee5c749ad752571855f1a1eca56c
SHA256

c20c9317800a54d6d790f80fe684b3b6cf5ec8832b16ecf71db998a2b86ecef2
SHA512

5216acd276dfcebcd5bcfd3fb31be732d6aa5b46459390025342e9746d548d099362032e9521c30520a6b137329ece0f3f61f06a768cbe9f37c2b6122b958c1f
SSDEEP

12288:aMANKdVb0cBY2zaqKrgyWvfLsVwVuDMyOdbUF1oXppYN4KBr40utQ8N:XAt2zaqugy4cMyOdbUnw7VKBP8

Score

10^/10

djvu vidar e2da5861d01d391b927839bbec00e666 discovery persistence ransomware stealer

Malware Config

Extracted

Family

djvu

http://sajdfue.com/test1/get.php

Attributes

extension
.wisz
offline_id
4p0Nzrg1q0ND5of5Gtp2UBjthSXuE8VxnMrd4vt1
payload_url
http://sdfjhuz.com/dl/build2.exe

http://sajdfue.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://wetransfer.com/downloads/a832401adcd58098c699f768ffea4f1720240305114308/7e601a Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0853PsawqS

rsa_pubkey.plain

Extracted

Family

vidar

Version

8.1

Botnet

e2da5861d01d391b927839bbec00e666

https://steamcommunity.com/profiles/76561199649267298

https://t.me/uprizin

Attributes

profile_id_v2
e2da5861d01d391b927839bbec00e666
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36 OPR/96.0.0.0

Signatures

Detect Vidar Stealer 5 IoCs

stealer

resource	yara_rule
behavioral1/memory/2244-87-0x0000000000230000-0x0000000000262000-memory.dmp	family_vidar_v7
behavioral1/memory/2724-89-0x0000000000400000-0x0000000000645000-memory.dmp	family_vidar_v7
behavioral1/memory/2724-92-0x0000000000400000-0x0000000000645000-memory.dmp	family_vidar_v7
behavioral1/memory/2724-93-0x0000000000400000-0x0000000000645000-memory.dmp	family_vidar_v7
behavioral1/memory/2724-244-0x0000000000400000-0x0000000000645000-memory.dmp	family_vidar_v7

Detected Djvu ransomware 14 IoCs

resource	yara_rule
behavioral1/memory/1468-2-0x0000000003850000-0x000000000396B000-memory.dmp	family_djvu
behavioral1/memory/2168-5-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2168-7-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2168-8-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2168-26-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2844-35-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2844-36-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2844-50-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2844-49-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2844-54-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2844-57-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2844-56-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2844-69-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2844-80-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Executes dropped EXE 14 IoCs

pid	Process
2244	build2.exe
528	build3.exe
2724	build2.exe
2072	build3.exe
1912	mstsca.exe
1096	mstsca.exe
1664	mstsca.exe
2392	mstsca.exe
1936	mstsca.exe
436	mstsca.exe
328	mstsca.exe
1724	mstsca.exe
1560	mstsca.exe
2388	mstsca.exe

Loads dropped DLL 8 IoCs

pid	Process
2844	c20c9317800a54d6d790f80fe684b3b6cf5ec8832b16ecf71db998a2b86ecef2.exe
2844	c20c9317800a54d6d790f80fe684b3b6cf5ec8832b16ecf71db998a2b86ecef2.exe
2844	c20c9317800a54d6d790f80fe684b3b6cf5ec8832b16ecf71db998a2b86ecef2.exe
2844	c20c9317800a54d6d790f80fe684b3b6cf5ec8832b16ecf71db998a2b86ecef2.exe
1000	WerFault.exe
1000	WerFault.exe
1000	WerFault.exe
1000	WerFault.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2620	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\4ef7a82d-acb8-45a2-ace7-8e26fd5b1095\\c20c9317800a54d6d790f80fe684b3b6cf5ec8832b16ecf71db998a2b86ecef2.exe\" --AutoStart"	c20c9317800a54d6d790f80fe684b3b6cf5ec8832b16ecf71db998a2b86ecef2.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	api.2ip.ua
4	api.2ip.ua
9	api.2ip.ua

Suspicious use of SetThreadContext 9 IoCs

description	pid	Process	procid_target
PID 1468 set thread context of 2168	1468	c20c9317800a54d6d790f80fe684b3b6cf5ec8832b16ecf71db998a2b86ecef2.exe	28
PID 2644 set thread context of 2844	2644	c20c9317800a54d6d790f80fe684b3b6cf5ec8832b16ecf71db998a2b86ecef2.exe	31
PID 2244 set thread context of 2724	2244	build2.exe	35
PID 528 set thread context of 2072	528	build3.exe	36
PID 1912 set thread context of 1096	1912	mstsca.exe	46
PID 1664 set thread context of 2392	1664	mstsca.exe	48
PID 1936 set thread context of 436	1936	mstsca.exe	52
PID 328 set thread context of 1724	328	mstsca.exe	54
PID 1560 set thread context of 2388	1560	mstsca.exe	56

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1000	2724	WerFault.exe	35

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1788	schtasks.exe
1984	schtasks.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	build2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	build2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	build2.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2168	c20c9317800a54d6d790f80fe684b3b6cf5ec8832b16ecf71db998a2b86ecef2.exe
2844	c20c9317800a54d6d790f80fe684b3b6cf5ec8832b16ecf71db998a2b86ecef2.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1468 wrote to memory of 2168	1468	c20c9317800a54d6d790f80fe684b3b6cf5ec8832b16ecf71db998a2b86ecef2.exe	28
PID 1468 wrote to memory of 2168	1468	c20c9317800a54d6d790f80fe684b3b6cf5ec8832b16ecf71db998a2b86ecef2.exe	28
PID 1468 wrote to memory of 2168	1468	c20c9317800a54d6d790f80fe684b3b6cf5ec8832b16ecf71db998a2b86ecef2.exe	28
PID 1468 wrote to memory of 2168	1468	c20c9317800a54d6d790f80fe684b3b6cf5ec8832b16ecf71db998a2b86ecef2.exe	28
PID 1468 wrote to memory of 2168	1468	c20c9317800a54d6d790f80fe684b3b6cf5ec8832b16ecf71db998a2b86ecef2.exe	28
PID 1468 wrote to memory of 2168	1468	c20c9317800a54d6d790f80fe684b3b6cf5ec8832b16ecf71db998a2b86ecef2.exe	28
PID 1468 wrote to memory of 2168	1468	c20c9317800a54d6d790f80fe684b3b6cf5ec8832b16ecf71db998a2b86ecef2.exe	28
PID 1468 wrote to memory of 2168	1468	c20c9317800a54d6d790f80fe684b3b6cf5ec8832b16ecf71db998a2b86ecef2.exe	28
PID 1468 wrote to memory of 2168	1468	c20c9317800a54d6d790f80fe684b3b6cf5ec8832b16ecf71db998a2b86ecef2.exe	28
PID 1468 wrote to memory of 2168	1468	c20c9317800a54d6d790f80fe684b3b6cf5ec8832b16ecf71db998a2b86ecef2.exe	28
PID 1468 wrote to memory of 2168	1468	c20c9317800a54d6d790f80fe684b3b6cf5ec8832b16ecf71db998a2b86ecef2.exe	28
PID 2168 wrote to memory of 2620	2168	c20c9317800a54d6d790f80fe684b3b6cf5ec8832b16ecf71db998a2b86ecef2.exe	29
PID 2168 wrote to memory of 2620	2168	c20c9317800a54d6d790f80fe684b3b6cf5ec8832b16ecf71db998a2b86ecef2.exe	29
PID 2168 wrote to memory of 2620	2168	c20c9317800a54d6d790f80fe684b3b6cf5ec8832b16ecf71db998a2b86ecef2.exe	29
PID 2168 wrote to memory of 2620	2168	c20c9317800a54d6d790f80fe684b3b6cf5ec8832b16ecf71db998a2b86ecef2.exe	29
PID 2168 wrote to memory of 2644	2168	c20c9317800a54d6d790f80fe684b3b6cf5ec8832b16ecf71db998a2b86ecef2.exe	30
PID 2168 wrote to memory of 2644	2168	c20c9317800a54d6d790f80fe684b3b6cf5ec8832b16ecf71db998a2b86ecef2.exe	30
PID 2168 wrote to memory of 2644	2168	c20c9317800a54d6d790f80fe684b3b6cf5ec8832b16ecf71db998a2b86ecef2.exe	30
PID 2168 wrote to memory of 2644	2168	c20c9317800a54d6d790f80fe684b3b6cf5ec8832b16ecf71db998a2b86ecef2.exe	30
PID 2644 wrote to memory of 2844	2644	c20c9317800a54d6d790f80fe684b3b6cf5ec8832b16ecf71db998a2b86ecef2.exe	31
PID 2644 wrote to memory of 2844	2644	c20c9317800a54d6d790f80fe684b3b6cf5ec8832b16ecf71db998a2b86ecef2.exe	31
PID 2644 wrote to memory of 2844	2644	c20c9317800a54d6d790f80fe684b3b6cf5ec8832b16ecf71db998a2b86ecef2.exe	31
PID 2644 wrote to memory of 2844	2644	c20c9317800a54d6d790f80fe684b3b6cf5ec8832b16ecf71db998a2b86ecef2.exe	31
PID 2644 wrote to memory of 2844	2644	c20c9317800a54d6d790f80fe684b3b6cf5ec8832b16ecf71db998a2b86ecef2.exe	31
PID 2644 wrote to memory of 2844	2644	c20c9317800a54d6d790f80fe684b3b6cf5ec8832b16ecf71db998a2b86ecef2.exe	31
PID 2644 wrote to memory of 2844	2644	c20c9317800a54d6d790f80fe684b3b6cf5ec8832b16ecf71db998a2b86ecef2.exe	31
PID 2644 wrote to memory of 2844	2644	c20c9317800a54d6d790f80fe684b3b6cf5ec8832b16ecf71db998a2b86ecef2.exe	31
PID 2644 wrote to memory of 2844	2644	c20c9317800a54d6d790f80fe684b3b6cf5ec8832b16ecf71db998a2b86ecef2.exe	31
PID 2644 wrote to memory of 2844	2644	c20c9317800a54d6d790f80fe684b3b6cf5ec8832b16ecf71db998a2b86ecef2.exe	31
PID 2644 wrote to memory of 2844	2644	c20c9317800a54d6d790f80fe684b3b6cf5ec8832b16ecf71db998a2b86ecef2.exe	31
PID 2844 wrote to memory of 2244	2844	c20c9317800a54d6d790f80fe684b3b6cf5ec8832b16ecf71db998a2b86ecef2.exe	33
PID 2844 wrote to memory of 2244	2844	c20c9317800a54d6d790f80fe684b3b6cf5ec8832b16ecf71db998a2b86ecef2.exe	33
PID 2844 wrote to memory of 2244	2844	c20c9317800a54d6d790f80fe684b3b6cf5ec8832b16ecf71db998a2b86ecef2.exe	33
PID 2844 wrote to memory of 2244	2844	c20c9317800a54d6d790f80fe684b3b6cf5ec8832b16ecf71db998a2b86ecef2.exe	33
PID 2844 wrote to memory of 528	2844	c20c9317800a54d6d790f80fe684b3b6cf5ec8832b16ecf71db998a2b86ecef2.exe	34
PID 2844 wrote to memory of 528	2844	c20c9317800a54d6d790f80fe684b3b6cf5ec8832b16ecf71db998a2b86ecef2.exe	34
PID 2844 wrote to memory of 528	2844	c20c9317800a54d6d790f80fe684b3b6cf5ec8832b16ecf71db998a2b86ecef2.exe	34
PID 2844 wrote to memory of 528	2844	c20c9317800a54d6d790f80fe684b3b6cf5ec8832b16ecf71db998a2b86ecef2.exe	34
PID 2244 wrote to memory of 2724	2244	build2.exe	35
PID 2244 wrote to memory of 2724	2244	build2.exe	35
PID 2244 wrote to memory of 2724	2244	build2.exe	35
PID 2244 wrote to memory of 2724	2244	build2.exe	35
PID 2244 wrote to memory of 2724	2244	build2.exe	35
PID 2244 wrote to memory of 2724	2244	build2.exe	35
PID 2244 wrote to memory of 2724	2244	build2.exe	35
PID 2244 wrote to memory of 2724	2244	build2.exe	35
PID 2244 wrote to memory of 2724	2244	build2.exe	35
PID 2244 wrote to memory of 2724	2244	build2.exe	35
PID 2244 wrote to memory of 2724	2244	build2.exe	35
PID 528 wrote to memory of 2072	528	build3.exe	36
PID 528 wrote to memory of 2072	528	build3.exe	36
PID 528 wrote to memory of 2072	528	build3.exe	36
PID 528 wrote to memory of 2072	528	build3.exe	36
PID 528 wrote to memory of 2072	528	build3.exe	36
PID 528 wrote to memory of 2072	528	build3.exe	36
PID 528 wrote to memory of 2072	528	build3.exe	36
PID 528 wrote to memory of 2072	528	build3.exe	36
PID 528 wrote to memory of 2072	528	build3.exe	36
PID 528 wrote to memory of 2072	528	build3.exe	36
PID 2072 wrote to memory of 1788	2072	build3.exe	37
PID 2072 wrote to memory of 1788	2072	build3.exe	37
PID 2072 wrote to memory of 1788	2072	build3.exe	37
PID 2072 wrote to memory of 1788	2072	build3.exe	37
PID 2724 wrote to memory of 1000	2724	build2.exe	41

C:\Users\Admin\AppData\Local\Temp\c20c9317800a54d6d790f80fe684b3b6cf5ec8832b16ecf71db998a2b86ecef2.exe
"C:\Users\Admin\AppData\Local\Temp\c20c9317800a54d6d790f80fe684b3b6cf5ec8832b16ecf71db998a2b86ecef2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1468
- C:\Users\Admin\AppData\Local\Temp\c20c9317800a54d6d790f80fe684b3b6cf5ec8832b16ecf71db998a2b86ecef2.exe
  "C:\Users\Admin\AppData\Local\Temp\c20c9317800a54d6d790f80fe684b3b6cf5ec8832b16ecf71db998a2b86ecef2.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2168
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\4ef7a82d-acb8-45a2-ace7-8e26fd5b1095" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:2620
- - C:\Users\Admin\AppData\Local\Temp\c20c9317800a54d6d790f80fe684b3b6cf5ec8832b16ecf71db998a2b86ecef2.exe
    "C:\Users\Admin\AppData\Local\Temp\c20c9317800a54d6d790f80fe684b3b6cf5ec8832b16ecf71db998a2b86ecef2.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2644
  - - C:\Users\Admin\AppData\Local\Temp\c20c9317800a54d6d790f80fe684b3b6cf5ec8832b16ecf71db998a2b86ecef2.exe
      "C:\Users\Admin\AppData\Local\Temp\c20c9317800a54d6d790f80fe684b3b6cf5ec8832b16ecf71db998a2b86ecef2.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2844
    - - C:\Users\Admin\AppData\Local\52e82ca7-e9af-425a-94b9-a23232e42911\build2.exe
        
        "C:\Users\Admin\AppData\Local\52e82ca7-e9af-425a-94b9-a23232e42911\build2.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2244
      - C:\Users\Admin\AppData\Local\52e82ca7-e9af-425a-94b9-a23232e42911\build2.exe
        
        "C:\Users\Admin\AppData\Local\52e82ca7-e9af-425a-94b9-a23232e42911\build2.exe"
        6⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious use of WriteProcessMemory
        
        PID:2724
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 1472
        7⤵
        Loads dropped DLL
        Program crash
        
        PID:1000
    - - C:\Users\Admin\AppData\Local\52e82ca7-e9af-425a-94b9-a23232e42911\build3.exe
        
        "C:\Users\Admin\AppData\Local\52e82ca7-e9af-425a-94b9-a23232e42911\build3.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:528
      - C:\Users\Admin\AppData\Local\52e82ca7-e9af-425a-94b9-a23232e42911\build3.exe
        
        "C:\Users\Admin\AppData\Local\52e82ca7-e9af-425a-94b9-a23232e42911\build3.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2072
        
        C:\Windows\SysWOW64\schtasks.exe
        
        /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
        7⤵
        Creates scheduled task(s)
        
        PID:1788

C:\Windows\system32\taskeng.exe
taskeng.exe {6ABC0B85-C50E-4788-A2B6-C47DED1F7EA8} S-1-5-21-2461186416-2307104501-1787948496-1000:MGILJUBR\Admin:Interactive:[1]
1⤵
PID:2612
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1912
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    - Executes dropped EXE
    PID:1096
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1664
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    - Executes dropped EXE
    PID:2392
  - - C:\Windows\SysWOW64\schtasks.exe
      /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
      4⤵
      Creates scheduled task(s)
      PID:1984
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1936
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    - Executes dropped EXE
    PID:436
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:328
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    - Executes dropped EXE
    PID:1724
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1560
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    - Executes dropped EXE
    PID:2388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
285f2d7ac11b816c0b93dddd72f3f074

SHA1
70bfc113e962459afabde81294847754bf7ae540

SHA256
fa170ab755d01dd13745aa6c2bbc19a90b57ff0abf67574147a2389e97899939

SHA512
5c0148dd35a8a626d003269910b7ca283bd3619d658f968d04b268674f188e6f00ba5f26dc1f59847e02929770d70075546027fc5e1e2cff85ffb93c71b7797e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
70da431c369d82f45d61bb749a5bef1b

SHA1
2b39cd0c433bb563b470c41a8ff5be1c367cf350

SHA256
bba6cb41757f4a3772b00fd54c2edd3bff8045a096d637ad757d293ab459d620

SHA512
627ceb57ed97d2a3d5f5c8a5c36df159ba12a4f184cd68e58bc76967b7b63e8541d453a5183caeef0177b01e217209f1cf1c20eb209927ef1cd68bab4e90e1e0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5236e0dc88d23c5b6f0f4e6f75cfc5a6

SHA1
9b2e52525ac46e548dd9d0b020790d685780b36b

SHA256
d0e435007bb6903a79ab9c00b2b0772fb2446ad499491e2e0d3a2e86869bf9b4

SHA512
a1376ce82ddb713e3ea1fc8738fef482902168eb6c3663a58653f9038e6c2a957aa85abe14c7d32c5499ac96629a14e139ead0809ecd7c35fbd620d51f58b4c7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
403b7ae0bb4af42890961263a76037ec

SHA1
ffa8b02f6e200a5f63f52b7165a21f8f5767af53

SHA256
b1ce66bf6df848a3b1e7de16570445bfee4d9ea9730eb1581d663cdfd23243a7

SHA512
4e8c9aafe2d0119aae48be6be15c401f53c924643feb91c33289201d87a32c9401e7d661a4353e4eaa6d34bcc557fb9f97be7773e82f9115b67ed0687d9e7fc8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
27c1276f333ff6c86eea41a8c625ac02

SHA1
544bfd052ce55ccc905d9e7c64e2da74315a2e24

SHA256
8ea43131bb3a2b3bf47be911f90f40e1a7be6c8ccdbe58fda7a7aeb6720d0216

SHA512
b4d772effe9e6f4f3f39e0e1938928bedc5d9f45b83ea1b8b5da86c80fd0e225b7c43c767bfe6fff1431bda247637b3b98fea47beb078a025aa09cd0094278af

Download Submit
C:\Users\Admin\AppData\Local\4ef7a82d-acb8-45a2-ace7-8e26fd5b1095\c20c9317800a54d6d790f80fe684b3b6cf5ec8832b16ecf71db998a2b86ecef2.exe

Filesize
697KB

MD5
18fd5678b1fb5891874c9608c1640c95

SHA1
6d2ff7934cb4ee5c749ad752571855f1a1eca56c

SHA256
c20c9317800a54d6d790f80fe684b3b6cf5ec8832b16ecf71db998a2b86ecef2

SHA512
5216acd276dfcebcd5bcfd3fb31be732d6aa5b46459390025342e9746d548d099362032e9521c30520a6b137329ece0f3f61f06a768cbe9f37c2b6122b958c1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab978E.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCBE8.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCD64.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
\Users\Admin\AppData\Local\52e82ca7-e9af-425a-94b9-a23232e42911\build2.exe

Filesize
219KB

MD5
d37b17fc3b9162060a60cd9c9f5f7e2c

SHA1
5bcd761db5662cebdb06f372d8cb731a9b98d1c5

SHA256
36826a94f7aabd1f0d71abc6850e64a499768bd30cab361e8724d546e495e35f

SHA512
04b0fcc597afba17b8be46eacee58c7e8d38c7efa9247ab5b3cbf1ae3ed8dc2e6e909b7dab28b2a41f08fb37e950abb6ca97553adf0e20335c6864d942bef6ea

Download Submit
\Users\Admin\AppData\Local\52e82ca7-e9af-425a-94b9-a23232e42911\build3.exe

Filesize
299KB

MD5
41b883a061c95e9b9cb17d4ca50de770

SHA1
1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad

SHA256
fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408

SHA512
cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

Download Submit
memory/328-348-0x0000000000990000-0x0000000000A90000-memory.dmp

Filesize
1024KB

Download
memory/528-181-0x0000000000220000-0x0000000000224000-memory.dmp

Filesize
16KB

Download
memory/528-179-0x00000000008C0000-0x00000000009C0000-memory.dmp

Filesize
1024KB

Download
memory/1468-1-0x00000000002D0000-0x0000000000361000-memory.dmp

Filesize
580KB

Download
memory/1468-2-0x0000000003850000-0x000000000396B000-memory.dmp

Filesize
1.1MB

Download
memory/1468-0-0x00000000002D0000-0x0000000000361000-memory.dmp

Filesize
580KB

Download
memory/1560-383-0x00000000002D0000-0x00000000003D0000-memory.dmp

Filesize
1024KB

Download
memory/1664-280-0x00000000002B0000-0x00000000003B0000-memory.dmp

Filesize
1024KB

Download
memory/1912-256-0x00000000009C0000-0x0000000000AC0000-memory.dmp

Filesize
1024KB

Download
memory/1936-313-0x0000000000960000-0x0000000000A60000-memory.dmp

Filesize
1024KB

Download
memory/2072-178-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2072-182-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2072-187-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2072-185-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2168-26-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2168-8-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2168-7-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2168-5-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2168-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2244-85-0x00000000020B0000-0x00000000021B0000-memory.dmp

Filesize
1024KB

Download
memory/2244-87-0x0000000000230000-0x0000000000262000-memory.dmp

Filesize
200KB

Download
memory/2644-29-0x0000000003780000-0x0000000003811000-memory.dmp

Filesize
580KB

Download
memory/2644-34-0x0000000003780000-0x0000000003811000-memory.dmp

Filesize
580KB

Download
memory/2644-27-0x0000000003780000-0x0000000003811000-memory.dmp

Filesize
580KB

Download
memory/2724-93-0x0000000000400000-0x0000000000645000-memory.dmp

Filesize
2.3MB

Download
memory/2724-92-0x0000000000400000-0x0000000000645000-memory.dmp

Filesize
2.3MB

Download
memory/2724-89-0x0000000000400000-0x0000000000645000-memory.dmp

Filesize
2.3MB

Download
memory/2724-86-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2724-244-0x0000000000400000-0x0000000000645000-memory.dmp

Filesize
2.3MB

Download
memory/2844-35-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2844-80-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2844-69-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2844-56-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2844-57-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2844-54-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2844-49-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2844-50-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2844-36-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download