Analysis Overview
SHA256: 7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668
Threat Level: Known bad
The file 7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668 was found to be: Known bad.
Malicious Activity Summary
Detected Djvu ransomware
Vidar
Detect Vidar Stealer
Djvu Ransomware
Downloads MZ/PE file
Modifies file permissions
Executes dropped EXE
Loads dropped DLL
Looks up external IP address via web service
Adds Run key to start application
Suspicious use of SetThreadContext
Unsigned PE
Program crash
Enumerates physical storage devices
Modifies system certificate store
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-01-15 04:53
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted: 2024-01-15 04:53
Reported: 2024-01-15 04:58
Platform: win7-20231215-en
Max time kernel: 296s
Max time network: 158s
Signatures
Detect Vidar Stealer
Detected Djvu ransomware
Djvu Ransomware
Vidar
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\57248a62-37c4-4061-a127-d2d63976b737\build2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\57248a62-37c4-4061-a127-d2d63976b737\build2.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\9d530b51-7c10-4fdb-ab63-a2b5b16c0b86\\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2976 set thread context of 2136 | N/A | C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe | C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe |
| PID 1432 set thread context of 2708 | N/A | C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe | C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe |
| PID 2896 set thread context of 1652 | N/A | C:\Users\Admin\AppData\Local\57248a62-37c4-4061-a127-d2d63976b737\build2.exe | C:\Users\Admin\AppData\Local\57248a62-37c4-4061-a127-d2d63976b737\build2.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\57248a62-37c4-4061-a127-d2d63976b737\build2.exe |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\57248a62-37c4-4061-a127-d2d63976b737\build2.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (binary certificate blob omitted) | C:\Users\Admin\AppData\Local\57248a62-37c4-4061-a127-d2d63976b737\build2.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe | "C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe" |
| C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe | "C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe" |
| C:\Windows\SysWOW64\icacls.exe | icacls "C:\Users\Admin\AppData\Local\9d530b51-7c10-4fdb-ab63-a2b5b16c0b86" /deny *S-1-1-0:(OI)(CI)(DE,DC) |
| C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe | "C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe" --Admin IsNotAutoStart IsNotTask |
| C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe | "C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe" --Admin IsNotAutoStart IsNotTask |
| C:\Users\Admin\AppData\Local\57248a62-37c4-4061-a127-d2d63976b737\build2.exe | "C:\Users\Admin\AppData\Local\57248a62-37c4-4061-a127-d2d63976b737\build2.exe" |
| C:\Users\Admin\AppData\Local\57248a62-37c4-4061-a127-d2d63976b737\build2.exe | "C:\Users\Admin\AppData\Local\57248a62-37c4-4061-a127-d2d63976b737\build2.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 1456 |
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted: 2024-01-15 04:53
Reported: 2024-01-15 04:58
Platform: win10-20231220-en
Max time kernel: 297s
Max time network: 303s
Signatures
Detect Vidar Stealer
Detected Djvu ransomware
Djvu Ransomware
Vidar
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\28033bc3-ca92-4d97-8fbc-cf09c61d8d8c\build2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\28033bc3-ca92-4d97-8fbc-cf09c61d8d8c\build2.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\28ce7fef-f09c-4687-a619-5f0ca079d85e\\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 316 set thread context of 2684 | N/A | C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe | C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe |
| PID 2860 set thread context of 2004 | N/A | C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe | C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe |
| PID 1800 set thread context of 396 | N/A | C:\Users\Admin\AppData\Local\28033bc3-ca92-4d97-8fbc-cf09c61d8d8c\build2.exe | C:\Users\Admin\AppData\Local\28033bc3-ca92-4d97-8fbc-cf09c61d8d8c\build2.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\28033bc3-ca92-4d97-8fbc-cf09c61d8d8c\build2.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe | "C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe" |
| C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe | "C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe" |
| C:\Windows\SysWOW64\icacls.exe | icacls "C:\Users\Admin\AppData\Local\28ce7fef-f09c-4687-a619-5f0ca079d85e" /deny *S-1-1-0:(OI)(CI)(DE,DC) |
| C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe | "C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe" --Admin IsNotAutoStart IsNotTask |
| C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe | "C:\Users\Admin\AppData\Local\Temp\7cb2404fa999ff73f52f546d050cb2dac937b38d6a02849300b2825f13ccd668.exe" --Admin IsNotAutoStart IsNotTask |
| C:\Users\Admin\AppData\Local\28033bc3-ca92-4d97-8fbc-cf09c61d8d8c\build2.exe | "C:\Users\Admin\AppData\Local\28033bc3-ca92-4d97-8fbc-cf09c61d8d8c\build2.exe" |
| C:\Users\Admin\AppData\Local\28033bc3-ca92-4d97-8fbc-cf09c61d8d8c\build2.exe | "C:\Users\Admin\AppData\Local\28033bc3-ca92-4d97-8fbc-cf09c61d8d8c\build2.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 396 -s 1908 |
Network
Files