djvu | 15f335fdcf6c1192f71c548697f5332d484a09c0b76f825acd6b5b894965ab0f

Analysis

max time kernel
300s
max time network
156s
platform
windows7_x64
resource
win7-20240319-en
resource tags

arch:x64arch:x86image:win7-20240319-enlocale:en-usos:windows7-x64system
submitted
04/04/2024, 22:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

15f335fdcf6c1192f71c548697f5332d484a09c0b76f825acd6b5b894965ab0f.exe
Size

718KB
MD5

2c5d1db545700c74bb9eee8d95b7d7d9
SHA1

6724674c8185c53e7b7472fdef9588c165255ca0
SHA256

15f335fdcf6c1192f71c548697f5332d484a09c0b76f825acd6b5b894965ab0f
SHA512

06693fc38fe5ea9c9c5acea547b2e6d6cc49634f7885087e98a83b0cbb811f0fabca03c77b929d6029d8fb59c186d3c2bc6d469f55d7b463e1f3c11006ee7342
SSDEEP

12288:MVGPDTqIyNOvQvNzUcnftApmqO+jh0sxlqM4USPiJ95lDKuu1aCPHsn6LUY4na:QGINOovbt41jy59Pq5YzaCPwuUZna

Score

10^/10

djvu vidar discovery persistence ransomware stealer

Malware Config

Extracted

Family

djvu

http://sajdfue.com/test1/get.php

Attributes

extension
.uajs
offline_id
Jx0i3k2ogR5cKxX1evmz0Ex7TUxOUlnbh2dvnIt1
payload_url
http://sdfjhuz.com/dl/build2.exe

http://sajdfue.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://wetransfer.com/downloads/df01994dd8d37c2c33469922f8e7155a20240402134014/fd95b0 Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0859PsawqS

rsa_pubkey.plain

Extracted

Family

vidar

https://steamcommunity.com/profiles/76561199662282318

https://t.me/t8jmhl

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 OPR/108.0.0.0

Signatures

Detect Vidar Stealer 5 IoCs

stealer

resource	yara_rule
behavioral1/memory/2192-76-0x0000000000870000-0x00000000008A5000-memory.dmp	family_vidar_v7
behavioral1/memory/2420-77-0x0000000000400000-0x0000000000648000-memory.dmp	family_vidar_v7
behavioral1/memory/2420-72-0x0000000000400000-0x0000000000648000-memory.dmp	family_vidar_v7
behavioral1/memory/2420-78-0x0000000000400000-0x0000000000648000-memory.dmp	family_vidar_v7
behavioral1/memory/2420-257-0x0000000000400000-0x0000000000648000-memory.dmp	family_vidar_v7

Detected Djvu ransomware 14 IoCs

resource	yara_rule
behavioral1/memory/2884-2-0x0000000004540000-0x000000000465B000-memory.dmp	family_djvu
behavioral1/memory/2956-5-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2956-7-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2956-8-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2956-26-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2804-34-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2804-35-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2804-48-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2804-49-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2804-53-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2804-55-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2804-56-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2804-126-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2804-217-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Executes dropped EXE 14 IoCs

pid	Process
2192	build2.exe
2420	build2.exe
1500	build3.exe
2112	build3.exe
2712	mstsca.exe
2808	mstsca.exe
1272	mstsca.exe
2812	mstsca.exe
3052	mstsca.exe
832	mstsca.exe
1620	mstsca.exe
1668	mstsca.exe
2748	mstsca.exe
2252	mstsca.exe

Loads dropped DLL 8 IoCs

pid	Process
2804	15f335fdcf6c1192f71c548697f5332d484a09c0b76f825acd6b5b894965ab0f.exe
2804	15f335fdcf6c1192f71c548697f5332d484a09c0b76f825acd6b5b894965ab0f.exe
2804	15f335fdcf6c1192f71c548697f5332d484a09c0b76f825acd6b5b894965ab0f.exe
2804	15f335fdcf6c1192f71c548697f5332d484a09c0b76f825acd6b5b894965ab0f.exe
2072	WerFault.exe
2072	WerFault.exe
2072	WerFault.exe
2072	WerFault.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2648	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\56a5b068-621f-43ae-8b2c-df1da8bb316f\\15f335fdcf6c1192f71c548697f5332d484a09c0b76f825acd6b5b894965ab0f.exe\" --AutoStart"	15f335fdcf6c1192f71c548697f5332d484a09c0b76f825acd6b5b894965ab0f.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	api.2ip.ua
4	api.2ip.ua
9	api.2ip.ua

Suspicious use of SetThreadContext 9 IoCs

description	pid	Process	procid_target
PID 2884 set thread context of 2956	2884	15f335fdcf6c1192f71c548697f5332d484a09c0b76f825acd6b5b894965ab0f.exe	28
PID 2836 set thread context of 2804	2836	15f335fdcf6c1192f71c548697f5332d484a09c0b76f825acd6b5b894965ab0f.exe	32
PID 2192 set thread context of 2420	2192	build2.exe	34
PID 1500 set thread context of 2112	1500	build3.exe	38
PID 2712 set thread context of 2808	2712	mstsca.exe	45
PID 1272 set thread context of 2812	1272	mstsca.exe	49
PID 3052 set thread context of 832	3052	mstsca.exe	51
PID 1620 set thread context of 1668	1620	mstsca.exe	53
PID 2748 set thread context of 2252	2748	mstsca.exe	55

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2072	2420	WerFault.exe	34

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2188	schtasks.exe
2452	schtasks.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	build2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	build2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	build2.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2956	15f335fdcf6c1192f71c548697f5332d484a09c0b76f825acd6b5b894965ab0f.exe
2804	15f335fdcf6c1192f71c548697f5332d484a09c0b76f825acd6b5b894965ab0f.exe
2804	15f335fdcf6c1192f71c548697f5332d484a09c0b76f825acd6b5b894965ab0f.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2884 wrote to memory of 2956	2884	15f335fdcf6c1192f71c548697f5332d484a09c0b76f825acd6b5b894965ab0f.exe	28
PID 2884 wrote to memory of 2956	2884	15f335fdcf6c1192f71c548697f5332d484a09c0b76f825acd6b5b894965ab0f.exe	28
PID 2884 wrote to memory of 2956	2884	15f335fdcf6c1192f71c548697f5332d484a09c0b76f825acd6b5b894965ab0f.exe	28
PID 2884 wrote to memory of 2956	2884	15f335fdcf6c1192f71c548697f5332d484a09c0b76f825acd6b5b894965ab0f.exe	28
PID 2884 wrote to memory of 2956	2884	15f335fdcf6c1192f71c548697f5332d484a09c0b76f825acd6b5b894965ab0f.exe	28
PID 2884 wrote to memory of 2956	2884	15f335fdcf6c1192f71c548697f5332d484a09c0b76f825acd6b5b894965ab0f.exe	28
PID 2884 wrote to memory of 2956	2884	15f335fdcf6c1192f71c548697f5332d484a09c0b76f825acd6b5b894965ab0f.exe	28
PID 2884 wrote to memory of 2956	2884	15f335fdcf6c1192f71c548697f5332d484a09c0b76f825acd6b5b894965ab0f.exe	28
PID 2884 wrote to memory of 2956	2884	15f335fdcf6c1192f71c548697f5332d484a09c0b76f825acd6b5b894965ab0f.exe	28
PID 2884 wrote to memory of 2956	2884	15f335fdcf6c1192f71c548697f5332d484a09c0b76f825acd6b5b894965ab0f.exe	28
PID 2884 wrote to memory of 2956	2884	15f335fdcf6c1192f71c548697f5332d484a09c0b76f825acd6b5b894965ab0f.exe	28
PID 2956 wrote to memory of 2648	2956	15f335fdcf6c1192f71c548697f5332d484a09c0b76f825acd6b5b894965ab0f.exe	29
PID 2956 wrote to memory of 2648	2956	15f335fdcf6c1192f71c548697f5332d484a09c0b76f825acd6b5b894965ab0f.exe	29
PID 2956 wrote to memory of 2648	2956	15f335fdcf6c1192f71c548697f5332d484a09c0b76f825acd6b5b894965ab0f.exe	29
PID 2956 wrote to memory of 2648	2956	15f335fdcf6c1192f71c548697f5332d484a09c0b76f825acd6b5b894965ab0f.exe	29
PID 2956 wrote to memory of 2836	2956	15f335fdcf6c1192f71c548697f5332d484a09c0b76f825acd6b5b894965ab0f.exe	30
PID 2956 wrote to memory of 2836	2956	15f335fdcf6c1192f71c548697f5332d484a09c0b76f825acd6b5b894965ab0f.exe	30
PID 2956 wrote to memory of 2836	2956	15f335fdcf6c1192f71c548697f5332d484a09c0b76f825acd6b5b894965ab0f.exe	30
PID 2956 wrote to memory of 2836	2956	15f335fdcf6c1192f71c548697f5332d484a09c0b76f825acd6b5b894965ab0f.exe	30
PID 2836 wrote to memory of 2804	2836	15f335fdcf6c1192f71c548697f5332d484a09c0b76f825acd6b5b894965ab0f.exe	32
PID 2836 wrote to memory of 2804	2836	15f335fdcf6c1192f71c548697f5332d484a09c0b76f825acd6b5b894965ab0f.exe	32
PID 2836 wrote to memory of 2804	2836	15f335fdcf6c1192f71c548697f5332d484a09c0b76f825acd6b5b894965ab0f.exe	32
PID 2836 wrote to memory of 2804	2836	15f335fdcf6c1192f71c548697f5332d484a09c0b76f825acd6b5b894965ab0f.exe	32
PID 2836 wrote to memory of 2804	2836	15f335fdcf6c1192f71c548697f5332d484a09c0b76f825acd6b5b894965ab0f.exe	32
PID 2836 wrote to memory of 2804	2836	15f335fdcf6c1192f71c548697f5332d484a09c0b76f825acd6b5b894965ab0f.exe	32
PID 2836 wrote to memory of 2804	2836	15f335fdcf6c1192f71c548697f5332d484a09c0b76f825acd6b5b894965ab0f.exe	32
PID 2836 wrote to memory of 2804	2836	15f335fdcf6c1192f71c548697f5332d484a09c0b76f825acd6b5b894965ab0f.exe	32
PID 2836 wrote to memory of 2804	2836	15f335fdcf6c1192f71c548697f5332d484a09c0b76f825acd6b5b894965ab0f.exe	32
PID 2836 wrote to memory of 2804	2836	15f335fdcf6c1192f71c548697f5332d484a09c0b76f825acd6b5b894965ab0f.exe	32
PID 2836 wrote to memory of 2804	2836	15f335fdcf6c1192f71c548697f5332d484a09c0b76f825acd6b5b894965ab0f.exe	32
PID 2804 wrote to memory of 2192	2804	15f335fdcf6c1192f71c548697f5332d484a09c0b76f825acd6b5b894965ab0f.exe	33
PID 2804 wrote to memory of 2192	2804	15f335fdcf6c1192f71c548697f5332d484a09c0b76f825acd6b5b894965ab0f.exe	33
PID 2804 wrote to memory of 2192	2804	15f335fdcf6c1192f71c548697f5332d484a09c0b76f825acd6b5b894965ab0f.exe	33
PID 2804 wrote to memory of 2192	2804	15f335fdcf6c1192f71c548697f5332d484a09c0b76f825acd6b5b894965ab0f.exe	33
PID 2192 wrote to memory of 2420	2192	build2.exe	34
PID 2192 wrote to memory of 2420	2192	build2.exe	34
PID 2192 wrote to memory of 2420	2192	build2.exe	34
PID 2192 wrote to memory of 2420	2192	build2.exe	34
PID 2192 wrote to memory of 2420	2192	build2.exe	34
PID 2192 wrote to memory of 2420	2192	build2.exe	34
PID 2192 wrote to memory of 2420	2192	build2.exe	34
PID 2192 wrote to memory of 2420	2192	build2.exe	34
PID 2192 wrote to memory of 2420	2192	build2.exe	34
PID 2192 wrote to memory of 2420	2192	build2.exe	34
PID 2192 wrote to memory of 2420	2192	build2.exe	34
PID 2804 wrote to memory of 1500	2804	15f335fdcf6c1192f71c548697f5332d484a09c0b76f825acd6b5b894965ab0f.exe	35
PID 2804 wrote to memory of 1500	2804	15f335fdcf6c1192f71c548697f5332d484a09c0b76f825acd6b5b894965ab0f.exe	35
PID 2804 wrote to memory of 1500	2804	15f335fdcf6c1192f71c548697f5332d484a09c0b76f825acd6b5b894965ab0f.exe	35
PID 2804 wrote to memory of 1500	2804	15f335fdcf6c1192f71c548697f5332d484a09c0b76f825acd6b5b894965ab0f.exe	35
PID 2420 wrote to memory of 2072	2420	build2.exe	37
PID 2420 wrote to memory of 2072	2420	build2.exe	37
PID 2420 wrote to memory of 2072	2420	build2.exe	37
PID 2420 wrote to memory of 2072	2420	build2.exe	37
PID 1500 wrote to memory of 2112	1500	build3.exe	38
PID 1500 wrote to memory of 2112	1500	build3.exe	38
PID 1500 wrote to memory of 2112	1500	build3.exe	38
PID 1500 wrote to memory of 2112	1500	build3.exe	38
PID 1500 wrote to memory of 2112	1500	build3.exe	38
PID 1500 wrote to memory of 2112	1500	build3.exe	38
PID 1500 wrote to memory of 2112	1500	build3.exe	38
PID 1500 wrote to memory of 2112	1500	build3.exe	38
PID 1500 wrote to memory of 2112	1500	build3.exe	38
PID 1500 wrote to memory of 2112	1500	build3.exe	38
PID 2112 wrote to memory of 2188	2112	build3.exe	39

C:\Users\Admin\AppData\Local\Temp\15f335fdcf6c1192f71c548697f5332d484a09c0b76f825acd6b5b894965ab0f.exe
"C:\Users\Admin\AppData\Local\Temp\15f335fdcf6c1192f71c548697f5332d484a09c0b76f825acd6b5b894965ab0f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Users\Admin\AppData\Local\Temp\15f335fdcf6c1192f71c548697f5332d484a09c0b76f825acd6b5b894965ab0f.exe
  "C:\Users\Admin\AppData\Local\Temp\15f335fdcf6c1192f71c548697f5332d484a09c0b76f825acd6b5b894965ab0f.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2956
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\56a5b068-621f-43ae-8b2c-df1da8bb316f" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:2648
- - C:\Users\Admin\AppData\Local\Temp\15f335fdcf6c1192f71c548697f5332d484a09c0b76f825acd6b5b894965ab0f.exe
    "C:\Users\Admin\AppData\Local\Temp\15f335fdcf6c1192f71c548697f5332d484a09c0b76f825acd6b5b894965ab0f.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\Users\Admin\AppData\Local\Temp\15f335fdcf6c1192f71c548697f5332d484a09c0b76f825acd6b5b894965ab0f.exe
      "C:\Users\Admin\AppData\Local\Temp\15f335fdcf6c1192f71c548697f5332d484a09c0b76f825acd6b5b894965ab0f.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2804
    - - C:\Users\Admin\AppData\Local\ac90d2f6-01fe-4d95-a095-a545e69f9437\build2.exe
        
        "C:\Users\Admin\AppData\Local\ac90d2f6-01fe-4d95-a095-a545e69f9437\build2.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2192
      - C:\Users\Admin\AppData\Local\ac90d2f6-01fe-4d95-a095-a545e69f9437\build2.exe
        
        "C:\Users\Admin\AppData\Local\ac90d2f6-01fe-4d95-a095-a545e69f9437\build2.exe"
        6⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious use of WriteProcessMemory
        
        PID:2420
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2420 -s 1456
        7⤵
        Loads dropped DLL
        Program crash
        
        PID:2072
    - - C:\Users\Admin\AppData\Local\ac90d2f6-01fe-4d95-a095-a545e69f9437\build3.exe
        
        "C:\Users\Admin\AppData\Local\ac90d2f6-01fe-4d95-a095-a545e69f9437\build3.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1500
      - C:\Users\Admin\AppData\Local\ac90d2f6-01fe-4d95-a095-a545e69f9437\build3.exe
        
        "C:\Users\Admin\AppData\Local\ac90d2f6-01fe-4d95-a095-a545e69f9437\build3.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2112
        
        C:\Windows\SysWOW64\schtasks.exe
        
        /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
        7⤵
        Creates scheduled task(s)
        
        PID:2188

C:\Windows\system32\taskeng.exe
taskeng.exe {B34E4711-B0B9-4B8C-95C7-D498288C2F91} S-1-5-21-2610426812-2871295383-373749122-1000:UEITMFAB\Admin:Interactive:[1]
1⤵
PID:2692
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2712
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    - Executes dropped EXE
    PID:2808
  - - C:\Windows\SysWOW64\schtasks.exe
      /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
      4⤵
      Creates scheduled task(s)
      PID:2452
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1272
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    - Executes dropped EXE
    PID:2812
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:3052
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    - Executes dropped EXE
    PID:832
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1620
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    - Executes dropped EXE
    PID:1668
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2748
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    - Executes dropped EXE
    PID:2252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
3ec812af46b0f111e99b54b129eb94f9

SHA1
103c4720315078aadb6d63111eec900a8652fc9c

SHA256
64d459714f98144b7a04079efbd965519d8b0bd3ed0021832e3683e79bcd41c6

SHA512
1fc8bac653f8f2daaa92014daa05a31cc02abac666c485318b76b379c53f47ddb79ee3495697716a1838b85766b5d71138bc6438844c661792064c22a68b2abc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
b7d77de1215555884b649458ee187990

SHA1
62ad9007dede0af26aba70616747941bc2d1dd7f

SHA256
f08319e92fb1c0ecf67036e751abd0f774f36d3e1c7fb7a879ffa6ed138f6e2c

SHA512
4fd7c284f8f9949d847cb81e663f43e6da547946a7638b3fb7afbfabeb31ff8caffef3d775dc9778d966fa81e6fd520c1fb3afc2fcee73bb395ef678f5030337

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4782c1961beceb9b4dd1cbfc1ade4c53

SHA1
55eedf84656581a5865f00766e7cf05612bc7787

SHA256
eb87a7e1783ae5d8bb14ec4059fa01c75fb72c39163e7a5516acaff09296e3c0

SHA512
6614558b0caed8626c1c17ea5508f9b8dff430896ae4e8d980e40a17ac7bf62605b9be5b2acd961d24df5eab2e42939c4e9cb4520c7ed7351442cb951e1dc72d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cbc73bb730a61d75cd129dcad9d6b25c

SHA1
a1deadbdd67f3ee686ac48084a018b8b91c7aca7

SHA256
16d98eb167c536a0c9f56d8fcea13f13d4cce2f7596b3bd9fefed308071bc41d

SHA512
737de425374d0804bb1759ddda6c2efe88791cc6f335d6b86a659f99f6c80e65eadb62ad64305bfacf143b782b477605c5beace95d445c16347286ac0b5fa02b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
926b3669e8ff3cf9e2a64a2a975198cd

SHA1
bda643a79df654e903acc8c33183a6bd9f2c59b5

SHA256
e3b3445e5541001445ecf3bfdbd1b8506161b587ff6ead723043138f06cdf081

SHA512
6722d4aa33e3b1ce9133d20b7a92e811afc7a0994b334f5bc2893871c63b7f511d9ddd69fbef253e4925f16acabd0d41089471b68317965bb43125a72324da02

Download Submit
C:\Users\Admin\AppData\Local\56a5b068-621f-43ae-8b2c-df1da8bb316f\15f335fdcf6c1192f71c548697f5332d484a09c0b76f825acd6b5b894965ab0f.exe

Filesize
718KB

MD5
2c5d1db545700c74bb9eee8d95b7d7d9

SHA1
6724674c8185c53e7b7472fdef9588c165255ca0

SHA256
15f335fdcf6c1192f71c548697f5332d484a09c0b76f825acd6b5b894965ab0f

SHA512
06693fc38fe5ea9c9c5acea547b2e6d6cc49634f7885087e98a83b0cbb811f0fabca03c77b929d6029d8fb59c186d3c2bc6d469f55d7b463e1f3c11006ee7342

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3EE4.tmp

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4C9B.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4E27.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\ac90d2f6-01fe-4d95-a095-a545e69f9437\build3.exe

Filesize
299KB

MD5
41b883a061c95e9b9cb17d4ca50de770

SHA1
1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad

SHA256
fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408

SHA512
cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

Download Submit
\Users\Admin\AppData\Local\ac90d2f6-01fe-4d95-a095-a545e69f9437\build2.exe

Filesize
318KB

MD5
4fbdcb0ee049b71cb8b9a68bf69f9e0e

SHA1
7e36a91700e0a7a8b3a3319cc4b93a1656447096

SHA256
31084adb877ef9bcf2143fa2d60ce8860d15af325424b709ad115febe8b96e81

SHA512
19aeff14cc2d1c60e99228b089f8c76ed5d7c7ed95ef3adb639b899c258c4cb17982d6de4294506c53dedbbf771f9f26e99094d22d1d05542d3cf86a6b24d283

Download Submit
memory/1272-302-0x00000000008D0000-0x00000000009D0000-memory.dmp

Filesize
1024KB

Download
memory/1500-248-0x0000000000870000-0x0000000000970000-memory.dmp

Filesize
1024KB

Download
memory/1500-249-0x0000000000220000-0x0000000000224000-memory.dmp

Filesize
16KB

Download
memory/1620-353-0x0000000000900000-0x0000000000A00000-memory.dmp

Filesize
1024KB

Download
memory/2112-255-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2112-246-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2112-253-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2112-250-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2192-259-0x0000000000870000-0x00000000008A5000-memory.dmp

Filesize
212KB

Download
memory/2192-76-0x0000000000870000-0x00000000008A5000-memory.dmp

Filesize
212KB

Download
memory/2192-73-0x0000000000260000-0x0000000000360000-memory.dmp

Filesize
1024KB

Download
memory/2420-70-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2420-257-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/2420-77-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/2420-72-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/2420-78-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/2712-272-0x0000000000880000-0x0000000000980000-memory.dmp

Filesize
1024KB

Download
memory/2748-382-0x0000000000930000-0x0000000000A30000-memory.dmp

Filesize
1024KB

Download
memory/2804-34-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2804-53-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2804-48-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2804-126-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2804-35-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2804-217-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2804-56-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2804-55-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2804-49-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2836-28-0x0000000000310000-0x00000000003A1000-memory.dmp

Filesize
580KB

Download
memory/2836-29-0x0000000000310000-0x00000000003A1000-memory.dmp

Filesize
580KB

Download
memory/2884-2-0x0000000004540000-0x000000000465B000-memory.dmp

Filesize
1.1MB

Download
memory/2884-1-0x0000000000220000-0x00000000002B1000-memory.dmp

Filesize
580KB

Download
memory/2884-0-0x0000000000220000-0x00000000002B1000-memory.dmp

Filesize
580KB

Download
memory/2956-26-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2956-8-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2956-7-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2956-5-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2956-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3052-326-0x00000000009A0000-0x0000000000AA0000-memory.dmp

Filesize
1024KB

Download