Analysis

  • max time kernel
    298s
  • max time network
    131s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    15/01/2024, 04:56

General

  • Target

    b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe

  • Size

    811KB

  • MD5

    9244e8dafdb3baa6ebbf1eed741fc1bb

  • SHA1

    ad7620174b2d4ac4461f1d8623e632e4b63fa867

  • SHA256

    b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877

  • SHA512

    c5e79d0f52bf4cf374f86325d4be819573e9cbad4afe57d164c83ce2806095c76b81a7f34dbfe71a64b29563c289a4b872a61459fbc7d9da16308eb0798a10b8

  • SSDEEP

    12288:QpoaBPg7lN6/RFLeoA03fdZh+UwvL1hd4JMuUzgAl8F5bLlt89SOUx5ruaBsi:OgR4XCXcsphd4JMh8vdt896xAaBs

Malware Config

Extracted

Family

djvu

C2

http://zexeq.com/test1/get.php

Attributes
  • extension

    .cdwe

  • offline_id

    dSwr1XNNi5cIitB5eDPbMANcusB1dWGDB8ToUnt1

  • payload_url

    http://brusuax.com/dl/build2.exe

    http://zexeq.com/files/1/build3.exe

  • ransomnote

    ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-e21iz7dS58 Price of private key and decrypt software is $1999. Discount 50% available if you contact us first 72 hours, that's price for you is $999. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0842ASdw

rsa_pubkey.plain

Signatures

  • Detect Vidar Stealer 5 IoCs
  • Detected Djvu ransomware 15 IoCs
  • Djvu Ransomware

    Ransomware which is a variant of the STOP family.

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 6 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Modifies system certificate store 2 TTPs 8 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 49 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe
    "C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2816
    • C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe
      "C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe"
      2⤵
      • Adds Run key to start application
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2824
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Users\Admin\AppData\Local\1a841c40-07de-44a9-bedd-c24a30328690" /deny *S-1-1-0:(OI)(CI)(DE,DC)
        3⤵
        • Modifies file permissions
        PID:948
      • C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe
        "C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe" --Admin IsNotAutoStart IsNotTask
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2580
        • C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe
          "C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe" --Admin IsNotAutoStart IsNotTask
          4⤵
          • Loads dropped DLL
          • Modifies system certificate store
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2784
          • C:\Users\Admin\AppData\Local\82a50f60-3da1-4701-8546-ab7c7abc9cb1\build2.exe
            "C:\Users\Admin\AppData\Local\82a50f60-3da1-4701-8546-ab7c7abc9cb1\build2.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:2900
  • C:\Users\Admin\AppData\Local\82a50f60-3da1-4701-8546-ab7c7abc9cb1\build2.exe
    "C:\Users\Admin\AppData\Local\82a50f60-3da1-4701-8546-ab7c7abc9cb1\build2.exe"
    1⤵
    • Executes dropped EXE
    • Modifies system certificate store
    • Suspicious use of WriteProcessMemory
    PID:1228
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1228 -s 1452
      2⤵
      • Loads dropped DLL
      • Program crash
      PID:1692

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

          Filesize

          1KB

          MD5

          b7470a9aa569b259d4c2bb3b80ae3aa3

          SHA1

          093290296b7f1e402ef96e4b33a88f064aa401eb

          SHA256

          ee8aeed77dd9f1631fa75845214d75bfe04951a61892410ee369035e13fd14c6

          SHA512

          4da3fc09260692f159c37b068664852931b712c8173de5e4b294799ac33ecf179055aaeb016fd0afad88cbfc50a571c4c88033dca56a573431af7462ea7979be

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

          Filesize

          65KB

          MD5

          ac05d27423a85adc1622c714f2cb6184

          SHA1

          b0fe2b1abddb97837ea0195be70ab2ff14d43198

          SHA256

          c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

          SHA512

          6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

          Filesize

          724B

          MD5

          8202a1cd02e7d69597995cabbe881a12

          SHA1

          8858d9d934b7aa9330ee73de6c476acf19929ff6

          SHA256

          58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

          SHA512

          97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

          Filesize

          1KB

          MD5

          a266bb7dcc38a562631361bbf61dd11b

          SHA1

          3b1efd3a66ea28b16697394703a72ca340a05bd5

          SHA256

          df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

          SHA512

          0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

          Filesize

          410B

          MD5

          e77f2bc5804e7a1f744af1ea7070972c

          SHA1

          8db94531344956166c152163a4ea9e123f000bd6

          SHA256

          ccff609e350153d27c0829ba54828127468f691c028a9564b2451b1d70e24bd3

          SHA512

          e674994e071334c90ef3a090617c0bd9dc870dfcc290bb411b86f1ed0932d652a2d44e187f564ed12ad0b83a60803689bf5b0b4345bb1ae5857bbaf9f92f0932

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          344B

          MD5

          92e4249ba13ad7679cf0c11cd7c66078

          SHA1

          413b21cbf7202a6516e6f9a17a61bc01efe50555

          SHA256

          da46df30188966e39ed3ae59ed076a7b2261b08c3aabbb746c07e5d7905682fc

          SHA512

          549291f29be8a82754aca3c6cdf31373dace732bb6e6a167c8898dba9de74394524189897a1d59f6e28dbeac359ee2ba6d68e8b7e367d5abb2bb6dee9e0c9252

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          344B

          MD5

          bce41f16984f847251021417704a2a23

          SHA1

          1a43c25460ffb2d499bc1a2c3067b0561723d99e

          SHA256

          be9a0c9d3d81e6509b0f2836fde92a2c4ab223f620f520699b6b946f82645862

          SHA512

          3dab28bcf0c7b5c407a903615daee4c5f475acd95ac72dd431f70a93895e01a40ff5d44df70976977c2ded372ce50a4f6c1ca5d42cb2230043004e1e61888fed

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

          Filesize

          392B

          MD5

          ab037d9b7fa676510d4ec3481ac70766

          SHA1

          243ab545a96b308741ede24dd1e5daa6e2f08d10

          SHA256

          814f863b6a48b2a36db29d170d321ba6394d8d68643a02351252cb6e2a065329

          SHA512

          2b61ca9ca654f3b963596bc23f14331a3b7c9acf562a2b7e556fa8203e12bb978ea001789f475c0d81c8a2f7127f2421acb2d3a2ebdfdc9d5b73aeb87bf516e9

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

          Filesize

          242B

          MD5

          47268c3ffbac0c61e214b091fb6facbb

          SHA1

          43861b5bec5145814d57f1513cff7ce5d11d8e74

          SHA256

          d0525e9c72697dcd3b910ff5288580ac0da483bb5d1a975301c9d5126b13754c

          SHA512

          aed989aaf634be8175995fb051b207fb54782fb3a3cebcc0fdb874e8974c8260ebed8d9a4e6d648533957000b8ed29a9db80627f32185abf0646e1fc6ade0084

        • C:\Users\Admin\AppData\Local\1a841c40-07de-44a9-bedd-c24a30328690\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe

          Filesize

          379KB

          MD5

          5d797e409679eea82284f632621d381e

          SHA1

          1a39daedecd2bc86f82be93f5472bf854ea42c55

          SHA256

          0bbcc37eae9bee724392d7bcf4dcc6da1af88842c7e2d330cf2a24797f90ed59

          SHA512

          82630668581a377bba07014a250c4a8c89658d84e1993628c86f2e3cc7614a16e58e61b3e7e09a92ac4e0bb5f8397e8649997c4e9087554308a65dda5bfac156

        • C:\Users\Admin\AppData\Local\82a50f60-3da1-4701-8546-ab7c7abc9cb1\build2.exe

          Filesize

          104KB

          MD5

          37a2311acfd0a649382f8acb44b5f84c

          SHA1

          46c9b9c005a9e44176de57d53917246cec478cd6

          SHA256

          41c8bba3ff6970ce4cac4599a2ab4854c65bd235346bc4a461e69d72d8481c17

          SHA512

          c3ac8ff1574d456b855201b5ad56e27dcd2a057a56a0b15d433c573c82428feb5f5c4b4cd5f27b719aafa3cf08025658b0b26214ae94c3e6b4571d90780a9066

        • C:\Users\Admin\AppData\Local\82a50f60-3da1-4701-8546-ab7c7abc9cb1\build2.exe

          Filesize

          130KB

          MD5

          d3f0da32be16048d8e09c4de1138cb96

          SHA1

          57d11a8fbcb85c697acbe220797a886abdee513b

          SHA256

          908968f164e9bd7b8f2956a0f82d520742a1aa8367418df1f0998a17fb7f7ac0

          SHA512

          9ddc2266923ef76d91a7c97760b11a30ad524e19d737eb2b194aed02791c93a687302fcf0e3dbb3184d27df1195066e96ac2f7b68a9067a1cb6581555c82d64c

        • C:\Users\Admin\AppData\Local\82a50f60-3da1-4701-8546-ab7c7abc9cb1\build2.exe

          Filesize

          124KB

          MD5

          3f4032a03dd330e5610b37669ef7fb33

          SHA1

          626c785d2074043274d45a5c178a47f09f5d0a6a

          SHA256

          a7de3256cb8b91d6dc4f3cdc4edaf072b73253448dd4c4e902006e59cc272875

          SHA512

          66a3c62d45f36814b2813e626bd8589ba2b4c59e7bf533e5806dcabb5aaae30508b47b5cd0499d0d24134868f7102cc343cda4c04d7ea73154ac767bf41c513d

        • C:\Users\Admin\AppData\Local\82a50f60-3da1-4701-8546-ab7c7abc9cb1\build2.exe

          Filesize

          112KB

          MD5

          2fa91df5f2e1f224f09febef7b0a4933

          SHA1

          c17ea646c85f20cc525b3f150deefd8b8826a244

          SHA256

          51b2f2a87b218ce2141707428cfe6dfa65fd5595c1162001a912e1124910e36a

          SHA512

          ee5e2429987405b1939bcb9031e562abb2a99678c883ae62455a7c5be6f381ea8c0c92ea2e69b03bbf34a4b6eacd66ff5b6f290f687fa97974e918b1e0baf1d9

        • C:\Users\Admin\AppData\Local\Temp\Tar44CE.tmp

          Filesize

          67KB

          MD5

          f5c6e61c91a7b253dbe6462e615ca9dd

          SHA1

          590d200344662206b57813537f2827896a73ac97

          SHA256

          d4a26b899102dc12f1d13af2113635fdbed10f37f2a6cc7b45f9589b3062f8eb

          SHA512

          0ebd863c46e6ce48ad67da98aeb599be5122e867e558c458cc41d9471da43ee7f5067a21ebc0cd387b121c14b6f3dc9e9169405c36d71f64f210d3d2a062f950

        • \Users\Admin\AppData\Local\82a50f60-3da1-4701-8546-ab7c7abc9cb1\build2.exe

          Filesize

          263KB

          MD5

          0b35986e46e2d0938eb91431983b8dc6

          SHA1

          e4ee9a3e8bca24ac1be81391a592e8f685ea02a3

          SHA256

          4cd49614ab78719ccee3ed7dceff9c50c2da010042eba2eb32e0bb90fbdbffa5

          SHA512

          62313eadfe92dbe8e3065095001c0221c25b2044a47c151d072827e8953becf5f52deaa5274de007ef52f50082b9c6f3c2d34cab9536d4e9f5299f8bdd996d1d

        • \Users\Admin\AppData\Local\82a50f60-3da1-4701-8546-ab7c7abc9cb1\build2.exe

          Filesize

          357KB

          MD5

          dd13edb641027266050a817a341413f4

          SHA1

          9d78717d8c0e36528b47c2b19b400c0e4067911d

          SHA256

          9fb21e9bb6e3ae9abbf20c43f2bef9f9efd5cd5c128afeef26a1c9cfec98eb17

          SHA512

          61283697c5541eda9333ab601c818388eb06e7e81d967804915365cb9cc79f95f46c4179ff71daabf414bee8cd15f967739bcd1245a7fcc9a7403f2fa3821a6c

        • \Users\Admin\AppData\Local\82a50f60-3da1-4701-8546-ab7c7abc9cb1\build2.exe

          Filesize

          118KB

          MD5

          bcfbed5369d194284bffd441c44ed1d0

          SHA1

          9cb909598415a906bde667a2d2c2bb334779d665

          SHA256

          df3496dd84f96610eed78cd3a17628e085e7af78fe90d250c62f945bdb1ffa10

          SHA512

          52ada2a37a1ae5574aca28db52266378fc5c0bfc99bdce63057c08d751333a021782a6f053b67bfb9dca5cb704ea6b29b0c518c7c38c13ee8b0179b5f4715b3e

        • \Users\Admin\AppData\Local\82a50f60-3da1-4701-8546-ab7c7abc9cb1\build2.exe

          Filesize

          263KB

          MD5

          fb43147c03f7a6d085e138f2b3708418

          SHA1

          f41d6c594fa581a60650d119e5089313b2ca9f00

          SHA256

          143c91d11dc5d687cde50f8eccbd4b7d90a57bea361323ba6273b6c596073c0d

          SHA512

          ddba7812c9dde9342d243930ff31fceba7fcc6d037f3f53c37242cf70533b354da329f6d20a53c03a563af70ff00d455c0db6948b36b718375a1e05a720cc5c7

        • \Users\Admin\AppData\Local\82a50f60-3da1-4701-8546-ab7c7abc9cb1\build2.exe

          Filesize

          137KB

          MD5

          0588890c13a01b0e8a72d02a0286f47c

          SHA1

          4b8ce85288e926bbdbe02cf37001bef00c8b11a5

          SHA256

          784cf1489e65f620fb7c29741c6386da729d9021a34701761e72bb89dc82919f

          SHA512

          ef9589a3bdd50d0267954e4195008f842dbfe8fa365f83649fcd2cd47bfedad6cc339dde2943347abd576e3f53c3cdd4c3535d556c654fa8581701fc83c017a9

        • \Users\Admin\AppData\Local\82a50f60-3da1-4701-8546-ab7c7abc9cb1\build2.exe

          Filesize

          273KB

          MD5

          05cfb5662a31f3bbd39b792435bdc8f6

          SHA1

          06eccfdf15f1bac9e18212b14a247c3eefd0aac0

          SHA256

          de1b6b2abbe4102cec8ec7dea380f0676cbab2d4975c2a8296ddb31fa62208ea

          SHA512

          70ed4a8ee0281490a1fea253b94924a63615bd6f336152fb9a80693f778894b3859cd8f452b44e3dd8761db0f5f479dfeb8d91959685839c9bf47fe312037f2e

        • memory/1228-92-0x0000000000400000-0x000000000065E000-memory.dmp

          Filesize

          2.4MB

        • memory/1228-219-0x0000000000400000-0x000000000065E000-memory.dmp

          Filesize

          2.4MB

        • memory/1228-93-0x0000000000400000-0x000000000065E000-memory.dmp

          Filesize

          2.4MB

        • memory/1228-85-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

          Filesize

          4KB

        • memory/1228-87-0x0000000000400000-0x000000000065E000-memory.dmp

          Filesize

          2.4MB

        • memory/2580-46-0x0000000000320000-0x00000000003B1000-memory.dmp

          Filesize

          580KB

        • memory/2580-51-0x0000000000320000-0x00000000003B1000-memory.dmp

          Filesize

          580KB

        • memory/2784-53-0x0000000000400000-0x0000000000537000-memory.dmp

          Filesize

          1.2MB

        • memory/2784-218-0x0000000000400000-0x0000000000537000-memory.dmp

          Filesize

          1.2MB

        • memory/2784-220-0x0000000000400000-0x0000000000537000-memory.dmp

          Filesize

          1.2MB

        • memory/2784-71-0x0000000000400000-0x0000000000537000-memory.dmp

          Filesize

          1.2MB

        • memory/2784-69-0x0000000000400000-0x0000000000537000-memory.dmp

          Filesize

          1.2MB

        • memory/2784-70-0x0000000000400000-0x0000000000537000-memory.dmp

          Filesize

          1.2MB

        • memory/2784-52-0x0000000000400000-0x0000000000537000-memory.dmp

          Filesize

          1.2MB

        • memory/2784-217-0x0000000000400000-0x0000000000537000-memory.dmp

          Filesize

          1.2MB

        • memory/2784-215-0x0000000000400000-0x0000000000537000-memory.dmp

          Filesize

          1.2MB

        • memory/2784-128-0x0000000000400000-0x0000000000537000-memory.dmp

          Filesize

          1.2MB

        • memory/2816-3-0x0000000002150000-0x000000000226B000-memory.dmp

          Filesize

          1.1MB

        • memory/2816-0-0x0000000000270000-0x0000000000301000-memory.dmp

          Filesize

          580KB

        • memory/2816-1-0x0000000000270000-0x0000000000301000-memory.dmp

          Filesize

          580KB

        • memory/2824-5-0x0000000000400000-0x0000000000537000-memory.dmp

          Filesize

          1.2MB

        • memory/2824-8-0x0000000000400000-0x0000000000537000-memory.dmp

          Filesize

          1.2MB

        • memory/2824-7-0x0000000000400000-0x0000000000537000-memory.dmp

          Filesize

          1.2MB

        • memory/2824-2-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

          Filesize

          4KB

        • memory/2824-44-0x0000000000400000-0x0000000000537000-memory.dmp

          Filesize

          1.2MB

        • memory/2900-91-0x0000000000230000-0x000000000027B000-memory.dmp

          Filesize

          300KB

        • memory/2900-89-0x0000000000520000-0x0000000000620000-memory.dmp

          Filesize

          1024KB

        • memory/2900-223-0x0000000000520000-0x0000000000620000-memory.dmp

          Filesize

          1024KB