Analysis
-
max time kernel
144s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
-
submitted
16/07/2023, 12:15
General
-
Target
c5e7f5887687af0628996b7c11e5607d79ad6868aabe4aacdf3f9664ad89badd.exe
-
Size
812KB
-
MD5
73ecaf10be2b83a9a1e77d3235865eac
-
SHA1
3236e7d9b443a757dbc4dcf902d78c2f8dfaebed
-
SHA256
c5e7f5887687af0628996b7c11e5607d79ad6868aabe4aacdf3f9664ad89badd
-
SHA512
b2c9df901501146d740c0449d3424f2782307463cb5743ca5d03db2714e6d0291d7c66b9b85c55ab4f14a975ae4da429218fbc3bf41cf2f9747a6f3aaca28988
-
SSDEEP
12288:2LQHLjpgE7N1EqephL/prRX54Svv9otwos0CBre7/6eai0Ir7FO:jfSExZephLVRWSv9obsxVhXIPFO
Malware Config
Extracted
djvu
http://zexeq.com/raud/get.php
-
extension
.miqe
-
offline_id
1S27jnaC9TYNiwf9VvJvIx5XCXvgyoDAUXHnu0t1
-
payload_url
http://colisumy.com/dl/build2.exe
http://zexeq.com/files/1/build3.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-nSxayRgUNO Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0746Pokj
Extracted
vidar
4.7
https://t.me/eagl3z
https://t.me/eagl3z
https://steamcommunity.com/profiles/76561199159550234
-
profile_id_v2
https://t.me/eagl3z
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Edg/114.0.1788.0 uacq
Signatures
-
Detected Djvu ransomware 17 IoCs
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 2 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses 2FA software files, possible credential harvesting 2 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious use of WriteProcessMemory 47 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c5e7f5887687af0628996b7c11e5607d79ad6868aabe4aacdf3f9664ad89badd.exe"C:\Users\Admin\AppData\Local\Temp\c5e7f5887687af0628996b7c11e5607d79ad6868aabe4aacdf3f9664ad89badd.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\c5e7f5887687af0628996b7c11e5607d79ad6868aabe4aacdf3f9664ad89badd.exe"C:\Users\Admin\AppData\Local\Temp\c5e7f5887687af0628996b7c11e5607d79ad6868aabe4aacdf3f9664ad89badd.exe"2⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\211697e2-eae8-42ec-8785-08c77492616d" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
-
-
C:\Users\Admin\AppData\Local\Temp\c5e7f5887687af0628996b7c11e5607d79ad6868aabe4aacdf3f9664ad89badd.exe"C:\Users\Admin\AppData\Local\Temp\c5e7f5887687af0628996b7c11e5607d79ad6868aabe4aacdf3f9664ad89badd.exe" --Admin IsNotAutoStart IsNotTask3⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\c5e7f5887687af0628996b7c11e5607d79ad6868aabe4aacdf3f9664ad89badd.exe"C:\Users\Admin\AppData\Local\Temp\c5e7f5887687af0628996b7c11e5607d79ad6868aabe4aacdf3f9664ad89badd.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\2204781c-229b-46c5-af25-4f4f30ce3f7b\build2.exe"C:\Users\Admin\AppData\Local\2204781c-229b-46c5-af25-4f4f30ce3f7b\build2.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\2204781c-229b-46c5-af25-4f4f30ce3f7b\build2.exe"C:\Users\Admin\AppData\Local\2204781c-229b-46c5-af25-4f4f30ce3f7b\build2.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\2204781c-229b-46c5-af25-4f4f30ce3f7b\build3.exe"C:\Users\Admin\AppData\Local\2204781c-229b-46c5-af25-4f4f30ce3f7b\build3.exe"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"6⤵
- Creates scheduled task(s)
-
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"2⤵
- Creates scheduled task(s)
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
2KB
MD5ec50490b07b4d77ae984e14377e81faf
SHA174330d98bc1ef271a37b3ae273efcccab1c335be
SHA25630afe1a3bcc9efa0dd4619e272548ef4ecc76817e67e04f69cb83f1e4380d716
SHA5123972532782f05f3d24f6e8e3ab8362dfc2603c24ffe5728404977b4d13f3dc360b76b6ab8056da98845f53d5d12d9d24981d0e6edcc042d0b885114417945c8f
-
Filesize
1KB
MD5f232260646b9219a0d25be2ba7d3e80f
SHA1748c809b09ab1d39ef17ec453428cbc2449ef7b9
SHA2563217032d47b15ce1c91eb2dc77e765dd9acffb0029756f4dd02ab6c12e0bd65e
SHA5126eb067b352e6920b2fb6981d37ea3e3f59e3b5725a4ca797c34463b6e52e0b9e748d0cf31496b54c989bf7126d55b40d44850b7122f4d9fee3593926c4c6fedb
-
Filesize
488B
MD5434e5afc6b8fcaf32d4268bede602cd1
SHA1f74138ecf0bce9599d7ac8d7bfb0a436903a3cca
SHA2563473a4e3a33d9b6d4a1da18ce75c1f975888bd8cf690bbc691b9d9b0912dbfd4
SHA512a9677ee281d03ab449ed55a023d8853c8d0b3e92a566fe8756655794d6c2e279d6015799b6b1446efabe39b2dcbeb5052e1c30b87f875b9bcefaad7bb42f5d14
-
Filesize
482B
MD530632de87da89c70541ff5d50c4f452f
SHA1b39bf51fde8f2c78cfaafa080d9f59fac550784c
SHA2563e57b2d2a3816c5404f830bf579d6ec00bc3713ea3be3d03b7410e5b0da0bd52
SHA5124b784fe1914e327c891b916f9c551cb3f0325f08a6cdeb4796918fa80d981ef6e4df78ad8ede337ae280bc66e293f62338f2eee451f03918f3a9c3b3e08476e4
-
Filesize
812KB
MD573ecaf10be2b83a9a1e77d3235865eac
SHA13236e7d9b443a757dbc4dcf902d78c2f8dfaebed
SHA256c5e7f5887687af0628996b7c11e5607d79ad6868aabe4aacdf3f9664ad89badd
SHA512b2c9df901501146d740c0449d3424f2782307463cb5743ca5d03db2714e6d0291d7c66b9b85c55ab4f14a975ae4da429218fbc3bf41cf2f9747a6f3aaca28988
-
Filesize
447KB
MD508819e55df0897a6dded1e5e6bf83601
SHA122d39992c6245b86ee8b14e0cc820e46a9094c45
SHA2563dae32e22775721f2f9de5fec79dbcd8d62adaeb057b47c4524e02d130a43b25
SHA51236ed6a07776139fbc4e1f4a90745633466ce40db8a374417cafc5846e3bd7277c56673dc98ef9b2379f286d3f0bacdce62e67f6b01fe177ed1dafa1065036b8b
-
Filesize
447KB
MD508819e55df0897a6dded1e5e6bf83601
SHA122d39992c6245b86ee8b14e0cc820e46a9094c45
SHA2563dae32e22775721f2f9de5fec79dbcd8d62adaeb057b47c4524e02d130a43b25
SHA51236ed6a07776139fbc4e1f4a90745633466ce40db8a374417cafc5846e3bd7277c56673dc98ef9b2379f286d3f0bacdce62e67f6b01fe177ed1dafa1065036b8b
-
Filesize
447KB
MD508819e55df0897a6dded1e5e6bf83601
SHA122d39992c6245b86ee8b14e0cc820e46a9094c45
SHA2563dae32e22775721f2f9de5fec79dbcd8d62adaeb057b47c4524e02d130a43b25
SHA51236ed6a07776139fbc4e1f4a90745633466ce40db8a374417cafc5846e3bd7277c56673dc98ef9b2379f286d3f0bacdce62e67f6b01fe177ed1dafa1065036b8b
-
Filesize
447KB
MD508819e55df0897a6dded1e5e6bf83601
SHA122d39992c6245b86ee8b14e0cc820e46a9094c45
SHA2563dae32e22775721f2f9de5fec79dbcd8d62adaeb057b47c4524e02d130a43b25
SHA51236ed6a07776139fbc4e1f4a90745633466ce40db8a374417cafc5846e3bd7277c56673dc98ef9b2379f286d3f0bacdce62e67f6b01fe177ed1dafa1065036b8b
-
Filesize
9KB
MD59ead10c08e72ae41921191f8db39bc16
SHA1abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA2568d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a
-
Filesize
9KB
MD59ead10c08e72ae41921191f8db39bc16
SHA1abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA2568d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a
-
Filesize
9KB
MD59ead10c08e72ae41921191f8db39bc16
SHA1abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA2568d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a
-
Filesize
9KB
MD59ead10c08e72ae41921191f8db39bc16
SHA1abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA2568d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a
-
Filesize
9KB
MD59ead10c08e72ae41921191f8db39bc16
SHA1abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA2568d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
644KB
-
Filesize
644KB
-
Filesize
644KB
-
Filesize
644KB
-
Filesize
972KB
-
Filesize
644KB
-
Filesize
644KB
-
Filesize
644KB
-
Filesize
644KB
-
Filesize
1.1MB
-
Filesize
616KB
-
Filesize
632KB
-
Filesize
564KB
-
Filesize
1024KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB