djvu | 0b780f2f177a4e7295595e660c059f01eca9594bcb2edc823244d2769fee62b0

Analysis

max time kernel
297s
max time network
210s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08-03-2024 04:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b780f2f177a4e7295595e660c059f01eca9594bcb2edc823244d2769fee62b0.exe
Size

690KB
MD5

3b53518031ee8e3f43124bad90b4f12d
SHA1

d3a74b228acc4088f53c26cf366ebabdc4f5e988
SHA256

0b780f2f177a4e7295595e660c059f01eca9594bcb2edc823244d2769fee62b0
SHA512

5fbb985def338a4920d29677d89a1d9d480be4744d1047486b27901b218faccb9dcd8ed0da171f24feefbc0819bf3ea8dba4f11710f759f9a4e3e03ffc5545cc
SSDEEP

12288:5UmRMbhz+Cu/zQ6DXLuzEMhGtAyPgz1fPYm0nXg84LjY05oE9hWMIp3ka:bRM96Cz90tAL1Ym0nXgdb5oAUnr

Score

10^/10

djvu vidar e2da5861d01d391b927839bbec00e666 discovery persistence ransomware stealer

Malware Config

Extracted

Family

djvu

http://sajdfue.com/test1/get.php

Attributes

extension
.wisz
offline_id
4p0Nzrg1q0ND5of5Gtp2UBjthSXuE8VxnMrd4vt1
payload_url
http://sdfjhuz.com/dl/build2.exe

http://sajdfue.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://wetransfer.com/downloads/a832401adcd58098c699f768ffea4f1720240305114308/7e601a Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0853PsawqS

rsa_pubkey.plain

Extracted

Family

vidar

Version

8.1

Botnet

e2da5861d01d391b927839bbec00e666

https://steamcommunity.com/profiles/76561199649267298

https://t.me/uprizin

Attributes

profile_id_v2
e2da5861d01d391b927839bbec00e666
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36 OPR/96.0.0.0

Signatures

Detect Vidar Stealer 5 IoCs

stealer

resource	yara_rule
behavioral1/memory/768-77-0x0000000000400000-0x0000000000645000-memory.dmp	family_vidar_v7
behavioral1/memory/1028-76-0x0000000000230000-0x0000000000262000-memory.dmp	family_vidar_v7
behavioral1/memory/768-80-0x0000000000400000-0x0000000000645000-memory.dmp	family_vidar_v7
behavioral1/memory/768-81-0x0000000000400000-0x0000000000645000-memory.dmp	family_vidar_v7
behavioral1/memory/768-244-0x0000000000400000-0x0000000000645000-memory.dmp	family_vidar_v7

Detected Djvu ransomware 13 IoCs

resource	yara_rule
behavioral1/memory/2972-3-0x0000000003950000-0x0000000003A6B000-memory.dmp	family_djvu
behavioral1/memory/2008-5-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2008-8-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2008-26-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2440-35-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2440-36-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2440-50-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2440-49-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2440-54-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2440-57-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2440-56-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2440-69-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2440-225-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
1028	build2.exe
768	build2.exe
1424	build3.exe
2096	build3.exe

Loads dropped DLL 8 IoCs

pid	Process
2440	0b780f2f177a4e7295595e660c059f01eca9594bcb2edc823244d2769fee62b0.exe
2440	0b780f2f177a4e7295595e660c059f01eca9594bcb2edc823244d2769fee62b0.exe
2440	0b780f2f177a4e7295595e660c059f01eca9594bcb2edc823244d2769fee62b0.exe
2440	0b780f2f177a4e7295595e660c059f01eca9594bcb2edc823244d2769fee62b0.exe
2764	WerFault.exe
2764	WerFault.exe
2764	WerFault.exe
2764	WerFault.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2676	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\b994bb2e-4252-47da-a77a-f3b4da3509b4\\0b780f2f177a4e7295595e660c059f01eca9594bcb2edc823244d2769fee62b0.exe\" --AutoStart"	0b780f2f177a4e7295595e660c059f01eca9594bcb2edc823244d2769fee62b0.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	api.2ip.ua
4	api.2ip.ua
9	api.2ip.ua

Suspicious use of SetThreadContext 8 IoCs

description	pid	Process	procid_target
PID 2972 set thread context of 2008	2972	0b780f2f177a4e7295595e660c059f01eca9594bcb2edc823244d2769fee62b0.exe	28
PID 2448 set thread context of 2440	2448	0b780f2f177a4e7295595e660c059f01eca9594bcb2edc823244d2769fee62b0.exe	32
PID 1028 set thread context of 768	1028	build2.exe	35
PID 1424 set thread context of 2096	1424	build3.exe	40
PID 1508 set thread context of 2516	1508	mstsca.exe	47
PID 1688 set thread context of 2136	1688	mstsca.exe	51
PID 1092 set thread context of 1872	1092	mstsca.exe	53
PID 2032 set thread context of 2628	2032	mstsca.exe	55

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2764	768	WerFault.exe	35

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2200	schtasks.exe
2960	schtasks.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	build2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	build2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	build2.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2008	0b780f2f177a4e7295595e660c059f01eca9594bcb2edc823244d2769fee62b0.exe
2440	0b780f2f177a4e7295595e660c059f01eca9594bcb2edc823244d2769fee62b0.exe
2440	0b780f2f177a4e7295595e660c059f01eca9594bcb2edc823244d2769fee62b0.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 2008	2972	0b780f2f177a4e7295595e660c059f01eca9594bcb2edc823244d2769fee62b0.exe	28
PID 2972 wrote to memory of 2008	2972	0b780f2f177a4e7295595e660c059f01eca9594bcb2edc823244d2769fee62b0.exe	28
PID 2972 wrote to memory of 2008	2972	0b780f2f177a4e7295595e660c059f01eca9594bcb2edc823244d2769fee62b0.exe	28
PID 2972 wrote to memory of 2008	2972	0b780f2f177a4e7295595e660c059f01eca9594bcb2edc823244d2769fee62b0.exe	28
PID 2972 wrote to memory of 2008	2972	0b780f2f177a4e7295595e660c059f01eca9594bcb2edc823244d2769fee62b0.exe	28
PID 2972 wrote to memory of 2008	2972	0b780f2f177a4e7295595e660c059f01eca9594bcb2edc823244d2769fee62b0.exe	28
PID 2972 wrote to memory of 2008	2972	0b780f2f177a4e7295595e660c059f01eca9594bcb2edc823244d2769fee62b0.exe	28
PID 2972 wrote to memory of 2008	2972	0b780f2f177a4e7295595e660c059f01eca9594bcb2edc823244d2769fee62b0.exe	28
PID 2972 wrote to memory of 2008	2972	0b780f2f177a4e7295595e660c059f01eca9594bcb2edc823244d2769fee62b0.exe	28
PID 2972 wrote to memory of 2008	2972	0b780f2f177a4e7295595e660c059f01eca9594bcb2edc823244d2769fee62b0.exe	28
PID 2972 wrote to memory of 2008	2972	0b780f2f177a4e7295595e660c059f01eca9594bcb2edc823244d2769fee62b0.exe	28
PID 2008 wrote to memory of 2676	2008	0b780f2f177a4e7295595e660c059f01eca9594bcb2edc823244d2769fee62b0.exe	30
PID 2008 wrote to memory of 2676	2008	0b780f2f177a4e7295595e660c059f01eca9594bcb2edc823244d2769fee62b0.exe	30
PID 2008 wrote to memory of 2676	2008	0b780f2f177a4e7295595e660c059f01eca9594bcb2edc823244d2769fee62b0.exe	30
PID 2008 wrote to memory of 2676	2008	0b780f2f177a4e7295595e660c059f01eca9594bcb2edc823244d2769fee62b0.exe	30
PID 2008 wrote to memory of 2448	2008	0b780f2f177a4e7295595e660c059f01eca9594bcb2edc823244d2769fee62b0.exe	31
PID 2008 wrote to memory of 2448	2008	0b780f2f177a4e7295595e660c059f01eca9594bcb2edc823244d2769fee62b0.exe	31
PID 2008 wrote to memory of 2448	2008	0b780f2f177a4e7295595e660c059f01eca9594bcb2edc823244d2769fee62b0.exe	31
PID 2008 wrote to memory of 2448	2008	0b780f2f177a4e7295595e660c059f01eca9594bcb2edc823244d2769fee62b0.exe	31
PID 2448 wrote to memory of 2440	2448	0b780f2f177a4e7295595e660c059f01eca9594bcb2edc823244d2769fee62b0.exe	32
PID 2448 wrote to memory of 2440	2448	0b780f2f177a4e7295595e660c059f01eca9594bcb2edc823244d2769fee62b0.exe	32
PID 2448 wrote to memory of 2440	2448	0b780f2f177a4e7295595e660c059f01eca9594bcb2edc823244d2769fee62b0.exe	32
PID 2448 wrote to memory of 2440	2448	0b780f2f177a4e7295595e660c059f01eca9594bcb2edc823244d2769fee62b0.exe	32
PID 2448 wrote to memory of 2440	2448	0b780f2f177a4e7295595e660c059f01eca9594bcb2edc823244d2769fee62b0.exe	32
PID 2448 wrote to memory of 2440	2448	0b780f2f177a4e7295595e660c059f01eca9594bcb2edc823244d2769fee62b0.exe	32
PID 2448 wrote to memory of 2440	2448	0b780f2f177a4e7295595e660c059f01eca9594bcb2edc823244d2769fee62b0.exe	32
PID 2448 wrote to memory of 2440	2448	0b780f2f177a4e7295595e660c059f01eca9594bcb2edc823244d2769fee62b0.exe	32
PID 2448 wrote to memory of 2440	2448	0b780f2f177a4e7295595e660c059f01eca9594bcb2edc823244d2769fee62b0.exe	32
PID 2448 wrote to memory of 2440	2448	0b780f2f177a4e7295595e660c059f01eca9594bcb2edc823244d2769fee62b0.exe	32
PID 2448 wrote to memory of 2440	2448	0b780f2f177a4e7295595e660c059f01eca9594bcb2edc823244d2769fee62b0.exe	32
PID 2440 wrote to memory of 1028	2440	0b780f2f177a4e7295595e660c059f01eca9594bcb2edc823244d2769fee62b0.exe	34
PID 2440 wrote to memory of 1028	2440	0b780f2f177a4e7295595e660c059f01eca9594bcb2edc823244d2769fee62b0.exe	34
PID 2440 wrote to memory of 1028	2440	0b780f2f177a4e7295595e660c059f01eca9594bcb2edc823244d2769fee62b0.exe	34
PID 2440 wrote to memory of 1028	2440	0b780f2f177a4e7295595e660c059f01eca9594bcb2edc823244d2769fee62b0.exe	34
PID 1028 wrote to memory of 768	1028	build2.exe	35
PID 1028 wrote to memory of 768	1028	build2.exe	35
PID 1028 wrote to memory of 768	1028	build2.exe	35
PID 1028 wrote to memory of 768	1028	build2.exe	35
PID 1028 wrote to memory of 768	1028	build2.exe	35
PID 1028 wrote to memory of 768	1028	build2.exe	35
PID 1028 wrote to memory of 768	1028	build2.exe	35
PID 1028 wrote to memory of 768	1028	build2.exe	35
PID 1028 wrote to memory of 768	1028	build2.exe	35
PID 1028 wrote to memory of 768	1028	build2.exe	35
PID 1028 wrote to memory of 768	1028	build2.exe	35
PID 2440 wrote to memory of 1424	2440	0b780f2f177a4e7295595e660c059f01eca9594bcb2edc823244d2769fee62b0.exe	37
PID 2440 wrote to memory of 1424	2440	0b780f2f177a4e7295595e660c059f01eca9594bcb2edc823244d2769fee62b0.exe	37
PID 2440 wrote to memory of 1424	2440	0b780f2f177a4e7295595e660c059f01eca9594bcb2edc823244d2769fee62b0.exe	37
PID 2440 wrote to memory of 1424	2440	0b780f2f177a4e7295595e660c059f01eca9594bcb2edc823244d2769fee62b0.exe	37
PID 768 wrote to memory of 2764	768	build2.exe	39
PID 768 wrote to memory of 2764	768	build2.exe	39
PID 768 wrote to memory of 2764	768	build2.exe	39
PID 768 wrote to memory of 2764	768	build2.exe	39
PID 1424 wrote to memory of 2096	1424	build3.exe	40
PID 1424 wrote to memory of 2096	1424	build3.exe	40
PID 1424 wrote to memory of 2096	1424	build3.exe	40
PID 1424 wrote to memory of 2096	1424	build3.exe	40
PID 1424 wrote to memory of 2096	1424	build3.exe	40
PID 1424 wrote to memory of 2096	1424	build3.exe	40
PID 1424 wrote to memory of 2096	1424	build3.exe	40
PID 1424 wrote to memory of 2096	1424	build3.exe	40
PID 1424 wrote to memory of 2096	1424	build3.exe	40
PID 1424 wrote to memory of 2096	1424	build3.exe	40
PID 1220 wrote to memory of 1508	1220	taskeng.exe	46

C:\Users\Admin\AppData\Local\Temp\0b780f2f177a4e7295595e660c059f01eca9594bcb2edc823244d2769fee62b0.exe
"C:\Users\Admin\AppData\Local\Temp\0b780f2f177a4e7295595e660c059f01eca9594bcb2edc823244d2769fee62b0.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Users\Admin\AppData\Local\Temp\0b780f2f177a4e7295595e660c059f01eca9594bcb2edc823244d2769fee62b0.exe
  "C:\Users\Admin\AppData\Local\Temp\0b780f2f177a4e7295595e660c059f01eca9594bcb2edc823244d2769fee62b0.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\b994bb2e-4252-47da-a77a-f3b4da3509b4" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:2676
- - C:\Users\Admin\AppData\Local\Temp\0b780f2f177a4e7295595e660c059f01eca9594bcb2edc823244d2769fee62b0.exe
    "C:\Users\Admin\AppData\Local\Temp\0b780f2f177a4e7295595e660c059f01eca9594bcb2edc823244d2769fee62b0.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2448
  - - C:\Users\Admin\AppData\Local\Temp\0b780f2f177a4e7295595e660c059f01eca9594bcb2edc823244d2769fee62b0.exe
      "C:\Users\Admin\AppData\Local\Temp\0b780f2f177a4e7295595e660c059f01eca9594bcb2edc823244d2769fee62b0.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2440
    - - C:\Users\Admin\AppData\Local\2338a7fa-ced1-404b-9d46-ab4880025f01\build2.exe
        
        "C:\Users\Admin\AppData\Local\2338a7fa-ced1-404b-9d46-ab4880025f01\build2.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1028
      - C:\Users\Admin\AppData\Local\2338a7fa-ced1-404b-9d46-ab4880025f01\build2.exe
        
        "C:\Users\Admin\AppData\Local\2338a7fa-ced1-404b-9d46-ab4880025f01\build2.exe"
        6⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious use of WriteProcessMemory
        
        PID:768
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 1468
        7⤵
        Loads dropped DLL
        Program crash
        
        PID:2764
    - - C:\Users\Admin\AppData\Local\2338a7fa-ced1-404b-9d46-ab4880025f01\build3.exe
        
        "C:\Users\Admin\AppData\Local\2338a7fa-ced1-404b-9d46-ab4880025f01\build3.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1424
      - C:\Users\Admin\AppData\Local\2338a7fa-ced1-404b-9d46-ab4880025f01\build3.exe
        
        "C:\Users\Admin\AppData\Local\2338a7fa-ced1-404b-9d46-ab4880025f01\build3.exe"
        6⤵
        Executes dropped EXE
        
        PID:2096
        
        C:\Windows\SysWOW64\schtasks.exe
        
        /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
        7⤵
        Creates scheduled task(s)
        
        PID:2960

C:\Windows\system32\taskeng.exe
taskeng.exe {7190A76E-36A9-4B06-8399-D3904C96750D} S-1-5-21-3452737119-3959686427-228443150-1000:QGTQZTRE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:1508
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    PID:2516
  - - C:\Windows\SysWOW64\schtasks.exe
      /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
      4⤵
      Creates scheduled task(s)
      PID:2200
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:1688
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    PID:2136
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:1092
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    PID:1872
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:2032
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
a757a2a5fb2249733650563a36836fc7

SHA1
0e3f0f05d3fb61398e507bcde88a32ec5a88b4a8

SHA256
5b75679110beb7d514c1f6c7b993cd540dd29856da2e2e995bafb70e77d2bf4b

SHA512
8ed6aa61e91d640f2a8983fa67d937b2abcc5f5c43375a739773b991414094121efc4a049436dd39e45d8e627e57779f1c89352a606dffa406382d875de46b97

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
47cdeeda5178df9d97c9143126bf3d2e

SHA1
f7f0030542350447631c5f6649d6577bed06cfe7

SHA256
0e7190bf936b8c9a9dc80a1a7c14051bc1b3f7570baeb680a35bf129b3dea054

SHA512
c8c5c13bc77a7d98a7b09331cd02f486f85f7b20d5dc423654b96d627fa6dab90b149f1442cc16d2f32df91473703975fe56d0024c49549aeeaccbdcc4b201b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
747d5f722685d22d0791568d4f0eb6a6

SHA1
f4972f2c9cf6dbeb3179647120d59fb3ef142711

SHA256
cd743f39fc796136d464f452227c3969cae7b1d280ffe3dbe3d3a0af34a914d5

SHA512
a7690d5c897495185f8d98f5ee8b1d9ccfe017f8be6360454962290458a6faea3c9360266710e74bddc97520943a9cd16df0ea95c4121e7a2e109ab593dd35d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
52567e7303155f4699777015bd3f262d

SHA1
67e2d60033e3dce42da7be83963fd806e022cf61

SHA256
17ff675f23f2fc2bf8b13cfc950b56fce5bb5c4868452d6025c3e974fcd9bb33

SHA512
49340ad93090601c93571efcdcf1f9ffc5cb19879de530dfab7d59a1978680199c4b8ce59f77c90b0761a07313772b92c5d0d4e1eefde1007f1c56be345ec771

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab67B8.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar891E.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8AE8.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Users\Admin\AppData\Local\b994bb2e-4252-47da-a77a-f3b4da3509b4\0b780f2f177a4e7295595e660c059f01eca9594bcb2edc823244d2769fee62b0.exe

Filesize
690KB

MD5
3b53518031ee8e3f43124bad90b4f12d

SHA1
d3a74b228acc4088f53c26cf366ebabdc4f5e988

SHA256
0b780f2f177a4e7295595e660c059f01eca9594bcb2edc823244d2769fee62b0

SHA512
5fbb985def338a4920d29677d89a1d9d480be4744d1047486b27901b218faccb9dcd8ed0da171f24feefbc0819bf3ea8dba4f11710f759f9a4e3e03ffc5545cc

Download Submit
\Users\Admin\AppData\Local\2338a7fa-ced1-404b-9d46-ab4880025f01\build2.exe

Filesize
219KB

MD5
d37b17fc3b9162060a60cd9c9f5f7e2c

SHA1
5bcd761db5662cebdb06f372d8cb731a9b98d1c5

SHA256
36826a94f7aabd1f0d71abc6850e64a499768bd30cab361e8724d546e495e35f

SHA512
04b0fcc597afba17b8be46eacee58c7e8d38c7efa9247ab5b3cbf1ae3ed8dc2e6e909b7dab28b2a41f08fb37e950abb6ca97553adf0e20335c6864d942bef6ea

Download Submit
\Users\Admin\AppData\Local\2338a7fa-ced1-404b-9d46-ab4880025f01\build3.exe

Filesize
299KB

MD5
41b883a061c95e9b9cb17d4ca50de770

SHA1
1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad

SHA256
fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408

SHA512
cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

Download Submit
memory/768-81-0x0000000000400000-0x0000000000645000-memory.dmp

Filesize
2.3MB

Download
memory/768-244-0x0000000000400000-0x0000000000645000-memory.dmp

Filesize
2.3MB

Download
memory/768-80-0x0000000000400000-0x0000000000645000-memory.dmp

Filesize
2.3MB

Download
memory/768-73-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/768-77-0x0000000000400000-0x0000000000645000-memory.dmp

Filesize
2.3MB

Download
memory/1028-74-0x0000000002090000-0x0000000002190000-memory.dmp

Filesize
1024KB

Download
memory/1028-76-0x0000000000230000-0x0000000000262000-memory.dmp

Filesize
200KB

Download
memory/1092-322-0x0000000000980000-0x0000000000A80000-memory.dmp

Filesize
1024KB

Download
memory/1092-311-0x0000000000980000-0x0000000000A80000-memory.dmp

Filesize
1024KB

Download
memory/1424-235-0x0000000000220000-0x0000000000224000-memory.dmp

Filesize
16KB

Download
memory/1424-233-0x00000000008C0000-0x00000000009C0000-memory.dmp

Filesize
1024KB

Download
memory/1508-261-0x0000000000332000-0x0000000000342000-memory.dmp

Filesize
64KB

Download
memory/1688-286-0x00000000008D0000-0x00000000009D0000-memory.dmp

Filesize
1024KB

Download
memory/2008-2-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2008-8-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2008-26-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2008-5-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2032-339-0x00000000002D2000-0x00000000002E2000-memory.dmp

Filesize
64KB

Download
memory/2096-236-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2096-238-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2096-232-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2440-36-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2440-35-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2440-56-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2440-57-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2440-225-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2440-54-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2440-49-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2440-50-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2440-69-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2448-34-0x00000000002C0000-0x0000000000352000-memory.dmp

Filesize
584KB

Download
memory/2448-29-0x00000000002C0000-0x0000000000352000-memory.dmp

Filesize
584KB

Download
memory/2448-28-0x00000000002C0000-0x0000000000352000-memory.dmp

Filesize
584KB

Download
memory/2516-262-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2972-0-0x0000000002000000-0x0000000002092000-memory.dmp

Filesize
584KB

Download
memory/2972-7-0x0000000002000000-0x0000000002092000-memory.dmp

Filesize
584KB

Download
memory/2972-3-0x0000000003950000-0x0000000003A6B000-memory.dmp

Filesize
1.1MB

Download
memory/2972-1-0x0000000002000000-0x0000000002092000-memory.dmp

Filesize
584KB

Download