The submitted file file.exe is RANSOMWARE

SHA256: d35d748aebd7c8112ee9d4d7cc38f430bca5b397afec832d51f3e086b828e845
File Name: file.exe
File Type: Win32 EXE
Environment: Windows 10
Analysis Start Time: 2023-06-10 11:26:19 (UTC)
Analysis End Time: 2023-06-10 11:31:57 (UTC)
Tags
  • .neon
  • Trojan
  • STOP
  • Ransomware
  • Vidar
  • Exe-Downloaded
  • Spyware

Static Analysis

MALICIOUS


Network Analysis

MALICIOUS


Dynamic Analysis

MALICIOUS


File Analysis

NO THREATS


MITRE ATT&CK Tactics

Reconnaissance
Resource Development
  1. Develop Capabilities: Malware
Initial Access
Privilege Escalation
  1. Scheduled Task/Job: Scheduled Task
Defense Evasion
Credential Access
Discovery
Lateral Movement
Command And Control
Exfiltration
Impact

Signatures
• Malicious
  • Task Scheduler Executable Triggered
    • 5380 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
      • Execution - Scheduled Task/Job: Scheduled Task
      • Persistence - Scheduled Task/Job: Scheduled Task
      • Privilege Escalation - Scheduled Task/Job: Scheduled Task
    • 424 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
      • Execution - Scheduled Task/Job: Scheduled Task
      • Persistence - Scheduled Task/Job: Scheduled Task
      • Privilege Escalation - Scheduled Task/Job: Scheduled Task
  • Task Scheduler Task Creation
    • 5380 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
      • Execution - Scheduled Task/Job: Scheduled Task
      • Persistence - Scheduled Task/Job: Scheduled Task
      • Privilege Escalation - Scheduled Task/Job: Scheduled Task
    • 424 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
      • Execution - Scheduled Task/Job: Scheduled Task
      • Persistence - Scheduled Task/Job: Scheduled Task
      • Privilege Escalation - Scheduled Task/Job: Scheduled Task
• Suspicious
  • Sysmon Process Hollowing Detection
  • Suspicious Schtasks From Env Var Folder
    • 5380 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
      • Execution - Scheduled Task/Job: Scheduled Task
      • Persistence - Scheduled Task/Job: Scheduled Task
      • Privilege Escalation - Scheduled Task/Job: Scheduled Task
    • 424 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
      • Execution - Scheduled Task/Job: Scheduled Task
      • Persistence - Scheduled Task/Job: Scheduled Task
      • Privilege Escalation - Scheduled Task/Job: Scheduled Task
  • Suspicious Add Scheduled Task Parent
    • 5380 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
      • Execution - Scheduled Task/Job: Scheduled Task
      • Persistence - Scheduled Task/Job: Scheduled Task
      • Privilege Escalation - Scheduled Task/Job: Scheduled Task
    • 424 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
      • Execution - Scheduled Task/Job: Scheduled Task
      • Persistence - Scheduled Task/Job: Scheduled Task
      • Privilege Escalation - Scheduled Task/Job: Scheduled Task
• Info
  • Creation of an Executable by an Executable
    • 6452 - file.exe
      • Resource Development - Develop Capabilities: Malware
    • 1440 - build3.exe
      • Resource Development - Develop Capabilities: Malware
  • Creates Files In The User Directory
    • 6452 - file.exe
      • Collection - Data Staged: Local Data Staging
    • 1440 - build3.exe
      • Collection - Data Staged: Local Data Staging
    • 3312 - WINWORD.EXE
      • Collection - Data Staged: Local Data Staging
  • Scheduled Task Creation
    • 5380 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
      • Execution - Scheduled Task/Job: Scheduled Task
      • Persistence - Scheduled Task/Job: Scheduled Task
      • Privilege Escalation - Scheduled Task/Job: Scheduled Task
    • 424 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
      • Execution - Scheduled Task/Job: Scheduled Task
      • Persistence - Scheduled Task/Job: Scheduled Task
      • Privilege Escalation - Scheduled Task/Job: Scheduled Task

Process Tree
• file.exe
  • 5492 - [0.0s] file.exe --Admin IsNotAutoStart IsNotTask
    • 6452 - [1.21s] file.exe --Admin IsNotAutoStart IsNotTask
      • 4520 - [7.88s] build2.exe
        • 4492 - [9.63s] build2.exe
        • 1440 - [9.89s] build3.exe
          • 5380 - [9.94s] C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
            • 7180 - [10.05s] conhost.exe 0xffffffff -ForceV1
      • 5912 - [0.27s] file.exe
        • 5252 - [1.23s] file.exe
        • 6456 - [1.70s] DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
        • 3312 - [3.43s] WINWORD.exe /n "C:\Windows\System32\Tasks\Time Trigger Task"
        • 6912 - [4.54s] NOTEPAD.EXE C:\_readme.txt
        • 5648 - [5.40s] SearchProtocolHost.exe Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-2530950276-3298662170-1402498598-5002_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-2530950276-3298662170-1402498598-5002 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
        • 1836 - [6.94s] file.exe
          • 6380 - [9.22s] file.exe
          • 6876 - [20.09s] ApplicationFrameHost.exe -Embedding
          • 6460 - [40.09s] SystemSettings.exe -ServerName:microsoft.windows.immersivecontrolpanel
          • 6324 - [40.90s] mousocoreworker.exe -Embedding
          • 6680 - [41.22s] svchost.exe -k wusvcs -p -s WaaSMedicSvc
          • 6916 - [41.47s] UserOOBEBroker.exe -Embedding
          • 5488 - [41.59s] FileCoAuth.exe -Embedding
          • 664 - [42.48s] msedge.exe --default-search-provider=? --out-pipe-name=MSEdgeDefaultc680513ah37a2h44achb218hde448ebb3f80
            • 1352 - [43.01s] msedge.exe --type=crashpad-handler "--user-data-dir=C:\Users\Administrator\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Administrator\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=111.0.5563.111 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=111.0.1661.54 --initial-client-data=0x11c,0x120,0x124,0xf8,0x1d0,0x7ff9d0a9b5f8,0x7ff9d0a9b608,0x7ff9d0a9b618
            • 668 - [42.58s] svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
            • 1004 - [42.66s] msedge.exe --default-search-provider=? --out-pipe-name=MSEdgeDefault943e6c2ah7a93h44b6hb7ach1b2b21b3dcf8
              • 1360 - [43.01s] msedge.exe --type=crashpad-handler "--user-data-dir=C:\Users\Administrator\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Administrator\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=111.0.5563.111 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=111.0.1661.54 --initial-client-data=0x120,0x124,0x128,0xfc,0x1d4,0x7ff9d0a9b5f8,0x7ff9d0a9b608,0x7ff9d0a9b618
              • 2800 - [49.96s] WINWORD.exe /n "C:\Windows\System32\WDI\LogFiles\StartupInfo\S-1-5-21-2530950276-3298662170-1402498598-500_StartupInfo2.xml"
              • 6612 - [59.97s] WINWORD.EXE /Automation -Embedding
                • 1764 - [67.52s] splwow64.exe 12288
                • 4252 - [60.47s] WINWORD.EXE /Automation -Embedding
                • 3492 - [60.71s] WINWORD.EXE /Automation -Embedding
                • 5388 - [64.46s] svchost.exe -k netsvcs -p -s BITS
                • 3904 - [65.46s] svchost.exe -k NetworkService -p
                • 1052 - [65.78s] SgrmBroker.exe
                • 3136 - [65.99s] svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
                • 1928 - [66.16s] svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
                • 6536 - [68.02s] svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
                • 1228 - [112.01s] mstsca.exe
                  • 424 - [112.06s] C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
                    • 5092 - [112.08s] conhost.exe 0xffffffff -ForceV1
                  • 4156 - [113.84s] mousocoreworker.exe -Embedding
                  • 2084 - [114.16s] svchost.exe -k wusvcs -p -s WaaSMedicSvc
                  • 3932 - [128.77s] taskhostw.exe $(Arg0)
                  • 4200 - [182.55s] wmiadap.exe /F /T
Files
  C:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\752WOBP4\build2[1].exe
  C:\Users\Administrator\AppData\Local\b0557041-daf1-4543-8c31-e68e93085dea\build2.exe
  C:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\752WOBP4\build3[1].exe
  C:\Users\Administrator\AppData\Local\b0557041-daf1-4543-8c31-e68e93085dea\build3.exe
  C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Administrator\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
  C:\Windows\Logs\waasmedic\waasmedic.20230610_022650_798.etl
  C:\Windows\debug\WIA\wiatrace.log
  C:\Windows\Logs\waasmedic\waasmedic.20230610_022803_751.etl

Registry Keys
  HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL
  HKLM\System\CurrentControlSet\Control\WMI\Security
  HKLM\System\CurrentControlSet\Services\SharedAccess\Epoch
  HKLM\System\CurrentControlSet\Services\VSS\Diag\BITS Writer

Registry Values
  Registry Value | Type (Data)
  HKLM\System\CurrentControlSet\Control\WMI\Security\c688cf83-9945-5ff6-0e1e-1ff1f8a2ec9a | Binary Data
  HKU\S-1-5-21-2530950276-3298662170-1402498598-500\SOFTWARE\Microsoft\Office\14.0\Word\Security\Trusted Documents\LastPurgeTime | DWORD (0x01acdd54)
Indicators
  Type | Indicator | Reputation
  IP Address | 183[.]100[.]39[.]157 | Malicious
  IP Address | 91[.]140[.]248[.]44 | Malicious
  IP Address | 2[.]88[.]138[.]112 | Malicious
  IP Address | 210[.]182[.]29[.]70 | Malicious
  IP Address | 181[.]4[.]66[.]66 | Malicious
  IP Address | 37[.]34[.]248[.]24 | Malicious
  IP Address | 77[.]28[.]13[.]168 | Malicious
  IP Address | 123[.]140[.]161[.]243 | Malicious
  IP Address | 188[.]36[.]122[.]174 | Malicious
  IP Address | 187[.]224[.]116[.]41 | Malicious
  IP Address | 190[.]231[.]153[.]132 | Malicious
  IP Address | 195[.]158[.]3[.]162 | Malicious
  IP Address | 185[.]12[.]79[.]25 | Malicious
  IP Address | 2[.]180[.]10[.]7 | Malicious
  IP Address | 189[.]194[.]9[.]27 | Malicious
  IP Address | 220[.]82[.]134[.]215 | Malicious
  IP Address | 175[.]120[.]254[.]9 | Malicious
  IP Address | 211[.]40[.]39[.]251 | Malicious
  IP Address | 116[.]202[.]4[.]61 | Malicious
  Domain | colisumy[.]com | Malicious
  Domain | zexeq[.]com | Malicious
  URL | hxxp://colisumy[.]com/dl/build2[.]exe | Malicious
  URL | hxxp://zexeq[.]com/files/1/build3[.]exe | Malicious
  URL | hxxp://zexeq[.]com/raud/get[.]php?pid=***&first=*** | Malicious
  URL | hxxp://116[.]202[.]4[.]61/files[.]zip | Malicious
  Sha256 | c2c5560cede5fe447363e0d432707fc287312c20e92715b59700888e77eab92d | Anomalous Activity
  Sha256 | 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 | Anomalous Activity
HTTP Requests
  Method | URL | IP | HTTP Status
  GET | hxxp://zexeq[.]com/files/1/build3[.]exe | 190[.]231[.]153[.]132 | 200
  GET | hxxp://116[.]202[.]4[.]61/files[.]zip | 116[.]202[.]4[.]61 | 200
  GET | hxxp://116[.]202[.]4[.]61/a81bcf59d85e6e13257840e65b9d1da8 | 116[.]202[.]4[.]61 | 200
  GET | hxxp://colisumy[.]com/dl/build2[.]exe | 183[.]100[.]39[.]157 | 200
  GET | hxxp://zexeq[.]com/raud/get[.]php?pid=***&first=*** | 190[.]231[.]153[.]132 | 200
DNS Resolutions
  Domain | IP
  r[.]bing[.]com | 23[.]44[.]10[.]48, 23[.]44[.]10[.]67, 23[.]44[.]10[.]56, 23[.]44[.]10[.]43, 23[.]44[.]10[.]32, 23[.]44[.]10[.]75, 23[.]44[.]10[.]41, 23[.]44[.]10[.]50, 23[.]44[.]10[.]73
  fp-vs[.]azureedge[.]net | 117[.]18[.]232[.]200
  api[.]2ip[.]ua | 162[.]0[.]217[.]254
  t[.]me | 149[.]154[.]167[.]99
  colisumy[.]com | 183[.]100[.]39[.]157, 91[.]140[.]248[.]44, 2[.]88[.]138[.]112, 210[.]182[.]29[.]70, 181[.]4[.]66[.]66, 37[.]34[.]248[.]24, 77[.]28[.]13[.]168, 123[.]140[.]161[.]243, 188[.]36[.]122[.]174, 187[.]224[.]116[.]41
  zexeq[.]com | 190[.]231[.]153[.]132, 195[.]158[.]3[.]162, 185[.]12[.]79[.]25, 77[.]28[.]13[.]168, 2[.]180[.]10[.]7, 189[.]194[.]9[.]27, 220[.]82[.]134[.]215, 91[.]140[.]248[.]44, 175[.]120[.]254[.]9, 211[.]40[.]39[.]251
  dual-s-ring[.]msedge[.]net | 52[.]123[.]128[.]254, 52[.]123[.]129[.]254
  wac-ring[.]msedge[.]net | 52[.]108[.]8[.]254, 52[.]108[.]9[.]254
TLS Fingerprints
  JA3S | Domain
  61be9ce3d068c08ff99a857f62352f9d | api[.]2ip[.]ua
  895252f3ce80cebf7a8837be83ec8e16 | fp-vs[.]azureedge[.]net
  098e26e2609212ac1bfac552fbe04127 | t[.]me
Downloaded Files
  Sha256 | File Type
  8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 | application/x-dosexec
  6814499e9494897055704c2446eb47d1cfe75a17950633acb505738c2e7e31c0 | application/zip
  818986ca66ce45e9326d8d3fd096c39b65d440dbe62ac1fd082bdc1909906517 | text/plain
  c2c5560cede5fe447363e0d432707fc287312c20e92715b59700888e77eab92d | application/x-dosexec
  68cde71acc2bc5fa897c1b61299b0592d777aab4cc45eea7ea7ba7fe8cd52918 | text/plain
Network Connections
  Protocol | IP
  TCP | 183[.]100[.]39[.]157, 116[.]202[.]4[.]61, 52[.]123[.]128[.]254, 162[.]0[.]217[.]254, 52[.]108[.]8[.]254, 190[.]231[.]153[.]132, 149[.]154[.]167[.]99, 117[.]18[.]232[.]200