Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
13/01/2024, 01:07
General
-
Target
14a5973627a876bdbafb029a26084f64.exe
-
Size
817KB
-
MD5
14a5973627a876bdbafb029a26084f64
-
SHA1
5514e9a9d8806406ff9921c9be25bd1e314b0b9b
-
SHA256
bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5
-
SHA512
e6cefb5181f6bfef6c17afc961e5d8186115ce01e06160a4c08b88933f314f9e64010c04936e2511af543e49218fc4186bc59239e5d4254b10b3d517ca644808
-
SSDEEP
12288:zesZm5MEXDLUudx8Qp5+C6+gNfGtQaUkyUExxald2R6I6RR1nPK6AuVW:E5MOeQp5NgNfTkyUExxalYQNjZP0uVW
Malware Config
Extracted
djvu
http://habrafa.com/test1/get.php
-
extension
.cdpo
-
offline_id
Bn3q97hwLouKbhkQRNO4SeV07gjdEQVm8NKhg0t1
-
payload_url
http://brusuax.com/dl/build2.exe
http://habrafa.com/files/1/build3.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-FCWSCsjEWS Price of private key and decrypt software is $1999. Discount 50% available if you contact us first 72 hours, that's price for you is $999. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0844OSkw
Signatures
-
Detect Vidar Stealer 5 IoCs
-
Detected Djvu ransomware 17 IoCs
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 6 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\14a5973627a876bdbafb029a26084f64.exe"C:\Users\Admin\AppData\Local\Temp\14a5973627a876bdbafb029a26084f64.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\14a5973627a876bdbafb029a26084f64.exe"C:\Users\Admin\AppData\Local\Temp\14a5973627a876bdbafb029a26084f64.exe"2⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\d4247385-f593-4131-9c8b-18268826c3c0" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
-
-
C:\Users\Admin\AppData\Local\Temp\14a5973627a876bdbafb029a26084f64.exe"C:\Users\Admin\AppData\Local\Temp\14a5973627a876bdbafb029a26084f64.exe" --Admin IsNotAutoStart IsNotTask3⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\14a5973627a876bdbafb029a26084f64.exe"C:\Users\Admin\AppData\Local\Temp\14a5973627a876bdbafb029a26084f64.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\45ebb746-a978-4f01-af55-328acf61e31d\build2.exe"C:\Users\Admin\AppData\Local\45ebb746-a978-4f01-af55-328acf61e31d\build2.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\45ebb746-a978-4f01-af55-328acf61e31d\build2.exe"C:\Users\Admin\AppData\Local\45ebb746-a978-4f01-af55-328acf61e31d\build2.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 21887⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\45ebb746-a978-4f01-af55-328acf61e31d\build3.exe"C:\Users\Admin\AppData\Local\45ebb746-a978-4f01-af55-328acf61e31d\build3.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\45ebb746-a978-4f01-af55-328acf61e31d\build3.exe"C:\Users\Admin\AppData\Local\45ebb746-a978-4f01-af55-328acf61e31d\build3.exe"6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"7⤵
- Creates scheduled task(s)
-
-
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3932 -ip 39321⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"3⤵
- Creates scheduled task(s)
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD51a5a4d4587426c60f5430f7d8dd2f3a4
SHA1e13512e746665b5da9cf6c19e36b2651edfbbb05
SHA2565ef8b74df59ad2233b8d40cea334c416975a910ea76892cb3946016a5602aa73
SHA5127c0d45af1577fea5649db6050195dbd5f129e2a0503171f02ccc5053f443ff294f2fd413070e613b30a80461bd88a24d77f769b4f76fb96552e79485a2bc7bcb
-
Filesize
724B
MD58202a1cd02e7d69597995cabbe881a12
SHA18858d9d934b7aa9330ee73de6c476acf19929ff6
SHA25658f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA51297ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9
-
Filesize
410B
MD5fe9b71822251d5c214a081e632005a92
SHA10b570657e53c292cdec1250c1599f697e033f52c
SHA256042cb189a7d811175d49e998b6eabba873347670a59b7cce42778686cae5326b
SHA5127f636fb3ecfc3960a276874c544085b77f68e96dbbfc04bc0528a00bda1cb60c456ce0d376cbb10738f51bf2ccecc07c1ed028490f1e28476cdc9889fb43d6a5
-
Filesize
392B
MD552369ca0f8cf7281b23fd22379cae27f
SHA18956402b4aed44436d0dca3e725890938594b28e
SHA256261971c3811dafccf638c3d4172bf256b755bb6cc2519f6172e77c2020f23634
SHA5122ed61e703361935a9d6bf1e7c40d2ac4c34f0cb50af40aa6d3adb91c353e01a4a7c96c723a2381059d67553e7c76d6da24f264e18c17bf3752133aa7d0a34b0a
-
Filesize
358KB
MD5c4070da9f9b0581171af16e681ccdff8
SHA13fb4182921fdc3acd7873ebe113ac5522585312a
SHA25626063c78e5418610471a9f3a00a155d7d1e5b29856e1979ba3bdc42681a871d0
SHA512c7569cea7f1a841e7cac9cd41287dba3bcacf2cf9dee7bece88800848a7ad5dc4cd2bdc896c7389f0f1144079bbe168048b3f722bcd76fa5d6e14f3081bb6427
-
Filesize
22KB
MD5db90a3e2c7536a275c7020bb9e04ead4
SHA1959887c31ace3340b62ffe27b0634227c006de82
SHA2562899a55187bd4a974197b3bed4214dba3f6eba8de2f17f6709d7a1d94bc1f02c
SHA512f8555316c1738dbc9635da614011482afaa732b1549acbbed1b0cf2351f1ab5ea55b62164604912ecf496924872525890e04e1356ab0407d125b3ada71cd89a5
-
Filesize
299KB
MD541b883a061c95e9b9cb17d4ca50de770
SHA11daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319
-
Filesize
96KB
MD5408d67a62cae095e18fbda3eedffe6fb
SHA17d5fa2e079ba8bacf1ec558b7c4b14f91e7e5514
SHA256e2af7405f96cb7aee6b9902d74a58a7082163cb8cf4471b2a5c7b1ddab42e6e1
SHA512a3aa38e073835e2567f567b73ad198e94865f1f1f6f76239a103007daa2434512a9d0670e5ee7d348bdc039be92aab16579db4055ef2045285c613dfd0db5de0
-
Filesize
817KB
MD514a5973627a876bdbafb029a26084f64
SHA15514e9a9d8806406ff9921c9be25bd1e314b0b9b
SHA256bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5
SHA512e6cefb5181f6bfef6c17afc961e5d8186115ce01e06160a4c08b88933f314f9e64010c04936e2511af543e49218fc4186bc59239e5d4254b10b3d517ca644808
-
Filesize
1.1MB
-
Filesize
644KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
300KB
-
Filesize
1024KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
804KB
-
Filesize
1024KB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
612KB
-
Filesize
1024KB
-
Filesize
16KB