Analysis Overview
SHA256
6e0ee75b4763b69ed1ab073e3df96510a3a1bb6879c05f5fb3c339a3a0571f22
Threat Level: Known bad
The file 6e0ee75b4763b69ed1ab073e3df96510a3a1bb6879c05f5fb3c339a3a0571f22 was found to be: Known bad.
Malicious Activity Summary
Djvu Ransomware
Vidar
Detected Djvu ransomware
Downloads MZ/PE file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Modifies file permissions
Checks computer location settings
Accesses 2FA software files, possible credential harvesting
Adds Run key to start application
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Looks up external IP address via web service
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Delays execution with timeout.exe
Checks processor information in registry
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-01-07 06:47
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-01-07 06:47
Reported
2023-01-07 06:49
Platform
win10v2004-20220812-en
Max time kernel
98s
Max time network
124s
Command Line
Signatures
Detected Djvu ransomware
| Description | Indicator | Process | Target |
10 matches recorded; the sandbox attached no description, indicator, process or target to any of them.
Djvu Ransomware
Vidar
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\2dba3af5-a99f-4b9a-a93f-1b3a06111789\build2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\2dba3af5-a99f-4b9a-a93f-1b3a06111789\build3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\2dba3af5-a99f-4b9a-a93f-1b3a06111789\build2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\6e0ee75b4763b69ed1ab073e3df96510a3a1bb6879c05f5fb3c339a3a0571f22.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\6e0ee75b4763b69ed1ab073e3df96510a3a1bb6879c05f5fb3c339a3a0571f22.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\2dba3af5-a99f-4b9a-a93f-1b3a06111789\build2.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\2dba3af5-a99f-4b9a-a93f-1b3a06111789\build2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\2dba3af5-a99f-4b9a-a93f-1b3a06111789\build2.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Reads user/profile data of web browsers
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\c07e783c-fcd9-4cec-bfae-90293f6ac297\\6e0ee75b4763b69ed1ab073e3df96510a3a1bb6879c05f5fb3c339a3a0571f22.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\6e0ee75b4763b69ed1ab073e3df96510a3a1bb6879c05f5fb3c339a3a0571f22.exe | N/A |
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3368 set thread context of 1032 | N/A | C:\Users\Admin\AppData\Local\Temp\6e0ee75b4763b69ed1ab073e3df96510a3a1bb6879c05f5fb3c339a3a0571f22.exe | C:\Users\Admin\AppData\Local\Temp\6e0ee75b4763b69ed1ab073e3df96510a3a1bb6879c05f5fb3c339a3a0571f22.exe |
| PID 5000 set thread context of 1284 | N/A | C:\Users\Admin\AppData\Local\Temp\6e0ee75b4763b69ed1ab073e3df96510a3a1bb6879c05f5fb3c339a3a0571f22.exe | C:\Users\Admin\AppData\Local\Temp\6e0ee75b4763b69ed1ab073e3df96510a3a1bb6879c05f5fb3c339a3a0571f22.exe |
| PID 1328 set thread context of 4120 | N/A | C:\Users\Admin\AppData\Local\2dba3af5-a99f-4b9a-a93f-1b3a06111789\build2.exe | C:\Users\Admin\AppData\Local\2dba3af5-a99f-4b9a-a93f-1b3a06111789\build2.exe |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\2dba3af5-a99f-4b9a-a93f-1b3a06111789\build2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\2dba3af5-a99f-4b9a-a93f-1b3a06111789\build2.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6e0ee75b4763b69ed1ab073e3df96510a3a1bb6879c05f5fb3c339a3a0571f22.exe
"C:\Users\Admin\AppData\Local\Temp\6e0ee75b4763b69ed1ab073e3df96510a3a1bb6879c05f5fb3c339a3a0571f22.exe"
C:\Users\Admin\AppData\Local\Temp\6e0ee75b4763b69ed1ab073e3df96510a3a1bb6879c05f5fb3c339a3a0571f22.exe
"C:\Users\Admin\AppData\Local\Temp\6e0ee75b4763b69ed1ab073e3df96510a3a1bb6879c05f5fb3c339a3a0571f22.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\c07e783c-fcd9-4cec-bfae-90293f6ac297" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\6e0ee75b4763b69ed1ab073e3df96510a3a1bb6879c05f5fb3c339a3a0571f22.exe
"C:\Users\Admin\AppData\Local\Temp\6e0ee75b4763b69ed1ab073e3df96510a3a1bb6879c05f5fb3c339a3a0571f22.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\6e0ee75b4763b69ed1ab073e3df96510a3a1bb6879c05f5fb3c339a3a0571f22.exe
"C:\Users\Admin\AppData\Local\Temp\6e0ee75b4763b69ed1ab073e3df96510a3a1bb6879c05f5fb3c339a3a0571f22.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\2dba3af5-a99f-4b9a-a93f-1b3a06111789\build2.exe
"C:\Users\Admin\AppData\Local\2dba3af5-a99f-4b9a-a93f-1b3a06111789\build2.exe"
C:\Users\Admin\AppData\Local\2dba3af5-a99f-4b9a-a93f-1b3a06111789\build3.exe
"C:\Users\Admin\AppData\Local\2dba3af5-a99f-4b9a-a93f-1b3a06111789\build3.exe"
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Local\2dba3af5-a99f-4b9a-a93f-1b3a06111789\build2.exe
"C:\Users\Admin\AppData\Local\2dba3af5-a99f-4b9a-a93f-1b3a06111789\build2.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\2dba3af5-a99f-4b9a-a93f-1b3a06111789\build2.exe" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 6
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
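The command lines above show the chain's self-protection and persistence in full: the dropper relaunches itself from Temp (the SetThreadContext entries pair PID 3368 with 1032 and 5000 with 1284, each a copy of the same image), icacls denies Everyone (S-1-1-0) delete and delete-child rights on the GUID-named directory holding its copy, a scheduled task named "Azure-Update-Task" runs mstsca.exe from AppData\Roaming every minute (the process ordering and the identical hashes for build3.exe and mstsca.exe in the Files section suggest the build3 component registers it), and build2.exe removes itself with cmd /c timeout & del. The Python below is an added example, not sandbox output and not code from any tool named on this page; it turns those command lines into detection rules and runs them over constructed process-creation records. PIDs, parent images, the field names and the two benign control events are assumptions.

```python
"""Flag process-creation events for the self-protection and persistence
behaviours recorded in this detonation. Added example, not sandbox output;
event records, PIDs and parents are constructed from the Processes section."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Sysmon Event ID 1 style record; field names are an assumption."""
    pid: int
    image: str
    cmdline: str
    parent_image: str = ""


_APPDATA = r"\\AppData\\(Local|Roaming)\\"
_GUID_DIR = re.compile(
    r"\\AppData\\Local\\[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\\[^\\]+\.exe$", re.I)


def _img(ev, name):
    return ev.image.lower().endswith("\\" + name)


def _in_appdata(s):
    return re.search(_APPDATA, s, re.I) is not None


def rule_djvu_switches(ev):
    # Switches the dropper passes to its own relaunches (see the Processes list).
    return re.search(r"--Admin IsNotAutoStart IsNotTask|--AutoStart", ev.cmdline) is not None


def rule_icacls_deny_delete(ev):
    # Everyone denied DE/DC on an AppData directory: the dropped copy cannot be deleted.
    return (_img(ev, "icacls.exe")
            and re.search(r"/deny\s+\*S-1-1-0:\(OI\)\(CI\)\(DE,DC\)", ev.cmdline, re.I) is not None
            and _in_appdata(ev.cmdline))


def rule_minute_task(ev):
    # schtasks running every minute with /tr under a user-writable profile path.
    return (_img(ev, "schtasks.exe")
            and re.search(r"/create\b", ev.cmdline, re.I) is not None
            and re.search(r"/sc\s+minute\b", ev.cmdline, re.I) is not None
            and re.search(r'/tr\s+"?[^"]*' + _APPDATA, ev.cmdline, re.I) is not None)


def rule_timeout_del(ev):
    # cmd /c timeout N & del <AppData exe>: a payload removing itself after running.
    return (_img(ev, "cmd.exe")
            and re.search(r"\btimeout\s+/t\s+\d+\s*&\s*del\b", ev.cmdline, re.I) is not None
            and _in_appdata(ev.cmdline))


def rule_guid_dir_exe(ev):
    return _GUID_DIR.search(ev.image) is not None


def rule_same_image_child(ev):
    # A profile-path binary spawning a copy of itself; pairs with the SetThreadContext entries.
    return bool(ev.parent_image) and ev.parent_image.lower() == ev.image.lower() and _in_appdata(ev.image)


RULES = [
    ("djvu_cli_switches", rule_djvu_switches),
    ("icacls_deny_everyone_delete", rule_icacls_deny_delete),
    ("schtasks_minute_task_userwritable", rule_minute_task),
    ("cmd_timeout_then_del_self", rule_timeout_del),
    ("exe_in_guid_named_appdata_dir", rule_guid_dir_exe),
    ("same_image_child_in_userdir", rule_same_image_child),
]


def classify(events):
    """Return {pid: [matched rule names]} for events matching at least one rule."""
    hits = {}
    for ev in events:
        names = [name for name, check in RULES if check(ev)]
        if names:
            hits[ev.pid] = names
    return hits


# Constructed sample: command lines from the report; PIDs and parents are assumed.
T = r"C:\Users\Admin\AppData\Local\Temp\6e0ee75b4763b69ed1ab073e3df96510a3a1bb6879c05f5fb3c339a3a0571f22.exe"
G = r"C:\Users\Admin\AppData\Local\2dba3af5-a99f-4b9a-a93f-1b3a06111789"
M = r"C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
SAMPLE_EVENTS = [
    ProcEvent(101, T, '"' + T + '"', r"C:\Windows\explorer.exe"),
    ProcEvent(112, T, '"' + T + '"', T),
    ProcEvent(102, r"C:\Windows\SysWOW64\icacls.exe",
              r'icacls "C:\Users\Admin\AppData\Local\c07e783c-fcd9-4cec-bfae-90293f6ac297" /deny *S-1-1-0:(OI)(CI)(DE,DC)', T),
    ProcEvent(103, T, '"' + T + '" --Admin IsNotAutoStart IsNotTask', T),
    ProcEvent(104, G + r"\build2.exe", '"' + G + r'\build2.exe"', T),
    ProcEvent(105, G + r"\build3.exe", '"' + G + r'\build3.exe"', T),
    ProcEvent(106, r"C:\Windows\SysWOW64\schtasks.exe",
              r'/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "' + M + '"', G + r"\build3.exe"),
    ProcEvent(107, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "' + G + r'\build2.exe" & exit',
              G + r"\build2.exe"),
    ProcEvent(108, r"C:\Windows\SysWOW64\timeout.exe", "timeout /t 6", r"C:\Windows\SysWOW64\cmd.exe"),
    ProcEvent(109, M, M, r"C:\Windows\System32\svchost.exe"),
    # Benign controls (constructed): ordinary admin use of the same tools must not fire.
    ProcEvent(110, r"C:\Windows\System32\schtasks.exe",
              r'schtasks /create /sc daily /tn "Backup" /tr "C:\Program Files\Backup\backup.exe"',
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(111, r"C:\Windows\System32\icacls.exe",
              r'icacls "C:\inetpub\wwwroot" /grant IIS_IUSRS:(OI)(CI)R', r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for pid, names in classify(SAMPLE_EVENTS).items():
        print(pid, ", ".join(names))
```

mstsca.exe itself matches no rule here; it is caught through the task that launches it. On a live host the deny ACE has to be lifted before the copy can be removed (`icacls "<dir>" /remove:d *S-1-1-0`), and clean-up also means deleting the `SysHelper` value under the HKCU Run key shown above and the "Azure-Update-Task" scheduled task.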
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | api.2ip.ua | udp |
| N/A | 162.0.217.254:443 | api.2ip.ua | tcp |
| N/A | 93.184.220.29:80 | N/A | tcp |
| N/A | 93.184.220.29:80 | N/A | tcp |
| N/A | 162.0.217.254:443 | api.2ip.ua | tcp |
| N/A | 8.8.8.8:53 | uaery.top | udp |
| N/A | 8.8.8.8:53 | spaceris.com | udp |
| N/A | 190.147.188.50:80 | uaery.top | tcp |
| N/A | 175.120.254.9:80 | spaceris.com | tcp |
| N/A | 93.184.221.240:80 | N/A | tcp |
| N/A | 175.120.254.9:80 | spaceris.com | tcp |
| N/A | 175.120.254.9:80 | spaceris.com | tcp |
| N/A | 52.182.143.210:443 | N/A | tcp |
| N/A | 8.8.8.8:53 | t.me | udp |
| N/A | 149.154.167.99:443 | t.me | tcp |
| N/A | 94.130.190.48:80 | 94.130.190.48 | tcp |
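The Network table mixes three kinds of traffic. The sandbox resolver (8.8.8.8) and the unnamed connections to 93.184.x and 52.182.x are most plausibly infrastructure noise: the CryptnetUrlCache writes in the Files section show CryptoAPI fetching certificate data during the run, which is the usual source of such unnamed connections (an inference, not a sandbox verdict). The rest is the samples' own: api.2ip.ua for the external-IP lookup flagged in the signatures, uaery.top and spaceris.com over plain HTTP, t.me (Vidar is documented to read its C2 address from a public Telegram page, though the report shows only the query), and a direct-to-IP connection to 94.130.190.48 with no DNS query. The Python below is an added example, not sandbox output; it packages those indicators with a working tiering (the editor's assumption, since the report assigns no roles) and runs them over constructed DNS and connection events, matching parent domains and suppressing t.me unless the client is a binary under AppData.

```python
"""Triage DNS and outbound-connection events against the indicators in this
report's Network table. Added example, not sandbox output. The tiers, the
noise list and all sample events are assumptions made for the example."""
import re
from dataclasses import dataclass

DOMAIN_IOCS = {
    "uaery.top": "high",      # plain-HTTP contact from the dropper chain
    "spaceris.com": "high",
    "api.2ip.ua": "medium",   # external-IP lookup (flagged by the report's signatures)
    "t.me": "context",        # Telegram: ordinary from a browser, notable from an AppData binary
}
IP_IOCS = {
    "190.147.188.50": "high", "175.120.254.9": "high",
    "94.130.190.48": "high",  # reached directly by IP; no matching DNS query in the report
    "162.0.217.254": "medium",
    "149.154.167.99": "context",
}
# Resolver and certificate-service traffic from the same table (assumed benign;
# the CryptnetUrlCache writes in the Files section show CRL/OCSP activity).
NOISE_IPS = {"8.8.8.8", "93.184.220.29", "93.184.221.240", "52.182.143.210"}


@dataclass(frozen=True)
class NetEvent:
    kind: str    # "dns" (value = queried name) or "connect" (value = destination IP)
    image: str   # process that generated the event
    value: str


def match_domain(name):
    """Match a query name, or any parent with at least two labels, against DOMAIN_IOCS."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        tier = DOMAIN_IOCS.get(".".join(labels[i:]))
        if tier:
            return tier
    return None


def _from_profile_binary(image):
    return re.search(r"\\AppData\\", image, re.I) is not None


def triage(events):
    """Return [(tier, image, value)] for the events worth an analyst's attention."""
    findings = []
    for ev in events:
        if ev.kind == "dns":
            tier = match_domain(ev.value)
        elif ev.kind == "connect":
            tier = None if ev.value in NOISE_IPS else IP_IOCS.get(ev.value)
        else:
            tier = None
        if tier == "context":
            # Shared services only count when the client is not an ordinary application.
            tier = "medium" if _from_profile_binary(ev.image) else None
        if tier:
            findings.append((tier, ev.image, ev.value))
    return findings


# Constructed sample telemetry following the order of the Network table.
T = r"C:\Users\Admin\AppData\Local\Temp\6e0ee75b4763b69ed1ab073e3df96510a3a1bb6879c05f5fb3c339a3a0571f22.exe"
B2 = r"C:\Users\Admin\AppData\Local\2dba3af5-a99f-4b9a-a93f-1b3a06111789\build2.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE_EVENTS = [
    NetEvent("dns", T, "api.2ip.ua"),
    NetEvent("connect", T, "8.8.8.8"),
    NetEvent("connect", T, "162.0.217.254"),
    NetEvent("connect", T, "93.184.220.29"),
    NetEvent("dns", T, "uaery.top"),
    NetEvent("connect", T, "190.147.188.50"),
    NetEvent("dns", T, "update.spaceris.com"),   # constructed subdomain: parent-domain match
    NetEvent("dns", B2, "t.me"),
    NetEvent("connect", B2, "149.154.167.99"),
    NetEvent("dns", CHROME, "t.me"),              # same name from a browser: suppressed
    NetEvent("connect", B2, "94.130.190.48"),
]

if __name__ == "__main__":
    for tier, image, value in triage(SAMPLE_EVENTS):
        print(tier, value, "<-", image)
```

The direct-to-IP entry is the one a DNS-only block list misses, which is why the connection events are checked separately from the queries.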
Files
memory/1032-132-0x0000000000000000-mapping.dmp
memory/1032-133-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3368-135-0x0000000004D5F000-0x0000000004DF0000-memory.dmp
memory/1032-134-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3368-136-0x0000000004E00000-0x0000000004F1B000-memory.dmp
memory/1032-137-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1032-138-0x0000000000400000-0x0000000000537000-memory.dmp
memory/616-139-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\c07e783c-fcd9-4cec-bfae-90293f6ac297\6e0ee75b4763b69ed1ab073e3df96510a3a1bb6879c05f5fb3c339a3a0571f22.exe
| MD5 | e60a5dcfab1866791f2e31c7a25a05f2 |
| SHA1 | 18dbce703793173e7596f7ec9545561bd108257c |
| SHA256 | 6e0ee75b4763b69ed1ab073e3df96510a3a1bb6879c05f5fb3c339a3a0571f22 |
| SHA512 | 77ad4d1080605273c38bea6e5632bd30dedd6fc09184d8e48e08f4d86804ec629d0f032a294cc7b7ea3ef9790256f841b149ca12696e3f7e82a9ab792a489cf5 |
memory/5000-141-0x0000000000000000-mapping.dmp
memory/1032-142-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1284-143-0x0000000000000000-mapping.dmp
memory/5000-146-0x0000000004D30000-0x0000000004DC1000-memory.dmp
memory/1284-145-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1284-147-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
| MD5 | 7c56401cb6bd1ae402e06f0fe35f81c4 |
| SHA1 | b82bbb9fa39266796cafcd308ef4300fc92e3399 |
| SHA256 | 0c58c7bc18d38a3096da6f3575f1c6f8d79b69382d8e89bb5fca917d3cdb7f65 |
| SHA512 | 2ea607c2dc04c8ef34ecb4c4bd297e0f0882b179303565863d1745172322133b78186fa04334e82c135e25fd717719ceec917f49682a4eac37034ea87bb2b6f3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
| MD5 | 35a71c38a1558c30d850629874439ced |
| SHA1 | 734bea1d3dcf6abb8857a757fba60d4e66b49d27 |
| SHA256 | 79e00a6fe6a67bd579bfb4a471647646c3ae7bd03bfc39039b0dfa046eec4693 |
| SHA512 | f31a4e4882dd6721c6859c8b97e6ec2799760afe81bc46f2f735302a2ad8fb60fa85a5f2d1fb0cd6ff667ebb153320fc9eb646f2e92c6f6165f7614d1069729f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
| MD5 | 411cd537dcecbf901759b8e6c1bdb076 |
| SHA1 | 655df9870867a1760ad1a2c967b330c61767437a |
| SHA256 | aa9e441c6cf813efd9ba76fe4ae52d884a5c7d222ed221903c42f09bc14eb7db |
| SHA512 | ea780f875c86f8694f67d236a0af066b952862356edb681375e6c387103a91ce085345359f8fe83dd630d310ee6b7637512e5868951c4c257daa411ab9c03e71 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
| MD5 | 62dd0279ce78cb700c021fc59f1bdc80 |
| SHA1 | d87478a5ccd7e22a6c2fceee501c53bac733505e |
| SHA256 | fe03608370f9f9dd4f095d6ec665e3b4b1b61ed576902ee181af9a1db95018b8 |
| SHA512 | 1553dadefd3953a8e830fd57b4e62cb38fa376289fcdeaafffa8d34c2ad975bf9e337f0fcb999c166e091d93fdf89432d223e755d2608166eca7c27de7483a8a |
memory/1284-152-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1284-153-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1328-154-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\2dba3af5-a99f-4b9a-a93f-1b3a06111789\build2.exe
| MD5 | 8c14bb1505244971374a88f37a4ec22a |
| SHA1 | cebd478fd7ca3956c983fb3e33e2cbb7c54fa4d0 |
| SHA256 | f333289bf29805ee697908ecb974aeb81206b471252ec2e51f382d53ac35d962 |
| SHA512 | 5e08686f2cbc783716442004d39ee11a4fabec7aaa92f33f758df7861ed0730c211551ecb85dd9dc93c2b83983fc4df08bcfeeb38c9e51bd3dcd138b10cf103e |
memory/1824-157-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\2dba3af5-a99f-4b9a-a93f-1b3a06111789\build3.exe
| MD5 | 9ead10c08e72ae41921191f8db39bc16 |
| SHA1 | abe3bce01cd34afc88e2c838173f8c2bd0090ae1 |
| SHA256 | 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 |
| SHA512 | aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a |
memory/3156-160-0x0000000000000000-mapping.dmp
memory/4120-161-0x0000000000000000-mapping.dmp
memory/4120-162-0x0000000000400000-0x0000000000460000-memory.dmp
memory/1328-165-0x00000000006E8000-0x0000000000715000-memory.dmp
memory/4120-164-0x0000000000400000-0x0000000000460000-memory.dmp
memory/4120-166-0x0000000000400000-0x0000000000460000-memory.dmp
memory/1328-167-0x00000000005F0000-0x000000000063C000-memory.dmp
memory/4120-168-0x0000000000400000-0x0000000000460000-memory.dmp
memory/4120-169-0x0000000050AB0000-0x0000000050B42000-memory.dmp
C:\ProgramData\nss3.dll
| MD5 | bfac4e3c5908856ba17d41edcd455a51 |
| SHA1 | 8eec7e888767aa9e4cca8ff246eb2aacb9170428 |
| SHA256 | e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78 |
| SHA512 | 2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66 |
C:\ProgramData\mozglue.dll
| MD5 | 8f73c08a9660691143661bf7332c3c27 |
| SHA1 | 37fa65dd737c50fda710fdbde89e51374d0c204a |
| SHA256 | 3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd |
| SHA512 | 0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89 |
memory/4120-190-0x0000000000400000-0x0000000000460000-memory.dmp
memory/4916-191-0x0000000000000000-mapping.dmp
memory/4120-192-0x0000000000400000-0x0000000000460000-memory.dmp
memory/1376-193-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | 9ead10c08e72ae41921191f8db39bc16 |
| SHA1 | abe3bce01cd34afc88e2c838173f8c2bd0090ae1 |
| SHA256 | 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 |
| SHA512 | aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a |
memory/1768-196-0x0000000000000000-mapping.dmp