Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
10-03-2024 19:44
Static task
static1
Behavioral task
behavioral1
Sample
1b9cb6ae126f7fb5bbbb0ffa6a7ec47cfc6eed1de4b091e1ac2443cf037ca90e.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
1b9cb6ae126f7fb5bbbb0ffa6a7ec47cfc6eed1de4b091e1ac2443cf037ca90e.exe
Resource
win10v2004-20240226-en
General
-
Target
1b9cb6ae126f7fb5bbbb0ffa6a7ec47cfc6eed1de4b091e1ac2443cf037ca90e.exe
-
Size
132KB
-
MD5
f1936ac59e253c71f5b2b415c69c0495
-
SHA1
e19e764f60167f8afd6ea09ac57b623fd6feeaff
-
SHA256
1b9cb6ae126f7fb5bbbb0ffa6a7ec47cfc6eed1de4b091e1ac2443cf037ca90e
-
SHA512
0e5fdfd91ee16bddcbd85111c5815c644123aaab39ad076b04ef32bfded1083a7fd3b6ec417dc617d4e65be26266f61018ce12c6d71ba3822880da8a375e4f1b
-
SSDEEP
1536:LENr7zNlkFPoZgXg0rgA8k3Cs3cVFkm+j/3DuZE5sGGVXgrNpQNq1Wgl2:LENrXNCiitt0p+nuosGGiNpbXl2
Malware Config
Extracted
smokeloader
pub1
Extracted
smokeloader
2022
http://trad-einmyus.com/index.php
http://tradein-myus.com/index.php
http://trade-inmyus.com/index.php
Extracted
djvu
http://sajdfue.com/test1/get.php
-
extension
.wisz
-
offline_id
4p0Nzrg1q0ND5of5Gtp2UBjthSXuE8VxnMrd4vt1
-
payload_url
http://sdfjhuz.com/dl/build2.exe
http://sajdfue.com/files/1/build3.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://wetransfer.com/downloads/a832401adcd58098c699f768ffea4f1720240305114308/7e601a Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0853PsawqS
Extracted
vidar
8.1
e2da5861d01d391b927839bbec00e666
https://steamcommunity.com/profiles/76561199649267298
https://t.me/uprizin
-
profile_id_v2
e2da5861d01d391b927839bbec00e666
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36 OPR/96.0.0.0
Signatures
-
DcRat 4 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
description ioc pid Process 3016 schtasks.exe 1788 schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 1b9cb6ae126f7fb5bbbb0ffa6a7ec47cfc6eed1de4b091e1ac2443cf037ca90e.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\ec563fd8-b598-4da5-b8f8-3eacad193e6b\\5429.exe\" --AutoStart" 5429.exe -
Detect Vidar Stealer 5 IoCs
resource yara_rule behavioral1/memory/1616-119-0x0000000000240000-0x0000000000272000-memory.dmp family_vidar_v7 behavioral1/memory/2344-123-0x0000000000400000-0x0000000000645000-memory.dmp family_vidar_v7 behavioral1/memory/2344-126-0x0000000000400000-0x0000000000645000-memory.dmp family_vidar_v7 behavioral1/memory/2344-127-0x0000000000400000-0x0000000000645000-memory.dmp family_vidar_v7 behavioral1/memory/2344-285-0x0000000000400000-0x0000000000645000-memory.dmp family_vidar_v7 -
Detected Djvu ransomware 14 IoCs
resource yara_rule behavioral1/memory/2892-30-0x0000000001E30000-0x0000000001F4B000-memory.dmp family_djvu behavioral1/memory/2648-33-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/2648-37-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/2648-38-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/2648-59-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/1956-69-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/1956-70-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/1956-83-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/1956-84-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/1956-88-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/1956-90-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/1956-91-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/1956-92-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/1956-114-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu -
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Detects Windows executables referencing non-Windows User-Agents 4 IoCs
resource yara_rule behavioral1/memory/2344-123-0x0000000000400000-0x0000000000645000-memory.dmp INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA behavioral1/memory/2344-126-0x0000000000400000-0x0000000000645000-memory.dmp INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA behavioral1/memory/2344-127-0x0000000000400000-0x0000000000645000-memory.dmp INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA behavioral1/memory/2344-285-0x0000000000400000-0x0000000000645000-memory.dmp INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA -
Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion 4 IoCs
resource yara_rule behavioral1/memory/2344-123-0x0000000000400000-0x0000000000645000-memory.dmp INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL behavioral1/memory/2344-126-0x0000000000400000-0x0000000000645000-memory.dmp INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL behavioral1/memory/2344-127-0x0000000000400000-0x0000000000645000-memory.dmp INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL behavioral1/memory/2344-285-0x0000000000400000-0x0000000000645000-memory.dmp INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL -
Downloads MZ/PE file
-
Deletes itself 1 IoCs
pid Process 1208 Process not Found -
Executes dropped EXE 11 IoCs
pid Process 2892 5429.exe 2648 5429.exe 2384 5429.exe 1956 5429.exe 1616 build2.exe 1804 build3.exe 2344 build2.exe 1576 build3.exe 1836 mstsca.exe 1424 mstsca.exe 440 DCBA.exe -
Loads dropped DLL 13 IoCs
pid Process 2892 5429.exe 2648 5429.exe 2648 5429.exe 2384 5429.exe 1956 5429.exe 1956 5429.exe 1956 5429.exe 1956 5429.exe 2408 WerFault.exe 2408 WerFault.exe 2408 WerFault.exe 2408 WerFault.exe 1208 Process not Found -
Modifies file permissions 1 TTPs 1 IoCs
pid Process 2076 icacls.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\ec563fd8-b598-4da5-b8f8-3eacad193e6b\\5429.exe\" --AutoStart" 5429.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 38 bitbucket.org 39 bitbucket.org -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 49 api.2ip.ua 35 api.2ip.ua 36 api.2ip.ua -
Suspicious use of SetThreadContext 5 IoCs
description pid Process procid_target PID 2892 set thread context of 2648 2892 5429.exe 34 PID 2384 set thread context of 1956 2384 5429.exe 39 PID 1616 set thread context of 2344 1616 build2.exe 43 PID 1804 set thread context of 1576 1804 build3.exe 44 PID 1836 set thread context of 1424 1836 mstsca.exe 52 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 2408 2344 WerFault.exe 43 -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 1b9cb6ae126f7fb5bbbb0ffa6a7ec47cfc6eed1de4b091e1ac2443cf037ca90e.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 1b9cb6ae126f7fb5bbbb0ffa6a7ec47cfc6eed1de4b091e1ac2443cf037ca90e.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 1b9cb6ae126f7fb5bbbb0ffa6a7ec47cfc6eed1de4b091e1ac2443cf037ca90e.exe -
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1788 schtasks.exe 3016 schtasks.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 build2.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a build2.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a build2.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2136 1b9cb6ae126f7fb5bbbb0ffa6a7ec47cfc6eed1de4b091e1ac2443cf037ca90e.exe 2136 1b9cb6ae126f7fb5bbbb0ffa6a7ec47cfc6eed1de4b091e1ac2443cf037ca90e.exe 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 2136 1b9cb6ae126f7fb5bbbb0ffa6a7ec47cfc6eed1de4b091e1ac2443cf037ca90e.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeShutdownPrivilege 1208 Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1208 wrote to memory of 2824 1208 Process not Found 30 PID 1208 wrote to memory of 2824 1208 Process not Found 30 PID 1208 wrote to memory of 2824 1208 Process not Found 30 PID 2824 wrote to memory of 1360 2824 cmd.exe 32 PID 2824 wrote to memory of 1360 2824 cmd.exe 32 PID 2824 wrote to memory of 1360 2824 cmd.exe 32 PID 1208 wrote to memory of 2892 1208 Process not Found 33 PID 1208 wrote to memory of 2892 1208 Process not Found 33 PID 1208 wrote to memory of 2892 1208 Process not Found 33 PID 1208 wrote to memory of 2892 1208 Process not Found 33 PID 2892 wrote to memory of 2648 2892 5429.exe 34 PID 2892 wrote to memory of 2648 2892 5429.exe 34 PID 2892 wrote to memory of 2648 2892 5429.exe 34 PID 2892 wrote to memory of 2648 2892 5429.exe 34 PID 2892 wrote to memory of 2648 2892 5429.exe 34 PID 2892 wrote to memory of 2648 2892 5429.exe 34 PID 2892 wrote to memory of 2648 2892 5429.exe 34 PID 2892 wrote to memory of 2648 2892 5429.exe 34 PID 2892 wrote to memory of 2648 2892 5429.exe 34 PID 2892 wrote to memory of 2648 2892 5429.exe 34 PID 2892 wrote to memory of 2648 2892 5429.exe 34 PID 2648 wrote to memory of 2076 2648 5429.exe 37 PID 2648 wrote to memory of 2076 2648 5429.exe 37 PID 2648 wrote to memory of 2076 2648 5429.exe 37 PID 2648 wrote to memory of 2076 2648 5429.exe 37 PID 2648 wrote to memory of 2384 2648 5429.exe 38 PID 2648 wrote to memory of 2384 2648 5429.exe 38 PID 2648 wrote to memory of 2384 2648 5429.exe 38 PID 2648 wrote to memory of 2384 2648 5429.exe 38 PID 2384 wrote to memory of 1956 2384 5429.exe 39 PID 2384 wrote to memory of 1956 2384 5429.exe 39 PID 2384 wrote to memory of 1956 2384 5429.exe 39 PID 2384 wrote to memory of 1956 2384 5429.exe 39 PID 2384 wrote to memory of 1956 2384 5429.exe 39 PID 2384 wrote to memory of 1956 2384 5429.exe 39 PID 2384 wrote to memory of 1956 2384 5429.exe 39 PID 2384 wrote to memory of 1956 2384 5429.exe 39 PID 2384 wrote to memory of 1956 2384 5429.exe 39 PID 2384 wrote to memory of 1956 2384 5429.exe 39 PID 2384 wrote to memory of 1956 2384 5429.exe 39 PID 1956 wrote to memory of 1616 1956 5429.exe 41 PID 1956 wrote to memory of 1616 1956 5429.exe 41 PID 1956 wrote to memory of 1616 1956 5429.exe 41 PID 1956 wrote to memory of 1616 1956 5429.exe 41 PID 1956 wrote to memory of 1804 1956 5429.exe 42 PID 1956 wrote to memory of 1804 1956 5429.exe 42 PID 1956 wrote to memory of 1804 1956 5429.exe 42 PID 1956 wrote to memory of 1804 1956 5429.exe 42 PID 1616 wrote to memory of 2344 1616 build2.exe 43 PID 1616 wrote to memory of 2344 1616 build2.exe 43 PID 1616 wrote to memory of 2344 1616 build2.exe 43 PID 1616 wrote to memory of 2344 1616 build2.exe 43 PID 1616 wrote to memory of 2344 1616 build2.exe 43 PID 1616 wrote to memory of 2344 1616 build2.exe 43 PID 1616 wrote to memory of 2344 1616 build2.exe 43 PID 1616 wrote to memory of 2344 1616 build2.exe 43 PID 1616 wrote to memory of 2344 1616 build2.exe 43 PID 1616 wrote to memory of 2344 1616 build2.exe 43 PID 1616 wrote to memory of 2344 1616 build2.exe 43 PID 1804 wrote to memory of 1576 1804 build3.exe 44 PID 1804 wrote to memory of 1576 1804 build3.exe 44 PID 1804 wrote to memory of 1576 1804 build3.exe 44 PID 1804 wrote to memory of 1576 1804 build3.exe 44 PID 1804 wrote to memory of 1576 1804 build3.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\1b9cb6ae126f7fb5bbbb0ffa6a7ec47cfc6eed1de4b091e1ac2443cf037ca90e.exe"C:\Users\Admin\AppData\Local\Temp\1b9cb6ae126f7fb5bbbb0ffa6a7ec47cfc6eed1de4b091e1ac2443cf037ca90e.exe"1⤵
- DcRat
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2136
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\32D3.bat" "1⤵
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 12⤵PID:1360
-
-
C:\Users\Admin\AppData\Local\Temp\5429.exeC:\Users\Admin\AppData\Local\Temp\5429.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Users\Admin\AppData\Local\Temp\5429.exeC:\Users\Admin\AppData\Local\Temp\5429.exe2⤵
- DcRat
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\ec563fd8-b598-4da5-b8f8-3eacad193e6b" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
PID:2076
-
-
C:\Users\Admin\AppData\Local\Temp\5429.exe"C:\Users\Admin\AppData\Local\Temp\5429.exe" --Admin IsNotAutoStart IsNotTask3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Users\Admin\AppData\Local\Temp\5429.exe"C:\Users\Admin\AppData\Local\Temp\5429.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1956 -
C:\Users\Admin\AppData\Local\9d8d885d-6f8b-41be-8a87-7272248e5d85\build2.exe"C:\Users\Admin\AppData\Local\9d8d885d-6f8b-41be-8a87-7272248e5d85\build2.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1616 -
C:\Users\Admin\AppData\Local\9d8d885d-6f8b-41be-8a87-7272248e5d85\build2.exe"C:\Users\Admin\AppData\Local\9d8d885d-6f8b-41be-8a87-7272248e5d85\build2.exe"6⤵
- Executes dropped EXE
- Modifies system certificate store
PID:2344 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 14687⤵
- Loads dropped DLL
- Program crash
PID:2408
-
-
-
-
C:\Users\Admin\AppData\Local\9d8d885d-6f8b-41be-8a87-7272248e5d85\build3.exe"C:\Users\Admin\AppData\Local\9d8d885d-6f8b-41be-8a87-7272248e5d85\build3.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1804 -
C:\Users\Admin\AppData\Local\9d8d885d-6f8b-41be-8a87-7272248e5d85\build3.exe"C:\Users\Admin\AppData\Local\9d8d885d-6f8b-41be-8a87-7272248e5d85\build3.exe"6⤵
- Executes dropped EXE
PID:1576 -
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"7⤵
- DcRat
- Creates scheduled task(s)
PID:3016
-
-
-
-
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {8C5FF458-025A-440D-A792-94536AED20DC} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]1⤵PID:1680
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1836 -
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
- Executes dropped EXE
PID:1424 -
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"4⤵
- DcRat
- Creates scheduled task(s)
PID:1788
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\DCBA.exeC:\Users\Admin\AppData\Local\Temp\DCBA.exe1⤵
- Executes dropped EXE
PID:440
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\E1DA.bat" "1⤵PID:1856
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 12⤵PID:1992
-
-
C:\Users\Admin\AppData\Local\Temp\1318.exeC:\Users\Admin\AppData\Local\Temp\1318.exe1⤵PID:2276
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Defense Evasion
File and Directory Permissions Modification
1Modify Registry
2Subvert Trust Controls
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize1KB
MD57e8f359f842f63d4f8e11b673e763622
SHA1a7865040b538d6aaa80bc37e89372c61b7427be8
SHA256f04843e27ab3a622e565eea01945462567d713146b1cbca62c89d2495e924450
SHA512f417bf439068b5205190c6ca559d14b0aa4a19af87530fc4e46eda587f80281cb8e567bf6caaa74b02f29f1247afec461eebf2ce1e6a079f675d1f304c9b1fd4
-
Filesize
67KB
MD5753df6889fd7410a2e9fe333da83a429
SHA13c425f16e8267186061dd48ac1c77c122962456e
SHA256b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA5129d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize724B
MD58202a1cd02e7d69597995cabbe881a12
SHA18858d9d934b7aa9330ee73de6c476acf19929ff6
SHA25658f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA51297ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize410B
MD589448e497b47ab299d1443b597793cdc
SHA1dce7847680f538bf7998550b8d62c01085d052f9
SHA256a6e60ad9c5a08fe2d84a51f14f2d090d9896ec0f2d351ac6607ed730bab36890
SHA512f70f9d69ff3c5617f12fcfc95825f2088e48bd067ed2416b0eb788fb65f3b96231c6763d82fd6d70ecaef1a3229319d06cecd65678d0fd1f95b2abd9f1423191
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD554fcc88719bd16dd01b6f728162c598e
SHA1b7b18ee4df2c5f059a160396431953166f4b9d5e
SHA2567d98dced4a198056905ff491ff2ead9fc20d382f27bfa34417f6176230e9694f
SHA5129eb3f1c397db85f8873f4194918ea6292be3a5daed218f911a10ac994ef8f4360e60c417e4ba9c230d59a1b24894f752738d40a6fb127335b03cf47d821874bc
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize392B
MD52c0b5c750e841aad9332e8c14bad9d4a
SHA150b504c86dbc47a06ccdcb155d3bafa70e65b091
SHA2568786c222ffffb5a5b216c445c5cc0934d9fbe9d53d088fa66b88ff18fc137ff8
SHA512eec8afe69c1774965d7b789cf74f2fed9c63cbe2b9b23a48e940646f29db40f38d6a90d08f4ed4d6efa5e90519c11a1826a135b8e45acd6aaaaa354a9c4886ec
-
Filesize
219KB
MD5d37b17fc3b9162060a60cd9c9f5f7e2c
SHA15bcd761db5662cebdb06f372d8cb731a9b98d1c5
SHA25636826a94f7aabd1f0d71abc6850e64a499768bd30cab361e8724d546e495e35f
SHA51204b0fcc597afba17b8be46eacee58c7e8d38c7efa9247ab5b3cbf1ae3ed8dc2e6e909b7dab28b2a41f08fb37e950abb6ca97553adf0e20335c6864d942bef6ea
-
Filesize
299KB
MD541b883a061c95e9b9cb17d4ca50de770
SHA11daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319
-
Filesize
77B
MD555cc761bf3429324e5a0095cab002113
SHA12cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA51233f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155
-
Filesize
696KB
MD534fde9d03541c0ed5419a5f836e484c6
SHA106b08899348a41347284ca56cefd02783a2e4e90
SHA256419b2e437adbe8a00d794e190d387ce91a24243227418c33b5a556adcda46bd1
SHA512880c0a3f1b47aeac1b96f6e775e693921803dfcf5fb99352ec92f7cc9d89e1a05cdb01408e7de6580818c2431df022ba953b555711a7e5e4de85de01113a1488
-
Filesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
Filesize
6.5MB
MD59e52aa572f0afc888c098db4c0f687ff
SHA1ef7c2bb222e69ad0e10c8686eb03dcbee7933c2b
SHA2564a40f9d491f09521f4b0c6076a0eb488f6d8e1cf4b67aa6569c2ccce13556443
SHA512d0991e682ae8c954721e905753b56c01f91b85313beb9996331793c3efa8acc13d574ef5ba44853ecc3e05822931ed655bad1924fa11b774a43e015f42185f62
-
Filesize
171KB
MD59c0c641c06238516f27941aa1166d427
SHA164cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA2564276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06
-
Filesize
175KB
MD5dd73cead4b93366cf3465c8cd32e2796
SHA174546226dfe9ceb8184651e920d1dbfb432b314e
SHA256a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
SHA512ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63
-
Filesize
576KB
MD59bae76361c0ac7402418f89e141502a7
SHA1dde58fea1bb0c67f6ac7b79df84215c768862981
SHA2561397728a05b9834b1cd907acb926fa13c82d1b8e51a6dd5438008c39dbe3a511
SHA5120b9e1ce7f898cf236b1dcfa64ad8c028633074647f393316df5723efd42c7122a77143ed8c901132b7bd2fa1c0d61941b6df03f9d7ad247506d8125ce931fce0