Analysis Overview
SHA256
59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7
Threat Level: Known bad
The file 59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7 was found to be: Known bad.
Malicious Activity Summary
Detected Djvu ransomware
Vidar
Djvu Ransomware
Detect Vidar Stealer
Downloads MZ/PE file
Modifies file permissions
Executes dropped EXE
Loads dropped DLL
Looks up external IP address via web service
Adds Run key to start application
Suspicious use of SetThreadContext
Unsigned PE
Program crash
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Modifies system certificate store
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-15 04:51
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-15 04:51
Reported
2024-01-15 04:57
Platform
win7-20231215-en
Max time kernel
294s
Max time network
161s
Command Line
Signatures
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Vidar
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\67aece4f-4149-4231-9706-84d43d71e444\build2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\67aece4f-4149-4231-9706-84d43d71e444\build2.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\7170ac16-fcf1-4194-beae-248cec9dca22\\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1936 set thread context of 2756 | N/A | C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe | C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe |
| PID 2480 set thread context of 2604 | N/A | C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe | C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe |
| PID 2672 set thread context of 268 | N/A | C:\Users\Admin\AppData\Local\67aece4f-4149-4231-9706-84d43d71e444\build2.exe | C:\Users\Admin\AppData\Local\67aece4f-4149-4231-9706-84d43d71e444\build2.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\67aece4f-4149-4231-9706-84d43d71e444\build2.exe |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\67aece4f-4149-4231-9706-84d43d71e444\build2.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = … | C:\Users\Admin\AppData\Local\67aece4f-4149-4231-9706-84d43d71e444\build2.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a | C:\Users\Admin\AppData\Local\67aece4f-4149-4231-9706-84d43d71e444\build2.exe | N/A |
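The "Modifies system certificate store" hit above deserves a second look before it is read as the sample installing its own trust anchor. The key is under AuthRoot, the store that Windows' automatic root-certificate update populates on demand, the key name is the SHA1 thumbprint 5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25, and the Blob value is CryptoAPI's serialized property store: a sequence of (property id, reserved, length, data) records in which property 0x03 is that same SHA1, property 0x0B is the UTF-16LE friendly name "DigiCert", property 0x14 is the subject key identifier b13ec369…2bc3 (the same bytes appear in the SKI extension of the DER), and property 0x20 is a self-signed certificate whose subject and issuer both read "DigiCert High Assurance EV Root CA", valid from 2006-11-10 to 2031-11-10. Together with the CryptnetUrlCache files listed under Files, this is consistent with CryptoAPI fetching a public root while build2.exe's TLS sessions were being validated. The parser below is an added example, not part of the report or of any sandbox product; it embeds the leading records of the report's blob verbatim (the 969-byte DER record is omitted for length) and, for the end-to-end hash check, constructs a stand-in blob around bytes that are not a real certificate.

```python
r"""Decode a CryptoAPI certificate 'Blob' registry value.

Windows keeps each certificate under SystemCertificates\<store>\Certificates\<SHA1>
as a serialized property store: a run of
    DWORD prop_id, DWORD reserved (1), DWORD length, BYTE data[length]
records; the CERT_CERT_PROP_ID (0x20) record holds the DER certificate itself."""
import hashlib
import struct

# Property IDs (wincrypt.h) for the records present in the report's blob
PROP_NAMES = {
    0x03: "CERT_SHA1_HASH_PROP_ID",
    0x09: "CERT_ENHKEY_USAGE_PROP_ID",
    0x0B: "CERT_FRIENDLY_NAME_PROP_ID",
    0x0F: "CERT_SIGNATURE_HASH_PROP_ID",
    0x14: "CERT_KEY_IDENTIFIER_PROP_ID",
    0x19: "CERT_SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID",
    0x1D: "CERT_SUBJECT_NAME_MD5_HASH_PROP_ID",
    0x20: "CERT_CERT_PROP_ID",
    0x53: "CERT_ROOT_PROGRAM_CERT_POLICIES_PROP_ID",
}

# Leading records of the report's Blob (copied from the table above), up to but
# not including the CERT_CERT_PROP_ID record that carries the 969-byte DER.
REPORT_BLOB_PREFIX = bytes.fromhex(
    "190000000100000010000000ba4f3972e7aed9dccdc210db59da13c9"
    "0300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25"
    "1d00000001000000100000008f76b981d528ad4770088245e2031b63"
    "0b0000000100000012000000440069006700690043006500720074000000"
    "140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc3"
    "530000000100000023000000"
    "3021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0"
    "090000000100000034000000"
    "3032"
    "06082b06010505070301"   # serverAuth
    "06082b06010505070302"   # clientAuth
    "06082b06010505070304"   # emailProtection
    "06082b06010505070303"   # codeSigning
    "06082b06010505070308"   # timeStamping
    "0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8"
)
REPORT_KEY_NAME = "5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25"   # registry key name


def parse_cert_blob(blob: bytes) -> dict:
    """Return {prop_id: data} for every record in a serialized property store."""
    props, off = {}, 0
    while off < len(blob):
        if len(blob) - off < 12:
            raise ValueError(f"truncated record header at offset {off}")
        prop_id, _reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if off + length > len(blob):
            raise ValueError(f"record {prop_id:#x} runs past the end of the blob")
        props[prop_id] = blob[off:off + length]
        off += length
    return props


def friendly_name(props: dict) -> str:
    """CERT_FRIENDLY_NAME_PROP_ID is a NUL-terminated UTF-16LE string."""
    return props.get(0x0B, b"").decode("utf-16-le").rstrip("\x00")


def thumbprint_consistent(key_name: str, props: dict) -> bool:
    """The key name, the stored SHA1 property and the SHA1 of the DER certificate
    (when the blob carries one) must all agree; a rogue or tampered entry would not."""
    stored = props.get(0x03, b"").hex()
    if stored != key_name.lower():
        return False
    der = props.get(0x20)
    return der is None or hashlib.sha1(der).hexdigest() == stored


def build_blob(props: dict) -> bytes:
    """Inverse of parse_cert_blob; used only to construct test blobs here."""
    return b"".join(struct.pack("<III", pid, 1, len(v)) + v for pid, v in props.items())


def demo_roundtrip():
    """Constructed blob around a stand-in 'certificate' (not real DER): the check
    passes, then fails once the certificate body no longer matches the hash."""
    fake_der = b"\x30\x0a\x02\x01\x01\x04\x05hello"
    digest = hashlib.sha1(fake_der).digest()
    name = "Constructed Root\x00".encode("utf-16-le")
    good = build_blob({0x0B: name, 0x03: digest, 0x20: fake_der})
    bad = build_blob({0x0B: name, 0x03: digest, 0x20: fake_der + b"\x00"})
    return (thumbprint_consistent(digest.hex(), parse_cert_blob(good)),
            thumbprint_consistent(digest.hex(), parse_cert_blob(bad)))


if __name__ == "__main__":
    props = parse_cert_blob(REPORT_BLOB_PREFIX)
    for pid, data in props.items():
        print(f"{pid:#04x} {PROP_NAMES.get(pid, '?'):42} {data.hex()}")
    print("friendly name:", friendly_name(props))
    print("key name == SHA1 property:", thumbprint_consistent(REPORT_KEY_NAME, props))
    print("constructed (good, tampered):", demo_roundtrip())
```

On a live host the same check runs against the full Blob value read from the registry: if the key name, property 0x03 and the SHA1 of property 0x20 agree and the thumbprint belongs to a known public CA, the entry is a root-update artifact; a mismatch, or an unknown self-signed subject, is what would justify the signature's name.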
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe
"C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe"
C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe
"C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\7170ac16-fcf1-4194-beae-248cec9dca22" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe
"C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe
"C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\67aece4f-4149-4231-9706-84d43d71e444\build2.exe
"C:\Users\Admin\AppData\Local\67aece4f-4149-4231-9706-84d43d71e444\build2.exe"
C:\Users\Admin\AppData\Local\67aece4f-4149-4231-9706-84d43d71e444\build2.exe
"C:\Users\Admin\AppData\Local\67aece4f-4149-4231-9706-84d43d71e444\build2.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 268 -s 1456
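The process list above, read together with the signature tables, is the STOP/Djvu sequence: the sample launches a second copy of itself and sets its thread context (the resume step of process hollowing, after the WriteProcessMemory the report flags), copies itself into a GUID-named directory under %LOCALAPPDATA%, runs icacls to deny Everyone (S-1-1-0) the DE (delete) and DC (delete child) rights on that directory with (OI)(CI) inheritance, registers the copy as the SysHelper Run value with --AutoStart, relaunches with --Admin IsNotAutoStart IsNotTask, and drops build2.exe (the Vidar hit), which is hollowed in the same way and then crashes into WerFault -p 268. The script below is an added triage example, not part of the report or of any sandbox product: its event list is constructed from the rows above (the sample and build2.exe PIDs are the report's; the icacls and WerFault PIDs and the parent links are assumed), and the ATT&CK IDs are the editor's mapping, since the report lists none under its MITRE ATT&CK heading.

```python
"""Triage rules for the process tree above: the STOP/Djvu dropper's persistence
and tamper protection, and the hollowing used for both it and build2.exe."""
import re
from dataclasses import dataclass

# GUID-named directory directly under %LOCALAPPDATA%, as used both for the
# persisted copy of the sample and for build2.exe in the report
GUID_DIR = re.compile(
    r"\\AppData\\Local\\[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}(?![0-9a-f-])", re.I)
ICACLS_DENY = re.compile(
    r'^(?:.*\\)?icacls(?:\.exe)?\s+"(?P<path>[^"]+)"\s+/deny\s+(?P<sid>\*S-[\d-]+):'
    r"(?P<flags>(?:\([A-Za-z]{2}\))*)\((?P<rights>[A-Za-z,]+)\)\s*$", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\[^\\]+$", re.I)
WERFAULT = re.compile(r"WerFault\.exe\s+-u\s+-p\s+(?P<pid>\d+)", re.I)

@dataclass
class Event:
    kind: str                  # "process" | "regset" | "setthreadcontext"
    pid: int
    image: str = ""
    cmdline: str = ""
    key: str = ""
    value: str = ""
    target_pid: int = 0
    target_image: str = ""

@dataclass
class Finding:
    technique: str             # ATT&CK ID where one applies
    detail: str

def parse_icacls_deny(cmdline: str):
    """Split an icacls /deny command into path, SID, inheritance flags and rights."""
    m = ICACLS_DENY.match(cmdline.strip())
    if not m:
        return None
    return {"path": m["path"], "sid": m["sid"].upper(),
            "flags": re.findall(r"\(([A-Za-z]{2})\)", m["flags"].upper()),
            "rights": m["rights"].upper().split(",")}

def triage(events):
    findings = []
    image_of = {e.pid: e.image for e in events if e.kind == "process"}
    for e in events:
        if e.kind == "process":
            d = parse_icacls_deny(e.cmdline)
            # Everyone (S-1-1-0) denied DELETE and DELETE_CHILD on the drop directory,
            # inherited by files and subfolders: the copy survives a plain delete
            if d and d["sid"] == "*S-1-1-0" and {"DE", "DC"} & set(d["rights"]) \
                    and GUID_DIR.search(d["path"]):
                findings.append(Finding("T1222.001",
                    f"pid {e.pid}: icacls denies Everyone {'/'.join(d['rights'])} "
                    f"on {d['path']} with {''.join(d['flags'])} inheritance"))
            w = WERFAULT.search(e.cmdline)
            if w and GUID_DIR.search(image_of.get(int(w["pid"]), "")):
                findings.append(Finding("crash",
                    f"dropped payload pid {w['pid']} crashed: {image_of[int(w['pid'])]}"))
        elif (e.kind == "regset" and RUN_KEY.search(e.key)
              and "--AutoStart" in e.value and GUID_DIR.search(e.value)):
            name = e.key.rsplit("\\", 1)[-1]
            findings.append(Finding("T1547.001", f"pid {e.pid}: Run\\{name} = {e.value}"))
        elif e.kind == "setthreadcontext" and e.image.lower() == e.target_image.lower():
            # SetThreadContext on a child spawned from the same image is the resume
            # step of process hollowing (the report's WriteProcessMemory precedes it)
            findings.append(Finding("T1055.012",
                f"pid {e.pid} set thread context of its own copy, pid {e.target_pid}"))
    return findings

SAMPLE = "59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe"
TMP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE
PERSIST_DIR = r"C:\Users\Admin\AppData\Local\7170ac16-fcf1-4194-beae-248cec9dca22"
BUILD2 = r"C:\Users\Admin\AppData\Local\67aece4f-4149-4231-9706-84d43d71e444\build2.exe"
RUN_VALUE_KEY = (r"\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000"
                 r"\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper")

# Constructed event list mirroring behavioral1 above. PIDs of the sample and of
# build2.exe are the report's; the icacls and WerFault PIDs (3000, 3100) are assumed.
SAMPLE_EVENTS = [
    Event("process", 1936, TMP, f'"{TMP}"'),
    Event("process", 2756, TMP, f'"{TMP}"'),
    Event("setthreadcontext", 1936, TMP, target_pid=2756, target_image=TMP),
    Event("process", 3000, r"C:\Windows\SysWOW64\icacls.exe",
          f'icacls "{PERSIST_DIR}" /deny *S-1-1-0:(OI)(CI)(DE,DC)'),
    Event("regset", 2756, TMP, key=RUN_VALUE_KEY,
          value=f'"{PERSIST_DIR}\\{SAMPLE}" --AutoStart'),
    Event("process", 2480, TMP, f'"{TMP}" --Admin IsNotAutoStart IsNotTask'),
    Event("process", 2604, TMP, f'"{TMP}" --Admin IsNotAutoStart IsNotTask'),
    Event("setthreadcontext", 2480, TMP, target_pid=2604, target_image=TMP),
    Event("process", 2672, BUILD2, f'"{BUILD2}"'),
    Event("process", 268, BUILD2, f'"{BUILD2}"'),
    Event("setthreadcontext", 2672, BUILD2, target_pid=268, target_image=BUILD2),
    Event("process", 3100, r"C:\Windows\SysWOW64\WerFault.exe",
          r"C:\Windows\SysWOW64\WerFault.exe -u -p 268 -s 1456"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.technique}] {f.detail}")
```

The icacls rule is the one worth keeping on a real endpoint: a deny ACE for Everyone on delete rights, applied to a freshly created GUID-named folder in the user's profile, is how the dropped copy resists cleanup, and removal needs the ACE stripped (or the folder taken over by an administrator) before the file can be deleted. The hollowing rule keys only on "same image sets thread context of its child", which is what the report's three SetThreadContext rows share.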
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | brusuax.com | udp |
| AR | 186.13.17.220:80 | brusuax.com | tcp |
| US | 8.8.8.8:53 | zexeq.com | udp |
| KR | 211.181.24.133:80 | zexeq.com | tcp |
| KR | 211.181.24.133:80 | zexeq.com | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 104.103.202.103:443 | steamcommunity.com | tcp |
| FI | 65.109.241.139:443 | 65.109.241.139 | tcp |
| KR | 211.181.24.133:80 | zexeq.com | tcp |
| FI | 65.109.241.139:443 | 65.109.241.139 | tcp |
| FI | 65.109.241.139:443 | 65.109.241.139 | tcp |
| FI | 65.109.241.139:443 | 65.109.241.139 | tcp |
| KR | 211.181.24.133:80 | zexeq.com | tcp |
| KR | 211.181.24.133:80 | zexeq.com | tcp |
Files
memory/1936-0-0x0000000001CE0000-0x0000000001D72000-memory.dmp
memory/1936-1-0x0000000001CE0000-0x0000000001D72000-memory.dmp
memory/1936-3-0x0000000001D80000-0x0000000001E9B000-memory.dmp
memory/2756-2-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2756-5-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1936-7-0x0000000001CE0000-0x0000000001D72000-memory.dmp
memory/2756-8-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2756-9-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\7170ac16-fcf1-4194-beae-248cec9dca22\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe
| MD5 | cea0a866170628872d7005075d21d53c |
| SHA1 | 62e1130b5f8ceac4319411a88f99edd4ec34e7de |
| SHA256 | 59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7 |
| SHA512 | 62158e1c7dd966b3ba8af87e5f0d4e012c3267d48fd7dc731c7f7d24fe0cba2921f43cc68c194d3153879f5ac200cf3159a4ff34dc4ffe47b9468290a62fd458 |
memory/2756-27-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2480-29-0x0000000000220000-0x00000000002B2000-memory.dmp
memory/2480-30-0x0000000000220000-0x00000000002B2000-memory.dmp
memory/2604-35-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2604-36-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | b7470a9aa569b259d4c2bb3b80ae3aa3 |
| SHA1 | 093290296b7f1e402ef96e4b33a88f064aa401eb |
| SHA256 | ee8aeed77dd9f1631fa75845214d75bfe04951a61892410ee369035e13fd14c6 |
| SHA512 | 4da3fc09260692f159c37b068664852931b712c8173de5e4b294799ac33ecf179055aaeb016fd0afad88cbfc50a571c4c88033dca56a573431af7462ea7979be |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | dca61f9c346f08c3bd0c46e09a022cb3 |
| SHA1 | 223dea0ea360d1ecef95316e66ae818835fcbead |
| SHA256 | 274f80a1f36ac39f6ffb750120c1c94de26c7e98bc169d4e9cf7feecc75788c5 |
| SHA512 | bc6ec49a04c65540b7d8b0d314994921516644cdcdb5ecf94e3511ded2920fc380dd5af51678af5fec9e3bb9824f0e5d3cbc7fa57b6273ba8518293fe32d5e61 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 8202a1cd02e7d69597995cabbe881a12 |
| SHA1 | 8858d9d934b7aa9330ee73de6c476acf19929ff6 |
| SHA256 | 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5 |
| SHA512 | 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | d9da13bc21ae5d75d0c5d6e57fef7f6f |
| SHA1 | 57e5a4e1c2ec5db133c2002aa1cab74c9b8cbee2 |
| SHA256 | 3b52e259775f247ded30bb1d8e8b8e9b371782e623f85500a41e55ce9c92ab70 |
| SHA512 | 70e036c2ed4e35e0daef4ba02dee49b3f17f64d79db70b5e6d327063d720ad29774b8365602c1c978a4f235259a26035f9314c209880b778633a9cc2474136d4 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 659e69a677f70a2a7ba39e08c7e7096b |
| SHA1 | 4d44fd5df49d3baa5bdc6c61b5c513152089e1d3 |
| SHA256 | a28f564ab24d14258c8620c47206521098090add4e96508c394892280a6f427b |
| SHA512 | 44b3a2374accdfdfad171e721d89c4feab6c0bbc793c2836935274c3826c0f854cb80e0c74fba14ca2c05c758caafc1b184d8749ee64a3f049537b61a5ece621 |
C:\Users\Admin\AppData\Local\Temp\Cab55BE.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
memory/2604-49-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2604-50-0x0000000000400000-0x0000000000537000-memory.dmp
\Users\Admin\AppData\Local\67aece4f-4149-4231-9706-84d43d71e444\build2.exe
| MD5 | c4070da9f9b0581171af16e681ccdff8 |
| SHA1 | 3fb4182921fdc3acd7873ebe113ac5522585312a |
| SHA256 | 26063c78e5418610471a9f3a00a155d7d1e5b29856e1979ba3bdc42681a871d0 |
| SHA512 | c7569cea7f1a841e7cac9cd41287dba3bcacf2cf9dee7bece88800848a7ad5dc4cd2bdc896c7389f0f1144079bbe168048b3f722bcd76fa5d6e14f3081bb6427 |
memory/268-64-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2672-65-0x00000000008C0000-0x00000000009C0000-memory.dmp
memory/2672-67-0x0000000000230000-0x000000000027B000-memory.dmp
memory/268-68-0x0000000000400000-0x000000000065E000-memory.dmp
memory/268-71-0x0000000000400000-0x000000000065E000-memory.dmp
memory/2604-72-0x0000000000400000-0x0000000000537000-memory.dmp
memory/268-73-0x0000000000400000-0x000000000065E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Tar6C3C.tmp
| MD5 | 9c0c641c06238516f27941aa1166d427 |
| SHA1 | 64cd549fb8cf014fcd9312aa7a5b023847b6c977 |
| SHA256 | 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f |
| SHA512 | 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d0fe69a308f7dd4012802ba1e0bbe66d |
| SHA1 | 3d33f18c374266151054f7ef7e9b749da9d07c6c |
| SHA256 | b9fce032c9c31ba175ca26c37a84ca6c802159a6e608740d857e11fc9bff3327 |
| SHA512 | 8a3ce9104c601aaffeb09039c2fb91532077de47f5f867f749553d6aac5acd59adfd40c29d21f384b7de8e9c6c9646b518e612c266b82410e04fa4cad40a9e4b |
memory/268-194-0x0000000000400000-0x000000000065E000-memory.dmp
memory/2604-196-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2604-198-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2604-199-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2604-201-0x0000000000400000-0x0000000000537000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-15 04:51
Reported
2024-01-15 04:56
Platform
win10-20231220-en
Max time kernel
51s
Max time network
108s
Command Line
Signatures
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Vidar
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\60a63f41-fb9d-4683-96d0-bea3693dd6e1\build2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\60a63f41-fb9d-4683-96d0-bea3693dd6e1\build2.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1775739321-368907234-981748298-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\f8d1d28d-7452-4c55-b079-47a4da0efcf1\\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1620 set thread context of 4780 | N/A | C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe | C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe |
| PID 4748 set thread context of 1668 | N/A | C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe | C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe |
| PID 1348 set thread context of 4080 | N/A | C:\Users\Admin\AppData\Local\60a63f41-fb9d-4683-96d0-bea3693dd6e1\build2.exe | C:\Users\Admin\AppData\Local\60a63f41-fb9d-4683-96d0-bea3693dd6e1\build2.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\60a63f41-fb9d-4683-96d0-bea3693dd6e1\build2.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe
"C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe"
C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe
"C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\f8d1d28d-7452-4c55-b079-47a4da0efcf1" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe
"C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe
"C:\Users\Admin\AppData\Local\Temp\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\60a63f41-fb9d-4683-96d0-bea3693dd6e1\build2.exe
"C:\Users\Admin\AppData\Local\60a63f41-fb9d-4683-96d0-bea3693dd6e1\build2.exe"
C:\Users\Admin\AppData\Local\60a63f41-fb9d-4683-96d0-bea3693dd6e1\build2.exe
"C:\Users\Admin\AppData\Local\60a63f41-fb9d-4683-96d0-bea3693dd6e1\build2.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 1916
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | brusuax.com | udp |
| US | 8.8.8.8:53 | 24.65.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 94.193.125.74.in-addr.arpa | udp |
| US | 8.8.8.8:53 | zexeq.com | udp |
| KR | 211.168.53.110:80 | zexeq.com | tcp |
| KR | 211.168.53.110:80 | zexeq.com | tcp |
| US | 8.8.8.8:53 | 110.53.168.211.in-addr.arpa | udp |
| KR | 211.168.53.110:80 | zexeq.com | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| DE | 116.202.0.196:10220 | 116.202.0.196 | tcp |
| KR | 211.168.53.110:80 | zexeq.com | tcp |
| US | 8.8.8.8:53 | 99.167.154.149.in-addr.arpa | udp |
| DE | 116.202.0.196:10220 | 116.202.0.196 | tcp |
| DE | 116.202.0.196:10220 | 116.202.0.196 | tcp |
| US | 8.8.8.8:53 | 196.0.202.116.in-addr.arpa | udp |
| DE | 116.202.0.196:10220 | 116.202.0.196 | tcp |
| US | 8.8.8.8:53 | 96.134.221.88.in-addr.arpa | udp |
| KR | 211.168.53.110:80 | zexeq.com | tcp |
| KR | 211.168.53.110:80 | zexeq.com | tcp |
Files
memory/1620-1-0x00000000020C0000-0x000000000215E000-memory.dmp
memory/1620-2-0x0000000002190000-0x00000000022AB000-memory.dmp
memory/4780-4-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4780-5-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4780-6-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4780-3-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\f8d1d28d-7452-4c55-b079-47a4da0efcf1\59c0177643779444e51a54f10e3aefaa1849b0dd8e8c9d4b18e62f153a8decb7.exe
| MD5 | 53854321deddd90ba43a81b1d7c60712 |
| SHA1 | feffadda60ad0b54478f03cb09dd678e65b28d91 |
| SHA256 | d09aac0a2ac7b7770940bcfcca21d44370fe72df7a74871d27c6714aebc69c97 |
| SHA512 | a13f1722c1c73d80b023cc7c3057bf1724d527c92b72ba952e62fe4c3110885b4cfa85ccfb8f940d65c89debb53de629266e2001c779419ef5db3b8d6e374bcc |
memory/4780-17-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4748-20-0x00000000020E0000-0x0000000002179000-memory.dmp
memory/1668-23-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1668-22-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1668-24-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | b7470a9aa569b259d4c2bb3b80ae3aa3 |
| SHA1 | 093290296b7f1e402ef96e4b33a88f064aa401eb |
| SHA256 | ee8aeed77dd9f1631fa75845214d75bfe04951a61892410ee369035e13fd14c6 |
| SHA512 | 4da3fc09260692f159c37b068664852931b712c8173de5e4b294799ac33ecf179055aaeb016fd0afad88cbfc50a571c4c88033dca56a573431af7462ea7979be |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 8202a1cd02e7d69597995cabbe881a12 |
| SHA1 | 8858d9d934b7aa9330ee73de6c476acf19929ff6 |
| SHA256 | 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5 |
| SHA512 | 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 89e3600293b1790349601358899b60cb |
| SHA1 | 3a37042f9c2fb874ad978828cd87efdf81f1aa74 |
| SHA256 | 891d0d7b696094e3d1d7c7d773e1cbd5df14da221fb3d8529ef47a7811de2080 |
| SHA512 | d4780608fa6cfd23224516ea1b0a0176de7104e7aab9ae38c021cdb49f08ed1b4025ac64727c1112d43937213eb7c6e16dc47e6b174c490aee5293403fa42ce6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 04ca323335976f7ed1b8cf5ebe1ebd7c |
| SHA1 | 8dbd4d9a9d0642bcc37b5ea1ed45345bfd828211 |
| SHA256 | 9190095c14c3ce50346f7f789239f997d06ebc92e3edfcc647e9b40a8317522f |
| SHA512 | b4184ffc47b9e280f1f98316763d709ef97f8670fac1f0804a3f5a802600f07fecb440b97c7d7783813a479efb66aa388c7db6d184673c7a90fde3d2dd3fce07 |
memory/1668-29-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1668-30-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\60a63f41-fb9d-4683-96d0-bea3693dd6e1\build2.exe
| MD5 | c73531e4cc088ed5ec1f8562282ec700 |
| SHA1 | 3c5f393faeb751597f3d7328130859630300f5fc |
| SHA256 | 2e028881839d5820bdeba0b9102bf656798e002cb35b40f63dd776fde8816f67 |
| SHA512 | 0f6d43d5c27fe7e860b5edc24989e9802191e13bb30628629ec061900fa7f0a60938daa61a3c097e69060357c6537e99b387e610229f809a0c697f9df54d5e8d |
memory/4080-39-0x0000000000400000-0x000000000065E000-memory.dmp
memory/4080-45-0x0000000000400000-0x000000000065E000-memory.dmp
memory/4080-44-0x0000000000400000-0x000000000065E000-memory.dmp
memory/1348-43-0x00000000020F0000-0x000000000213B000-memory.dmp
memory/1348-42-0x0000000000610000-0x0000000000710000-memory.dmp
C:\Users\Admin\AppData\Local\60a63f41-fb9d-4683-96d0-bea3693dd6e1\build2.exe
| MD5 | 2907d24bf4358f06e28ab1586e31a5df |
| SHA1 | 5bf51ab4f2d1fe9c0c0d75506da29b5fbdb7e499 |
| SHA256 | 1ef71558ed1992a6fc85d7171c3a4a370ace0c3dc81561ebb42c66450f835ccf |
| SHA512 | 479ed57538a04f4985f8108033f2cf038a1ced379ea480c045e4096d90c346661348f60194be19c39b0f7a0c7facba0fc03f6acfeba83dae31bd51e332f858da |
C:\Users\Admin\AppData\Local\60a63f41-fb9d-4683-96d0-bea3693dd6e1\build2.exe
| MD5 | ff75f5779e0ddad79a3ef14166bb9630 |
| SHA1 | 634f0a968b08a70181eb1fff4efb20dbeaa6516c |
| SHA256 | ac15d93f4a5a15aee6640e7dddd0f590ceed9adedca3df1e40fa0f43ec81dc91 |
| SHA512 | ee92ff0cef8ebf0ca136d1918f6ed7a9767dbb3fda65615901f6aa8a98c02000599b3bba01fe64a3eb3ffdebdd15494909163362496c38f2ff98f144bd8ab837 |
memory/1668-47-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4080-51-0x0000000000400000-0x000000000065E000-memory.dmp
memory/1668-55-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1668-56-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1668-53-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1668-57-0x0000000000400000-0x0000000000537000-memory.dmp