Analysis Overview
SHA256
8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d
Threat Level: Known bad
The file 8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d was found to be: Known bad.
Malicious Activity Summary
DcRat
Detected Djvu ransomware
SmokeLoader
Lumma Stealer
Vidar
Detect Vidar Stealer
Djvu Ransomware
Downloads MZ/PE file
Executes dropped EXE
Deletes itself
Modifies file permissions
Checks computer location settings
Loads dropped DLL
Adds Run key to start application
Looks up external IP address via web service
Suspicious use of SetThreadContext
Unsigned PE
Program crash
Enumerates physical storage devices
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Modifies system certificate store
Creates scheduled task(s)
Suspicious use of UnmapMainImage
Checks SCSI registry key(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-13 00:22
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-13 00:22
Reported
2024-03-13 00:25
Platform
win7-20240221-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
DcRat
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\d9d345e5-742b-4e2a-b72c-7f3ecb9eb526\\144D.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\144D.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
SmokeLoader
Vidar
Downloads MZ/PE file
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\144D.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | N/A | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\d9d345e5-742b-4e2a-b72c-7f3ecb9eb526\\144D.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\144D.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2232 set thread context of 1596 | N/A | C:\Users\Admin\AppData\Local\Temp\144D.exe | C:\Users\Admin\AppData\Local\Temp\144D.exe |
| PID 1796 set thread context of 2768 | N/A | C:\Users\Admin\AppData\Local\Temp\144D.exe | C:\Users\Admin\AppData\Local\Temp\144D.exe |
| PID 360 set thread context of 1864 | N/A | C:\Users\Admin\AppData\Local\bf2668cb-a340-45e2-ae98-6dd876fbb84b\build2.exe | C:\Users\Admin\AppData\Local\bf2668cb-a340-45e2-ae98-6dd876fbb84b\build2.exe |
| PID 2516 set thread context of 2008 | N/A | C:\Users\Admin\AppData\Local\bf2668cb-a340-45e2-ae98-6dd876fbb84b\build3.exe | C:\Users\Admin\AppData\Local\bf2668cb-a340-45e2-ae98-6dd876fbb84b\build3.exe |
| PID 2716 set thread context of 3060 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe |
| PID 1236 set thread context of 360 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\bf2668cb-a340-45e2-ae98-6dd876fbb84b\build2.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\512.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\bf2668cb-a340-45e2-ae98-6dd876fbb84b\build2.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (certificate blob omitted) | C:\Users\Admin\AppData\Local\bf2668cb-a340-45e2-ae98-6dd876fbb84b\build2.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe | "C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe" |
| C:\Windows\system32\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\A3AF.bat" " |
| C:\Windows\system32\reg.exe | reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1 |
| C:\Users\Admin\AppData\Local\Temp\144D.exe | C:\Users\Admin\AppData\Local\Temp\144D.exe |
| C:\Users\Admin\AppData\Local\Temp\144D.exe | C:\Users\Admin\AppData\Local\Temp\144D.exe |
| C:\Windows\SysWOW64\icacls.exe | icacls "C:\Users\Admin\AppData\Local\d9d345e5-742b-4e2a-b72c-7f3ecb9eb526" /deny *S-1-1-0:(OI)(CI)(DE,DC) |
| C:\Users\Admin\AppData\Local\Temp\144D.exe | "C:\Users\Admin\AppData\Local\Temp\144D.exe" --Admin IsNotAutoStart IsNotTask |
| C:\Users\Admin\AppData\Local\Temp\144D.exe | "C:\Users\Admin\AppData\Local\Temp\144D.exe" --Admin IsNotAutoStart IsNotTask |
| C:\Users\Admin\AppData\Local\bf2668cb-a340-45e2-ae98-6dd876fbb84b\build2.exe | "C:\Users\Admin\AppData\Local\bf2668cb-a340-45e2-ae98-6dd876fbb84b\build2.exe" |
| C:\Users\Admin\AppData\Local\bf2668cb-a340-45e2-ae98-6dd876fbb84b\build2.exe | "C:\Users\Admin\AppData\Local\bf2668cb-a340-45e2-ae98-6dd876fbb84b\build2.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1864 -s 1420 |
| C:\Users\Admin\AppData\Local\bf2668cb-a340-45e2-ae98-6dd876fbb84b\build3.exe | "C:\Users\Admin\AppData\Local\bf2668cb-a340-45e2-ae98-6dd876fbb84b\build3.exe" |
| C:\Users\Admin\AppData\Local\bf2668cb-a340-45e2-ae98-6dd876fbb84b\build3.exe | "C:\Users\Admin\AppData\Local\bf2668cb-a340-45e2-ae98-6dd876fbb84b\build3.exe" |
| C:\Windows\SysWOW64\schtasks.exe | /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe" |
| C:\Windows\system32\taskeng.exe | taskeng.exe {E7A2A9B4-5FD5-4B12-9B20-BF3E392B84C9} S-1-5-21-1298544033-3225604241-2703760938-1000:IZKCKOTP\Admin:Interactive:[1] |
| C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe |
| C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe |
| C:\Windows\SysWOW64\schtasks.exe | /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe" |
| C:\Users\Admin\AppData\Local\Temp\512.exe | C:\Users\Admin\AppData\Local\Temp\512.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2296 -s 124 |
| C:\Windows\system32\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\2040.bat" " |
| C:\Windows\system32\reg.exe | reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1 |
| C:\Users\Admin\AppData\Local\Temp\42CE.exe | C:\Users\Admin\AppData\Local\Temp\42CE.exe |
| C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe |
| C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe |
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-13 00:22
Reported
2024-03-13 00:25
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Lumma Stealer
SmokeLoader
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\DEC8.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DEC8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FAB9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2073.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\5c6d438c-3342-45f2-a815-c18343a64107\\DEC8.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\DEC8.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2956 set thread context of 5052 | N/A | C:\Users\Admin\AppData\Local\Temp\DEC8.exe | C:\Users\Admin\AppData\Local\Temp\DEC8.exe |
| PID 872 set thread context of 5080 | N/A | C:\Users\Admin\AppData\Local\Temp\DEC8.exe | C:\Users\Admin\AppData\Local\Temp\DEC8.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\DEC8.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe
"C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A7D9.bat" "
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\DEC8.exe
C:\Users\Admin\AppData\Local\Temp\DEC8.exe
C:\Users\Admin\AppData\Local\Temp\DEC8.exe
C:\Users\Admin\AppData\Local\Temp\DEC8.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\5c6d438c-3342-45f2-a815-c18343a64107" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\DEC8.exe
"C:\Users\Admin\AppData\Local\Temp\DEC8.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\DEC8.exe
"C:\Users\Admin\AppData\Local\Temp\DEC8.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5080 -ip 5080
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 568
C:\Users\Admin\AppData\Local\Temp\FAB9.exe
C:\Users\Admin\AppData\Local\Temp\FAB9.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3D2.bat" "
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2073.exe
C:\Users\Admin\AppData\Local\Temp\2073.exe
Network
Files