djvu | a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416

Analysis

max time kernel
56s
max time network
126s
platform
windows10_x64
resource
win10-en-20211208
submitted
03-02-2022 02:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe
Size

826KB
MD5

8c76817c2fe3ed4843cac361f6fd8d86
SHA1

f4124c09fa270df48e896072f53409fe59948291
SHA256

a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416
SHA512

8d179df5feebe0d4cb2c971ff25dc7b9b4680cb79f48e7f19eb2df74889a807a0cd7ab40b1bddaac0fa7193d0656a3c48e78706fb62b33c27772c726d557d3ac

Score

10^/10

djvu vidar 517 discovery persistence ransomware spyware stealer

Malware Config

Extracted

Family

djvu

http://fuyt.org/test1/get.php

Attributes

extension
.bbbw
offline_id
jYeuANkMCJOEtaXsN8JcBUuEjwSP20EGT4t2Nct1
payload_url
http://lencu.top/dl/build2.exe

http://fuyt.org/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-qqj8MrDVtG Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0382UIhfSd

rsa_pubkey.plain

Extracted

Family

vidar

Version

49.8

Botnet

517

https://c.im/@prophef3

https://qoto.org/@prophef41

Attributes

profile_id
517

Signatures

Detected Djvu ransomware 4 IoCs

resource	yara_rule
behavioral1/memory/3616-116-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/660-117-0x0000000002430000-0x000000000254B000-memory.dmp	family_djvu
behavioral1/memory/3616-118-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3844-219-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Vidar Stealer 3 IoCs

stealer

resource	yara_rule
behavioral1/memory/1136-223-0x0000000000400000-0x0000000000553000-memory.dmp	family_vidar
behavioral1/memory/1136-224-0x0000000000400000-0x0000000000553000-memory.dmp	family_vidar
behavioral1/memory/1136-227-0x0000000000400000-0x0000000000553000-memory.dmp	family_vidar

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
1136	build2.exe

Loads dropped DLL 2 IoCs

pid	Process
1136	build2.exe
1136	build2.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2448	icacls.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\58dea988-fdb1-41d5-a358-0ef419fa6b24\\a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe\" --AutoStart"	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	api.2ip.ua
2	api.2ip.ua
10	api.2ip.ua

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1136	build2.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 660 set thread context of 3616	660	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe	69
PID 2660 set thread context of 3844	2660	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe	73

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
660	1136	WerFault.exe	74

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
3616	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe
3616	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe
3844	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe
3844	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe
1136	build2.exe
1136	build2.exe
1136	build2.exe
1136	build2.exe
1136	build2.exe
1136	build2.exe
1136	build2.exe
1136	build2.exe
660	WerFault.exe
660	WerFault.exe
660	WerFault.exe
660	WerFault.exe
660	WerFault.exe
660	WerFault.exe
660	WerFault.exe
660	WerFault.exe
660	WerFault.exe
660	WerFault.exe
660	WerFault.exe
660	WerFault.exe
660	WerFault.exe
660	WerFault.exe
660	WerFault.exe
660	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	660	WerFault.exe
Token: SeBackupPrivilege	660	WerFault.exe
Token: SeDebugPrivilege	660	WerFault.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 660 wrote to memory of 3616	660	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe	69
PID 660 wrote to memory of 3616	660	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe	69
PID 660 wrote to memory of 3616	660	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe	69
PID 660 wrote to memory of 3616	660	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe	69
PID 660 wrote to memory of 3616	660	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe	69
PID 660 wrote to memory of 3616	660	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe	69
PID 660 wrote to memory of 3616	660	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe	69
PID 660 wrote to memory of 3616	660	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe	69
PID 660 wrote to memory of 3616	660	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe	69
PID 660 wrote to memory of 3616	660	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe	69
PID 3616 wrote to memory of 2448	3616	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe	70
PID 3616 wrote to memory of 2448	3616	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe	70
PID 3616 wrote to memory of 2448	3616	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe	70
PID 3616 wrote to memory of 2660	3616	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe	71
PID 3616 wrote to memory of 2660	3616	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe	71
PID 3616 wrote to memory of 2660	3616	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe	71
PID 2660 wrote to memory of 3844	2660	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe	73
PID 2660 wrote to memory of 3844	2660	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe	73
PID 2660 wrote to memory of 3844	2660	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe	73
PID 2660 wrote to memory of 3844	2660	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe	73
PID 2660 wrote to memory of 3844	2660	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe	73
PID 2660 wrote to memory of 3844	2660	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe	73
PID 2660 wrote to memory of 3844	2660	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe	73
PID 2660 wrote to memory of 3844	2660	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe	73
PID 2660 wrote to memory of 3844	2660	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe	73
PID 2660 wrote to memory of 3844	2660	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe	73
PID 3844 wrote to memory of 1136	3844	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe	74
PID 3844 wrote to memory of 1136	3844	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe	74
PID 3844 wrote to memory of 1136	3844	a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe	74

C:\Users\Admin\AppData\Local\Temp\a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe
"C:\Users\Admin\AppData\Local\Temp\a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:660
- C:\Users\Admin\AppData\Local\Temp\a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe
  "C:\Users\Admin\AppData\Local\Temp\a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe"
  2⤵
  - Adds Run key to start application
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3616
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\58dea988-fdb1-41d5-a358-0ef419fa6b24" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:2448
- - C:\Users\Admin\AppData\Local\Temp\a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe
    "C:\Users\Admin\AppData\Local\Temp\a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2660
  - - C:\Users\Admin\AppData\Local\Temp\a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe
      "C:\Users\Admin\AppData\Local\Temp\a1580ba70a95b1f326c3d3b23df6227e14aeb96178ab013a68b9c256ec68c416.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3844
    - - C:\Users\Admin\AppData\Local\3b1228ae-b7ff-4e4d-9138-7937fbc3f0b5\build2.exe
        
        "C:\Users\Admin\AppData\Local\3b1228ae-b7ff-4e4d-9138-7937fbc3f0b5\build2.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:1136
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1136 -s 1452
        6⤵
        Program crash
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:660

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/660-117-0x0000000002430000-0x000000000254B000-memory.dmp

Filesize
1.1MB

Download
memory/1136-229-0x0000000074070000-0x0000000074161000-memory.dmp

Filesize
964KB

Download
memory/1136-223-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/1136-222-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/1136-224-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/1136-225-0x0000000002310000-0x0000000002355000-memory.dmp

Filesize
276KB

Download
memory/1136-226-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/1136-227-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/1136-228-0x00000000759E0000-0x0000000075BA2000-memory.dmp

Filesize
1.8MB

Download
memory/1136-232-0x00000000725E0000-0x0000000072604000-memory.dmp

Filesize
144KB

Download
memory/1136-233-0x0000000072610000-0x0000000072744000-memory.dmp

Filesize
1.2MB

Download
memory/3616-116-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3616-118-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3844-219-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download