Analysis Overview
SHA256
5a34ca5e10a7a7d16004ac527df6de33aae7029574ac58d27fc4070070060989
Threat Level: Known bad
The file 5a34ca5e10a7a7d16004ac527df6de33aae7029574ac58d27fc4070070060989 was found to be: Known bad.
Malicious Activity Summary
Detect Vidar Stealer
Detected Djvu ransomware
Djvu Ransomware
Vidar
Downloads MZ/PE file
Executes dropped EXE
Modifies file permissions
Loads dropped DLL
Adds Run key to start application
Looks up external IP address via web service
Suspicious use of SetThreadContext
Enumerates physical storage devices
Unsigned PE
Program crash
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Modifies system certificate store
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-15 04:51
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-15 04:51
Reported
2024-01-15 04:57
Platform
win7-20231215-en
Max time kernel
300s
Max time network
160s
Command Line
Signatures
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Vidar
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\1f68550d-3640-4c88-9687-be3fc029f82d\build2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\1f68550d-3640-4c88-9687-be3fc029f82d\build2.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5a34ca5e10a7a7d16004ac527df6de33aae7029574ac58d27fc4070070060989.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5a34ca5e10a7a7d16004ac527df6de33aae7029574ac58d27fc4070070060989.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\edc48970-8386-4c1f-8bd6-86a23fcc9bfd\\5a34ca5e10a7a7d16004ac527df6de33aae7029574ac58d27fc4070070060989.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\5a34ca5e10a7a7d16004ac527df6de33aae7029574ac58d27fc4070070060989.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2424 set thread context of 2128 | N/A | C:\Users\Admin\AppData\Local\Temp\5a34ca5e10a7a7d16004ac527df6de33aae7029574ac58d27fc4070070060989.exe | C:\Users\Admin\AppData\Local\Temp\5a34ca5e10a7a7d16004ac527df6de33aae7029574ac58d27fc4070070060989.exe |
| PID 2916 set thread context of 2700 | N/A | C:\Users\Admin\AppData\Local\Temp\5a34ca5e10a7a7d16004ac527df6de33aae7029574ac58d27fc4070070060989.exe | C:\Users\Admin\AppData\Local\Temp\5a34ca5e10a7a7d16004ac527df6de33aae7029574ac58d27fc4070070060989.exe |
| PID 796 set thread context of 1112 | N/A | C:\Users\Admin\AppData\Local\1f68550d-3640-4c88-9687-be3fc029f82d\build2.exe | C:\Users\Admin\AppData\Local\1f68550d-3640-4c88-9687-be3fc029f82d\build2.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\1f68550d-3640-4c88-9687-be3fc029f82d\build2.exe |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\1f68550d-3640-4c88-9687-be3fc029f82d\build2.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [blob value not present on page] | C:\Users\Admin\AppData\Local\1f68550d-3640-4c88-9687-be3fc029f82d\build2.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a | C:\Users\Admin\AppData\Local\1f68550d-3640-4c88-9687-be3fc029f82d\build2.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5a34ca5e10a7a7d16004ac527df6de33aae7029574ac58d27fc4070070060989.exe
"C:\Users\Admin\AppData\Local\Temp\5a34ca5e10a7a7d16004ac527df6de33aae7029574ac58d27fc4070070060989.exe"
C:\Users\Admin\AppData\Local\Temp\5a34ca5e10a7a7d16004ac527df6de33aae7029574ac58d27fc4070070060989.exe
"C:\Users\Admin\AppData\Local\Temp\5a34ca5e10a7a7d16004ac527df6de33aae7029574ac58d27fc4070070060989.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\edc48970-8386-4c1f-8bd6-86a23fcc9bfd" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\5a34ca5e10a7a7d16004ac527df6de33aae7029574ac58d27fc4070070060989.exe
"C:\Users\Admin\AppData\Local\Temp\5a34ca5e10a7a7d16004ac527df6de33aae7029574ac58d27fc4070070060989.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\5a34ca5e10a7a7d16004ac527df6de33aae7029574ac58d27fc4070070060989.exe
"C:\Users\Admin\AppData\Local\Temp\5a34ca5e10a7a7d16004ac527df6de33aae7029574ac58d27fc4070070060989.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\1f68550d-3640-4c88-9687-be3fc029f82d\build2.exe
"C:\Users\Admin\AppData\Local\1f68550d-3640-4c88-9687-be3fc029f82d\build2.exe"
C:\Users\Admin\AppData\Local\1f68550d-3640-4c88-9687-be3fc029f82d\build2.exe
"C:\Users\Admin\AppData\Local\1f68550d-3640-4c88-9687-be3fc029f82d\build2.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 1456
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | brusuax.com | udp |
| US | 8.8.8.8:53 | zexeq.com | udp |
| KR | 211.168.53.110:80 | zexeq.com | tcp |
| SA | 5.163.230.46:80 | brusuax.com | tcp |
| KR | 211.168.53.110:80 | zexeq.com | tcp |
| KR | 211.168.53.110:80 | zexeq.com | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 104.103.202.103:443 | steamcommunity.com | tcp |
| FI | 65.109.241.139:443 | 65.109.241.139 | tcp |
| FI | 65.109.241.139:443 | 65.109.241.139 | tcp |
| FI | 65.109.241.139:443 | 65.109.241.139 | tcp |
| FI | 65.109.241.139:443 | 65.109.241.139 | tcp |
| KR | 211.168.53.110:80 | zexeq.com | tcp |
| KR | 211.168.53.110:80 | zexeq.com | tcp |
Files
memory/2424-0-0x0000000000580000-0x0000000000612000-memory.dmp
memory/2128-2-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2424-1-0x0000000000580000-0x0000000000612000-memory.dmp
memory/2424-4-0x0000000001E00000-0x0000000001F1B000-memory.dmp
memory/2128-5-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2424-7-0x0000000000580000-0x0000000000612000-memory.dmp
memory/2128-8-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2128-9-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\edc48970-8386-4c1f-8bd6-86a23fcc9bfd\5a34ca5e10a7a7d16004ac527df6de33aae7029574ac58d27fc4070070060989.exe
| MD5 | 72fd6329b754dd39cfec917c900abb53 |
| SHA1 | fa5e56d102dacecf25547c850e3624b41a85c62b |
| SHA256 | 5a34ca5e10a7a7d16004ac527df6de33aae7029574ac58d27fc4070070060989 |
| SHA512 | 0c3bd337190662d25af61cce7c5f2fd86c72ec7e0d73e9c2a4fc9ff816f0e5d331b881d9548086db9496ff98755791e23a5346e5d5888a8e08b7203e2a62ea55 |
memory/2128-27-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2916-28-0x0000000000220000-0x00000000002B2000-memory.dmp
memory/2916-30-0x0000000000220000-0x00000000002B2000-memory.dmp
memory/2700-35-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2700-36-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 59fc789bb238cbc7ea9a1fa558aa2135 |
| SHA1 | 214c76eed4e7e41f383922e67bd82913a8b0886f |
| SHA256 | 290f8d4d48dea4fc69dd120d151ef84840bfdc234431580223c8218a8eee7aa9 |
| SHA512 | 42e8980b2a0ac693838c685f67d3f142049d58c93ab38e5206190a6f9d8e828688061b1432b07556d2b63f6bc2dc8a8714fd8dfb14dcac170d17b23b10c68ddc |
C:\Users\Admin\AppData\Local\Temp\Cab5F7E.tmp
| MD5 | 73f101cb474d2101e5ef76e684e3bace |
| SHA1 | 8d7a75e1d3addd0b2b4b394f25c4f59890bde628 |
| SHA256 | 0dfa3f44ecad5dd8e55961e9e87f8fdc4227ead46ad0f318ca52190419b49013 |
| SHA512 | 3a69cfda58907fa7044677dfc2ad77d6bc7377ec93b21651e6bf0367de11bffd1a94111f5b17d6fde3dd3c13999753d389f5300d32f25be6f658a5995b67a95a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 8202a1cd02e7d69597995cabbe881a12 |
| SHA1 | 8858d9d934b7aa9330ee73de6c476acf19929ff6 |
| SHA256 | 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5 |
| SHA512 | 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | bb1201b2ff981b3808cd3522c73d47c4 |
| SHA1 | a945e830bbddcbcc16d06e47cc841cff58836d3b |
| SHA256 | 8e54d8a5f3e75478548fbed8bd4a9eb68a56821f0c468699b2ef16e10327559e |
| SHA512 | 57cdcafe515066e182fee915bfc9ad0365595b8d5ab3040c8227a7bb552487d196200514bb0e2b29179a44ffa7a9c1f9b55ec30dc606d049cd7985244a854ce2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | b7470a9aa569b259d4c2bb3b80ae3aa3 |
| SHA1 | 093290296b7f1e402ef96e4b33a88f064aa401eb |
| SHA256 | ee8aeed77dd9f1631fa75845214d75bfe04951a61892410ee369035e13fd14c6 |
| SHA512 | 4da3fc09260692f159c37b068664852931b712c8173de5e4b294799ac33ecf179055aaeb016fd0afad88cbfc50a571c4c88033dca56a573431af7462ea7979be |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | b4d3c11015eb23850394f9e41a509fd9 |
| SHA1 | 090d8f05edfe72f0af93678d8c5cccf9c1def122 |
| SHA256 | 8fa61e82fbf5fb7825776f35265a65ed071c646f7f49e793f1eaf1130f0c0205 |
| SHA512 | a837f4dc1bdbfb12ed73b0d2ae7c27c203f20c812599e4b65ad00df2b5baa31e44aca869d55988b1d8fee2d12d2966a3f82eac38447045bf52599bf4a6a312c7 |
memory/2700-49-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2700-50-0x0000000000400000-0x0000000000537000-memory.dmp
\Users\Admin\AppData\Local\1f68550d-3640-4c88-9687-be3fc029f82d\build2.exe
| MD5 | c4070da9f9b0581171af16e681ccdff8 |
| SHA1 | 3fb4182921fdc3acd7873ebe113ac5522585312a |
| SHA256 | 26063c78e5418610471a9f3a00a155d7d1e5b29856e1979ba3bdc42681a871d0 |
| SHA512 | c7569cea7f1a841e7cac9cd41287dba3bcacf2cf9dee7bece88800848a7ad5dc4cd2bdc896c7389f0f1144079bbe168048b3f722bcd76fa5d6e14f3081bb6427 |
memory/796-66-0x00000000001C0000-0x000000000020B000-memory.dmp
memory/796-65-0x0000000000300000-0x0000000000400000-memory.dmp
memory/1112-64-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1112-68-0x0000000000400000-0x000000000065E000-memory.dmp
memory/2700-71-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1112-73-0x0000000000400000-0x000000000065E000-memory.dmp
memory/1112-72-0x0000000000400000-0x000000000065E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Tar874A.tmp
| MD5 | 58a5a4c467264ca380e8af576aea5fc6 |
| SHA1 | b088408b194566e5374f07b6a1def6367248734c |
| SHA256 | a2c25ad847e0839251881e10d61b39a3d6ec151ed82951b121bb77ecb065c021 |
| SHA512 | 4c4d32117aa43c852d204de4897881dff6589595e73be4b03c332d4d08bf41fae99b3c7f7c4f87f3d078ae1d44486bb009f6d20be763fbd76c399d68595a1ccf |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b2961270991fb0e5ec63c69726007c84 |
| SHA1 | 70a97ecec3e431738f9825cd62d3cef45d752f7c |
| SHA256 | dcc92e02cef83ad45ded312a190b4241861107bf8b52ab8c2bff8b9207f3bcec |
| SHA512 | f83c8a6ae486ecf9ec6a00e2f1fc5a709eafbb73a72e015f7e0e474c3c83b7dbafc4f79cf9d38e5ee7580be7fe1e2ef4c64e2e2944661d1159a343a03f9ceb5e |
memory/1112-193-0x0000000000400000-0x000000000065E000-memory.dmp
memory/2700-197-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2700-200-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2700-199-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2700-201-0x0000000000400000-0x0000000000537000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-15 04:51
Reported
2024-01-15 04:57
Platform
win10-20231215-en
Max time kernel
298s
Max time network
298s
Command Line
Signatures
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Vidar
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\e0d07755-3ba1-4fb8-9a23-b7ae607427d2\build2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\e0d07755-3ba1-4fb8-9a23-b7ae607427d2\build2.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1968775928-2924269989-3510977013-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\dc68dece-be16-4b9f-a710-d0fd190858cb\\5a34ca5e10a7a7d16004ac527df6de33aae7029574ac58d27fc4070070060989.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\5a34ca5e10a7a7d16004ac527df6de33aae7029574ac58d27fc4070070060989.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3380 set thread context of 3876 | N/A | C:\Users\Admin\AppData\Local\Temp\5a34ca5e10a7a7d16004ac527df6de33aae7029574ac58d27fc4070070060989.exe | C:\Users\Admin\AppData\Local\Temp\5a34ca5e10a7a7d16004ac527df6de33aae7029574ac58d27fc4070070060989.exe |
| PID 364 set thread context of 4896 | N/A | C:\Users\Admin\AppData\Local\Temp\5a34ca5e10a7a7d16004ac527df6de33aae7029574ac58d27fc4070070060989.exe | C:\Users\Admin\AppData\Local\Temp\5a34ca5e10a7a7d16004ac527df6de33aae7029574ac58d27fc4070070060989.exe |
| PID 772 set thread context of 1480 | N/A | C:\Users\Admin\AppData\Local\e0d07755-3ba1-4fb8-9a23-b7ae607427d2\build2.exe | C:\Users\Admin\AppData\Local\e0d07755-3ba1-4fb8-9a23-b7ae607427d2\build2.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\e0d07755-3ba1-4fb8-9a23-b7ae607427d2\build2.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5a34ca5e10a7a7d16004ac527df6de33aae7029574ac58d27fc4070070060989.exe
"C:\Users\Admin\AppData\Local\Temp\5a34ca5e10a7a7d16004ac527df6de33aae7029574ac58d27fc4070070060989.exe"
C:\Users\Admin\AppData\Local\Temp\5a34ca5e10a7a7d16004ac527df6de33aae7029574ac58d27fc4070070060989.exe
"C:\Users\Admin\AppData\Local\Temp\5a34ca5e10a7a7d16004ac527df6de33aae7029574ac58d27fc4070070060989.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\dc68dece-be16-4b9f-a710-d0fd190858cb" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\5a34ca5e10a7a7d16004ac527df6de33aae7029574ac58d27fc4070070060989.exe
"C:\Users\Admin\AppData\Local\Temp\5a34ca5e10a7a7d16004ac527df6de33aae7029574ac58d27fc4070070060989.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\5a34ca5e10a7a7d16004ac527df6de33aae7029574ac58d27fc4070070060989.exe
"C:\Users\Admin\AppData\Local\Temp\5a34ca5e10a7a7d16004ac527df6de33aae7029574ac58d27fc4070070060989.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\e0d07755-3ba1-4fb8-9a23-b7ae607427d2\build2.exe
"C:\Users\Admin\AppData\Local\e0d07755-3ba1-4fb8-9a23-b7ae607427d2\build2.exe"
C:\Users\Admin\AppData\Local\e0d07755-3ba1-4fb8-9a23-b7ae607427d2\build2.exe
"C:\Users\Admin\AppData\Local\e0d07755-3ba1-4fb8-9a23-b7ae607427d2\build2.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 1896
Network
| Country | Destination | Domain | Proto |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.65.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 94.193.125.74.in-addr.arpa | udp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | brusuax.com | udp |
| AR | 186.13.17.220:80 | brusuax.com | tcp |
| US | 8.8.8.8:53 | zexeq.com | udp |
| BG | 95.158.162.200:80 | zexeq.com | tcp |
| US | 8.8.8.8:53 | 220.17.13.186.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.162.158.95.in-addr.arpa | udp |
| BG | 95.158.162.200:80 | zexeq.com | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| DE | 116.202.0.196:10220 | 116.202.0.196 | tcp |
| BG | 95.158.162.200:80 | zexeq.com | tcp |
| DE | 116.202.0.196:10220 | 116.202.0.196 | tcp |
| US | 8.8.8.8:53 | 99.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.0.202.116.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| DE | 116.202.0.196:10220 | 116.202.0.196 | tcp |
| DE | 116.202.0.196:10220 | 116.202.0.196 | tcp |
| US | 20.231.121.79:80 | | tcp |
| BG | 95.158.162.200:80 | zexeq.com | tcp |
| US | 8.8.8.8:53 | 96.134.221.88.in-addr.arpa | udp |
| BG | 95.158.162.200:80 | zexeq.com | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.116.69.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp |
Files
memory/3380-1-0x0000000000A60000-0x0000000000AF6000-memory.dmp
memory/3380-2-0x00000000022A0000-0x00000000023BB000-memory.dmp
memory/3876-3-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3876-4-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3876-5-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3876-6-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\dc68dece-be16-4b9f-a710-d0fd190858cb\5a34ca5e10a7a7d16004ac527df6de33aae7029574ac58d27fc4070070060989.exe
| MD5 | 72fd6329b754dd39cfec917c900abb53 |
| SHA1 | fa5e56d102dacecf25547c850e3624b41a85c62b |
| SHA256 | 5a34ca5e10a7a7d16004ac527df6de33aae7029574ac58d27fc4070070060989 |
| SHA512 | 0c3bd337190662d25af61cce7c5f2fd86c72ec7e0d73e9c2a4fc9ff816f0e5d331b881d9548086db9496ff98755791e23a5346e5d5888a8e08b7203e2a62ea55 |
memory/3876-17-0x0000000000400000-0x0000000000537000-memory.dmp
memory/364-21-0x0000000000870000-0x0000000000910000-memory.dmp
memory/4896-22-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4896-23-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4896-24-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 8202a1cd02e7d69597995cabbe881a12 |
| SHA1 | 8858d9d934b7aa9330ee73de6c476acf19929ff6 |
| SHA256 | 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5 |
| SHA512 | 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 11581ed9bf85b0762bf9b961896437dc |
| SHA1 | 3e3abd053edb2ec712e42a12e7611fbc0c918c94 |
| SHA256 | 8ee0f48aa91271b864f9820021b729f0032be7423d0a1f369f02d20b0db954ca |
| SHA512 | 65cf11c761fd7ae7040242ceab43c3576f9021f203c1bd0be260ffcc73ed09ee5e8898ab9158d2743e38c08e52fc972dd4157af4c323a6677e3a37d207da7198 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | b7470a9aa569b259d4c2bb3b80ae3aa3 |
| SHA1 | 093290296b7f1e402ef96e4b33a88f064aa401eb |
| SHA256 | ee8aeed77dd9f1631fa75845214d75bfe04951a61892410ee369035e13fd14c6 |
| SHA512 | 4da3fc09260692f159c37b068664852931b712c8173de5e4b294799ac33ecf179055aaeb016fd0afad88cbfc50a571c4c88033dca56a573431af7462ea7979be |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 8269da8ab4a44aa7076d53a87a3e6d7b |
| SHA1 | d23ea909b27994ffc29d2760c14fdcf54bf33b9c |
| SHA256 | c9eef76da9cd8e392e3e755c866a12fb3c3d47b0cd167ce9f6ddc3a66702f90d |
| SHA512 | 65d76174905cc9f321cc81b083f407fbb4af9d66ac691a6ae0a466f016735c616f295347a033a4c7ff7a5a93d2235a430603dd0eb8615c318d123fce5972c49f |
memory/4896-29-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4896-30-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\e0d07755-3ba1-4fb8-9a23-b7ae607427d2\build2.exe
| MD5 | c4070da9f9b0581171af16e681ccdff8 |
| SHA1 | 3fb4182921fdc3acd7873ebe113ac5522585312a |
| SHA256 | 26063c78e5418610471a9f3a00a155d7d1e5b29856e1979ba3bdc42681a871d0 |
| SHA512 | c7569cea7f1a841e7cac9cd41287dba3bcacf2cf9dee7bece88800848a7ad5dc4cd2bdc896c7389f0f1144079bbe168048b3f722bcd76fa5d6e14f3081bb6427 |
memory/4896-38-0x0000000000400000-0x0000000000537000-memory.dmp
memory/772-40-0x00000000005D0000-0x00000000006D0000-memory.dmp
memory/772-41-0x0000000000810000-0x000000000085B000-memory.dmp
memory/1480-42-0x0000000000400000-0x000000000065E000-memory.dmp
memory/1480-45-0x0000000000400000-0x000000000065E000-memory.dmp
memory/1480-46-0x0000000000400000-0x000000000065E000-memory.dmp
memory/1480-51-0x0000000000400000-0x000000000065E000-memory.dmp
memory/4896-53-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4896-55-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4896-56-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4896-58-0x0000000000400000-0x0000000000537000-memory.dmp