Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
13/01/2024, 01:07
Static task
static1
Behavioral task
behavioral1
Sample
14a5973627a876bdbafb029a26084f64.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
14a5973627a876bdbafb029a26084f64.exe
Resource
win10v2004-20231215-en
General
-
Target
14a5973627a876bdbafb029a26084f64.exe
-
Size
817KB
-
MD5
14a5973627a876bdbafb029a26084f64
-
SHA1
5514e9a9d8806406ff9921c9be25bd1e314b0b9b
-
SHA256
bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5
-
SHA512
e6cefb5181f6bfef6c17afc961e5d8186115ce01e06160a4c08b88933f314f9e64010c04936e2511af543e49218fc4186bc59239e5d4254b10b3d517ca644808
-
SSDEEP
12288:zesZm5MEXDLUudx8Qp5+C6+gNfGtQaUkyUExxald2R6I6RR1nPK6AuVW:E5MOeQp5NgNfTkyUExxalYQNjZP0uVW
Malware Config
Extracted
djvu
http://habrafa.com/test1/get.php
-
extension
.cdpo
-
offline_id
Bn3q97hwLouKbhkQRNO4SeV07gjdEQVm8NKhg0t1
-
payload_url
http://brusuax.com/dl/build2.exe
http://habrafa.com/files/1/build3.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-FCWSCsjEWS Price of private key and decrypt software is $1999. Discount 50% available if you contact us first 72 hours, that's price for you is $999. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0844OSkw
Signatures
-
Detect Vidar Stealer 5 IoCs
resource yara_rule behavioral2/memory/3932-52-0x0000000000400000-0x000000000065E000-memory.dmp family_vidar_v6 behavioral2/memory/3932-49-0x0000000000400000-0x000000000065E000-memory.dmp family_vidar_v6 behavioral2/memory/3932-53-0x0000000000400000-0x000000000065E000-memory.dmp family_vidar_v6 behavioral2/memory/2372-48-0x00000000007E0000-0x000000000082B000-memory.dmp family_vidar_v6 behavioral2/memory/3932-57-0x0000000000400000-0x000000000065E000-memory.dmp family_vidar_v6 -
Detected Djvu ransomware 17 IoCs
resource yara_rule behavioral2/memory/1296-2-0x0000000002620000-0x000000000273B000-memory.dmp family_djvu behavioral2/memory/1612-4-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/1612-5-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/1612-3-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/1612-6-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/1612-15-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/2684-20-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/2684-21-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/2684-22-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/2684-28-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/2684-27-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/2684-32-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/2684-35-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/2684-34-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/2684-56-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/2684-59-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/2684-72-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu -
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation 14a5973627a876bdbafb029a26084f64.exe Key value queried \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation 14a5973627a876bdbafb029a26084f64.exe -
Executes dropped EXE 6 IoCs
pid Process 2372 build2.exe 3932 build2.exe 5000 build3.exe 3260 build3.exe 3312 mstsca.exe 3940 mstsca.exe -
Modifies file permissions 1 TTPs 1 IoCs
pid Process 1872 icacls.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\d4247385-f593-4131-9c8b-18268826c3c0\\14a5973627a876bdbafb029a26084f64.exe\" --AutoStart" 14a5973627a876bdbafb029a26084f64.exe -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 61 api.2ip.ua 38 api.2ip.ua 39 api.2ip.ua -
Suspicious use of SetThreadContext 5 IoCs
description pid Process procid_target PID 1296 set thread context of 1612 1296 14a5973627a876bdbafb029a26084f64.exe 96 PID 4952 set thread context of 2684 4952 14a5973627a876bdbafb029a26084f64.exe 102 PID 2372 set thread context of 3932 2372 build2.exe 105 PID 5000 set thread context of 3260 5000 build3.exe 112 PID 3312 set thread context of 3940 3312 mstsca.exe 128 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 1292 3932 WerFault.exe 105 -
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 772 schtasks.exe 3128 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 1612 14a5973627a876bdbafb029a26084f64.exe 1612 14a5973627a876bdbafb029a26084f64.exe 2684 14a5973627a876bdbafb029a26084f64.exe 2684 14a5973627a876bdbafb029a26084f64.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1296 wrote to memory of 1612 1296 14a5973627a876bdbafb029a26084f64.exe 96 PID 1296 wrote to memory of 1612 1296 14a5973627a876bdbafb029a26084f64.exe 96 PID 1296 wrote to memory of 1612 1296 14a5973627a876bdbafb029a26084f64.exe 96 PID 1296 wrote to memory of 1612 1296 14a5973627a876bdbafb029a26084f64.exe 96 PID 1296 wrote to memory of 1612 1296 14a5973627a876bdbafb029a26084f64.exe 96 PID 1296 wrote to memory of 1612 1296 14a5973627a876bdbafb029a26084f64.exe 96 PID 1296 wrote to memory of 1612 1296 14a5973627a876bdbafb029a26084f64.exe 96 PID 1296 wrote to memory of 1612 1296 14a5973627a876bdbafb029a26084f64.exe 96 PID 1296 wrote to memory of 1612 1296 14a5973627a876bdbafb029a26084f64.exe 96 PID 1296 wrote to memory of 1612 1296 14a5973627a876bdbafb029a26084f64.exe 96 PID 1612 wrote to memory of 1872 1612 14a5973627a876bdbafb029a26084f64.exe 97 PID 1612 wrote to memory of 1872 1612 14a5973627a876bdbafb029a26084f64.exe 97 PID 1612 wrote to memory of 1872 1612 14a5973627a876bdbafb029a26084f64.exe 97 PID 1612 wrote to memory of 4952 1612 14a5973627a876bdbafb029a26084f64.exe 99 PID 1612 wrote to memory of 4952 1612 14a5973627a876bdbafb029a26084f64.exe 99 PID 1612 wrote to memory of 4952 1612 14a5973627a876bdbafb029a26084f64.exe 99 PID 4952 wrote to memory of 2684 4952 14a5973627a876bdbafb029a26084f64.exe 102 PID 4952 wrote to memory of 2684 4952 14a5973627a876bdbafb029a26084f64.exe 102 PID 4952 wrote to memory of 2684 4952 14a5973627a876bdbafb029a26084f64.exe 102 PID 4952 wrote to memory of 2684 4952 14a5973627a876bdbafb029a26084f64.exe 102 PID 4952 wrote to memory of 2684 4952 14a5973627a876bdbafb029a26084f64.exe 102 PID 4952 wrote to memory of 2684 4952 14a5973627a876bdbafb029a26084f64.exe 102 PID 4952 wrote to memory of 2684 4952 14a5973627a876bdbafb029a26084f64.exe 102 PID 4952 wrote to memory of 2684 4952 14a5973627a876bdbafb029a26084f64.exe 102 PID 4952 wrote to memory of 2684 4952 14a5973627a876bdbafb029a26084f64.exe 102 PID 4952 wrote to memory of 2684 4952 14a5973627a876bdbafb029a26084f64.exe 102 PID 2684 wrote to memory of 2372 2684 14a5973627a876bdbafb029a26084f64.exe 104 PID 2684 wrote to memory of 2372 2684 14a5973627a876bdbafb029a26084f64.exe 104 PID 2684 wrote to memory of 2372 2684 14a5973627a876bdbafb029a26084f64.exe 104 PID 2372 wrote to memory of 3932 2372 build2.exe 105 PID 2372 wrote to memory of 3932 2372 build2.exe 105 PID 2372 wrote to memory of 3932 2372 build2.exe 105 PID 2372 wrote to memory of 3932 2372 build2.exe 105 PID 2372 wrote to memory of 3932 2372 build2.exe 105 PID 2372 wrote to memory of 3932 2372 build2.exe 105 PID 2372 wrote to memory of 3932 2372 build2.exe 105 PID 2372 wrote to memory of 3932 2372 build2.exe 105 PID 2372 wrote to memory of 3932 2372 build2.exe 105 PID 2372 wrote to memory of 3932 2372 build2.exe 105 PID 2684 wrote to memory of 5000 2684 14a5973627a876bdbafb029a26084f64.exe 110 PID 2684 wrote to memory of 5000 2684 14a5973627a876bdbafb029a26084f64.exe 110 PID 2684 wrote to memory of 5000 2684 14a5973627a876bdbafb029a26084f64.exe 110 PID 5000 wrote to memory of 3260 5000 build3.exe 112 PID 5000 wrote to memory of 3260 5000 build3.exe 112 PID 5000 wrote to memory of 3260 5000 build3.exe 112 PID 5000 wrote to memory of 3260 5000 build3.exe 112 PID 5000 wrote to memory of 3260 5000 build3.exe 112 PID 5000 wrote to memory of 3260 5000 build3.exe 112 PID 5000 wrote to memory of 3260 5000 build3.exe 112 PID 5000 wrote to memory of 3260 5000 build3.exe 112 PID 5000 wrote to memory of 3260 5000 build3.exe 112 PID 3260 wrote to memory of 772 3260 build3.exe 114 PID 3260 wrote to memory of 772 3260 build3.exe 114 PID 3260 wrote to memory of 772 3260 build3.exe 114 PID 3312 wrote to memory of 3940 3312 mstsca.exe 128 PID 3312 wrote to memory of 3940 3312 mstsca.exe 128 PID 3312 wrote to memory of 3940 3312 mstsca.exe 128 PID 3312 wrote to memory of 3940 3312 mstsca.exe 128 PID 3312 wrote to memory of 3940 3312 mstsca.exe 128 PID 3312 wrote to memory of 3940 3312 mstsca.exe 128 PID 3312 wrote to memory of 3940 3312 mstsca.exe 128 PID 3312 wrote to memory of 3940 3312 mstsca.exe 128 PID 3312 wrote to memory of 3940 3312 mstsca.exe 128 PID 3940 wrote to memory of 3128 3940 mstsca.exe 129
Processes
-
C:\Users\Admin\AppData\Local\Temp\14a5973627a876bdbafb029a26084f64.exe"C:\Users\Admin\AppData\Local\Temp\14a5973627a876bdbafb029a26084f64.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1296 -
C:\Users\Admin\AppData\Local\Temp\14a5973627a876bdbafb029a26084f64.exe"C:\Users\Admin\AppData\Local\Temp\14a5973627a876bdbafb029a26084f64.exe"2⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1612 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\d4247385-f593-4131-9c8b-18268826c3c0" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
PID:1872
-
-
C:\Users\Admin\AppData\Local\Temp\14a5973627a876bdbafb029a26084f64.exe"C:\Users\Admin\AppData\Local\Temp\14a5973627a876bdbafb029a26084f64.exe" --Admin IsNotAutoStart IsNotTask3⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4952 -
C:\Users\Admin\AppData\Local\Temp\14a5973627a876bdbafb029a26084f64.exe"C:\Users\Admin\AppData\Local\Temp\14a5973627a876bdbafb029a26084f64.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Users\Admin\AppData\Local\45ebb746-a978-4f01-af55-328acf61e31d\build2.exe"C:\Users\Admin\AppData\Local\45ebb746-a978-4f01-af55-328acf61e31d\build2.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2372 -
C:\Users\Admin\AppData\Local\45ebb746-a978-4f01-af55-328acf61e31d\build2.exe"C:\Users\Admin\AppData\Local\45ebb746-a978-4f01-af55-328acf61e31d\build2.exe"6⤵
- Executes dropped EXE
PID:3932 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 21887⤵
- Program crash
PID:1292
-
-
-
-
C:\Users\Admin\AppData\Local\45ebb746-a978-4f01-af55-328acf61e31d\build3.exe"C:\Users\Admin\AppData\Local\45ebb746-a978-4f01-af55-328acf61e31d\build3.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5000 -
C:\Users\Admin\AppData\Local\45ebb746-a978-4f01-af55-328acf61e31d\build3.exe"C:\Users\Admin\AppData\Local\45ebb746-a978-4f01-af55-328acf61e31d\build3.exe"6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3260 -
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"7⤵
- Creates scheduled task(s)
PID:772
-
-
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3932 -ip 39321⤵PID:4448
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3312 -
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3940 -
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"3⤵
- Creates scheduled task(s)
PID:3128
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize1KB
MD51a5a4d4587426c60f5430f7d8dd2f3a4
SHA1e13512e746665b5da9cf6c19e36b2651edfbbb05
SHA2565ef8b74df59ad2233b8d40cea334c416975a910ea76892cb3946016a5602aa73
SHA5127c0d45af1577fea5649db6050195dbd5f129e2a0503171f02ccc5053f443ff294f2fd413070e613b30a80461bd88a24d77f769b4f76fb96552e79485a2bc7bcb
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize724B
MD58202a1cd02e7d69597995cabbe881a12
SHA18858d9d934b7aa9330ee73de6c476acf19929ff6
SHA25658f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA51297ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize410B
MD5fe9b71822251d5c214a081e632005a92
SHA10b570657e53c292cdec1250c1599f697e033f52c
SHA256042cb189a7d811175d49e998b6eabba873347670a59b7cce42778686cae5326b
SHA5127f636fb3ecfc3960a276874c544085b77f68e96dbbfc04bc0528a00bda1cb60c456ce0d376cbb10738f51bf2ccecc07c1ed028490f1e28476cdc9889fb43d6a5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize392B
MD552369ca0f8cf7281b23fd22379cae27f
SHA18956402b4aed44436d0dca3e725890938594b28e
SHA256261971c3811dafccf638c3d4172bf256b755bb6cc2519f6172e77c2020f23634
SHA5122ed61e703361935a9d6bf1e7c40d2ac4c34f0cb50af40aa6d3adb91c353e01a4a7c96c723a2381059d67553e7c76d6da24f264e18c17bf3752133aa7d0a34b0a
-
Filesize
358KB
MD5c4070da9f9b0581171af16e681ccdff8
SHA13fb4182921fdc3acd7873ebe113ac5522585312a
SHA25626063c78e5418610471a9f3a00a155d7d1e5b29856e1979ba3bdc42681a871d0
SHA512c7569cea7f1a841e7cac9cd41287dba3bcacf2cf9dee7bece88800848a7ad5dc4cd2bdc896c7389f0f1144079bbe168048b3f722bcd76fa5d6e14f3081bb6427
-
Filesize
22KB
MD5db90a3e2c7536a275c7020bb9e04ead4
SHA1959887c31ace3340b62ffe27b0634227c006de82
SHA2562899a55187bd4a974197b3bed4214dba3f6eba8de2f17f6709d7a1d94bc1f02c
SHA512f8555316c1738dbc9635da614011482afaa732b1549acbbed1b0cf2351f1ab5ea55b62164604912ecf496924872525890e04e1356ab0407d125b3ada71cd89a5
-
Filesize
299KB
MD541b883a061c95e9b9cb17d4ca50de770
SHA11daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319
-
Filesize
96KB
MD5408d67a62cae095e18fbda3eedffe6fb
SHA17d5fa2e079ba8bacf1ec558b7c4b14f91e7e5514
SHA256e2af7405f96cb7aee6b9902d74a58a7082163cb8cf4471b2a5c7b1ddab42e6e1
SHA512a3aa38e073835e2567f567b73ad198e94865f1f1f6f76239a103007daa2434512a9d0670e5ee7d348bdc039be92aab16579db4055ef2045285c613dfd0db5de0
-
C:\Users\Admin\AppData\Local\d4247385-f593-4131-9c8b-18268826c3c0\14a5973627a876bdbafb029a26084f64.exe
Filesize817KB
MD514a5973627a876bdbafb029a26084f64
SHA15514e9a9d8806406ff9921c9be25bd1e314b0b9b
SHA256bd2b3bc973155b2f6b0866245d933619550d127f292cb912e9cea106fb8392a5
SHA512e6cefb5181f6bfef6c17afc961e5d8186115ce01e06160a4c08b88933f314f9e64010c04936e2511af543e49218fc4186bc59239e5d4254b10b3d517ca644808