Analysis
-
max time kernel
294s -
max time network
253s -
platform
windows10-1703_x64 -
resource
win10-20230703-en -
resource tags
-
submitted
06/07/2023, 07:10
General
-
Target
499118129de280703e1ec684ed3ceb1872335cb30c1c2845570e20e3eedbebdb.exe
-
Size
734KB
-
MD5
ed7b6cfcffed6c403a0f829f59e8d86d
-
SHA1
0806c35ffc28e471464f8665f1fbbec301732126
-
SHA256
499118129de280703e1ec684ed3ceb1872335cb30c1c2845570e20e3eedbebdb
-
SHA512
62f7c0ae6b23ac3b549b0da3ed49b508795b524404a2af54dfd3e6b24c9ea1652502cfb977a59746bbeb0e3454a786240756b451ad1502cef088699aa6a68559
-
SSDEEP
12288:9IdqZUzOt/bRS5TZayZ123EBZ/Bq8XC+TW6hpPNFt4YR5Q9Yiwd0rRLGGlC:GuUzOt/85FbX205qXq9NFSM8YiW0llk
Malware Config
Extracted
djvu
http://zexeq.com/test1/get.php
-
extension
.wazp
-
offline_id
V5TMuF1BBuDZFeJXDU5xmjrzp6rwS1IuZWNpDCt1
-
payload_url
http://colisumy.com/dl/build2.exe
http://zexeq.com/files/1/build3.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-6Dm02j1lRa Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0738ISdik
Extracted
vidar
4.6
dcad9d884915bbb6106f78e5e2ea6168
https://steamcommunity.com/profiles/76561199523054520
https://t.me/game4serv
-
profile_id_v2
dcad9d884915bbb6106f78e5e2ea6168
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:103.0) Gecko/20100101 Firefox/103.0
Signatures
-
Detected Djvu ransomware 16 IoCs
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 2 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses 2FA software files, possible credential harvesting 2 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of WriteProcessMemory 38 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\499118129de280703e1ec684ed3ceb1872335cb30c1c2845570e20e3eedbebdb.exe"C:\Users\Admin\AppData\Local\Temp\499118129de280703e1ec684ed3ceb1872335cb30c1c2845570e20e3eedbebdb.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\499118129de280703e1ec684ed3ceb1872335cb30c1c2845570e20e3eedbebdb.exe"C:\Users\Admin\AppData\Local\Temp\499118129de280703e1ec684ed3ceb1872335cb30c1c2845570e20e3eedbebdb.exe"2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\e49e949e-b10d-4891-9cb3-f7a8d4a7a89f" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
-
-
C:\Users\Admin\AppData\Local\Temp\499118129de280703e1ec684ed3ceb1872335cb30c1c2845570e20e3eedbebdb.exe"C:\Users\Admin\AppData\Local\Temp\499118129de280703e1ec684ed3ceb1872335cb30c1c2845570e20e3eedbebdb.exe" --Admin IsNotAutoStart IsNotTask3⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\499118129de280703e1ec684ed3ceb1872335cb30c1c2845570e20e3eedbebdb.exe"C:\Users\Admin\AppData\Local\Temp\499118129de280703e1ec684ed3ceb1872335cb30c1c2845570e20e3eedbebdb.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\6b3180e9-a1d4-4278-93fc-f63b8162f3d1\build2.exe"C:\Users\Admin\AppData\Local\6b3180e9-a1d4-4278-93fc-f63b8162f3d1\build2.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\6b3180e9-a1d4-4278-93fc-f63b8162f3d1\build2.exe"C:\Users\Admin\AppData\Local\6b3180e9-a1d4-4278-93fc-f63b8162f3d1\build2.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD524841482658226cf5631326daa54421c
SHA13f7c084495be359a47dd42b07c3b16a28c330714
SHA2561beda9a89d19114be6dc72214190ba114f6eb935862fa07b8ced5ad6a78641b2
SHA512551f85388f5152436942b091afc3baf4370b6d9321d916692405f14c654c5cb0a676a3a8fff90e780831838708df8231a9f55e2fff9d2cb084cc0e3cebe212b4
-
Filesize
1KB
MD5291a62996406ac03c2f31f84f0e2d7d5
SHA1a363cc38fc7c7563baef34600a383832c28cccb1
SHA25641f08f992bb2f99622ba91712b4275c4d7c217012286a4c5ffe107a828daa92d
SHA512053d6d0d44e0f8c6e5d6b5fc573436e1be683eaf0ffea83d634cde4de3ee0c9288cc6bb7831c0ce42afde3e14a348efa0badcfb4544f5ebb0471071b54780d3f
-
Filesize
488B
MD567dcfb8b36107362d3e9148518dfe594
SHA1ca729f84b5ba0966fe99899952940c5bba1acd71
SHA2565efec70bc0335fbd6f32e62d2cd35188f729ef8c360dc30fdc9d826a61089bb3
SHA5124e9fede7cd104f3ea82a8ac7dfb10aedc7e8322e451338a742dc47fecb75b68e6cf965d3d28db599eabf39ff297059400957e46f1af5ccbb8bd851c555541554
-
Filesize
482B
MD59494fbdcce3d42e7b30f1d2cf49c1a65
SHA16e2e30e38b37ef945ca9bbe96752e27909de8476
SHA256034de2fead5b153e7f9a3e78d0a738fe675819b17ac6c0806b21a3c5df64a5df
SHA512554df4aef6a845a588f9da7df5165a8e39afea56a8354467f5697bcc96b562db838253b3482d8402e5f84335ec2b40316604d8e5e462ed46b420b6253b4f7d61
-
Filesize
418KB
MD53567ceb7b97d51ca25326b7fb5c8ec6f
SHA18cccc90870e6a00cc8240dfab61dfd46c30cbd65
SHA2564df6328ec1e748df2043ceca410088ca2018b6635d91f29451b53ed4416cdac2
SHA5123ded0d9fa7716e9395b92afd11fdfe503b9c4c9ec7bfaf899a191dad37a230803f3cb1e506ff32d2a280de74e42b032e7e8cb491059b1eb62d5a2b36bda65ed9
-
Filesize
418KB
MD53567ceb7b97d51ca25326b7fb5c8ec6f
SHA18cccc90870e6a00cc8240dfab61dfd46c30cbd65
SHA2564df6328ec1e748df2043ceca410088ca2018b6635d91f29451b53ed4416cdac2
SHA5123ded0d9fa7716e9395b92afd11fdfe503b9c4c9ec7bfaf899a191dad37a230803f3cb1e506ff32d2a280de74e42b032e7e8cb491059b1eb62d5a2b36bda65ed9
-
Filesize
418KB
MD53567ceb7b97d51ca25326b7fb5c8ec6f
SHA18cccc90870e6a00cc8240dfab61dfd46c30cbd65
SHA2564df6328ec1e748df2043ceca410088ca2018b6635d91f29451b53ed4416cdac2
SHA5123ded0d9fa7716e9395b92afd11fdfe503b9c4c9ec7bfaf899a191dad37a230803f3cb1e506ff32d2a280de74e42b032e7e8cb491059b1eb62d5a2b36bda65ed9
-
Filesize
1KB
MD504346db9f24a19c03a2578a79ca5252f
SHA126b510857e84ffaa0e5b89c3724a2a79c6311236
SHA256266c1ffdde59dfb922cd80a835257e277b85cbda7659028243286aea760190d3
SHA512cee5a839780c30ff6c99374d6b6905f1af3a061fdda6eb682e5d1b06a4c0077156d6b34c88d55567aa0ca2b57514d8cba433e90168bb1cb27c5af3fa150c46f2
-
Filesize
734KB
MD5ed7b6cfcffed6c403a0f829f59e8d86d
SHA10806c35ffc28e471464f8665f1fbbec301732126
SHA256499118129de280703e1ec684ed3ceb1872335cb30c1c2845570e20e3eedbebdb
SHA51262f7c0ae6b23ac3b549b0da3ed49b508795b524404a2af54dfd3e6b24c9ea1652502cfb977a59746bbeb0e3454a786240756b451ad1502cef088699aa6a68559
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
564KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
644KB
-
Filesize
644KB
-
Filesize
644KB
-
Filesize
972KB
-
Filesize
644KB
-
Filesize
644KB
-
Filesize
644KB
-
Filesize
644KB
-
Filesize
1.1MB