Malware Analysis Report

2025-01-02 11:06

Sample ID 240315-cp7kfagb77
Target 6ba1032624069a6bd1ff582c5e83832976fb693dd8814c4ac14e94dbbdf4c00d.exe
SHA256 6ba1032624069a6bd1ff582c5e83832976fb693dd8814c4ac14e94dbbdf4c00d
Tags
dcrat djvu smokeloader vidar 82df9629d6ef6fc7fe54d6eb2bc6137b pub1 backdoor discovery infostealer persistence ransomware rat stealer trojan lumma
score
10/10

Analysis Overview

Threat Level: Known bad

The file 6ba1032624069a6bd1ff582c5e83832976fb693dd8814c4ac14e94dbbdf4c00d.exe was found to be: Known bad.

Malicious Activity Summary

Lumma Stealer

SmokeLoader

Detect Vidar Stealer

DcRat

Detected Djvu ransomware

Djvu Ransomware

Vidar

Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

Downloads MZ/PE file

Checks computer location settings

Deletes itself

Modifies file permissions

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Program crash

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Uses Task Scheduler COM API

Modifies system certificate store

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Suspicious use of UnmapMainImage

Analysis: static1

Detonation Overview

Reported

2024-03-15 02:16

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-15 02:16

Reported

2024-03-15 02:18

Platform

win7-20240221-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6ba1032624069a6bd1ff582c5e83832976fb693dd8814c4ac14e94dbbdf4c00d.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\6ba1032624069a6bd1ff582c5e83832976fb693dd8814c4ac14e94dbbdf4c00d.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\5a5b38f7-954c-4d9e-8920-5516a63c98de\\F5E4.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\F5E4.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

Description Indicator Process Target
N/A N/A N/A N/A

Downloads MZ/PE file

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\5a5b38f7-954c-4d9e-8920-5516a63c98de\\F5E4.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\F5E4.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\6ba1032624069a6bd1ff582c5e83832976fb693dd8814c4ac14e94dbbdf4c00d.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\6ba1032624069a6bd1ff582c5e83832976fb693dd8814c4ac14e94dbbdf4c00d.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\6ba1032624069a6bd1ff582c5e83832976fb693dd8814c4ac14e94dbbdf4c00d.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [binary blob value omitted] C:\Users\Admin\AppData\Local\86b3df89-5fbe-4770-8f81-474bbe253ab6\build2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\86b3df89-5fbe-4770-8f81-474bbe253ab6\build2.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ba1032624069a6bd1ff582c5e83832976fb693dd8814c4ac14e94dbbdf4c00d.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ba1032624069a6bd1ff582c5e83832976fb693dd8814c4ac14e94dbbdf4c00d.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1368 wrote to memory of 2816 N/A N/A C:\Windows\system32\cmd.exe
PID 2816 wrote to memory of 2428 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1368 wrote to memory of 2420 N/A N/A C:\Users\Admin\AppData\Local\Temp\F5E4.exe
PID 2420 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\F5E4.exe C:\Users\Admin\AppData\Local\Temp\F5E4.exe
PID 656 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\F5E4.exe C:\Windows\SysWOW64\icacls.exe
PID 656 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\F5E4.exe C:\Users\Admin\AppData\Local\Temp\F5E4.exe
PID 2696 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\F5E4.exe C:\Users\Admin\AppData\Local\Temp\F5E4.exe
PID 1824 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\F5E4.exe C:\Users\Admin\AppData\Local\86b3df89-5fbe-4770-8f81-474bbe253ab6\build2.exe
PID 1824 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\F5E4.exe C:\Users\Admin\AppData\Local\86b3df89-5fbe-4770-8f81-474bbe253ab6\build3.exe
PID 1832 wrote to memory of 820 N/A C:\Users\Admin\AppData\Local\86b3df89-5fbe-4770-8f81-474bbe253ab6\build2.exe C:\Users\Admin\AppData\Local\86b3df89-5fbe-4770-8f81-474bbe253ab6\build2.exe
PID 920 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\86b3df89-5fbe-4770-8f81-474bbe253ab6\build3.exe C:\Users\Admin\AppData\Local\86b3df89-5fbe-4770-8f81-474bbe253ab6\build3.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\6ba1032624069a6bd1ff582c5e83832976fb693dd8814c4ac14e94dbbdf4c00d.exe

"C:\Users\Admin\AppData\Local\Temp\6ba1032624069a6bd1ff582c5e83832976fb693dd8814c4ac14e94dbbdf4c00d.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\B819.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\F5E4.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\5a5b38f7-954c-4d9e-8920-5516a63c98de" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\F5E4.exe

"C:\Users\Admin\AppData\Local\Temp\F5E4.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\86b3df89-5fbe-4770-8f81-474bbe253ab6\build2.exe

"C:\Users\Admin\AppData\Local\86b3df89-5fbe-4770-8f81-474bbe253ab6\build2.exe"

C:\Users\Admin\AppData\Local\86b3df89-5fbe-4770-8f81-474bbe253ab6\build3.exe

"C:\Users\Admin\AppData\Local\86b3df89-5fbe-4770-8f81-474bbe253ab6\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 1404

C:\Windows\system32\taskeng.exe

taskeng.exe {AFE209C2-12AC-4EA0-B7A5-C106DB9539E5} S-1-5-21-1650401615-1019878084-3673944445-1000:UADPPTXT\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 trad-einmyus.com udp
RU 81.94.159.197:80 trad-einmyus.com tcp
US 8.8.8.8:53 sdfjhuz.com udp
ET 196.188.169.138:80 sdfjhuz.com tcp
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 sportessentia.home.pl udp
PL 79.96.138.166:443 sportessentia.home.pl tcp
US 8.8.8.8:53 m2reg.ulm.ac.id udp
ID 103.23.232.80:80 m2reg.ulm.ac.id tcp
US 8.8.8.8:53 sajdfue.com udp
EG 41.32.42.19:80 sajdfue.com tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 23.214.154.77:443 steamcommunity.com tcp
DE 5.75.208.156:80 5.75.208.156 tcp

Files

C:\Users\Admin\AppData\Local\Temp\B819.bat

MD5 55cc761bf3429324e5a0095cab002113
SHA1 2cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256 d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA512 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

C:\Users\Admin\AppData\Local\Temp\F5E4.exe

MD5 ae597691370226cc4354b9897415b115
SHA1 3e89b4b1d81cdae205ac96f151bf3dc0fe3337ae
SHA256 10f5ba78f4d86b82127e167fee1ea0e6b26dd087ecfe933bda24e5d2685ad675
SHA512 f2db423695272ea3519d6329965baf4f0eee6dda62820406ecafcc13385380cb6279c097a8a610163835a181f845ccac7982c7f867b90abc5b553968b3ac7f24

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 3f6ece852c186da38d203df65b16d8d6
SHA1 560158c33ec4031195cd214a05861c3886f5293d
SHA256 9e2ae1b4d9a98804eecaad8491019c233cbe380704c96fa4de1e207bbd2e6ebd
SHA512 1ff9bd79f4ba8882cec21eb286500d5621beb55be3922ebec34ad1d445f35b52b140217ad17a1f1dd7dc0c2050f2e74156a74fee29799831eb47781c74bb8875

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 d67fa48cf6cf5f1818b732ea24db1d6e
SHA1 44858909775b98c384307149a53b231f084427f6
SHA256 1dd5acc0e95a7e0a6eea0ce7e4ab2665c928db84a241f4006a06791343b84d27
SHA512 c89132c4ac4a3e34e37ba33d98347af7c6a0394eceafb043cfd99e5d41d68575287cc537831a3f42924c975f7716aa0c531c6f619fac2df1c17daca658b926a6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 1b2cc69b58ffb48503fae0694b72341b
SHA1 3cafcc4e352d5bf5e3df6fb0ae30a142d89d451f
SHA256 be5d879e32070eb45951477c7987cda229b255697127f42136c9798db15c47b9
SHA512 0bb2401007687ba59df4bdc9ebc31093c77a7af29bfa10b4f694fb5be9c37b61ecf5be4f2d589a14878039f10c59aae9a27faf53afca06aa97d6885efd637b1f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e798c78e4b22a8e89705f177f38bfd00
SHA1 443d2c875bbf0943b62c5676174c0827ca323f08
SHA256 7d04623ffda903b6119c690739d14ec9da226ba7fe579b6d63e7987dbd89d8f4
SHA512 adaa412d3f99944f7719bc085e1963a8eefd2d1ea8c5b4fee4bffffb2e61e78282514844d917f5955631e87bc303588635f6c30bb21d9b7ff5382d7fb436d81b

C:\Users\Admin\AppData\Local\Temp\Cab3CB2.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

\Users\Admin\AppData\Local\86b3df89-5fbe-4770-8f81-474bbe253ab6\build2.exe

MD5 47704f454af8641dac1af2e2768d7881
SHA1 e3341bfdec84f69684aecde18cab2864519c7728
SHA256 a6a9375dd6e3b285bc6d65536a151a47dd136aced8180492f5ed6a391edf0d64
SHA512 9aea598ee30342a88fedf5eca2b104e8c5587cd284bd43229581b04497c60e6a71e5392a171a5dfbe88a2e41269434922e21c3f7f9682e2ea10b27b104606b25

\Users\Admin\AppData\Local\86b3df89-5fbe-4770-8f81-474bbe253ab6\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

C:\Users\Admin\AppData\Local\86b3df89-5fbe-4770-8f81-474bbe253ab6\build3.exe

MD5 164bc11a628ff1722c833c8e2642aca5
SHA1 56d2d17695a85b876b736933a7f1cd5cf2acfdb1
SHA256 e76e2fa66070991fff3747fd12185ec795651b8506f290a3f1214b0eab40d330
SHA512 099d1715e47a2c4ea346b432f186ffb6fcd94f9ec6b28ffcf5047a57b686a0135e765db75150ac14420cb9285fb02c8d390751b239a2a9446219da587a89ce9b

C:\Users\Admin\AppData\Local\86b3df89-5fbe-4770-8f81-474bbe253ab6\build2.exe

MD5 655cd807183392b107f831754616a54c
SHA1 0505ab7dca7e41dacefdc67ac1af24008051f442
SHA256 35bf48466aa4a9e7b3a3027463921ab4afafecab1b579778f3c0f3a9e25fab27
SHA512 59e87d65d07ceea6f6b13a8a9e6866a46f1510b5dccf86db8a98946add20e62e9525fb41038834733f1eede6d7ab83cbd436e6b36cb49cef00c73ed5b280563a

C:\Users\Admin\AppData\Local\Temp\TarC40B.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 753df6889fd7410a2e9fe333da83a429
SHA1 3c425f16e8267186061dd48ac1c77c122962456e
SHA256 b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA512 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

C:\Users\Admin\AppData\Local\Temp\TarC604.tmp

MD5 dd73cead4b93366cf3465c8cd32e2796
SHA1 74546226dfe9ceb8184651e920d1dbfb432b314e
SHA256 a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
SHA512 ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-15 02:16

Reported

2024-03-15 02:19

Platform

win10v2004-20240226-en

Max time kernel

159s

Max time network

167s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6ba1032624069a6bd1ff582c5e83832976fb693dd8814c4ac14e94dbbdf4c00d.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Lumma Stealer

stealer lumma

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\342B.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\6603f3b2-eac9-4e8b-982a-7b086e8439f3\\342B.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\342B.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2672 set thread context of 3620 N/A C:\Users\Admin\AppData\Local\Temp\342B.exe C:\Users\Admin\AppData\Local\Temp\342B.exe
PID 2976 set thread context of 4016 N/A C:\Users\Admin\AppData\Local\Temp\4FF2.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3324 set thread context of 4968 N/A C:\Users\Admin\AppData\Local\Temp\342B.exe C:\Users\Admin\AppData\Local\Temp\342B.exe

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\6ba1032624069a6bd1ff582c5e83832976fb693dd8814c4ac14e94dbbdf4c00d.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\6ba1032624069a6bd1ff582c5e83832976fb693dd8814c4ac14e94dbbdf4c00d.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\6ba1032624069a6bd1ff582c5e83832976fb693dd8814c4ac14e94dbbdf4c00d.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ba1032624069a6bd1ff582c5e83832976fb693dd8814c4ac14e94dbbdf4c00d.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ba1032624069a6bd1ff582c5e83832976fb693dd8814c4ac14e94dbbdf4c00d.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3552 wrote to memory of 1400 N/A N/A C:\Windows\system32\cmd.exe
PID 1400 wrote to memory of 2004 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3552 wrote to memory of 2672 N/A N/A C:\Users\Admin\AppData\Local\Temp\342B.exe
PID 2672 wrote to memory of 3620 N/A C:\Users\Admin\AppData\Local\Temp\342B.exe C:\Users\Admin\AppData\Local\Temp\342B.exe
PID 3552 wrote to memory of 2976 N/A N/A C:\Users\Admin\AppData\Local\Temp\4FF2.exe
PID 2976 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\4FF2.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2976 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\4FF2.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3620 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\342B.exe C:\Windows\SysWOW64\icacls.exe
PID 3620 wrote to memory of 3324 N/A C:\Users\Admin\AppData\Local\Temp\342B.exe C:\Users\Admin\AppData\Local\Temp\342B.exe
PID 3324 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\342B.exe C:\Users\Admin\AppData\Local\Temp\342B.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\6ba1032624069a6bd1ff582c5e83832976fb693dd8814c4ac14e94dbbdf4c00d.exe

"C:\Users\Admin\AppData\Local\Temp\6ba1032624069a6bd1ff582c5e83832976fb693dd8814c4ac14e94dbbdf4c00d.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\11ED.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\342B.exe

C:\Users\Admin\AppData\Local\Temp\342B.exe

C:\Users\Admin\AppData\Local\Temp\342B.exe

C:\Users\Admin\AppData\Local\Temp\342B.exe

C:\Users\Admin\AppData\Local\Temp\4FF2.exe

C:\Users\Admin\AppData\Local\Temp\4FF2.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\6603f3b2-eac9-4e8b-982a-7b086e8439f3" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\342B.exe

"C:\Users\Admin\AppData\Local\Temp\342B.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\342B.exe

"C:\Users\Admin\AppData\Local\Temp\342B.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4968 -ip 4968

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 568

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4016 -ip 4016

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4016 -s 1256

Network


Files
