Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
69s -
max time network
133s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
-
submitted
11/02/2023, 05:41
General
-
Target
deb7ebd62a390924b91dd3ba906c3e039a37d0d37fbfa8a8b90b95dc3fbb5869.exe
-
Size
880KB
-
MD5
583709743307f1a56efb4530359e5638
-
SHA1
3286537d896e4276e076cfc28b7a35aad04ec4c2
-
SHA256
deb7ebd62a390924b91dd3ba906c3e039a37d0d37fbfa8a8b90b95dc3fbb5869
-
SHA512
76b484411644f93860c1724434cb2bc838c15f507d76c3543be9b3714a2e276ed6bf734f96a9b9e8a6b7008fbaf72a691cb9cc5bcaacbc06473e36caf1e5e874
-
SSDEEP
12288:sbs0DD6kx+5n8trICS6tYK/Zgv070oQYRrcQBMdk:stDpxmn8NI6R8o1AQBMdk
Malware Config
Extracted
djvu
http://bihsy.com/test1/get.php
-
extension
.vvmm
-
offline_id
9c20OtJsXdFeF07b1IeFK5ERGv1zIb659YG380t1
-
payload_url
http://uaery.top/dl/build2.exe
http://bihsy.com/files/1/build3.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-IiDRZpWuwI Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0643JOsie
Extracted
vidar
2.4
19
-
profile_id
19
Signatures
-
Detected Djvu ransomware 10 IoCs
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 2 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses 2FA software files, possible credential harvesting 2 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of WriteProcessMemory 47 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\deb7ebd62a390924b91dd3ba906c3e039a37d0d37fbfa8a8b90b95dc3fbb5869.exe"C:\Users\Admin\AppData\Local\Temp\deb7ebd62a390924b91dd3ba906c3e039a37d0d37fbfa8a8b90b95dc3fbb5869.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\deb7ebd62a390924b91dd3ba906c3e039a37d0d37fbfa8a8b90b95dc3fbb5869.exe"C:\Users\Admin\AppData\Local\Temp\deb7ebd62a390924b91dd3ba906c3e039a37d0d37fbfa8a8b90b95dc3fbb5869.exe"2⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\8f2e8fe0-c658-4312-bd3b-8077c29feb61" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
-
-
C:\Users\Admin\AppData\Local\Temp\deb7ebd62a390924b91dd3ba906c3e039a37d0d37fbfa8a8b90b95dc3fbb5869.exe"C:\Users\Admin\AppData\Local\Temp\deb7ebd62a390924b91dd3ba906c3e039a37d0d37fbfa8a8b90b95dc3fbb5869.exe" --Admin IsNotAutoStart IsNotTask3⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\deb7ebd62a390924b91dd3ba906c3e039a37d0d37fbfa8a8b90b95dc3fbb5869.exe"C:\Users\Admin\AppData\Local\Temp\deb7ebd62a390924b91dd3ba906c3e039a37d0d37fbfa8a8b90b95dc3fbb5869.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\40fbdd4d-780b-46cb-9031-32aca8dd2cbd\build2.exe"C:\Users\Admin\AppData\Local\40fbdd4d-780b-46cb-9031-32aca8dd2cbd\build2.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\40fbdd4d-780b-46cb-9031-32aca8dd2cbd\build2.exe"C:\Users\Admin\AppData\Local\40fbdd4d-780b-46cb-9031-32aca8dd2cbd\build2.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3180 -s 19927⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\40fbdd4d-780b-46cb-9031-32aca8dd2cbd\build3.exe"C:\Users\Admin\AppData\Local\40fbdd4d-780b-46cb-9031-32aca8dd2cbd\build3.exe"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"6⤵
- Creates scheduled task(s)
-
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3180 -ip 31801⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"2⤵
- Creates scheduled task(s)
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
2KB
MD588c1baba352577878a6c51f9ef6523de
SHA15a2e09c7386f4e2aa1a1fa42708566fff97fa59c
SHA256582345ce77a9dca1a30e0f55591fb2bb1bff51ea3f169eb76afb6914fabd5029
SHA512fff3ad502996c43af8c4518fc94364c2a7ec74f27af01bd6e0438cb09550679d7c02b15735231c4414935dbb4398dc6238101de4898351fdbf06f7d381fddf62
-
Filesize
1KB
MD51b11a6392d2c43073e05c7ea57724b91
SHA1684593b291c26ba749c7bd07a76d1b6f1ff616e1
SHA2561166ec0c19ebb36567b96b919573eacb2279bdff4367ebd5abf6182c918976dc
SHA51287d9c26d11a95df4b6d08453f3183c9d7d77dbd420f9f52b73aed18122cac573f698a1a094effdcd8118f7f5bc519b9f7de1ebd64d5fc86e886f9546bff3052e
-
Filesize
488B
MD57acbc6f626c8c87026f36f0725f89cdc
SHA13783bfbfa3314a1c222e0d91ea41f0604cf47db2
SHA25697b2149fe45fbdb2f09cf0f06b827f444f00856a033ce0b879d26ff561f053de
SHA512ad5ad33f62b32e49a9accbadd69341aac7a1a3ab8a0ccb7f4b257da1eacbe7381201d370fd4e9066cbc9d1c54f3cd977e7330ab29e34998c964c0fbbfada7953
-
Filesize
482B
MD5b3541c37525bc8e4eff7bee04e3a0953
SHA1d2563b170c4e544d6d7f42160853dcaccc259ca8
SHA25608080e90c3a46a3b7bce7aa7d7e3fce9c20568960697758cf9bfef8b84fac93d
SHA512ac8b30c4c22b5c96ca72094fc4812a6599119152225161b4cfcb8f65705a03d6ca45a39e8c953a987d4b24745fd7cb9d6fce41f8afbc6486629c172d14bb376b
-
Filesize
422KB
MD50b622eb410bfb32c5fa7b45eb3c116d2
SHA1606d111174079e4d784e95f285805f14116e6d63
SHA2569b7b45434353b99f97d33f44e225e71b9c164cd21ae56335c078cca20ae29c1d
SHA512ffc1c0caf526c598624845c4d15df2fd68309f8027373c971ed7405f1bda52e89db6b936ce11937d038c3c1a2dba4fcbc70ba8f28d8d1aa4bf4325f08a6a61c4
-
Filesize
422KB
MD50b622eb410bfb32c5fa7b45eb3c116d2
SHA1606d111174079e4d784e95f285805f14116e6d63
SHA2569b7b45434353b99f97d33f44e225e71b9c164cd21ae56335c078cca20ae29c1d
SHA512ffc1c0caf526c598624845c4d15df2fd68309f8027373c971ed7405f1bda52e89db6b936ce11937d038c3c1a2dba4fcbc70ba8f28d8d1aa4bf4325f08a6a61c4
-
Filesize
422KB
MD50b622eb410bfb32c5fa7b45eb3c116d2
SHA1606d111174079e4d784e95f285805f14116e6d63
SHA2569b7b45434353b99f97d33f44e225e71b9c164cd21ae56335c078cca20ae29c1d
SHA512ffc1c0caf526c598624845c4d15df2fd68309f8027373c971ed7405f1bda52e89db6b936ce11937d038c3c1a2dba4fcbc70ba8f28d8d1aa4bf4325f08a6a61c4
-
Filesize
9KB
MD59ead10c08e72ae41921191f8db39bc16
SHA1abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA2568d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a
-
Filesize
9KB
MD59ead10c08e72ae41921191f8db39bc16
SHA1abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA2568d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a
-
Filesize
880KB
MD5583709743307f1a56efb4530359e5638
SHA13286537d896e4276e076cfc28b7a35aad04ec4c2
SHA256deb7ebd62a390924b91dd3ba906c3e039a37d0d37fbfa8a8b90b95dc3fbb5869
SHA51276b484411644f93860c1724434cb2bc838c15f507d76c3543be9b3714a2e276ed6bf734f96a9b9e8a6b7008fbaf72a691cb9cc5bcaacbc06473e36caf1e5e874
-
Filesize
9KB
MD59ead10c08e72ae41921191f8db39bc16
SHA1abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA2568d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a
-
Filesize
9KB
MD59ead10c08e72ae41921191f8db39bc16
SHA1abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA2568d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.1MB
-
Filesize
580KB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
972KB
-
Filesize
580KB
-
Filesize
376KB
-
Filesize
208KB