Overview

overview

10

Static

static

3

winprofile

windows7-x64

10

winprofile

windows10-1703-x64

10

Analysis

  • max time kernel
    294s
  • max time network
    253s
  • platform
    windows10-1703_x64
  • resource
    win10-20230703-en
  • resource tags

    arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
  • submitted
    06-07-2023 07:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    499118129de280703e1ec684ed3ceb1872335cb30c1c2845570e20e3eedbebdb.exe

  • Size

    734KB

  • MD5

    ed7b6cfcffed6c403a0f829f59e8d86d

  • SHA1

    0806c35ffc28e471464f8665f1fbbec301732126

  • SHA256

    499118129de280703e1ec684ed3ceb1872335cb30c1c2845570e20e3eedbebdb

  • SHA512

    62f7c0ae6b23ac3b549b0da3ed49b508795b524404a2af54dfd3e6b24c9ea1652502cfb977a59746bbeb0e3454a786240756b451ad1502cef088699aa6a68559

  • SSDEEP

    12288:9IdqZUzOt/bRS5TZayZ123EBZ/Bq8XC+TW6hpPNFt4YR5Q9Yiwd0rRLGGlC:GuUzOt/85FbX205qXq9NFSM8YiW0llk

Score
10/10
djvuvidardcad9d884915bbb6106f78e5e2ea6168discoverypersistenceransomwarespywarestealer

Malware Config

Extracted

Family

djvu

C2

http://zexeq.com/test1/get.php

Attributes
  • extension

    .wazp

  • offline_id

    V5TMuF1BBuDZFeJXDU5xmjrzp6rwS1IuZWNpDCt1

  • payload_url

    http://colisumy.com/dl/build2.exe

    http://zexeq.com/files/1/build3.exe

  • ransomnote

    ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-6Dm02j1lRa Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@freshmail.top Reserve e-mail address to contact us: datarestorehelp@airmail.cc Your personal ID: 0738ISdik

rsa_pubkey.plain

Extracted

Family

vidar

Version

4.6

Botnet

dcad9d884915bbb6106f78e5e2ea6168

C2

https://steamcommunity.com/profiles/76561199523054520

https://t.me/game4serv
Attributes
  • profile_id_v2

    dcad9d884915bbb6106f78e5e2ea6168

  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:103.0) Gecko/20100101 Firefox/103.0

Signatures

  • Detected Djvu ransomware 16 IoCs
  • Djvu Ransomware

    Ransomware which is a variant of the STOP family.

    ransomwaredjvu
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses 2FA software files, possible credential harvesting 2 TTPs
    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\499118129de280703e1ec684ed3ceb1872335cb30c1c2845570e20e3eedbebdb.exe
    "C:\Users\Admin\AppData\Local\Temp\499118129de280703e1ec684ed3ceb1872335cb30c1c2845570e20e3eedbebdb.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:5000
    • C:\Users\Admin\AppData\Local\Temp\499118129de280703e1ec684ed3ceb1872335cb30c1c2845570e20e3eedbebdb.exe
      "C:\Users\Admin\AppData\Local\Temp\499118129de280703e1ec684ed3ceb1872335cb30c1c2845570e20e3eedbebdb.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4732
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Users\Admin\AppData\Local\e49e949e-b10d-4891-9cb3-f7a8d4a7a89f" /deny *S-1-1-0:(OI)(CI)(DE,DC)
        3⤵
        • Modifies file permissions
        PID:3840
      • C:\Users\Admin\AppData\Local\Temp\499118129de280703e1ec684ed3ceb1872335cb30c1c2845570e20e3eedbebdb.exe
        "C:\Users\Admin\AppData\Local\Temp\499118129de280703e1ec684ed3ceb1872335cb30c1c2845570e20e3eedbebdb.exe" --Admin IsNotAutoStart IsNotTask
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4336
        • C:\Users\Admin\AppData\Local\Temp\499118129de280703e1ec684ed3ceb1872335cb30c1c2845570e20e3eedbebdb.exe
          "C:\Users\Admin\AppData\Local\Temp\499118129de280703e1ec684ed3ceb1872335cb30c1c2845570e20e3eedbebdb.exe" --Admin IsNotAutoStart IsNotTask
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2632
          • C:\Users\Admin\AppData\Local\6b3180e9-a1d4-4278-93fc-f63b8162f3d1\build2.exe
            "C:\Users\Admin\AppData\Local\6b3180e9-a1d4-4278-93fc-f63b8162f3d1\build2.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:3400
            • C:\Users\Admin\AppData\Local\6b3180e9-a1d4-4278-93fc-f63b8162f3d1\build2.exe
              "C:\Users\Admin\AppData\Local\6b3180e9-a1d4-4278-93fc-f63b8162f3d1\build2.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Checks processor information in registry
              • Suspicious behavior: EnumeratesProcesses
              PID:4896

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

File Permissions Modification

1
T1222

Modify Registry

1
T1112

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

3
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
    Filesize

    2KB

    MD5

    24841482658226cf5631326daa54421c

    SHA1

    3f7c084495be359a47dd42b07c3b16a28c330714

    SHA256

    1beda9a89d19114be6dc72214190ba114f6eb935862fa07b8ced5ad6a78641b2

    SHA512

    551f85388f5152436942b091afc3baf4370b6d9321d916692405f14c654c5cb0a676a3a8fff90e780831838708df8231a9f55e2fff9d2cb084cc0e3cebe212b4

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
    Filesize

    1KB

    MD5

    291a62996406ac03c2f31f84f0e2d7d5

    SHA1

    a363cc38fc7c7563baef34600a383832c28cccb1

    SHA256

    41f08f992bb2f99622ba91712b4275c4d7c217012286a4c5ffe107a828daa92d

    SHA512

    053d6d0d44e0f8c6e5d6b5fc573436e1be683eaf0ffea83d634cde4de3ee0c9288cc6bb7831c0ce42afde3e14a348efa0badcfb4544f5ebb0471071b54780d3f

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
    Filesize

    488B

    MD5

    67dcfb8b36107362d3e9148518dfe594

    SHA1

    ca729f84b5ba0966fe99899952940c5bba1acd71

    SHA256

    5efec70bc0335fbd6f32e62d2cd35188f729ef8c360dc30fdc9d826a61089bb3

    SHA512

    4e9fede7cd104f3ea82a8ac7dfb10aedc7e8322e451338a742dc47fecb75b68e6cf965d3d28db599eabf39ff297059400957e46f1af5ccbb8bd851c555541554

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
    Filesize

    482B

    MD5

    9494fbdcce3d42e7b30f1d2cf49c1a65

    SHA1

    6e2e30e38b37ef945ca9bbe96752e27909de8476

    SHA256

    034de2fead5b153e7f9a3e78d0a738fe675819b17ac6c0806b21a3c5df64a5df

    SHA512

    554df4aef6a845a588f9da7df5165a8e39afea56a8354467f5697bcc96b562db838253b3482d8402e5f84335ec2b40316604d8e5e462ed46b420b6253b4f7d61

    Download Submit
  • C:\Users\Admin\AppData\Local\6b3180e9-a1d4-4278-93fc-f63b8162f3d1\build2.exe
    Filesize

    418KB

    MD5

    3567ceb7b97d51ca25326b7fb5c8ec6f

    SHA1

    8cccc90870e6a00cc8240dfab61dfd46c30cbd65

    SHA256

    4df6328ec1e748df2043ceca410088ca2018b6635d91f29451b53ed4416cdac2

    SHA512

    3ded0d9fa7716e9395b92afd11fdfe503b9c4c9ec7bfaf899a191dad37a230803f3cb1e506ff32d2a280de74e42b032e7e8cb491059b1eb62d5a2b36bda65ed9

    Download Submit
  • C:\Users\Admin\AppData\Local\6b3180e9-a1d4-4278-93fc-f63b8162f3d1\build2.exe
    Filesize

    418KB

    MD5

    3567ceb7b97d51ca25326b7fb5c8ec6f

    SHA1

    8cccc90870e6a00cc8240dfab61dfd46c30cbd65

    SHA256

    4df6328ec1e748df2043ceca410088ca2018b6635d91f29451b53ed4416cdac2

    SHA512

    3ded0d9fa7716e9395b92afd11fdfe503b9c4c9ec7bfaf899a191dad37a230803f3cb1e506ff32d2a280de74e42b032e7e8cb491059b1eb62d5a2b36bda65ed9

    Download Submit
  • C:\Users\Admin\AppData\Local\6b3180e9-a1d4-4278-93fc-f63b8162f3d1\build2.exe
    Filesize

    418KB

    MD5

    3567ceb7b97d51ca25326b7fb5c8ec6f

    SHA1

    8cccc90870e6a00cc8240dfab61dfd46c30cbd65

    SHA256

    4df6328ec1e748df2043ceca410088ca2018b6635d91f29451b53ed4416cdac2

    SHA512

    3ded0d9fa7716e9395b92afd11fdfe503b9c4c9ec7bfaf899a191dad37a230803f3cb1e506ff32d2a280de74e42b032e7e8cb491059b1eb62d5a2b36bda65ed9

    Download Submit
  • C:\Users\Admin\AppData\Local\6b3180e9-a1d4-4278-93fc-f63b8162f3d1\build3.exe
    Filesize

    1KB

    MD5

    04346db9f24a19c03a2578a79ca5252f

    SHA1

    26b510857e84ffaa0e5b89c3724a2a79c6311236

    SHA256

    266c1ffdde59dfb922cd80a835257e277b85cbda7659028243286aea760190d3

    SHA512

    cee5a839780c30ff6c99374d6b6905f1af3a061fdda6eb682e5d1b06a4c0077156d6b34c88d55567aa0ca2b57514d8cba433e90168bb1cb27c5af3fa150c46f2

    Download Submit
  • C:\Users\Admin\AppData\Local\e49e949e-b10d-4891-9cb3-f7a8d4a7a89f\499118129de280703e1ec684ed3ceb1872335cb30c1c2845570e20e3eedbebdb.exe
    Filesize

    734KB

    MD5

    ed7b6cfcffed6c403a0f829f59e8d86d

    SHA1

    0806c35ffc28e471464f8665f1fbbec301732126

    SHA256

    499118129de280703e1ec684ed3ceb1872335cb30c1c2845570e20e3eedbebdb

    SHA512

    62f7c0ae6b23ac3b549b0da3ed49b508795b524404a2af54dfd3e6b24c9ea1652502cfb977a59746bbeb0e3454a786240756b451ad1502cef088699aa6a68559

    Download Submit
  • \ProgramData\mozglue.dll
    Filesize

    593KB

    MD5

    c8fd9be83bc728cc04beffafc2907fe9

    SHA1

    95ab9f701e0024cedfbd312bcfe4e726744c4f2e

    SHA256

    ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

    SHA512

    fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

    Download Submit
  • \ProgramData\nss3.dll
    Filesize

    2.0MB

    MD5

    1cc453cdf74f31e4d913ff9c10acdde2

    SHA1

    6e85eae544d6e965f15fa5c39700fa7202f3aafe

    SHA256

    ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

    SHA512

    dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

    Download Submit
  • memory/2632-152-0x0000000000400000-0x0000000000537000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/2632-155-0x0000000000400000-0x0000000000537000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/2632-146-0x0000000000400000-0x0000000000537000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/2632-147-0x0000000000400000-0x0000000000537000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/2632-148-0x0000000000400000-0x0000000000537000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/2632-169-0x0000000000400000-0x0000000000537000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/2632-154-0x0000000000400000-0x0000000000537000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/2632-176-0x0000000000400000-0x0000000000537000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/2632-140-0x0000000000400000-0x0000000000537000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/2632-141-0x0000000000400000-0x0000000000537000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/3400-167-0x00000000020B0000-0x000000000213D000-memory.dmp
    Filesize

    564KB

    Download
  • memory/4732-122-0x0000000000400000-0x0000000000537000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/4732-136-0x0000000000400000-0x0000000000537000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/4732-124-0x0000000000400000-0x0000000000537000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/4732-130-0x0000000000400000-0x0000000000537000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/4732-121-0x0000000000400000-0x0000000000537000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/4896-164-0x0000000000400000-0x00000000004A1000-memory.dmp
    Filesize

    644KB

    Download
  • memory/4896-168-0x0000000000400000-0x00000000004A1000-memory.dmp
    Filesize

    644KB

    Download
  • memory/4896-177-0x0000000000400000-0x00000000004A1000-memory.dmp
    Filesize

    644KB

    Download
  • memory/4896-188-0x0000000061E00000-0x0000000061EF3000-memory.dmp
    Filesize

    972KB

    Download
  • memory/4896-166-0x0000000000400000-0x00000000004A1000-memory.dmp
    Filesize

    644KB

    Download
  • memory/4896-238-0x0000000000400000-0x00000000004A1000-memory.dmp
    Filesize

    644KB

    Download
  • memory/4896-239-0x0000000000400000-0x00000000004A1000-memory.dmp
    Filesize

    644KB

    Download
  • memory/4896-240-0x0000000000400000-0x00000000004A1000-memory.dmp
    Filesize

    644KB

    Download
  • memory/5000-123-0x0000000002200000-0x000000000231B000-memory.dmp
    Filesize

    1.1MB

    Download