Analysis

  • max time kernel
    72s
  • max time network
    133s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    21-04-2022 23:50

General

  • Target

    buildp.exe

  • Size

    841KB

  • MD5

    efed57771cb41fdde63781d1e195912c

  • SHA1

    a71b0545951c99eb6ad4a50c22d02c958003d920

  • SHA256

    72cd1426f13a698c7d63a288f4920147812303e8f10a4e66e414cc7c2206381d

  • SHA512

    6fd84f80ba5f3c53f48a6a0135cedc7b489cca419742e043116468bcda0898398dd7ddff4ac7d0d8b283312d4c411790b8ff74276f14016021597498b306a080

Malware Config

Extracted

Family

djvu

C2

http://fuyt.org/lancer/get.php

Attributes
  • extension

    .gtys

  • offline_id

    qwVQoIsE2xLety0oNWloOilSDuIBXJGK86LM3ot1

  • payload_url

    http://zerit.top/dl/build2.exe

    http://fuyt.org/files/1/build3.exe

  • ransomnote

    ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-fnn5kv33Vv Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0439JIjdm

rsa_pubkey.plain

Extracted

Family

vidar

Version

51.8

Botnet

517

C2

https://t.me/mm20220428

https://koyu.space/@ronxik123

Attributes
  • profile_id

    517

Signatures

  • Detected Djvu ransomware 8 IoCs
  • Djvu Ransomware

    Ransomware which is a variant of the STOP family.

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request

  • Vidar Stealer 5 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies system certificate store 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\buildp.exe
    "C:\Users\Admin\AppData\Local\Temp\buildp.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1672
    • C:\Users\Admin\AppData\Local\Temp\buildp.exe
      "C:\Users\Admin\AppData\Local\Temp\buildp.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1376
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Users\Admin\AppData\Local\ad5435c4-1fdb-4d53-9a99-0c3fc3f9ad51" /deny *S-1-1-0:(OI)(CI)(DE,DC)
        3⤵
        • Modifies file permissions
        PID:2016
      • C:\Users\Admin\AppData\Local\Temp\buildp.exe
        "C:\Users\Admin\AppData\Local\Temp\buildp.exe" --Admin IsNotAutoStart IsNotTask
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1792
        • C:\Users\Admin\AppData\Local\Temp\buildp.exe
          "C:\Users\Admin\AppData\Local\Temp\buildp.exe" --Admin IsNotAutoStart IsNotTask
          4⤵
          • Loads dropped DLL
          • Modifies system certificate store
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1612
          • C:\Users\Admin\AppData\Local\fb32642e-7147-4c2a-9881-61033de1dddc\build2.exe
            "C:\Users\Admin\AppData\Local\fb32642e-7147-4c2a-9881-61033de1dddc\build2.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:1064
            • C:\Users\Admin\AppData\Local\fb32642e-7147-4c2a-9881-61033de1dddc\build2.exe
              "C:\Users\Admin\AppData\Local\fb32642e-7147-4c2a-9881-61033de1dddc\build2.exe"
              6⤵
              • Executes dropped EXE
              PID:880

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\ad5435c4-1fdb-4d53-9a99-0c3fc3f9ad51\buildp.exe

    Filesize

    841KB

    MD5

    efed57771cb41fdde63781d1e195912c

    SHA1

    a71b0545951c99eb6ad4a50c22d02c958003d920

    SHA256

    72cd1426f13a698c7d63a288f4920147812303e8f10a4e66e414cc7c2206381d

    SHA512

    6fd84f80ba5f3c53f48a6a0135cedc7b489cca419742e043116468bcda0898398dd7ddff4ac7d0d8b283312d4c411790b8ff74276f14016021597498b306a080

  • C:\Users\Admin\AppData\Local\fb32642e-7147-4c2a-9881-61033de1dddc\build2.exe

    Filesize

    368KB

    MD5

    ad1b502b6714c0a374b055332018974b

    SHA1

    672f4e44475177ddcb1bfa73db3c5dee0f031bc2

    SHA256

    f2cfbc265125aca3cbf385120f7489e8044f444976ba43ee3a19e706257c9e95

    SHA512

    0197d74e6eb9fa11d48e6939dbd091c6896908870a59fef1d40830e43caf2539fd03ac933d47eae4c3b0ec74e2bfb0ece7f44c4a525b075fe4235ca6086c355e

  • \Users\Admin\AppData\Local\fb32642e-7147-4c2a-9881-61033de1dddc\build2.exe

    Filesize

    368KB

    MD5

    ad1b502b6714c0a374b055332018974b

    SHA1

    672f4e44475177ddcb1bfa73db3c5dee0f031bc2

    SHA256

    f2cfbc265125aca3cbf385120f7489e8044f444976ba43ee3a19e706257c9e95

    SHA512

    0197d74e6eb9fa11d48e6939dbd091c6896908870a59fef1d40830e43caf2539fd03ac933d47eae4c3b0ec74e2bfb0ece7f44c4a525b075fe4235ca6086c355e

  • memory/880-80-0x0000000000400000-0x000000000044C000-memory.dmp

    Filesize

    304KB

  • memory/880-87-0x0000000000400000-0x000000000044C000-memory.dmp

    Filesize

    304KB

  • memory/880-88-0x0000000000400000-0x000000000044C000-memory.dmp

    Filesize

    304KB

  • memory/1064-83-0x000000000091B000-0x0000000000946000-memory.dmp

    Filesize

    172KB

  • memory/1064-85-0x0000000000220000-0x0000000000269000-memory.dmp

    Filesize

    292KB

  • memory/1064-78-0x000000000091B000-0x0000000000946000-memory.dmp

    Filesize

    172KB

  • memory/1376-62-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

  • memory/1376-61-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

  • memory/1376-55-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

  • memory/1376-60-0x0000000075AE1000-0x0000000075AE3000-memory.dmp

    Filesize

    8KB

  • memory/1612-73-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

  • memory/1612-72-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

  • memory/1672-54-0x0000000001D20000-0x0000000001DB1000-memory.dmp

    Filesize

    580KB

  • memory/1672-59-0x0000000001DC0000-0x0000000001EDB000-memory.dmp

    Filesize

    1.1MB

  • memory/1672-58-0x0000000001D20000-0x0000000001DB1000-memory.dmp

    Filesize

    580KB

  • memory/1792-66-0x0000000001CE0000-0x0000000001D71000-memory.dmp

    Filesize

    580KB

  • memory/1792-70-0x0000000001CE0000-0x0000000001D71000-memory.dmp

    Filesize

    580KB