The submitted file c4d33fc79173be38c3a76223263f6b37486903188e3c081586ecd62fcc651497 is classified as RANSOMWARE

SHA256: c4d33fc79173be38c3a76223263f6b37486903188e3c081586ecd62fcc651497
File Name: c4d33fc79173be38c3a76223263f6b37486903188e3c081586ecd62fcc651497
File Type: Win32 EXE
Environment: Windows 10
Analysis Start Time: 2023-06-12 17:20:48 (UTC)
Analysis End Time: 2023-06-12 17:23:22 (UTC)
Tags
  • Trojan
  • STOP
  • .ahtw
  • Ransomware
  • Vidar
  • Exe-Downloaded
  • Spyware

Static Analysis: RANSOMWARE

Network Analysis: MALICIOUS

Dynamic Analysis: MALICIOUS

File Analysis: NO THREATS

  • Malicious
    • Changes The Autorun Value In The Registry
      • 7056 - C4D33F~1.EXE
        • Persistence - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
        • Privilege Escalation - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
    • Task Scheduler Executable Triggered
      • 2568 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 5452 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
    • Task Scheduler Task Creation
      • 2568 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 5452 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
  • Suspicious
    • Sysmon Process Hollowing Detection
    • Use Icacls to Hide File to Everyone
      • 5864 - icacls "C:\Users\Administrator\AppData\Local\1e051844-9524-4044-8b26-5e080120fa0c" /deny *S-1-1-0:(OI)(CI)(DE,DC)
        • Defense Evasion - Hide Artifacts: Hidden Files and Directories
    • Suspicious Schtasks From Env Var Folder
      • 2568 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 5452 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
    • Suspicious Add Scheduled Task Parent
      • 2568 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 5452 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
    • Executes Scripts
      • 4012 - wscript "C:\Users\ADMINI~1\AppData\Local\Packages\MICROS~1.SEA\AC\AppCache\627XUPPY\17\YD8MNP~1.JS"
        • Execution - Command and Scripting Interpreter: JavaScript
        • Execution - Command and Scripting Interpreter: Visual Basic
      • 5956 - wscript "C:\Users\ADMINI~1\AppData\Local\Packages\MICROS~1.SEA\AC\AppCache\627XUPPY\17\YLKD7F~1.JS"
        • Execution - Command and Scripting Interpreter: JavaScript
        • Execution - Command and Scripting Interpreter: Visual Basic
      • 264 - wscript "C:\Users\ADMINI~1\AppData\Local\Packages\MICROS~1.SEA\AC\AppCache\627XUPPY\17\UDG2GC~1.JS"
        • Execution - Command and Scripting Interpreter: JavaScript
        • Execution - Command and Scripting Interpreter: Visual Basic
    • WScript or CScript Dropper
      • 4012 - wscript "C:\Users\ADMINI~1\AppData\Local\Packages\MICROS~1.SEA\AC\AppCache\627XUPPY\17\YD8MNP~1.JS"
        • Execution - Command and Scripting Interpreter: Visual Basic
        • Execution - Command and Scripting Interpreter: JavaScript
      • 5956 - wscript "C:\Users\ADMINI~1\AppData\Local\Packages\MICROS~1.SEA\AC\AppCache\627XUPPY\17\YLKD7F~1.JS"
        • Execution - Command and Scripting Interpreter: Visual Basic
        • Execution - Command and Scripting Interpreter: JavaScript
      • 264 - wscript "C:\Users\ADMINI~1\AppData\Local\Packages\MICROS~1.SEA\AC\AppCache\627XUPPY\17\UDG2GC~1.JS"
        • Execution - Command and Scripting Interpreter: Visual Basic
        • Execution - Command and Scripting Interpreter: JavaScript
    • WSF/JSE/JS/VBA/VBE File Execution
      • 4012 - wscript "C:\Users\ADMINI~1\AppData\Local\Packages\MICROS~1.SEA\AC\AppCache\627XUPPY\17\YD8MNP~1.JS"
        • Execution - Command and Scripting Interpreter: Visual Basic
        • Execution - Command and Scripting Interpreter: JavaScript
      • 5956 - wscript "C:\Users\ADMINI~1\AppData\Local\Packages\MICROS~1.SEA\AC\AppCache\627XUPPY\17\YLKD7F~1.JS"
        • Execution - Command and Scripting Interpreter: Visual Basic
        • Execution - Command and Scripting Interpreter: JavaScript
      • 264 - wscript "C:\Users\ADMINI~1\AppData\Local\Packages\MICROS~1.SEA\AC\AppCache\627XUPPY\17\UDG2GC~1.JS"
        • Execution - Command and Scripting Interpreter: Visual Basic
        • Execution - Command and Scripting Interpreter: JavaScript
  • Info
    • Creation of an Executable by an Executable
      • 7056 - C4D33F~1.EXE
        • Resource Development - Develop Capabilities: Malware
      • 3660 - C4D33F~1.EXE
        • Resource Development - Develop Capabilities: Malware
      • 6400 - build3.exe
        • Resource Development - Develop Capabilities: Malware
    • Creates Files In The User Directory
      • 7056 - C4D33F~1.EXE
        • Collection - Data Staged: Local Data Staging
      • 3660 - C4D33F~1.EXE
        • Collection - Data Staged: Local Data Staging
      • 6400 - build3.exe
        • Collection - Data Staged: Local Data Staging
      • 6036 - WINWORD.EXE
        • Collection - Data Staged: Local Data Staging
    • Scheduled Task Creation
      • 2568 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 5452 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
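The Malicious and Suspicious signatures above reduce to three host artefacts: a Run value that launches the copy sitting in a GUID-named folder under %LOCALAPPDATA% with --AutoStart, a schtasks /create with /sc minute /mo 1 whose /tr target is mstsca.exe under %APPDATA%, and icacls denying Everyone (S-1-1-0) rights on the staging folder. The Python below is added here as an example and is not part of the sandbox report: it encodes those three behaviours as detection rules and runs them over constructed Sysmon-style process-creation and registry events that reuse the report's own command lines plus two benign controls. The event field names, rule names and the Finding class are this example's assumptions.

```python
import re
from dataclasses import dataclass

# ATT&CK technique IDs for the three behaviours. T1222.001 (Windows File and
# Directory Permissions Modification) is the tighter mapping for an icacls
# ACL change than the report's "Hide Artifacts" label.
TECHNIQUES = {
    "run_key_autostart": "T1547.001",
    "schtasks_minute_from_appdata": "T1053.005",
    "icacls_deny_everyone_guid_dir": "T1222.001",
}

# GUID-named directory directly under %LOCALAPPDATA%, the staging-folder pattern in the report.
GUID_DIR = re.compile(
    r"\\AppData\\Local\\[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b", re.I)
# Anything under a user profile's AppData is writable by that user.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    technique: str
    pid: int
    detail: str


def check_schtasks(cmd: str):
    """Task created with /sc minute whose /tr target lives in a user-writable profile path."""
    if not re.search(r"/create\b", cmd, re.I) or not re.search(r"/sc\s+minute\b", cmd, re.I):
        return None
    target = re.search(r'/tr\s+"([^"]+)"|/tr\s+(\S+)', cmd, re.I)
    if not target:
        return None
    path = target.group(1) or target.group(2)
    return f"minute-interval task runs {path}" if USER_WRITABLE.search(path) else None


def check_icacls(cmd: str):
    """Everyone (well-known SID S-1-1-0) denied rights on a GUID-named %LOCALAPPDATA% directory."""
    if re.search(r"/deny\s+\*S-1-1-0:", cmd, re.I) and GUID_DIR.search(cmd):
        return "Everyone denied access rights on GUID-named staging directory"
    return None


def check_run_value(key: str, value: str):
    """Run-key value pointing into a GUID-named %LOCALAPPDATA% directory or carrying --AutoStart."""
    if not re.search(r"\\CurrentVersion\\Run\\", key, re.I):
        return None
    if GUID_DIR.search(value) or re.search(r"\s--AutoStart\b", value, re.I):
        return f"autorun value {key.rsplit(chr(92), 1)[-1]} -> {value}"
    return None


def scan(events):
    """Apply the rule matching each event's image (process events) or key (registry events)."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            image = ev["image"].lower()
            if image.endswith("\\schtasks.exe"):
                rule, detail = "schtasks_minute_from_appdata", check_schtasks(ev["cmdline"])
            elif image.endswith("\\icacls.exe"):
                rule, detail = "icacls_deny_everyone_guid_dir", check_icacls(ev["cmdline"])
            else:
                continue
        elif ev["type"] == "registry":
            rule, detail = "run_key_autostart", check_run_value(ev["key"], ev["value"])
        else:
            continue
        if detail:
            findings.append(Finding(rule, TECHNIQUES[rule], ev["pid"], detail))
    return findings


# Constructed events (not sandbox output); the first three reuse the report's command lines,
# the last two are benign controls that must not fire.
EVENTS = [
    {"type": "process", "pid": 5864, "image": r"C:\Windows\System32\icacls.exe",
     "cmdline": r'icacls "C:\Users\Administrator\AppData\Local\1e051844-9524-4044-8b26-5e080120fa0c" /deny *S-1-1-0:(OI)(CI)(DE,DC)'},
    {"type": "process", "pid": 2568, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"'},
    {"type": "registry", "pid": 7056,
     "key": r"HKU\S-1-5-21-2530950276-3298662170-1402498598-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper",
     "value": r'"C:\Users\Administrator\AppData\Local\1e051844-9524-4044-8b26-5e080120fa0c\C4D33F~1.EXE" --AutoStart'},
    {"type": "process", "pid": 1000, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'/create /sc daily /tn "Backup" /tr "C:\Program Files\Backup\backup.exe"'},
    {"type": "process", "pid": 1001, "image": r"C:\Windows\System32\icacls.exe",
     "cmdline": r'icacls "C:\Shared" /grant Users:(OI)(CI)R'},
]

if __name__ == "__main__":
    for f in scan(EVENTS):
        print(f"[{f.technique}] pid={f.pid} {f.rule}: {f.detail}")
```

The task rule keys on the interval and the user-writable target rather than on the task name, since a string like "Azure-Update-Task" is trivially changed between builds; likewise the Run-key rule fires on the GUID-named folder or the --AutoStart switch, not on the value name SysHelper.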
  • c4d33fc79173be38c3a76223263f6b37486903188e3c081586ecd62fcc651497
    • 4024 - [-7.02s] SearchFilterHost.exe 0 796 800 808 8192 804 780
    • 5720 - [0.0s] c4d33fc79173be38c3a76223263f6b37486903188e3c081586ecd62fcc651497.exe
      • 7056 - [0.95s] c4d33fc79173be38c3a76223263f6b37486903188e3c081586ecd62fcc651497.exe
        • 5864 - [2.65s] icacls "C:\Users\Administrator\AppData\Local\1e051844-9524-4044-8b26-5e080120fa0c" /deny *S-1-1-0:(OI)(CI)(DE,DC)
          • 6868 - [2.88s] c4d33fc79173be38c3a76223263f6b37486903188e3c081586ecd62fcc651497.exe --Admin IsNotAutoStart IsNotTask
            • 3660 - [3.27s] c4d33fc79173be38c3a76223263f6b37486903188e3c081586ecd62fcc651497.exe --Admin IsNotAutoStart IsNotTask
              • 1776 - [9.18s] build2.exe
                • 7260 - [12.18s] build2.exe
                • 6400 - [10.19s] build3.exe
                  • 2568 - [10.56s] C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
                    • 3312 - [10.60s] conhost.exe 0xffffffff -ForceV1
          • 1892 - [2.94s] svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
          • 6740 - [4.91s] NOTEPAD.EXE C:\_readme.txt
          • 6036 - [5.60s] WINWORD.exe /n "C:\Windows\System32\Tasks\Time Trigger Task"
          • 4400 - [5.73s] SearchProtocolHost.exe Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-2530950276-3298662170-1402498598-5002_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-2530950276-3298662170-1402498598-5002 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
          • 1456 - [5.79s] C4D33F~1.EXE
            • 5368 - [6.18s] C4D33F~1.EXE
            • 4012 - [6.35s] wscript "C:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\627XUPPY\17\yD8mNPwagJmEd4zTeEH-jzydwzM.br[1].js"
            • 5956 - [6.35s] wscript "C:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\627XUPPY\17\ylkD7fTw1lcLZr9-GH9r2lQJisI.br[1].js"
            • 264 - [6.35s] wscript "C:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\627XUPPY\17\uDG2gcZvfxPQf2ViIjeZuGGTEzs.br[1].js"
            • 7876 - [16.53s] build2.exe
              • 8056 - [20.15s] build2.exe
              • 8124 - [21.20s] WINWORD.EXE /Automation -Embedding
              • 4160 - [22.90s] mstsca.exe
                • 5452 - [23.26s] C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
                  • 2568 - [23.28s] conhost.exe 0xffffffff -ForceV1
                • 3864 - [23.47s] build3.exe
                • 4772 - [24.03s] LogonUI.exe /flags:0x4 /state0:0xa3f87055 /state1:0x41c64e6d
Files
C:\Users\Administrator\AppData\Local\1e051844-9524-4044-8b26-5e080120fa0c\C4D33F~1.EXE
C:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\752WOBP4\build2[1].exe
C:\Users\Administrator\AppData\Local\ee7d20c3-c937-4ba5-9b4c-ab15f62482db\build2.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\752WOBP4\build3[1].exe
C:\Users\Administrator\AppData\Local\ee7d20c3-c937-4ba5-9b4c-ab15f62482db\build3.exe
C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Administrator\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Registry Key
HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL

Registry | Value
HKU\S-1-5-21-2530950276-3298662170-1402498598-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper | "C:\Users\Administrator\AppData\Local\1e051844-9524-4044-8b26-5e080120fa0c\C4D33F~1.EXE" --AutoStart
Type | Indicator | Reputation
IP Address | 5[.]21[.]67[.]193 | Malicious
IP Address | 177[.]254[.]85[.]20 | Malicious
IP Address | 95[.]107[.]163[.]44 | Malicious
IP Address | 189[.]194[.]9[.]27 | Malicious
IP Address | 179[.]25[.]14[.]241 | Malicious
IP Address | 175[.]119[.]10[.]231 | Malicious
IP Address | 190[.]171[.]250[.]205 | Malicious
IP Address | 61[.]253[.]71[.]111 | Malicious
IP Address | 211[.]119[.]84[.]111 | Malicious
IP Address | 222[.]236[.]49[.]124 | Malicious
IP Address | 183[.]100[.]39[.]157 | Malicious
IP Address | 211[.]40[.]39[.]251 | Malicious
IP Address | 222[.]236[.]49[.]123 | Malicious
IP Address | 124[.]43[.]18[.]250 | Malicious
IP Address | 201[.]119[.]66[.]140 | Malicious
IP Address | 2[.]180[.]10[.]7 | Malicious
IP Address | 62[.]217[.]232[.]10 | Malicious
IP Address | 195[.]158[.]3[.]162 | Malicious
IP Address | 187[.]233[.]46[.]193 | Malicious
IP Address | 190[.]229[.]19[.]7 | Malicious
IP Address | 167[.]235[.]207[.]108 | Malicious
Domain | zexeq[.]com | Malicious
Domain | colisumy[.]com | Malicious
URL | hxxp://zexeq[.]com/files/1/build3[.]exe | Malicious
URL | hxxp://zexeq[.]com/test1/get[.]php?pid=***&first=*** | Malicious
URL | hxxp://colisumy[.]com/dl/build2[.]exe | Malicious
URL | hxxp://167[.]235[.]207[.]108/files[.]zip | Malicious
SHA256 | 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 | Anomalous Activity
SHA256 | c2c5560cede5fe447363e0d432707fc287312c20e92715b59700888e77eab92d | Anomalous Activity
Method | URL | IP | HTTP Status
GET | hxxp://colisumy[.]com/dl/build2[.]exe | 183[.]100[.]39[.]157 | 200
GET | hxxp://167[.]235[.]207[.]108/files[.]zip | 167[.]235[.]207[.]108 | 200
GET | hxxp://167[.]235[.]207[.]108/a81bcf59d85e6e13257840e65b9d1da8 | 167[.]235[.]207[.]108 | 200
GET | hxxp://zexeq[.]com/files/1/build3[.]exe | 5[.]21[.]67[.]193 | 200
POST | hxxp://167[.]235[.]207[.]108/ | 167[.]235[.]207[.]108 | 200
GET | hxxp://zexeq[.]com/test1/get[.]php?pid=***&first=*** | 5[.]21[.]67[.]193 | 200
Domain | IP
dual-s-ring[.]msedge[.]net | 52[.]123[.]128[.]254
dual-s-ring[.]msedge[.]net | 52[.]123[.]129[.]254
fp-vs[.]azureedge[.]net | 117[.]18[.]232[.]200
wac-ring[.]msedge[.]net | 52[.]108[.]8[.]254
wac-ring[.]msedge[.]net | 52[.]108[.]9[.]254
zexeq[.]com | 5[.]21[.]67[.]193
zexeq[.]com | 177[.]254[.]85[.]20
zexeq[.]com | 95[.]107[.]163[.]44
zexeq[.]com | 189[.]194[.]9[.]27
zexeq[.]com | 179[.]25[.]14[.]241
zexeq[.]com | 175[.]119[.]10[.]231
zexeq[.]com | 190[.]171[.]250[.]205
zexeq[.]com | 61[.]253[.]71[.]111
zexeq[.]com | 211[.]119[.]84[.]111
zexeq[.]com | 222[.]236[.]49[.]124
colisumy[.]com | 183[.]100[.]39[.]157
colisumy[.]com | 211[.]40[.]39[.]251
colisumy[.]com | 222[.]236[.]49[.]123
colisumy[.]com | 124[.]43[.]18[.]250
colisumy[.]com | 201[.]119[.]66[.]140
colisumy[.]com | 2[.]180[.]10[.]7
colisumy[.]com | 62[.]217[.]232[.]10
colisumy[.]com | 195[.]158[.]3[.]162
colisumy[.]com | 187[.]233[.]46[.]193
colisumy[.]com | 190[.]229[.]19[.]7
t[.]me | 149[.]154[.]167[.]99
r[.]bing[.]com | 23[.]3[.]70[.]48
r[.]bing[.]com | 23[.]3[.]70[.]91
r[.]bing[.]com | 23[.]3[.]70[.]203
api[.]2ip[.]ua | 162[.]0[.]217[.]254
JA3S | Domain
895252f3ce80cebf7a8837be83ec8e16 | fp-vs[.]azureedge[.]net
61be9ce3d068c08ff99a857f62352f9d | api[.]2ip[.]ua
c8d5b17a0fd5b4ee799ca8bd692fee69 | r[.]bing[.]com
098e26e2609212ac1bfac552fbe04127 | t[.]me
SHA256 | File Type
c2c5560cede5fe447363e0d432707fc287312c20e92715b59700888e77eab92d | application/x-dosexec
181c1ef3e42b2399d39b6c3ba14d8e55e60929f58a426d4f4814bf27591295b6 | application/zip
7320c9dec9fba9f878e9f7fa3f2352951eaf82e5e10b33bb247938eeceefffd9 | text/plain
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 | application/x-dosexec
11a770052f6df5fd0ed9b7197f4c5ea2f5d62bd1f75684959bd3b8f299d1eee6 | text/plain
Connections
Protocol | IP
TCP | 183[.]100[.]39[.]157
TCP | 149[.]154[.]167[.]99
TCP | 52[.]123[.]128[.]254
TCP | 23[.]3[.]70[.]48
TCP | 117[.]18[.]232[.]200
TCP | 23[.]192[.]96[.]123
TCP | 162[.]0[.]217[.]254
TCP | 167[.]235[.]207[.]108
TCP | 5[.]21[.]67[.]193
TCP | 52[.]108[.]8[.]254
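Matching the network indicators above against proxy traffic, as an added example that is not part of the report: the indicator rows are kept defanged exactly as the report prints them, refanged when loaded, and matched by URL (host plus path) first, then by C2 domain, then by bare IP. Query strings are ignored on purpose because the report masks the get.php parameters as pid=***&first=***. The proxy-log format and the log lines themselves are constructed for this example; the first four requests mirror the HTTP table above and the last is benign.

```python
import re
from urllib.parse import urlsplit

# Indicators copied from the report, still in defanged form.
DEFANGED = {
    "domain": ["zexeq[.]com", "colisumy[.]com"],
    "ip": [
        "5[.]21[.]67[.]193", "177[.]254[.]85[.]20", "95[.]107[.]163[.]44", "189[.]194[.]9[.]27",
        "179[.]25[.]14[.]241", "175[.]119[.]10[.]231", "190[.]171[.]250[.]205", "61[.]253[.]71[.]111",
        "211[.]119[.]84[.]111", "222[.]236[.]49[.]124", "183[.]100[.]39[.]157", "211[.]40[.]39[.]251",
        "222[.]236[.]49[.]123", "124[.]43[.]18[.]250", "201[.]119[.]66[.]140", "2[.]180[.]10[.]7",
        "62[.]217[.]232[.]10", "195[.]158[.]3[.]162", "187[.]233[.]46[.]193", "190[.]229[.]19[.]7",
        "167[.]235[.]207[.]108",
    ],
    "url": [
        "hxxp://zexeq[.]com/files/1/build3[.]exe",
        "hxxp://zexeq[.]com/test1/get[.]php?pid=***&first=***",
        "hxxp://colisumy[.]com/dl/build2[.]exe",
        "hxxp://167[.]235[.]207[.]108/files[.]zip",
    ],
}


def refang(ioc: str) -> str:
    """Undo the usual defang conventions: [.] -> ., [:] -> :, hxxp(s):// -> http(s)://."""
    ioc = ioc.replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", ioc, flags=re.I)


def url_key(url: str):
    """Match key for a URL: lower-cased host and path, no scheme, no query.
    The query is dropped because the report masks the get.php parameters."""
    p = urlsplit(url)
    return (p.hostname or "").lower(), p.path or "/"


DOMAINS = {refang(d).lower() for d in DEFANGED["domain"]}
IPS = {refang(i) for i in DEFANGED["ip"]}
URL_KEYS = {url_key(refang(u)) for u in DEFANGED["url"]}


def classify(url: str):
    """Strongest match wins: exact URL (host+path), then C2 domain, then known IP."""
    host, path = url_key(url)
    if (host, path) in URL_KEYS:
        return "url"
    if host in DOMAINS:
        return "domain"
    if host in IPS:
        return "ip"
    return None


def scan_proxy_log(lines):
    """Line format (constructed for this example): <timestamp> <client_ip> <method> <url> <status>.
    Returns (client_ip, match_kind, url) for every line that hits an indicator."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue
        _ts, client, _method, url, _status = parts[:5]
        kind = classify(url)
        if kind:
            hits.append((client, kind, url))
    return hits


# Constructed proxy log (not from the report); query values on the get.php line are placeholders.
SAMPLE_LOG = """\
2023-06-12T17:21:01Z 10.0.0.5 GET http://colisumy.com/dl/build2.exe 200
2023-06-12T17:21:02Z 10.0.0.5 GET http://167.235.207.108/files.zip 200
2023-06-12T17:21:04Z 10.0.0.5 POST http://167.235.207.108/ 200
2023-06-12T17:21:05Z 10.0.0.5 GET http://zexeq.com/test1/get.php?pid=x&first=y 200
2023-06-12T17:21:06Z 10.0.0.9 GET https://www.example.com/index.html 200
""".splitlines()

if __name__ == "__main__":
    for client, kind, url in scan_proxy_log(SAMPLE_LOG):
        print(f"{client} {kind:6} {url}")
```

The POST to 167[.]235[.]207[.]108/ is in the HTTP table but not in the URL indicator list, so it is caught only at the IP tier; that is the reason for the tiered lookup. The DNS table shows each C2 domain resolving to ten different addresses during one three-minute run, so blocking on the domain and URL indicators holds up longer than blocking the 21 IPs alone.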