Analysis Overview
SHA256
6e83d5dae916b6c88c9a3c93b6c7c55c5f582c2ecdaa97a89a0d8fc803e8113e
Threat Level: Known bad
The file 6e83d5dae916b6c88c9a3c93b6c7c55c5f582c2ecdaa97a89a0d8fc803e8113e was found to be: Known bad.
Malicious Activity Summary
Detected Djvu ransomware
Vidar
Djvu Ransomware
Detect Vidar Stealer
Downloads MZ/PE file
Loads dropped DLL
Modifies file permissions
Executes dropped EXE
Adds Run key to start application
Looks up external IP address via web service
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Modifies system certificate store
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-15 04:53
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-15 04:53
Reported
2024-01-15 04:58
Platform
win7-20231215-en
Max time kernel
297s
Max time network
168s
Command Line
Signatures
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Vidar
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\90253e53-5843-468d-823d-d68b680094b2\build2.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6e83d5dae916b6c88c9a3c93b6c7c55c5f582c2ecdaa97a89a0d8fc803e8113e.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\abf57921-7c74-4723-be80-40b0f03c9352\\6e83d5dae916b6c88c9a3c93b6c7c55c5f582c2ecdaa97a89a0d8fc803e8113e.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\6e83d5dae916b6c88c9a3c93b6c7c55c5f582c2ecdaa97a89a0d8fc803e8113e.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2472 set thread context of 2452 | N/A | C:\Users\Admin\AppData\Local\Temp\6e83d5dae916b6c88c9a3c93b6c7c55c5f582c2ecdaa97a89a0d8fc803e8113e.exe | C:\Users\Admin\AppData\Local\Temp\6e83d5dae916b6c88c9a3c93b6c7c55c5f582c2ecdaa97a89a0d8fc803e8113e.exe |
| PID 2136 set thread context of 528 | N/A | C:\Users\Admin\AppData\Local\Temp\6e83d5dae916b6c88c9a3c93b6c7c55c5f582c2ecdaa97a89a0d8fc803e8113e.exe | C:\Users\Admin\AppData\Local\Temp\6e83d5dae916b6c88c9a3c93b6c7c55c5f582c2ecdaa97a89a0d8fc803e8113e.exe |
| PID 1808 set thread context of 2568 | N/A | C:\Users\Admin\AppData\Local\90253e53-5843-468d-823d-d68b680094b2\build2.exe | C:\Users\Admin\AppData\Local\90253e53-5843-468d-823d-d68b680094b2\build2.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\90253e53-5843-468d-823d-d68b680094b2\build2.exe |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\90253e53-5843-468d-823d-d68b680094b2\build2.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (value omitted) | C:\Users\Admin\AppData\Local\90253e53-5843-468d-823d-d68b680094b2\build2.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\6e83d5dae916b6c88c9a3c93b6c7c55c5f582c2ecdaa97a89a0d8fc803e8113e.exe | "C:\Users\Admin\AppData\Local\Temp\6e83d5dae916b6c88c9a3c93b6c7c55c5f582c2ecdaa97a89a0d8fc803e8113e.exe" |
| C:\Users\Admin\AppData\Local\Temp\6e83d5dae916b6c88c9a3c93b6c7c55c5f582c2ecdaa97a89a0d8fc803e8113e.exe | "C:\Users\Admin\AppData\Local\Temp\6e83d5dae916b6c88c9a3c93b6c7c55c5f582c2ecdaa97a89a0d8fc803e8113e.exe" |
| C:\Windows\SysWOW64\icacls.exe | icacls "C:\Users\Admin\AppData\Local\abf57921-7c74-4723-be80-40b0f03c9352" /deny *S-1-1-0:(OI)(CI)(DE,DC) |
| C:\Users\Admin\AppData\Local\Temp\6e83d5dae916b6c88c9a3c93b6c7c55c5f582c2ecdaa97a89a0d8fc803e8113e.exe | "C:\Users\Admin\AppData\Local\Temp\6e83d5dae916b6c88c9a3c93b6c7c55c5f582c2ecdaa97a89a0d8fc803e8113e.exe" --Admin IsNotAutoStart IsNotTask |
| C:\Users\Admin\AppData\Local\Temp\6e83d5dae916b6c88c9a3c93b6c7c55c5f582c2ecdaa97a89a0d8fc803e8113e.exe | "C:\Users\Admin\AppData\Local\Temp\6e83d5dae916b6c88c9a3c93b6c7c55c5f582c2ecdaa97a89a0d8fc803e8113e.exe" --Admin IsNotAutoStart IsNotTask |
| C:\Users\Admin\AppData\Local\90253e53-5843-468d-823d-d68b680094b2\build2.exe | "C:\Users\Admin\AppData\Local\90253e53-5843-468d-823d-d68b680094b2\build2.exe" |
| C:\Users\Admin\AppData\Local\90253e53-5843-468d-823d-d68b680094b2\build2.exe | "C:\Users\Admin\AppData\Local\90253e53-5843-468d-823d-d68b680094b2\build2.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 1428 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | brusuax.com | udp |
| US | 8.8.8.8:53 | zexeq.com | udp |
| KR | 211.181.24.133:80 | zexeq.com | tcp |
| CO | 186.147.159.149:80 | brusuax.com | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 104.103.202.103:443 | steamcommunity.com | tcp |
| FI | 65.109.241.139:443 | 65.109.241.139 | tcp |
Files
C:\Users\Admin\AppData\Local\abf57921-7c74-4723-be80-40b0f03c9352\6e83d5dae916b6c88c9a3c93b6c7c55c5f582c2ecdaa97a89a0d8fc803e8113e.exe
| MD5 | 6e1ad02bf816694f51cee197284676d7 |
| SHA1 | d77d8bfef363dac6948ffd59041520e177884b42 |
| SHA256 | 6e83d5dae916b6c88c9a3c93b6c7c55c5f582c2ecdaa97a89a0d8fc803e8113e |
| SHA512 | 4a29311f123e27773287264f82bf913b0a4cbc4424aae0c3d3bd4315f3b6a280f03ef1d1bc76e920238a66aa90b49d14eb3ed6804f0450491546d093ea47bab4 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 9beb1dc135d2bf40a29e531f13f1d2e4 |
| SHA1 | 01362de25af802fe5205210dcc819972ef93b7cf |
| SHA256 | b0e867b73a4fe868952af35099e5fe88d5b56eddb9bacbdc6ae650220dce3854 |
| SHA512 | 53240d976349a22e5ce8ee9d5ab0e7c6836e74cb3bb0b97c3fd47184a14e89a629d74db381d388c3259fd3429cd9e79fc8880472e0614a1a6f8853e41d01eb40 |
C:\Users\Admin\AppData\Local\Temp\CabB0F7.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1d01450b6a732dd95ed5185181aaa715 |
| SHA1 | 55a853361e26d3e915622c51c550beead21d0b03 |
| SHA256 | 63cd63d026b88826eac3ca6fe367d8d5dbc42fd2856b0e9bf44040b0a7d86916 |
| SHA512 | 32ff6b0ca126fe77c7864e732624191556e901db4062b891d7428da6936527ebad8b73a646432fb6698b7747299ecc462385440b95be4156865150d7341b4b83 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 8202a1cd02e7d69597995cabbe881a12 |
| SHA1 | 8858d9d934b7aa9330ee73de6c476acf19929ff6 |
| SHA256 | 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5 |
| SHA512 | 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | b7470a9aa569b259d4c2bb3b80ae3aa3 |
| SHA1 | 093290296b7f1e402ef96e4b33a88f064aa401eb |
| SHA256 | ee8aeed77dd9f1631fa75845214d75bfe04951a61892410ee369035e13fd14c6 |
| SHA512 | 4da3fc09260692f159c37b068664852931b712c8173de5e4b294799ac33ecf179055aaeb016fd0afad88cbfc50a571c4c88033dca56a573431af7462ea7979be |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | fe94f21ff90dc87f99969de124b03ee7 |
| SHA1 | b51f17060e14403927337b27cba6d0a57adcdb53 |
| SHA256 | 8188c5bcbb7eddd139c1be81d7a9b81732f4bc765c068870e31210e0bae3343d |
| SHA512 | d0923c8b7b072ee46ad967e8c45f0b5d0fd8062968dd586c49f90537aea40dfcb49adb0ca1a19d097b97aeb3b9271c751d1d9ea0b7808c64ab97ff857af40230 |
\Users\Admin\AppData\Local\90253e53-5843-468d-823d-d68b680094b2\build2.exe
| MD5 | c4070da9f9b0581171af16e681ccdff8 |
| SHA1 | 3fb4182921fdc3acd7873ebe113ac5522585312a |
| SHA256 | 26063c78e5418610471a9f3a00a155d7d1e5b29856e1979ba3bdc42681a871d0 |
| SHA512 | c7569cea7f1a841e7cac9cd41287dba3bcacf2cf9dee7bece88800848a7ad5dc4cd2bdc896c7389f0f1144079bbe168048b3f722bcd76fa5d6e14f3081bb6427 |
C:\Users\Admin\AppData\Local\Temp\TarDB14.tmp
| MD5 | 9c0c641c06238516f27941aa1166d427 |
| SHA1 | 64cd549fb8cf014fcd9312aa7a5b023847b6c977 |
| SHA256 | 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f |
| SHA512 | 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9b9d2781cd117dd292cd615ac054afbf |
| SHA1 | 12bca71a5adfc005d9097c7ebac021ae0c656978 |
| SHA256 | 678257e103c879d50e9303cb57b992ace2c26d26a4aad5c45e7c5119747ab61d |
| SHA512 | b48291d0970fa4545525eefb2b5561e1a0783bbc45a3b920874162019564e118d275e87e157d6d9138c71bd04830b6d4f0cdde578414e4cd908907c09757cb33 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-15 04:53
Reported
2024-01-15 04:58
Platform
win10-20231215-en
Max time kernel
299s
Max time network
307s
Command Line
Signatures
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Vidar
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\3e574088-1159-4aeb-8193-7f855ba9080c\build2.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1968775928-2924269989-3510977013-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\609fa6bd-59af-4c0d-8b22-38c39690a586\\6e83d5dae916b6c88c9a3c93b6c7c55c5f582c2ecdaa97a89a0d8fc803e8113e.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\6e83d5dae916b6c88c9a3c93b6c7c55c5f582c2ecdaa97a89a0d8fc803e8113e.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4372 set thread context of 4828 | N/A | C:\Users\Admin\AppData\Local\Temp\6e83d5dae916b6c88c9a3c93b6c7c55c5f582c2ecdaa97a89a0d8fc803e8113e.exe | C:\Users\Admin\AppData\Local\Temp\6e83d5dae916b6c88c9a3c93b6c7c55c5f582c2ecdaa97a89a0d8fc803e8113e.exe |
| PID 2928 set thread context of 656 | N/A | C:\Users\Admin\AppData\Local\Temp\6e83d5dae916b6c88c9a3c93b6c7c55c5f582c2ecdaa97a89a0d8fc803e8113e.exe | C:\Users\Admin\AppData\Local\Temp\6e83d5dae916b6c88c9a3c93b6c7c55c5f582c2ecdaa97a89a0d8fc803e8113e.exe |
| PID 4168 set thread context of 4132 | N/A | C:\Users\Admin\AppData\Local\3e574088-1159-4aeb-8193-7f855ba9080c\build2.exe | C:\Users\Admin\AppData\Local\3e574088-1159-4aeb-8193-7f855ba9080c\build2.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\3e574088-1159-4aeb-8193-7f855ba9080c\build2.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\6e83d5dae916b6c88c9a3c93b6c7c55c5f582c2ecdaa97a89a0d8fc803e8113e.exe | "C:\Users\Admin\AppData\Local\Temp\6e83d5dae916b6c88c9a3c93b6c7c55c5f582c2ecdaa97a89a0d8fc803e8113e.exe" |
| C:\Users\Admin\AppData\Local\Temp\6e83d5dae916b6c88c9a3c93b6c7c55c5f582c2ecdaa97a89a0d8fc803e8113e.exe | "C:\Users\Admin\AppData\Local\Temp\6e83d5dae916b6c88c9a3c93b6c7c55c5f582c2ecdaa97a89a0d8fc803e8113e.exe" |
| C:\Windows\SysWOW64\icacls.exe | icacls "C:\Users\Admin\AppData\Local\609fa6bd-59af-4c0d-8b22-38c39690a586" /deny *S-1-1-0:(OI)(CI)(DE,DC) |
| C:\Users\Admin\AppData\Local\Temp\6e83d5dae916b6c88c9a3c93b6c7c55c5f582c2ecdaa97a89a0d8fc803e8113e.exe | "C:\Users\Admin\AppData\Local\Temp\6e83d5dae916b6c88c9a3c93b6c7c55c5f582c2ecdaa97a89a0d8fc803e8113e.exe" --Admin IsNotAutoStart IsNotTask |
| C:\Users\Admin\AppData\Local\Temp\6e83d5dae916b6c88c9a3c93b6c7c55c5f582c2ecdaa97a89a0d8fc803e8113e.exe | "C:\Users\Admin\AppData\Local\Temp\6e83d5dae916b6c88c9a3c93b6c7c55c5f582c2ecdaa97a89a0d8fc803e8113e.exe" --Admin IsNotAutoStart IsNotTask |
| C:\Users\Admin\AppData\Local\3e574088-1159-4aeb-8193-7f855ba9080c\build2.exe | "C:\Users\Admin\AppData\Local\3e574088-1159-4aeb-8193-7f855ba9080c\build2.exe" |
| C:\Users\Admin\AppData\Local\3e574088-1159-4aeb-8193-7f855ba9080c\build2.exe | "C:\Users\Admin\AppData\Local\3e574088-1159-4aeb-8193-7f855ba9080c\build2.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4132 -s 1908 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.65.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 94.193.125.74.in-addr.arpa | udp |
| US | 8.8.8.8:53 | brusuax.com | udp |
| US | 8.8.8.8:53 | zexeq.com | udp |
| CO | 186.147.159.149:80 | brusuax.com | tcp |
| ET | 196.188.169.138:80 | zexeq.com | tcp |
| US | 8.8.8.8:53 | 149.159.147.186.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.169.188.196.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| DE | 116.202.0.196:10220 | 116.202.0.196 | tcp |
| US | 8.8.8.8:53 | 99.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.0.202.116.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 129.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\609fa6bd-59af-4c0d-8b22-38c39690a586\6e83d5dae916b6c88c9a3c93b6c7c55c5f582c2ecdaa97a89a0d8fc803e8113e.exe
| MD5 | 6e1ad02bf816694f51cee197284676d7 |
| SHA1 | d77d8bfef363dac6948ffd59041520e177884b42 |
| SHA256 | 6e83d5dae916b6c88c9a3c93b6c7c55c5f582c2ecdaa97a89a0d8fc803e8113e |
| SHA512 | 4a29311f123e27773287264f82bf913b0a4cbc4424aae0c3d3bd4315f3b6a280f03ef1d1bc76e920238a66aa90b49d14eb3ed6804f0450491546d093ea47bab4 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 8202a1cd02e7d69597995cabbe881a12 |
| SHA1 | 8858d9d934b7aa9330ee73de6c476acf19929ff6 |
| SHA256 | 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5 |
| SHA512 | 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 29894420414aa249f11bf24abbe386af |
| SHA1 | 1bc7c7de6768ad408c07732d1a58d30389332cce |
| SHA256 | e2350b4f45ed79c77890ad2e4e6c42037d78c3e5b86007c4b87e8d2ed4cc62be |
| SHA512 | 4c545c46f86f6bf5f05d56a2cc8486f1cb48410d7ba7b47145b2f09ac4d2b71b7c346f0cf711ba836877f6464f01c8b152aef84dff9938e7788231230126083d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | b7470a9aa569b259d4c2bb3b80ae3aa3 |
| SHA1 | 093290296b7f1e402ef96e4b33a88f064aa401eb |
| SHA256 | ee8aeed77dd9f1631fa75845214d75bfe04951a61892410ee369035e13fd14c6 |
| SHA512 | 4da3fc09260692f159c37b068664852931b712c8173de5e4b294799ac33ecf179055aaeb016fd0afad88cbfc50a571c4c88033dca56a573431af7462ea7979be |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | a80c989f02c6438c57ff08ace0bcc76b |
| SHA1 | 49408336eb66ed1d6b0e01da18535f26a3ca4ff6 |
| SHA256 | 8b192448875fbc304724beea1d08cf0d9f34bae2e721305f09682fb29cea4f1b |
| SHA512 | d04a0849ab40572573c3324fa769bbfc74a65f7b42c5a40785d1a52d85a27cef76e1ed0206da252647e5be02d1f5f9b4286ed1311cfce6ad1d7c078721955c28 |
C:\Users\Admin\AppData\Local\3e574088-1159-4aeb-8193-7f855ba9080c\build2.exe
| MD5 | 5d559f4ba8fedb485128d9389b778296 |
| SHA1 | aff6e3e6db266f0138081e18ffbd477a6165a418 |
| SHA256 | f4dbc0a7903fd76a8a774a4d7651890626dc7b6dc359401ee0c605d5316c758c |
| SHA512 | 6b4b2f9374d0ba4b8bbad3ea91adec13323acb359cba5a23d914bb9e5ded0f1f27c6fc23342170c6250bb469655e0660d5dde8c03db5705dfab52555bfeadc36 |
C:\Users\Admin\AppData\Local\3e574088-1159-4aeb-8193-7f855ba9080c\build2.exe
| MD5 | 58d27cdb2dd179af830b8f913fb0eb13 |
| SHA1 | 668899ba8d286f36757f69ac1ef6cb89b3794479 |
| SHA256 | 4bff957a94d3ec4efb8b07969a1e82dc9abbc19c897d3cd8def3d4a11ce300ed |
| SHA512 | cd220f57394c5660b5c01123ce5fc269c1a6afb7f34081136469d2aa4b49435c3f962d34b69bb3169cb864f745160d032896c9a0d699386a5c39ee18b0129c01 |
C:\Users\Admin\AppData\Local\3e574088-1159-4aeb-8193-7f855ba9080c\build2.exe
| MD5 | c4070da9f9b0581171af16e681ccdff8 |
| SHA1 | 3fb4182921fdc3acd7873ebe113ac5522585312a |
| SHA256 | 26063c78e5418610471a9f3a00a155d7d1e5b29856e1979ba3bdc42681a871d0 |
| SHA512 | c7569cea7f1a841e7cac9cd41287dba3bcacf2cf9dee7bece88800848a7ad5dc4cd2bdc896c7389f0f1144079bbe168048b3f722bcd76fa5d6e14f3081bb6427 |