Analysis
- max time kernel: 144s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05-02-2024 05:08
Static task: static1
Behavioral task: behavioral1
- Sample: 97cb23085479e9562332ae56eed070d3c9a001518066132ec5d24041336bcf98.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 97cb23085479e9562332ae56eed070d3c9a001518066132ec5d24041336bcf98.exe
- Resource: win10v2004-20231215-en
General
- Target: 97cb23085479e9562332ae56eed070d3c9a001518066132ec5d24041336bcf98.exe
- Size: 774KB
- MD5: faf9bf89fd060a85d2fcc98e9d511a8b
- SHA1: 08d256665c3aa89eafa123cfb965c8c1b4b5f5d0
- SHA256: 97cb23085479e9562332ae56eed070d3c9a001518066132ec5d24041336bcf98
- SHA512: 318bb22a79f511421f209f0ee1a8367addfa4c7355f4000bce80b2d18beab450d927c2910eb3f4f2e6f7b5924c623f531eb9c46c80e11123298af721054c4ba1
- SSDEEP: 12288:liIAA+MX6Cy84Yw54I1/MASK0k1sLYslK0ijkbHi/58P8agY56MJUG2:lpBU8nwN1/MASK0xLYHjAtP8aouUG
Malware Config
Extracted: djvu
http://habrafa.com/test1/get.php
- extension: .cdcc
- offline_id: LBxKKiegnAy53rpqH3Pj2j46vwldiEt9kqHSuMt1
- payload_url:
  http://brusuax.com/dl/build2.exe
  http://habrafa.com/files/1/build3.exe
- ransomnote: ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-iVcrVFVRqu Price of private key and decrypt software is $1999. Discount 50% available if you contact us first 72 hours, that's price for you is $999. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0846ASdw
Extracted: vidar
7.6
1b9d7ec5a25ab9d78c31777a0016a097
https://t.me/tvrugrats
https://steamcommunity.com/profiles/76561199627279110
- profile_id_v2: 1b9d7ec5a25ab9d78c31777a0016a097
Signatures
-
Detect Vidar Stealer 5 IoCs
Processes:
resource | yara_rule
- behavioral2/memory/4092-55-0x0000000000710000-0x0000000000740000-memory.dmp | family_vidar_v7
- behavioral2/memory/3140-52-0x0000000000400000-0x0000000000643000-memory.dmp | family_vidar_v7
- behavioral2/memory/3140-57-0x0000000000400000-0x0000000000643000-memory.dmp | family_vidar_v7
- behavioral2/memory/3140-58-0x0000000000400000-0x0000000000643000-memory.dmp | family_vidar_v7
- behavioral2/memory/3140-85-0x0000000000400000-0x0000000000643000-memory.dmp | family_vidar_v7
-
Detected Djvu ransomware 17 IoCs
Processes:
resource | yara_rule
- behavioral2/memory/2124-2-0x00000000023C0000-0x00000000024DB000-memory.dmp | family_djvu
- behavioral2/memory/5056-3-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
- behavioral2/memory/5056-4-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
- behavioral2/memory/5056-5-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
- behavioral2/memory/5056-6-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
- behavioral2/memory/5056-17-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
- behavioral2/memory/1880-22-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
- behavioral2/memory/1880-23-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
- behavioral2/memory/1880-24-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
- behavioral2/memory/1880-29-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
- behavioral2/memory/1880-30-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
- behavioral2/memory/1880-34-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
- behavioral2/memory/1880-36-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
- behavioral2/memory/1880-37-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
- behavioral2/memory/1880-82-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
- behavioral2/memory/1880-87-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
- behavioral2/memory/2288-123-0x00000000009B0000-0x0000000000AB0000-memory.dmp | family_djvu
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Detect binaries embedding considerable number of MFA browser extension IDs. 1 IoCs
Processes:
resource | yara_rule
- behavioral2/memory/3140-85-0x0000000000400000-0x0000000000643000-memory.dmp | INDICATOR_SUSPICIOUS_Binary_Embedded_MFA_Browser_Extension_IDs
-
Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs. 1 IoCs
Processes:
resource | yara_rule
- behavioral2/memory/3140-85-0x0000000000400000-0x0000000000643000-memory.dmp | INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
-
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 1 IoCs
Processes:
resource | yara_rule
- behavioral2/memory/3140-85-0x0000000000400000-0x0000000000643000-memory.dmp | INDICATOR_SUSPICIOUS_Binary_References_Browsers
-
Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion 4 IoCs
Processes:
resource | yara_rule
- behavioral2/memory/3140-52-0x0000000000400000-0x0000000000643000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
- behavioral2/memory/3140-57-0x0000000000400000-0x0000000000643000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
- behavioral2/memory/3140-58-0x0000000000400000-0x0000000000643000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
- behavioral2/memory/3140-85-0x0000000000400000-0x0000000000643000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
- Key value queried | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation | 97cb23085479e9562332ae56eed070d3c9a001518066132ec5d24041336bcf98.exe
- Key value queried | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation | 97cb23085479e9562332ae56eed070d3c9a001518066132ec5d24041336bcf98.exe
-
Executes dropped EXE 8 IoCs
Processes:
pid | process
- 4092 | build2.exe
- 3140 | build2.exe
- 3136 | build3.exe
- 2284 | build3.exe
- 216 | mstsca.exe
- 5060 | mstsca.exe
- 2288 | mstsca.exe
- 1648 | mstsca.exe
-
Modifies file permissions 1 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
- Set value (str) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\ccfd3540-cc36-423a-ad91-2732a9d02f17\\97cb23085479e9562332ae56eed070d3c9a001518066132ec5d24041336bcf98.exe\" --AutoStart" | 97cb23085479e9562332ae56eed070d3c9a001518066132ec5d24041336bcf98.exe
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
- 4 | api.2ip.ua
- 5 | api.2ip.ua
- 14 | api.2ip.ua
-
Suspicious use of SetThreadContext 6 IoCs
Processes:
description | pid | process | target process
- PID 2124 set thread context of 5056 | 2124 | 97cb23085479e9562332ae56eed070d3c9a001518066132ec5d24041336bcf98.exe | 97cb23085479e9562332ae56eed070d3c9a001518066132ec5d24041336bcf98.exe
- PID 1096 set thread context of 1880 | 1096 | 97cb23085479e9562332ae56eed070d3c9a001518066132ec5d24041336bcf98.exe | 97cb23085479e9562332ae56eed070d3c9a001518066132ec5d24041336bcf98.exe
- PID 4092 set thread context of 3140 | 4092 | build2.exe | build2.exe
- PID 3136 set thread context of 2284 | 3136 | build3.exe | build3.exe
- PID 216 set thread context of 5060 | 216 | mstsca.exe | mstsca.exe
- PID 2288 set thread context of 1648 | 2288 | mstsca.exe | mstsca.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
Processes:
pid | pid_target | process | target process
- 3696 | 3140 | WerFault.exe | build2.exe
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
- 1444 | schtasks.exe
- 1744 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
pid | process
- 5056 | 97cb23085479e9562332ae56eed070d3c9a001518066132ec5d24041336bcf98.exe
- 5056 | 97cb23085479e9562332ae56eed070d3c9a001518066132ec5d24041336bcf98.exe
- 1880 | 97cb23085479e9562332ae56eed070d3c9a001518066132ec5d24041336bcf98.exe
- 1880 | 97cb23085479e9562332ae56eed070d3c9a001518066132ec5d24041336bcf98.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process
- PID 2124 wrote to memory of 5056 | 2124 | 97cb23085479e9562332ae56eed070d3c9a001518066132ec5d24041336bcf98.exe | 97cb23085479e9562332ae56eed070d3c9a001518066132ec5d24041336bcf98.exe
- PID 2124 wrote to memory of 5056 | 2124 | 97cb23085479e9562332ae56eed070d3c9a001518066132ec5d24041336bcf98.exe | 97cb23085479e9562332ae56eed070d3c9a001518066132ec5d24041336bcf98.exe
- PID 2124 wrote to memory of 5056 | 2124 | 97cb23085479e9562332ae56eed070d3c9a001518066132ec5d24041336bcf98.exe | 97cb23085479e9562332ae56eed070d3c9a001518066132ec5d24041336bcf98.exe
- PID 2124 wrote to memory of 5056 | 2124 | 97cb23085479e9562332ae56eed070d3c9a001518066132ec5d24041336bcf98.exe | 97cb23085479e9562332ae56eed070d3c9a001518066132ec5d24041336bcf98.exe
- PID 2124 wrote to memory of 5056 | 2124 | 97cb23085479e9562332ae56eed070d3c9a001518066132ec5d24041336bcf98.exe | 97cb23085479e9562332ae56eed070d3c9a001518066132ec5d24041336bcf98.exe
- PID 2124 wrote to memory of 5056 | 2124 | 97cb23085479e9562332ae56eed070d3c9a001518066132ec5d24041336bcf98.exe | 97cb23085479e9562332ae56eed070d3c9a001518066132ec5d24041336bcf98.exe
- PID 2124 wrote to memory of 5056 | 2124 | 97cb23085479e9562332ae56eed070d3c9a001518066132ec5d24041336bcf98.exe | 97cb23085479e9562332ae56eed070d3c9a001518066132ec5d24041336bcf98.exe
- PID 2124 wrote to memory of 5056 | 2124 | 97cb23085479e9562332ae56eed070d3c9a001518066132ec5d24041336bcf98.exe | 97cb23085479e9562332ae56eed070d3c9a001518066132ec5d24041336bcf98.exe
- PID 2124 wrote to memory of 5056 | 2124 | 97cb23085479e9562332ae56eed070d3c9a001518066132ec5d24041336bcf98.exe | 97cb23085479e9562332ae56eed070d3c9a001518066132ec5d24041336bcf98.exe
- PID 2124 wrote to memory of 5056 | 2124 | 97cb23085479e9562332ae56eed070d3c9a001518066132ec5d24041336bcf98.exe | 97cb23085479e9562332ae56eed070d3c9a001518066132ec5d24041336bcf98.exe
- PID 5056 wrote to memory of 4368 | 5056 | 97cb23085479e9562332ae56eed070d3c9a001518066132ec5d24041336bcf98.exe | icacls.exe
- PID 5056 wrote to memory of 4368 | 5056 | 97cb23085479e9562332ae56eed070d3c9a001518066132ec5d24041336bcf98.exe | icacls.exe
- PID 5056 wrote to memory of 4368 | 5056 | 97cb23085479e9562332ae56eed070d3c9a001518066132ec5d24041336bcf98.exe | icacls.exe
- PID 5056 wrote to memory of 1096 | 5056 | 97cb23085479e9562332ae56eed070d3c9a001518066132ec5d24041336bcf98.exe | 97cb23085479e9562332ae56eed070d3c9a001518066132ec5d24041336bcf98.exe
- PID 5056 wrote to memory of 1096 | 5056 | 97cb23085479e9562332ae56eed070d3c9a001518066132ec5d24041336bcf98.exe | 97cb23085479e9562332ae56eed070d3c9a001518066132ec5d24041336bcf98.exe
- PID 5056 wrote to memory of 1096 | 5056 | 97cb23085479e9562332ae56eed070d3c9a001518066132ec5d24041336bcf98.exe | 97cb23085479e9562332ae56eed070d3c9a001518066132ec5d24041336bcf98.exe
- PID 1096 wrote to memory of 1880 | 1096 | 97cb23085479e9562332ae56eed070d3c9a001518066132ec5d24041336bcf98.exe | 97cb23085479e9562332ae56eed070d3c9a001518066132ec5d24041336bcf98.exe
- PID 1096 wrote to memory of 1880 | 1096 | 97cb23085479e9562332ae56eed070d3c9a001518066132ec5d24041336bcf98.exe | 97cb23085479e9562332ae56eed070d3c9a001518066132ec5d24041336bcf98.exe
- PID 1096 wrote to memory of 1880 | 1096 | 97cb23085479e9562332ae56eed070d3c9a001518066132ec5d24041336bcf98.exe | 97cb23085479e9562332ae56eed070d3c9a001518066132ec5d24041336bcf98.exe
- PID 1096 wrote to memory of 1880 | 1096 | 97cb23085479e9562332ae56eed070d3c9a001518066132ec5d24041336bcf98.exe | 97cb23085479e9562332ae56eed070d3c9a001518066132ec5d24041336bcf98.exe
- PID 1096 wrote to memory of 1880 | 1096 | 97cb23085479e9562332ae56eed070d3c9a001518066132ec5d24041336bcf98.exe | 97cb23085479e9562332ae56eed070d3c9a001518066132ec5d24041336bcf98.exe
- PID 1096 wrote to memory of 1880 | 1096 | 97cb23085479e9562332ae56eed070d3c9a001518066132ec5d24041336bcf98.exe | 97cb23085479e9562332ae56eed070d3c9a001518066132ec5d24041336bcf98.exe
- PID 1096 wrote to memory of 1880 | 1096 | 97cb23085479e9562332ae56eed070d3c9a001518066132ec5d24041336bcf98.exe | 97cb23085479e9562332ae56eed070d3c9a001518066132ec5d24041336bcf98.exe
- PID 1096 wrote to memory of 1880 | 1096 | 97cb23085479e9562332ae56eed070d3c9a001518066132ec5d24041336bcf98.exe | 97cb23085479e9562332ae56eed070d3c9a001518066132ec5d24041336bcf98.exe
- PID 1096 wrote to memory of 1880 | 1096 | 97cb23085479e9562332ae56eed070d3c9a001518066132ec5d24041336bcf98.exe | 97cb23085479e9562332ae56eed070d3c9a001518066132ec5d24041336bcf98.exe
- PID 1096 wrote to memory of 1880 | 1096 | 97cb23085479e9562332ae56eed070d3c9a001518066132ec5d24041336bcf98.exe | 97cb23085479e9562332ae56eed070d3c9a001518066132ec5d24041336bcf98.exe
- PID 1880 wrote to memory of 4092 | 1880 | 97cb23085479e9562332ae56eed070d3c9a001518066132ec5d24041336bcf98.exe | build2.exe
- PID 1880 wrote to memory of 4092 | 1880 | 97cb23085479e9562332ae56eed070d3c9a001518066132ec5d24041336bcf98.exe | build2.exe
- PID 1880 wrote to memory of 4092 | 1880 | 97cb23085479e9562332ae56eed070d3c9a001518066132ec5d24041336bcf98.exe | build2.exe
- PID 4092 wrote to memory of 3140 | 4092 | build2.exe | build2.exe
- PID 4092 wrote to memory of 3140 | 4092 | build2.exe | build2.exe
- PID 4092 wrote to memory of 3140 | 4092 | build2.exe | build2.exe
- PID 4092 wrote to memory of 3140 | 4092 | build2.exe | build2.exe
- PID 4092 wrote to memory of 3140 | 4092 | build2.exe | build2.exe
- PID 4092 wrote to memory of 3140 | 4092 | build2.exe | build2.exe
- PID 4092 wrote to memory of 3140 | 4092 | build2.exe | build2.exe
- PID 4092 wrote to memory of 3140 | 4092 | build2.exe | build2.exe
- PID 4092 wrote to memory of 3140 | 4092 | build2.exe | build2.exe
- PID 4092 wrote to memory of 3140 | 4092 | build2.exe | build2.exe
- PID 1880 wrote to memory of 3136 | 1880 | 97cb23085479e9562332ae56eed070d3c9a001518066132ec5d24041336bcf98.exe | build3.exe
- PID 1880 wrote to memory of 3136 | 1880 | 97cb23085479e9562332ae56eed070d3c9a001518066132ec5d24041336bcf98.exe | build3.exe
- PID 1880 wrote to memory of 3136 | 1880 | 97cb23085479e9562332ae56eed070d3c9a001518066132ec5d24041336bcf98.exe | build3.exe
- PID 3136 wrote to memory of 2284 | 3136 | build3.exe | build3.exe
- PID 3136 wrote to memory of 2284 | 3136 | build3.exe | build3.exe
- PID 3136 wrote to memory of 2284 | 3136 | build3.exe | build3.exe
- PID 3136 wrote to memory of 2284 | 3136 | build3.exe | build3.exe
- PID 3136 wrote to memory of 2284 | 3136 | build3.exe | build3.exe
- PID 3136 wrote to memory of 2284 | 3136 | build3.exe | build3.exe
- PID 3136 wrote to memory of 2284 | 3136 | build3.exe | build3.exe
- PID 3136 wrote to memory of 2284 | 3136 | build3.exe | build3.exe
- PID 3136 wrote to memory of 2284 | 3136 | build3.exe | build3.exe
- PID 2284 wrote to memory of 1444 | 2284 | build3.exe | schtasks.exe
- PID 2284 wrote to memory of 1444 | 2284 | build3.exe | schtasks.exe
- PID 2284 wrote to memory of 1444 | 2284 | build3.exe | schtasks.exe
- PID 216 wrote to memory of 5060 | 216 | mstsca.exe | mstsca.exe
- PID 216 wrote to memory of 5060 | 216 | mstsca.exe | mstsca.exe
- PID 216 wrote to memory of 5060 | 216 | mstsca.exe | mstsca.exe
- PID 216 wrote to memory of 5060 | 216 | mstsca.exe | mstsca.exe
- PID 216 wrote to memory of 5060 | 216 | mstsca.exe | mstsca.exe
- PID 216 wrote to memory of 5060 | 216 | mstsca.exe | mstsca.exe
- PID 216 wrote to memory of 5060 | 216 | mstsca.exe | mstsca.exe
- PID 216 wrote to memory of 5060 | 216 | mstsca.exe | mstsca.exe
- PID 216 wrote to memory of 5060 | 216 | mstsca.exe | mstsca.exe
- PID 5060 wrote to memory of 1744 | 5060 | mstsca.exe | schtasks.exe
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\97cb23085479e9562332ae56eed070d3c9a001518066132ec5d24041336bcf98.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\97cb23085479e9562332ae56eed070d3c9a001518066132ec5d24041336bcf98.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
  [depth 2] C:\Users\Admin\AppData\Local\Temp\97cb23085479e9562332ae56eed070d3c9a001518066132ec5d24041336bcf98.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\97cb23085479e9562332ae56eed070d3c9a001518066132ec5d24041336bcf98.exe"
      - Checks computer location settings
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
    [depth 3] C:\Windows\SysWOW64\icacls.exe
        command line: icacls "C:\Users\Admin\AppData\Local\ccfd3540-cc36-423a-ad91-2732a9d02f17" /deny *S-1-1-0:(OI)(CI)(DE,DC)
        - Modifies file permissions
    [depth 3] C:\Users\Admin\AppData\Local\Temp\97cb23085479e9562332ae56eed070d3c9a001518066132ec5d24041336bcf98.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\97cb23085479e9562332ae56eed070d3c9a001518066132ec5d24041336bcf98.exe" --Admin IsNotAutoStart IsNotTask
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
      [depth 4] C:\Users\Admin\AppData\Local\Temp\97cb23085479e9562332ae56eed070d3c9a001518066132ec5d24041336bcf98.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\97cb23085479e9562332ae56eed070d3c9a001518066132ec5d24041336bcf98.exe" --Admin IsNotAutoStart IsNotTask
          - Checks computer location settings
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
        [depth 5] C:\Users\Admin\AppData\Local\9820d5fb-0d1b-4ae7-9905-6cdfe0cf6cdf\build2.exe
            command line: "C:\Users\Admin\AppData\Local\9820d5fb-0d1b-4ae7-9905-6cdfe0cf6cdf\build2.exe"
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory
          [depth 6] C:\Users\Admin\AppData\Local\9820d5fb-0d1b-4ae7-9905-6cdfe0cf6cdf\build2.exe
              command line: "C:\Users\Admin\AppData\Local\9820d5fb-0d1b-4ae7-9905-6cdfe0cf6cdf\build2.exe"
              - Executes dropped EXE
            [depth 7] C:\Windows\SysWOW64\WerFault.exe
                command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3140 -s 2196
                - Program crash
        [depth 5] C:\Users\Admin\AppData\Local\9820d5fb-0d1b-4ae7-9905-6cdfe0cf6cdf\build3.exe
            command line: "C:\Users\Admin\AppData\Local\9820d5fb-0d1b-4ae7-9905-6cdfe0cf6cdf\build3.exe"
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory
          [depth 6] C:\Users\Admin\AppData\Local\9820d5fb-0d1b-4ae7-9905-6cdfe0cf6cdf\build3.exe
              command line: "C:\Users\Admin\AppData\Local\9820d5fb-0d1b-4ae7-9905-6cdfe0cf6cdf\build3.exe"
              - Executes dropped EXE
              - Suspicious use of WriteProcessMemory
            [depth 7] C:\Windows\SysWOW64\schtasks.exe
                command line: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
                - Creates scheduled task(s)
[depth 1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3140 -ip 3140
[depth 1] C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    command line: C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
  [depth 2] C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
      command line: C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
    [depth 3] C:\Windows\SysWOW64\schtasks.exe
        command line: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
        - Creates scheduled task(s)
[depth 1] C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    command line: C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
  [depth 2] C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
      command line: C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
  Filesize: 1KB
  MD5: c59708a86e78530488f2356251e775a2
  SHA1: 17e33e077261cdd9e54d4e58dfb168f15ee93efb
  SHA256: 71719971666e64a4f767e8f9d0b52e822189c4bfb1fe449a0e7c8066c82813c2
  SHA512: 42afd4d2c791ea8cb239130cf4f4d43da0ec39c63049c56796e082282e2ba2f0cd0fd8934b7de3b359ca433b0609ad159fda6f92168168f2d4517f13fbbb3fbf
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
  Filesize: 724B
  MD5: 8202a1cd02e7d69597995cabbe881a12
  SHA1: 8858d9d934b7aa9330ee73de6c476acf19929ff6
  SHA256: 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
  SHA512: 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
  Filesize: 410B
  MD5: ab0b57d37fda4192f2e7ecee4355cc13
  SHA1: 4adb60853fad8ae50e06e2964b24213543964310
  SHA256: 7e34f629a19165ff0d47928c541d4cc19f7e51fb617fac092083bac5b6b2cb95
  SHA512: cdd5caf57be2e6150d8a73d77df1440bf2cd78fc803a82ecc437d5ab7da300cefec76a9d69d310a49e45713c9ce223fe63ad4f230ef81b814cdeee60b01a67a6
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
  Filesize: 392B
  MD5: 05fd35ed1a8a5824d65e2694273fbef0
  SHA1: 22b59d5cf9758dbd7d5ec2e240af76affbac2aa0
  SHA256: eeaf0d47590f468919a9702ee217d92ad298d89e6eaef79f6b25615a42595b8f
  SHA512: c622d78711c8ff8d038214abe178c4004a9d9d0617fb1a0d2ae9e75fc7ee68eb7c4686c0444168c828f96ad4c6ec01dc603a4262ee47f7ff23c81fb644838faf
- C:\Users\Admin\AppData\Local\9820d5fb-0d1b-4ae7-9905-6cdfe0cf6cdf\build2.exe
  Filesize: 385KB
  MD5: 63e4a9cd7a8b37335b5f18cefc5dd9d2
  SHA1: c781a30935afc452b108cc78724b60f389b78874
  SHA256: c1e75efde3fd1da605135e5c3ffab0073299c80632d136f8eeba9d4a7c98c70f
  SHA512: 3818b5966938704c5830acb5426db7791f6ae476853248d8984b1aff35a6722a0684bea54a53ef6ded1f301f6de9ed044d45f007457a9c0f3a7ea3afc7bf0ecc
- C:\Users\Admin\AppData\Local\9820d5fb-0d1b-4ae7-9905-6cdfe0cf6cdf\build3.exe
  Filesize: 299KB
  MD5: 41b883a061c95e9b9cb17d4ca50de770
  SHA1: 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
  SHA256: fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
  SHA512: cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319
- C:\Users\Admin\AppData\Local\ccfd3540-cc36-423a-ad91-2732a9d02f17\97cb23085479e9562332ae56eed070d3c9a001518066132ec5d24041336bcf98.exe
  Filesize: 774KB
  MD5: faf9bf89fd060a85d2fcc98e9d511a8b
  SHA1: 08d256665c3aa89eafa123cfb965c8c1b4b5f5d0
  SHA256: 97cb23085479e9562332ae56eed070d3c9a001518066132ec5d24041336bcf98
  SHA512: 318bb22a79f511421f209f0ee1a8367addfa4c7355f4000bce80b2d18beab450d927c2910eb3f4f2e6f7b5924c623f531eb9c46c80e11123298af721054c4ba1
Memory dumps (name | Filesize):
- memory/216-104-0x0000000000B30000-0x0000000000C30000-memory.dmp | 1024KB
- memory/1096-20-0x0000000002130000-0x00000000021CC000-memory.dmp | 624KB
- memory/1648-128-0x0000000000410000-0x00000000004D9000-memory.dmp | 804KB
- memory/1880-22-0x0000000000400000-0x0000000000537000-memory.dmp | 1.2MB
- memory/1880-37-0x0000000000400000-0x0000000000537000-memory.dmp | 1.2MB
- memory/1880-23-0x0000000000400000-0x0000000000537000-memory.dmp | 1.2MB
- memory/1880-87-0x0000000000400000-0x0000000000537000-memory.dmp | 1.2MB
- memory/1880-24-0x0000000000400000-0x0000000000537000-memory.dmp | 1.2MB
- memory/1880-82-0x0000000000400000-0x0000000000537000-memory.dmp | 1.2MB
- memory/1880-29-0x0000000000400000-0x0000000000537000-memory.dmp | 1.2MB
- memory/1880-30-0x0000000000400000-0x0000000000537000-memory.dmp | 1.2MB
- memory/1880-34-0x0000000000400000-0x0000000000537000-memory.dmp | 1.2MB
- memory/1880-36-0x0000000000400000-0x0000000000537000-memory.dmp | 1.2MB
- memory/2124-2-0x00000000023C0000-0x00000000024DB000-memory.dmp | 1.1MB
- memory/2124-1-0x0000000000770000-0x0000000000805000-memory.dmp | 596KB
- memory/2284-96-0x0000000000400000-0x0000000000406000-memory.dmp | 24KB
- memory/2284-94-0x0000000000400000-0x0000000000406000-memory.dmp | 24KB
- memory/2284-89-0x0000000000400000-0x0000000000406000-memory.dmp | 24KB
- memory/2288-123-0x00000000009B0000-0x0000000000AB0000-memory.dmp | 1024KB
- memory/3136-91-0x0000000000940000-0x0000000000944000-memory.dmp | 16KB
- memory/3136-90-0x0000000000BA0000-0x0000000000CA0000-memory.dmp | 1024KB
- memory/3140-58-0x0000000000400000-0x0000000000643000-memory.dmp | 2.3MB
- memory/3140-85-0x0000000000400000-0x0000000000643000-memory.dmp | 2.3MB
- memory/3140-57-0x0000000000400000-0x0000000000643000-memory.dmp | 2.3MB
- memory/3140-52-0x0000000000400000-0x0000000000643000-memory.dmp | 2.3MB
- memory/4092-55-0x0000000000710000-0x0000000000740000-memory.dmp | 192KB
- memory/4092-53-0x00000000007B0000-0x00000000008B0000-memory.dmp | 1024KB
- memory/5056-4-0x0000000000400000-0x0000000000537000-memory.dmp | 1.2MB
- memory/5056-5-0x0000000000400000-0x0000000000537000-memory.dmp | 1.2MB
- memory/5056-3-0x0000000000400000-0x0000000000537000-memory.dmp | 1.2MB
- memory/5056-6-0x0000000000400000-0x0000000000537000-memory.dmp | 1.2MB
- memory/5056-17-0x0000000000400000-0x0000000000537000-memory.dmp | 1.2MB