Overview

overview

10

Static

static

6b7829cb6f...03.exe

windows7_x64

10

6b7829cb6f...03.exe

windows10_x64

10

Analysis

  • max time kernel
    66s
  • max time network
    129s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    10-06-2021 14:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6b7829cb6f27c9382e48822f36ce2b03.exe

  • Size

    859KB

  • MD5

    6b7829cb6f27c9382e48822f36ce2b03

  • SHA1

    190cd052a6de77dfa081172a7917dde892632d97

  • SHA256

    3e4676b65c821a9509ba52b43e12248a75cc8f68b212d9852786cc6424003d60

  • SHA512

    3a1f2edd75ed62939cfe4a3becef1cf844fbd9e04786e007f13688812dd8f292561b2092153f1ab19d46fa1a20163805184ddbdea9dda8dbc23963525362909b

Score
10/10
djvuvidar517discoveryevasionpersistenceransomwarespywarestealer

Malware Config

Extracted

Family

vidar

Version

39.3

Botnet

517

C2

https://bandakere.tumblr.com/

Attributes
  • profile_id

    517

Signatures

  • Deletes Windows Defender Definitions 2 TTPs 1 IoCs

    Uses mpcmdrun utility to delete all AV definitions.

    evasion
  • Detected Djvu ransomeware 6 IoCs
  • Djvu Ransomware

    Ransomware which is a variant of the STOP family.

    ransomwaredjvu
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Vidar Stealer 4 IoCs
    stealer
  • Disables Task Manager via registry modification
    evasion
  • Downloads MZ/PE file
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 2 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses 2FA software files, possible credential harvesting 2 TTPs
    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6b7829cb6f27c9382e48822f36ce2b03.exe
    "C:\Users\Admin\AppData\Local\Temp\6b7829cb6f27c9382e48822f36ce2b03.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4056
    • C:\Users\Admin\AppData\Local\Temp\6b7829cb6f27c9382e48822f36ce2b03.exe
      "C:\Users\Admin\AppData\Local\Temp\6b7829cb6f27c9382e48822f36ce2b03.exe"
      2⤵
      • Adds Run key to start application
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3692
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Users\Admin\AppData\Local\aeca3fbb-7ce2-4980-ad83-eb269b28c93a" /deny *S-1-1-0:(OI)(CI)(DE,DC)
        3⤵
        • Modifies file permissions
        PID:2068
      • C:\Users\Admin\AppData\Local\Temp\6b7829cb6f27c9382e48822f36ce2b03.exe
        "C:\Users\Admin\AppData\Local\Temp\6b7829cb6f27c9382e48822f36ce2b03.exe" --Admin IsNotAutoStart IsNotTask
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2428
        • C:\Users\Admin\AppData\Local\Temp\6b7829cb6f27c9382e48822f36ce2b03.exe
          "C:\Users\Admin\AppData\Local\Temp\6b7829cb6f27c9382e48822f36ce2b03.exe" --Admin IsNotAutoStart IsNotTask
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1868
          • C:\Users\Admin\AppData\Local\dfd1f9f7-f4bc-433f-95e7-4a5c87d0ab5f\updatewin1.exe
            "C:\Users\Admin\AppData\Local\dfd1f9f7-f4bc-433f-95e7-4a5c87d0ab5f\updatewin1.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:3568
            • C:\Users\Admin\AppData\Local\dfd1f9f7-f4bc-433f-95e7-4a5c87d0ab5f\updatewin1.exe
              "C:\Users\Admin\AppData\Local\dfd1f9f7-f4bc-433f-95e7-4a5c87d0ab5f\updatewin1.exe" --Admin
              6⤵
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:2444
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                powershell -Command Set-ExecutionPolicy -Scope CurrentUser RemoteSigned
                7⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1292
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                powershell -NoProfile -ExecutionPolicy Bypass -Command "& {Start-Process PowerShell -ArgumentList '-NoProfile -ExecutionPolicy Bypass -File ""C:\Users\Admin\AppData\Local\script.ps1""' -Verb RunAs}"
                7⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2340
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\script.ps1
                  8⤵
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1556
              • C:\Program Files\Windows Defender\mpcmdrun.exe
                "C:\Program Files\Windows Defender\mpcmdrun.exe" -removedefinitions -all
                7⤵
                • Deletes Windows Defender Definitions
                PID:2084
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\delself.bat""
                7⤵
                  PID:1964
            • C:\Users\Admin\AppData\Local\dfd1f9f7-f4bc-433f-95e7-4a5c87d0ab5f\updatewin2.exe
              "C:\Users\Admin\AppData\Local\dfd1f9f7-f4bc-433f-95e7-4a5c87d0ab5f\updatewin2.exe"
              5⤵
              • Drops file in Drivers directory
              • Executes dropped EXE
              PID:2392
            • C:\Users\Admin\AppData\Local\dfd1f9f7-f4bc-433f-95e7-4a5c87d0ab5f\5.exe
              "C:\Users\Admin\AppData\Local\dfd1f9f7-f4bc-433f-95e7-4a5c87d0ab5f\5.exe"
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious use of WriteProcessMemory
              PID:4092
              • C:\Users\Admin\AppData\Local\dfd1f9f7-f4bc-433f-95e7-4a5c87d0ab5f\5.exe
                "C:\Users\Admin\AppData\Local\dfd1f9f7-f4bc-433f-95e7-4a5c87d0ab5f\5.exe"
                6⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Checks processor information in registry
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of WriteProcessMemory
                PID:3808
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\System32\cmd.exe" /c taskkill /im 5.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\dfd1f9f7-f4bc-433f-95e7-4a5c87d0ab5f\5.exe" & del C:\ProgramData\*.dll & exit
                  7⤵
                  • Suspicious use of WriteProcessMemory
                  PID:3896
                  • C:\Windows\SysWOW64\taskkill.exe
                    taskkill /im 5.exe /f
                    8⤵
                    • Kills process with taskkill
                    • Suspicious use of AdjustPrivilegeToken
                    PID:364
                  • C:\Windows\SysWOW64\timeout.exe
                    timeout /t 6
                    8⤵
                    • Delays execution with timeout.exe
                    PID:2236

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1292-145-0x0000000006780000-0x0000000006781000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1292-160-0x0000000007920000-0x0000000007921000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1292-219-0x0000000006946000-0x0000000006948000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1292-218-0x0000000006943000-0x0000000006944000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1292-150-0x0000000006B90000-0x0000000006B91000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1292-185-0x0000000008EB0000-0x0000000008EB1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1292-153-0x0000000006940000-0x0000000006941000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1292-154-0x0000000006C30000-0x0000000006C31000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1292-155-0x0000000006942000-0x0000000006943000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1292-184-0x000000007F2A0000-0x000000007F2A1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1292-183-0x0000000008D20000-0x0000000008D21000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1292-151-0x0000000006D10000-0x0000000006D11000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1292-158-0x00000000075B0000-0x00000000075B1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1292-159-0x0000000007900000-0x0000000007901000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1292-146-0x0000000006F80000-0x0000000006F81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1292-161-0x0000000007C90000-0x0000000007C91000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1292-178-0x0000000008970000-0x0000000008971000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1292-171-0x0000000008990000-0x00000000089C3000-memory.dmp

      Filesize

      204KB

      Download

    • memory/1556-232-0x0000000006803000-0x0000000006804000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1556-231-0x000000007E100000-0x000000007E101000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1556-228-0x0000000006800000-0x0000000006801000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1556-229-0x0000000006802000-0x0000000006803000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1868-128-0x0000000000400000-0x0000000000537000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/2340-220-0x0000000001070000-0x0000000001071000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2340-221-0x0000000001072000-0x0000000001073000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2340-227-0x0000000001073000-0x0000000001074000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2392-141-0x0000000000400000-0x000000000044D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/2444-152-0x0000000000400000-0x000000000044D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/3568-137-0x0000000000400000-0x000000000044D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/3692-114-0x0000000000400000-0x0000000000537000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/3692-117-0x0000000000400000-0x0000000000537000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/3808-147-0x0000000000400000-0x000000000049B000-memory.dmp

      Filesize

      620KB

      Download

    • memory/3808-157-0x0000000000400000-0x000000000049B000-memory.dmp

      Filesize

      620KB

      Download

    • memory/4056-116-0x0000000002250000-0x000000000236B000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/4092-156-0x0000000002170000-0x0000000002208000-memory.dmp

      Filesize

      608KB

      Download