Analysis
-
max time kernel
146s -
max time network
132s -
platform
windows10-1703_x64 -
resource
win10-20231020-en -
resource tags
-
submitted
24/10/2023, 10:06
General
-
Target
cf133e2b313ee49be8ef0422f1d1a1670b69aa45617d2475f4cfb991bd786204.exe
-
Size
682KB
-
MD5
1cb8a0fd9dd19e2e075b83ee4a923675
-
SHA1
fcbd81eac625d5857072aa7a169ebded83198ece
-
SHA256
cf133e2b313ee49be8ef0422f1d1a1670b69aa45617d2475f4cfb991bd786204
-
SHA512
6d595927c4407e1c53981c42fbe1182a0826dcc98ac1d62cc26f1e419f83b52b0cc6eb6ac229dc5634ec95592981d0f3fd4384160eba57a3e1ea838d6fe366bb
-
SSDEEP
12288:Vif5ZMOBe0qoRtW00C7dHfr9gKD0gx7U6c+6uVRVI+HOOQhVfdu:VaZJxLRtgC7dHfeQUV+rRu+P4
Malware Config
Extracted
djvu
http://zexeq.com/test1/get.php
-
extension
.itqw
-
offline_id
9FgVtzPuDnE9NZWeLG9q9D2SjzVyIqJJ4jFNKXt1
-
payload_url
http://colisumy.com/dl/build2.exe
http://zexeq.com/files/1/build3.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-cGZhpvUKxk Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0809JOsie
Extracted
vidar
6.2
58f391d2f33b9f5a2ddb51a3516986eb
https://steamcommunity.com/profiles/76561199564671869
https://t.me/scubytale
-
profile_id_v2
58f391d2f33b9f5a2ddb51a3516986eb
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 OPR/104.0.0.0
Signatures
-
Detected Djvu ransomware 17 IoCs
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Downloads MZ/PE file
-
Executes dropped EXE 6 IoCs
-
Loads dropped DLL 2 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses 2FA software files, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\cf133e2b313ee49be8ef0422f1d1a1670b69aa45617d2475f4cfb991bd786204.exe"C:\Users\Admin\AppData\Local\Temp\cf133e2b313ee49be8ef0422f1d1a1670b69aa45617d2475f4cfb991bd786204.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\cf133e2b313ee49be8ef0422f1d1a1670b69aa45617d2475f4cfb991bd786204.exe"C:\Users\Admin\AppData\Local\Temp\cf133e2b313ee49be8ef0422f1d1a1670b69aa45617d2475f4cfb991bd786204.exe"2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\ad069fd7-499a-4046-ac5d-ec2f7e43cc3b" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
-
-
C:\Users\Admin\AppData\Local\Temp\cf133e2b313ee49be8ef0422f1d1a1670b69aa45617d2475f4cfb991bd786204.exe"C:\Users\Admin\AppData\Local\Temp\cf133e2b313ee49be8ef0422f1d1a1670b69aa45617d2475f4cfb991bd786204.exe" --Admin IsNotAutoStart IsNotTask3⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\cf133e2b313ee49be8ef0422f1d1a1670b69aa45617d2475f4cfb991bd786204.exe"C:\Users\Admin\AppData\Local\Temp\cf133e2b313ee49be8ef0422f1d1a1670b69aa45617d2475f4cfb991bd786204.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\16ef1595-644d-4d66-a944-68b72fea13d9\build2.exe"C:\Users\Admin\AppData\Local\16ef1595-644d-4d66-a944-68b72fea13d9\build2.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\16ef1595-644d-4d66-a944-68b72fea13d9\build2.exe"C:\Users\Admin\AppData\Local\16ef1595-644d-4d66-a944-68b72fea13d9\build2.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\16ef1595-644d-4d66-a944-68b72fea13d9\build2.exe" & exit7⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout /t 68⤵
- Delays execution with timeout.exe
-
-
-
-
-
C:\Users\Admin\AppData\Local\16ef1595-644d-4d66-a944-68b72fea13d9\build3.exe"C:\Users\Admin\AppData\Local\16ef1595-644d-4d66-a944-68b72fea13d9\build3.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\16ef1595-644d-4d66-a944-68b72fea13d9\build3.exe"C:\Users\Admin\AppData\Local\16ef1595-644d-4d66-a944-68b72fea13d9\build3.exe"6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"7⤵
- Creates scheduled task(s)
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"3⤵
- Creates scheduled task(s)
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5ce089bc586ac5ee737ac5cb6e9697281
SHA173dba8846a9cc0da803f084b951a7843c7336c02
SHA256412fad745614d2ce4524860ae353a10b7c61a91dce76c381c560988eb40cba7f
SHA512d2e14f73c9fa41158efc5268d743e8cbb0f740920fc4ae0d0efa364f81cabc1c66e70850dce56936c385a7f566e2cc5bf26c6ee15979d97ee84587e3b524a877
-
Filesize
724B
MD58202a1cd02e7d69597995cabbe881a12
SHA18858d9d934b7aa9330ee73de6c476acf19929ff6
SHA25658f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA51297ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9
-
Filesize
410B
MD530cfc7561491320a179de72234975ef9
SHA110d6f62a2848a6f519386365eab34c00dcc0feb6
SHA256322c0743c4df5f41795677a9e831ad5108d6922d65214072718a47bf7216b11e
SHA5122bf81b4bfd85c5e1f2223741418145ae2f3bf6764f5e88638ab6dfb3f370d09fb810f0c36aebedf962b2b51632a1d799a19aad3874d84a319741cb15ca2532e0
-
Filesize
392B
MD54a70f71021183e770f0712001d5e31ec
SHA172b9efefbbd6aac8879e0520ecdba7f254bc2b92
SHA25628fbe085f47c5049bc48ca5ce5785bd867405b5cabc14b6ef32e302fe5395136
SHA512758888238a5facf41518a98564b265c8d1f5fd409564203c8628dc8baa95be64c2446f741922fafe0d507c2f75aba61032c381e02d90e5b25e49f17e330fe67f
-
Filesize
274KB
MD5f8eb48b418d73eecf61ea1a8fec805da
SHA1fdd954d9f9f0d855b969b7188ca5d7296a249fc2
SHA256470eb462001b2d0ec0ec2134840f413606181370b223af0a257d2bf95a71c60f
SHA512c431ef1f37b35c75e63bd46aeac8d20f012f2f7b93583815ae1982af10a29c6b25296dcee739ed28e0c089be82f8bc2d48b50368e83ebd5590457a701651b144
-
Filesize
274KB
MD5f8eb48b418d73eecf61ea1a8fec805da
SHA1fdd954d9f9f0d855b969b7188ca5d7296a249fc2
SHA256470eb462001b2d0ec0ec2134840f413606181370b223af0a257d2bf95a71c60f
SHA512c431ef1f37b35c75e63bd46aeac8d20f012f2f7b93583815ae1982af10a29c6b25296dcee739ed28e0c089be82f8bc2d48b50368e83ebd5590457a701651b144
-
Filesize
274KB
MD5f8eb48b418d73eecf61ea1a8fec805da
SHA1fdd954d9f9f0d855b969b7188ca5d7296a249fc2
SHA256470eb462001b2d0ec0ec2134840f413606181370b223af0a257d2bf95a71c60f
SHA512c431ef1f37b35c75e63bd46aeac8d20f012f2f7b93583815ae1982af10a29c6b25296dcee739ed28e0c089be82f8bc2d48b50368e83ebd5590457a701651b144
-
Filesize
299KB
MD541b883a061c95e9b9cb17d4ca50de770
SHA11daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319
-
Filesize
299KB
MD541b883a061c95e9b9cb17d4ca50de770
SHA11daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319
-
Filesize
299KB
MD541b883a061c95e9b9cb17d4ca50de770
SHA11daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319
-
Filesize
682KB
MD51cb8a0fd9dd19e2e075b83ee4a923675
SHA1fcbd81eac625d5857072aa7a169ebded83198ece
SHA256cf133e2b313ee49be8ef0422f1d1a1670b69aa45617d2475f4cfb991bd786204
SHA5126d595927c4407e1c53981c42fbe1182a0826dcc98ac1d62cc26f1e419f83b52b0cc6eb6ac229dc5634ec95592981d0f3fd4384160eba57a3e1ea838d6fe366bb
-
Filesize
299KB
MD541b883a061c95e9b9cb17d4ca50de770
SHA11daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319
-
Filesize
299KB
MD541b883a061c95e9b9cb17d4ca50de770
SHA11daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319
-
Filesize
299KB
MD541b883a061c95e9b9cb17d4ca50de770
SHA11daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319
-
Filesize
299KB
MD541b883a061c95e9b9cb17d4ca50de770
SHA11daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
392KB
-
Filesize
392KB
-
Filesize
392KB
-
Filesize
392KB
-
Filesize
972KB
-
Filesize
392KB
-
Filesize
392KB
-
Filesize
392KB
-
Filesize
1024KB
-
Filesize
312KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1024KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
644KB
-
Filesize
1.1MB
-
Filesize
16KB
-
Filesize
1024KB
-
Filesize
644KB