Analysis

max time kernel: 298s
max time network: 305s
platform: windows10-1703_x64
resource: win10-20231215-en
resource tags: arch:x64, arch:x86, image:win10-20231215-en, locale:en-us, os:windows10-1703-x64, system
submitted: 15/01/2024, 04:56
Static task: static1

Behavioral task: behavioral1
  Sample: b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe
  Resource: win7-20231129-en

Behavioral task: behavioral2
  Sample: b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe
  Resource: win10-20231215-en
General

Target: b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe
Size: 811KB
MD5: 9244e8dafdb3baa6ebbf1eed741fc1bb
SHA1: ad7620174b2d4ac4461f1d8623e632e4b63fa867
SHA256: b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877
SHA512: c5e79d0f52bf4cf374f86325d4be819573e9cbad4afe57d164c83ce2806095c76b81a7f34dbfe71a64b29563c289a4b872a61459fbc7d9da16308eb0798a10b8
SSDEEP: 12288:QpoaBPg7lN6/RFLeoA03fdZh+UwvL1hd4JMuUzgAl8F5bLlt89SOUx5ruaBsi:OgR4XCXcsphd4JMh8vdt896xAaBs
Malware Config

Extracted: djvu
  http://zexeq.com/test1/get.php
  extension: .cdwe
  offline_id: dSwr1XNNi5cIitB5eDPbMANcusB1dWGDB8ToUnt1
  payload_url:
    http://brusuax.com/dl/build2.exe
    http://zexeq.com/files/1/build3.exe
  ransomnote: ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-e21iz7dS58 Price of private key and decrypt software is $1999. Discount 50% available if you contact us first 72 hours, that's price for you is $999. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0842ASdw
Signatures

Detect Vidar Stealer (5 IoCs)
Detected Djvu ransomware (17 IoCs)
Djvu Ransomware
Ransomware which is a variant of the STOP family.

Downloads MZ/PE file

Executes dropped EXE (2 IoCs)
  PID 4068  build2.exe
  PID 2440  build2.exe
Modifies file permissions (1 TTPs, 1 IoCs)
  PID 164  icacls.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
  Set value (str), by b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe:
  \REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\43d29600-5dd6-4448-aee8-79e285f7fb51\\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe\" --AutoStart"
Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flows 3, 4, 13: api.2ip.ua
Suspicious use of SetThreadContext (3 IoCs)
  PID 2780 set thread context of 3236  (b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe, procid_target 72)
  PID 4892 set thread context of 4128  (b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe, procid_target 76)
  PID 4068 set thread context of 2440  (build2.exe, procid_target 78)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoCs)
  PID 1668  WerFault.exe, pid_target 2440 (procid_target 78)
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  PID 3236  b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe
  PID 3236  b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe
  PID 4128  b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe
  PID 4128  b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe
Suspicious use of WriteProcessMemory (39 IoCs)
Processes

[1] PID 2780  C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

  [2] PID 3236  C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe"
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

    [3] PID 164  C:\Windows\SysWOW64\icacls.exe
        cmd: icacls "C:\Users\Admin\AppData\Local\43d29600-5dd6-4448-aee8-79e285f7fb51" /deny *S-1-1-0:(OI)(CI)(DE,DC)
        - Modifies file permissions

    [3] PID 4892  C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe
        cmd: "C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe" --Admin IsNotAutoStart IsNotTask
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory

      [4] PID 4128  C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe
          cmd: "C:\Users\Admin\AppData\Local\Temp\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe" --Admin IsNotAutoStart IsNotTask
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory

        [5] PID 4068  C:\Users\Admin\AppData\Local\33c1cbf3-5700-4b5b-bcf0-873245badf78\build2.exe
            cmd: "C:\Users\Admin\AppData\Local\33c1cbf3-5700-4b5b-bcf0-873245badf78\build2.exe"
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory

          [6] PID 2440  C:\Users\Admin\AppData\Local\33c1cbf3-5700-4b5b-bcf0-873245badf78\build2.exe
              cmd: "C:\Users\Admin\AppData\Local\33c1cbf3-5700-4b5b-bcf0-873245badf78\build2.exe"
              - Executes dropped EXE

            [7] PID 1668  C:\Windows\SysWOW64\WerFault.exe
                cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 1936
                - Program crash
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA  (1KB)
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464  (724B)
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA  (410B)
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464  (392B)
- [no path listed]  (205KB)
- [no path listed]  (303KB)
- [no path listed]  (257KB)
- C:\Users\Admin\AppData\Local\43d29600-5dd6-4448-aee8-79e285f7fb51\b4292ca36e9f6f183fe330d0efa1980fb616cd7bbf1b9684079030894a3a2877.exe  (1KB)