Analysis
max time kernel: 51s
max time network: 108s
platform: windows10-1703_x64
resource: win10-20231220-en
resource tags: arch:x64, arch:x86, image:win10-20231220-en, locale:en-us, os:windows10-1703-x64, system
submitted: 15/01/2024, 04:51
Static task: static1
Behavioral task: behavioral1
  Sample: 59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe
  Resource: win10-20231220-en
General
Target: 59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe
Size: 832KB
MD5: cea0a866170628872d7005075d21d53c
SHA1: 62e1130b5f8ceac4319411a88f99edd4ec34e7de
SHA256: 59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7
SHA512: 62158e1c7dd966b3ba8af87e5f0d4e012c3267d48fd7dc731c7f7d24fe0cba2921f43cc68c194d3153879f5ac200cf3159a4ff34dc4ffe47b9468290a62fd458
SSDEEP: 12288:zByfvgQflKMWCKkJet0TPJlXn7VG0QWomYJ5LkOecH+6XYstKP8276PdbW1n2/IJ:q1fEL7dOnnIdXr7H+6In376xW1nsdy
Malware Config
Extracted
Family: djvu
C2: http://zexeq.com/test1/get.php
extension: .cdwe
offline_id: dSwr1XNNi5cIitB5eDPbMANcusB1dWGDB8ToUnt1
payload_url:
  http://brusuax.com/dl/build2.exe
  http://zexeq.com/files/1/build3.exe
ransomnote:
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-e21iz7dS58 Price of private key and decrypt software is $1999. Discount 50% available if you contact us first 72 hours, that's price for you is $999. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0842ASdw
Signatures

Detect Vidar Stealer (5 IoCs)
  resource / yara_rule
  behavioral2/memory/4080-39-0x0000000000400000-0x000000000065E000-memory.dmp  family_vidar_v6
  behavioral2/memory/4080-45-0x0000000000400000-0x000000000065E000-memory.dmp  family_vidar_v6
  behavioral2/memory/4080-44-0x0000000000400000-0x000000000065E000-memory.dmp  family_vidar_v6
  behavioral2/memory/1348-43-0x00000000020F0000-0x000000000213B000-memory.dmp  family_vidar_v6
  behavioral2/memory/4080-51-0x0000000000400000-0x000000000065E000-memory.dmp  family_vidar_v6
Detected Djvu ransomware (16 IoCs)
  resource / yara_rule
  behavioral2/memory/1620-2-0x0000000002190000-0x00000000022AB000-memory.dmp  family_djvu
  behavioral2/memory/4780-4-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
  behavioral2/memory/4780-5-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
  behavioral2/memory/4780-6-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
  behavioral2/memory/4780-3-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
  behavioral2/memory/4780-17-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
  behavioral2/memory/1668-23-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
  behavioral2/memory/1668-22-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
  behavioral2/memory/1668-24-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
  behavioral2/memory/1668-29-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
  behavioral2/memory/1668-30-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
  behavioral2/memory/1668-47-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
  behavioral2/memory/1668-55-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
  behavioral2/memory/1668-56-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
  behavioral2/memory/1668-53-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
  behavioral2/memory/1668-57-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
Djvu Ransomware
Ransomware which is a variant of the STOP family.

Downloads MZ/PE file
Executes dropped EXE (2 IoCs)
  PID 1348  build2.exe
  PID 4080  build2.exe

Modifies file permissions (1 TTP, 1 IoC)
  PID 4460  icacls.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-1775739321-368907234-981748298-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\f8d1d28d-7452-4c55-b079-47a4da0efcf1\\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe\" --AutoStart"
  Process: 59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe
Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 1  api.2ip.ua
  flow 2  api.2ip.ua
  flow 7  api.2ip.ua

Suspicious use of SetThreadContext (3 IoCs)
  PID 1620 set thread context of PID 4780  59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe  (procid_target 74)
  PID 4748 set thread context of PID 1668  59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe  (procid_target 78)
  PID 1348 set thread context of PID 4080  build2.exe  (procid_target 79)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
  PID 4944  WerFault.exe  (pid_target 4080, procid_target 79)

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  PID 4780  59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe  (2 entries)
  PID 1668  59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe  (2 entries)

Suspicious use of WriteProcessMemory (39 IoCs; identical entries collapsed, with the count of each)
  PID 1620 wrote to memory of PID 4780  59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe  (procid_target 74, 10 entries)
  PID 4780 wrote to memory of PID 4460  59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe  (procid_target 75, 3 entries)
  PID 4780 wrote to memory of PID 4748  59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe  (procid_target 76, 3 entries)
  PID 4748 wrote to memory of PID 1668  59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe  (procid_target 78, 10 entries)
  PID 1668 wrote to memory of PID 1348  59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe  (procid_target 80, 3 entries)
  PID 1348 wrote to memory of PID 4080  build2.exe  (procid_target 79, 10 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe  (PID 1620)
  Command line: "C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe  (PID 4780)
    Command line: "C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe"
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\icacls.exe  (PID 4460)
      Command line: icacls "C:\Users\Admin\AppData\Local\f8d1d28d-7452-4c55-b079-47a4da0efcf1" /deny *S-1-1-0:(OI)(CI)(DE,DC)
      - Modifies file permissions
    C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe  (PID 4748)
      Command line: "C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe" --Admin IsNotAutoStart IsNotTask
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe  (PID 1668)
        Command line: "C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe" --Admin IsNotAutoStart IsNotTask
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\60a63f41-fb9d-4683-96d0-bea3693dd6e1\build2.exe  (PID 1348)
          Command line: "C:\Users\Admin\AppData\Local\60a63f41-fb9d-4683-96d0-bea3693dd6e1\build2.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory

C:\Users\Admin\AppData\Local\60a63f41-fb9d-4683-96d0-bea3693dd6e1\build2.exe  (PID 4080)
  Command line: "C:\Users\Admin\AppData\Local\60a63f41-fb9d-4683-96d0-bea3693dd6e1\build2.exe"
  - Executes dropped EXE
  C:\Windows\SysWOW64\WerFault.exe  (PID 4944)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 1916
    - Program crash
Downloads
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
  Filesize: 1KB
  MD5: b7470a9aa569b259d4c2bb3b80ae3aa3
  SHA1: 093290296b7f1e402ef96e4b33a88f064aa401eb
  SHA256: ee8aeed77dd9f1631fa75845214d75bfe04951a61892410ee369035e13fd14c6
  SHA512: 4da3fc09260692f159c37b068664852931b712c8173de5e4b294799ac33ecf179055aaeb016fd0afad88cbfc50a571c4c88033dca56a573431af7462ea7979be

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
  Filesize: 724B
  MD5: 8202a1cd02e7d69597995cabbe881a12
  SHA1: 8858d9d934b7aa9330ee73de6c476acf19929ff6
  SHA256: 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
  SHA512: 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
  Filesize: 410B
  MD5: 04ca323335976f7ed1b8cf5ebe1ebd7c
  SHA1: 8dbd4d9a9d0642bcc37b5ea1ed45345bfd828211
  SHA256: 9190095c14c3ce50346f7f789239f997d06ebc92e3edfcc647e9b40a8317522f
  SHA512: b4184ffc47b9e280f1f98316763d709ef97f8670fac1f0804a3f5a802600f07fecb440b97c7d7783813a479efb66aa388c7db6d184673c7a90fde3d2dd3fce07

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
  Filesize: 392B
  MD5: 89e3600293b1790349601358899b60cb
  SHA1: 3a37042f9c2fb874ad978828cd87efdf81f1aa74
  SHA256: 891d0d7b696094e3d1d7c7d773e1cbd5df14da221fb3d8529ef47a7811de2080
  SHA512: d4780608fa6cfd23224516ea1b0a0176de7104e7aab9ae38c021cdb49f08ed1b4025ac64727c1112d43937213eb7c6e16dc47e6b174c490aee5293403fa42ce6
(path not listed in the report)
  Filesize: 355KB
  MD5: ff75f5779e0ddad79a3ef14166bb9630
  SHA1: 634f0a968b08a70181eb1fff4efb20dbeaa6516c
  SHA256: ac15d93f4a5a15aee6640e7dddd0f590ceed9adedca3df1e40fa0f43ec81dc91
  SHA512: ee92ff0cef8ebf0ca136d1918f6ed7a9767dbb3fda65615901f6aa8a98c02000599b3bba01fe64a3eb3ffdebdd15494909163362496c38f2ff98f144bd8ab837

(path not listed in the report)
  Filesize: 57KB
  MD5: c73531e4cc088ed5ec1f8562282ec700
  SHA1: 3c5f393faeb751597f3d7328130859630300f5fc
  SHA256: 2e028881839d5820bdeba0b9102bf656798e002cb35b40f63dd776fde8816f67
  SHA512: 0f6d43d5c27fe7e860b5edc24989e9802191e13bb30628629ec061900fa7f0a60938daa61a3c097e69060357c6537e99b387e610229f809a0c697f9df54d5e8d

(path not listed in the report)
  Filesize: 24KB
  MD5: 2907d24bf4358f06e28ab1586e31a5df
  SHA1: 5bf51ab4f2d1fe9c0c0d75506da29b5fbdb7e499
  SHA256: 1ef71558ed1992a6fc85d7171c3a4a370ace0c3dc81561ebb42c66450f835ccf
  SHA512: 479ed57538a04f4985f8108033f2cf038a1ced379ea480c045e4096d90c346661348f60194be19c39b0f7a0c7facba0fc03f6acfeba83dae31bd51e332f858da
C:\Users\Admin\AppData\Local\f8d1d28d-7452-4c55-b079-47a4da0efcf1\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe
  Filesize: 196KB
  MD5: 53854321deddd90ba43a81b1d7c60712
  SHA1: feffadda60ad0b54478f03cb09dd678e65b28d91
  SHA256: d09aac0a2ac7b7770940bcfcca21d44370fe72df7a74871d27c6714aebc69c97
  SHA512: a13f1722c1c73d80b023cc7c3057bf1724d527c92b72ba952e62fe4c3110885b4cfa85ccfb8f940d65c89debb53de629266e2001c779419ef5db3b8d6e374bcc