Analysis

  • max time kernel
    295s
  • max time network
    156s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    15/01/2024, 04:57

General

  • Target

    c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe

  • Size

    810KB

  • MD5

    07afa7fb45fe53d165679586b77be770

  • SHA1

    a4065fbfaa0d0344983f5eaa760504845cdc8f87

  • SHA256

    c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6

  • SHA512

    a47911bd2fdbb476c9ca96a253f9737411f562185da9f064b6698994cefe9f34187e29ba3be315a2abfba7ef746aff2aaa8b1bda793b4c89c918b6665ef66440

  • SSDEEP

    12288:2xkismkgVjrrwdGmfO/SYQiU9By6FKhQseDMqfnu+qcspmi177gJzWF:wkgVaGwO/xXUPy6ohdeAqBqc7z

Malware Config

Extracted

Family

djvu

C2

http://zexeq.com/test1/get.php

Attributes
  • extension

    .cdwe

  • offline_id

    dSwr1XNNi5cIitB5eDPbMANcusB1dWGDB8ToUnt1

  • payload_url

    http://brusuax.com/dl/build2.exe

    http://zexeq.com/files/1/build3.exe

  • ransomnote

    ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-e21iz7dS58 Price of private key and decrypt software is $1999. Discount 50% available if you contact us first 72 hours, that's price for you is $999. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0842ASdw

rsa_pubkey.plain

Signatures

  • Detect Vidar Stealer 5 IoCs
  • Detected Djvu ransomware 14 IoCs
  • Djvu Ransomware

    Ransomware which is a variant of the STOP family.

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 6 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 49 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe
    "C:\Users\Admin\AppData\Local\Temp\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2552
    • C:\Users\Admin\AppData\Local\Temp\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe
      "C:\Users\Admin\AppData\Local\Temp\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1888
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Users\Admin\AppData\Local\c9694d6b-38b7-4597-9328-f327c57c0aa4" /deny *S-1-1-0:(OI)(CI)(DE,DC)
        3⤵
        • Modifies file permissions
        PID:2904
      • C:\Users\Admin\AppData\Local\Temp\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe
        "C:\Users\Admin\AppData\Local\Temp\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe" --Admin IsNotAutoStart IsNotTask
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2720
        • C:\Users\Admin\AppData\Local\Temp\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe
          "C:\Users\Admin\AppData\Local\Temp\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe" --Admin IsNotAutoStart IsNotTask
          4⤵
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1356
          • C:\Users\Admin\AppData\Local\0900a04d-6112-4fa1-869c-221d528b66f8\build2.exe
            "C:\Users\Admin\AppData\Local\0900a04d-6112-4fa1-869c-221d528b66f8\build2.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:2084
            • C:\Users\Admin\AppData\Local\0900a04d-6112-4fa1-869c-221d528b66f8\build2.exe
              "C:\Users\Admin\AppData\Local\0900a04d-6112-4fa1-869c-221d528b66f8\build2.exe"
              6⤵
              • Executes dropped EXE
              • Modifies system certificate store
              • Suspicious use of WriteProcessMemory
              PID:2112
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 1440
                7⤵
                • Loads dropped DLL
                • Program crash
                PID:2504

Network

MITRE ATT&CK Enterprise v15

Downloads
