Analysis
-
max time kernel
40s -
max time network
147s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
14/01/2023, 15:58
General
-
Target
d373a6246bccff072df5fbdc5f53fe93acd3a2776fa02e377910bc4ea6b02fb2.exe
-
Size
779KB
-
MD5
ff660cfc3188548169fb503f22ec7333
-
SHA1
a9f496bc96e2375a713a1664162b3556f62bd966
-
SHA256
d373a6246bccff072df5fbdc5f53fe93acd3a2776fa02e377910bc4ea6b02fb2
-
SHA512
e0a093cf807b1d0683a78376636a3a1f5efd16f88d720bb9038894d851b097f9c5b20dfbdfc2ebc2cb61b851114e6b428894e6ea6624e1fc982fc98ad62c4470
-
SSDEEP
24576:WKGiLkFAQ6LNAQfcLovuwCzSb8bcSaV1:W22hwNAZcvuwvJR
Malware Config
Extracted
djvu
http://spaceris.com/test1/get.php
-
extension
.poqw
-
offline_id
ZMk7348t4yGVy3t2uxofhOwYXOGjluI9PiRO8dt1
-
payload_url
http://uaery.top/dl/build2.exe
http://spaceris.com/files/1/build3.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-GTrvfBi8hs Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0632JOsie
Extracted
vidar
2
19
https://t.me/tgdatapacks
https://steamcommunity.com/profiles/76561199469677637
-
profile_id
19
Signatures
-
Detected Djvu ransomware 10 IoCs
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Downloads MZ/PE file
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 4 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies system certificate store 2 TTPs 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of WriteProcessMemory 60 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d373a6246bccff072df5fbdc5f53fe93acd3a2776fa02e377910bc4ea6b02fb2.exe"C:\Users\Admin\AppData\Local\Temp\d373a6246bccff072df5fbdc5f53fe93acd3a2776fa02e377910bc4ea6b02fb2.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\d373a6246bccff072df5fbdc5f53fe93acd3a2776fa02e377910bc4ea6b02fb2.exe"C:\Users\Admin\AppData\Local\Temp\d373a6246bccff072df5fbdc5f53fe93acd3a2776fa02e377910bc4ea6b02fb2.exe"2⤵
- Adds Run key to start application
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\42dba92c-22fe-4550-b042-3fca288bc225" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
-
-
C:\Users\Admin\AppData\Local\Temp\d373a6246bccff072df5fbdc5f53fe93acd3a2776fa02e377910bc4ea6b02fb2.exe"C:\Users\Admin\AppData\Local\Temp\d373a6246bccff072df5fbdc5f53fe93acd3a2776fa02e377910bc4ea6b02fb2.exe" --Admin IsNotAutoStart IsNotTask3⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\d373a6246bccff072df5fbdc5f53fe93acd3a2776fa02e377910bc4ea6b02fb2.exe"C:\Users\Admin\AppData\Local\Temp\d373a6246bccff072df5fbdc5f53fe93acd3a2776fa02e377910bc4ea6b02fb2.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\6545d483-55d3-4688-ac24-99271b098204\build2.exe"C:\Users\Admin\AppData\Local\6545d483-55d3-4688-ac24-99271b098204\build2.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\6545d483-55d3-4688-ac24-99271b098204\build2.exe"C:\Users\Admin\AppData\Local\6545d483-55d3-4688-ac24-99271b098204\build2.exe"6⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\6545d483-55d3-4688-ac24-99271b098204\build3.exe"C:\Users\Admin\AppData\Local\6545d483-55d3-4688-ac24-99271b098204\build3.exe"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"6⤵
- Creates scheduled task(s)
-
-
-
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {E16B9F3D-0542-47C6-858C-105B417CF702} S-1-5-21-999675638-2867687379-27515722-1000:ORXGKKZC\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"3⤵
- Creates scheduled task(s)
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5601b920be0ad16def87b9ec3e1a91938
SHA1aba2e6c5da479ff7380f714a8536bd9a9cdec729
SHA2562ba194594a0d55b2bc4efc4b8eb5432b2788e1eb7192b83326fcdca28e9ce2b8
SHA5121b91d61b37d9276967f0940e81fd844a9295bac488a9923dfcfd586175597e4573d8817dbf711808a5dad7d32e21b953c872501f23b39051b1332ee174f7e387
-
Filesize
61KB
MD5fc4666cbca561e864e7fdf883a9e6661
SHA12f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5
SHA25610f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b
SHA512c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d
-
Filesize
1KB
MD55ab2ae90a7737ff9868f2cd67b2a4480
SHA1c1bb6d9a6785587ec61f8c72302ddfc3dd36cdc3
SHA256a5d983b7cbbc88ca9947355648a78593a6f1fe31f8bee558641213b00e8d5d84
SHA512c82df76e226c5c395cacdd26ee1924f7b80c90c35397cd37aa32dc8d2bf36cb262fd76771db30cfee533d3eb79e9c77a8bc076c82b716c0bcc5f739495716822
-
Filesize
488B
MD5e0c66c51d39f5224266319627e98f603
SHA19368da73fcc3ff3becc3f19544ff7b964fbaf753
SHA256c9216bb5b5662dbd2d57831ff15976384ca65af69a95c1ffd381c97d53cfe11f
SHA51227f8b0aadb3787d355e768e2df5e9df95e301ff97efcf438f200688129306fe836d37cd5cb3c351d24cbde85e8d37d4dea494d7beb903cab090b267189fd87a8
-
Filesize
342B
MD5efd3e4d544ae32021d113598d3c93b34
SHA16e06b6e0e5a224d14d96c4e48d434cfb2b0a31e5
SHA256adde83a0fa71c3119ea858fdf1a740b73cfe76016741307f404984926a465b67
SHA51287592da2ea139c16e663e8902849f788c10941456f79fd40193947759b1e674f7c60f0ecb43f9802aada8b35b46c5f9366b4fe0afce532e9debc8f7e26ac19cb
-
Filesize
482B
MD51c97d28fb59789bb9f918099807940b1
SHA15fe8435c96f1124c8e31c908ef05f7904ac7e779
SHA25658c5aeeee3c1bde9bd76e597b55bb2d635d083ec861e66ae799d78dad1a6bb24
SHA512587dd3b4ffcbc9322c506cbba6018a680ed8f053137dfcc0cd04439e5885cd6c2661535272ef110ad5ec5b14e0ec4c07c39ca987039eed272cc937d954957af2
-
Filesize
779KB
MD5ff660cfc3188548169fb503f22ec7333
SHA1a9f496bc96e2375a713a1664162b3556f62bd966
SHA256d373a6246bccff072df5fbdc5f53fe93acd3a2776fa02e377910bc4ea6b02fb2
SHA512e0a093cf807b1d0683a78376636a3a1f5efd16f88d720bb9038894d851b097f9c5b20dfbdfc2ebc2cb61b851114e6b428894e6ea6624e1fc982fc98ad62c4470
-
Filesize
422KB
MD5866933fee5234be619d89a6d6a60bd88
SHA1fd279d026264dbb75ea46be965ea163d94d67f0c
SHA256ab6396ad69a961a9f879e58725ed66fa01f7add478b61cbaf4db1f26a9e47185
SHA512fab7b9cfa5c38cff35068334b8525fcc1c6a5ca694f379db3322fc1bd8df9bbfa3446504297fec4c42c55e805fee2be9f96a3eff8eed7db72816a080aff7933d
-
Filesize
422KB
MD5866933fee5234be619d89a6d6a60bd88
SHA1fd279d026264dbb75ea46be965ea163d94d67f0c
SHA256ab6396ad69a961a9f879e58725ed66fa01f7add478b61cbaf4db1f26a9e47185
SHA512fab7b9cfa5c38cff35068334b8525fcc1c6a5ca694f379db3322fc1bd8df9bbfa3446504297fec4c42c55e805fee2be9f96a3eff8eed7db72816a080aff7933d
-
Filesize
422KB
MD5866933fee5234be619d89a6d6a60bd88
SHA1fd279d026264dbb75ea46be965ea163d94d67f0c
SHA256ab6396ad69a961a9f879e58725ed66fa01f7add478b61cbaf4db1f26a9e47185
SHA512fab7b9cfa5c38cff35068334b8525fcc1c6a5ca694f379db3322fc1bd8df9bbfa3446504297fec4c42c55e805fee2be9f96a3eff8eed7db72816a080aff7933d
-
Filesize
9KB
MD59ead10c08e72ae41921191f8db39bc16
SHA1abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA2568d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a
-
Filesize
9KB
MD59ead10c08e72ae41921191f8db39bc16
SHA1abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA2568d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a
-
Filesize
9KB
MD59ead10c08e72ae41921191f8db39bc16
SHA1abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA2568d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a
-
Filesize
9KB
MD59ead10c08e72ae41921191f8db39bc16
SHA1abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA2568d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a
-
Filesize
422KB
MD5866933fee5234be619d89a6d6a60bd88
SHA1fd279d026264dbb75ea46be965ea163d94d67f0c
SHA256ab6396ad69a961a9f879e58725ed66fa01f7add478b61cbaf4db1f26a9e47185
SHA512fab7b9cfa5c38cff35068334b8525fcc1c6a5ca694f379db3322fc1bd8df9bbfa3446504297fec4c42c55e805fee2be9f96a3eff8eed7db72816a080aff7933d
-
Filesize
422KB
MD5866933fee5234be619d89a6d6a60bd88
SHA1fd279d026264dbb75ea46be965ea163d94d67f0c
SHA256ab6396ad69a961a9f879e58725ed66fa01f7add478b61cbaf4db1f26a9e47185
SHA512fab7b9cfa5c38cff35068334b8525fcc1c6a5ca694f379db3322fc1bd8df9bbfa3446504297fec4c42c55e805fee2be9f96a3eff8eed7db72816a080aff7933d
-
Filesize
9KB
MD59ead10c08e72ae41921191f8db39bc16
SHA1abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA2568d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a
-
Filesize
9KB
MD59ead10c08e72ae41921191f8db39bc16
SHA1abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA2568d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
580KB
-
Filesize
580KB
-
Filesize
180KB
-
Filesize
304KB
-
Filesize
1.1MB
-
Filesize
580KB
-
Filesize
580KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
8KB
-
Filesize
1.2MB
-
Filesize
1.2MB