Analysis
max time kernel: 15s
max time network: 300s
platform: windows10-1703_x64
resource: win10-20231220-en
resource tags: arch:x64, arch:x86, image:win10-20231220-en, locale:en-us, os:windows10-1703-x64, system
submitted: 15/01/2024, 04:57
Static task: static1
Behavioral task: behavioral1
  Sample: c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe
  Resource: win10-20231220-en
General
Target: c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe
Size: 810KB
MD5: 07afa7fb45fe53d165679586b77be770
SHA1: a4065fbfaa0d0344983f5eaa760504845cdc8f87
SHA256: c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6
SHA512: a47911bd2fdbb476c9ca96a253f9737411f562185da9f064b6698994cefe9f34187e29ba3be315a2abfba7ef746aff2aaa8b1bda793b4c89c918b6665ef66440
SSDEEP: 12288:2xkismkgVjrrwdGmfO/SYQiU9By6FKhQseDMqfnu+qcspmi177gJzWF:wkgVaGwO/xXUPy6ohdeAqBqc7z
Malware Config
Extracted: djvu
  http://zexeq.com/test1/get.php
extension: .cdwe
offline_id: dSwr1XNNi5cIitB5eDPbMANcusB1dWGDB8ToUnt1
payload_url: http://brusuax.com/dl/build2.exe
payload_url: http://zexeq.com/files/1/build3.exe
ransomnote:
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-e21iz7dS58 Price of private key and decrypt software is $1999. Discount 50% available if you contact us first 72 hours, that's price for you is $999. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0842ASdw
Signatures
Detect Vidar Stealer (5 IoCs)
  resource | yara_rule
  behavioral2/memory/96-43-0x00000000007F0000-0x000000000083B000-memory.dmp | family_vidar_v6
  behavioral2/memory/3748-45-0x0000000000400000-0x000000000065E000-memory.dmp | family_vidar_v6
  behavioral2/memory/3748-44-0x0000000000400000-0x000000000065E000-memory.dmp | family_vidar_v6
  behavioral2/memory/3748-39-0x0000000000400000-0x000000000065E000-memory.dmp | family_vidar_v6
  behavioral2/memory/3748-52-0x0000000000400000-0x000000000065E000-memory.dmp | family_vidar_v6
Detected Djvu ransomware (17 IoCs)
  resource | yara_rule
  behavioral2/memory/1600-6-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
  behavioral2/memory/4552-4-0x00000000026E0000-0x00000000027FB000-memory.dmp | family_djvu
  behavioral2/memory/1600-5-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
  behavioral2/memory/1600-2-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
  behavioral2/memory/1600-1-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
  behavioral2/memory/1600-17-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
  behavioral2/memory/3132-24-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
  behavioral2/memory/3132-23-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
  behavioral2/memory/3132-22-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
  behavioral2/memory/3132-30-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
  behavioral2/memory/3132-29-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
  behavioral2/memory/3132-46-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
  behavioral2/memory/4552-47-0x00000000026E0000-0x00000000027FB000-memory.dmp | family_djvu
  behavioral2/memory/3132-57-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
  behavioral2/memory/3132-56-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
  behavioral2/memory/3132-54-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
  behavioral2/memory/3132-59-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
Djvu Ransomware
Ransomware which is a variant of the STOP family.
Downloads MZ/PE file
Modifies file permissions (1 TTPs, 1 IoCs)
  pid | Process
  4672 | icacls.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1775739321-368907234-981748298-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\416d2e1d-2dd6-4f3a-b064-310d6b5ad152\\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe\" --AutoStart" | c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe
Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  3 | api.2ip.ua
  4 | api.2ip.ua
  12 | api.2ip.ua
Suspicious use of SetThreadContext (2 IoCs)
  description | pid | Process | procid_target
  PID 4552 set thread context of 1600 | 4552 | c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe | 74
  PID 4580 set thread context of 3132 | 4580 | c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe | 78
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoCs)
  pid | pid_target | Process | procid_target
  3744 | 3748 | WerFault.exe | 79
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  1600 | c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe
  1600 | c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe
Suspicious use of WriteProcessMemory (26 IoCs)
  description | pid | Process | procid_target
  PID 4552 wrote to memory of 1600 | 4552 | c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe | 74
  PID 4552 wrote to memory of 1600 | 4552 | c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe | 74
  PID 4552 wrote to memory of 1600 | 4552 | c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe | 74
  PID 4552 wrote to memory of 1600 | 4552 | c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe | 74
  PID 4552 wrote to memory of 1600 | 4552 | c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe | 74
  PID 4552 wrote to memory of 1600 | 4552 | c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe | 74
  PID 4552 wrote to memory of 1600 | 4552 | c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe | 74
  PID 4552 wrote to memory of 1600 | 4552 | c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe | 74
  PID 4552 wrote to memory of 1600 | 4552 | c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe | 74
  PID 4552 wrote to memory of 1600 | 4552 | c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe | 74
  PID 1600 wrote to memory of 4672 | 1600 | c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe | 77
  PID 1600 wrote to memory of 4672 | 1600 | c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe | 77
  PID 1600 wrote to memory of 4672 | 1600 | c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe | 77
  PID 1600 wrote to memory of 4580 | 1600 | c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe | 75
  PID 1600 wrote to memory of 4580 | 1600 | c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe | 75
  PID 1600 wrote to memory of 4580 | 1600 | c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe | 75
  PID 4580 wrote to memory of 3132 | 4580 | c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe | 78
  PID 4580 wrote to memory of 3132 | 4580 | c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe | 78
  PID 4580 wrote to memory of 3132 | 4580 | c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe | 78
  PID 4580 wrote to memory of 3132 | 4580 | c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe | 78
  PID 4580 wrote to memory of 3132 | 4580 | c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe | 78
  PID 4580 wrote to memory of 3132 | 4580 | c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe | 78
  PID 4580 wrote to memory of 3132 | 4580 | c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe | 78
  PID 4580 wrote to memory of 3132 | 4580 | c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe | 78
  PID 4580 wrote to memory of 3132 | 4580 | c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe | 78
  PID 4580 wrote to memory of 3132 | 4580 | c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe | 78
Processes
C:\Users\Admin\AppData\Local\Temp\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe (PID 4552)
  command line: "C:\Users\Admin\AppData\Local\Temp\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe (PID 1600)
    command line: "C:\Users\Admin\AppData\Local\Temp\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe"
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe (PID 4580)
      command line: "C:\Users\Admin\AppData\Local\Temp\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe" --Admin IsNotAutoStart IsNotTask
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe (PID 3132)
        command line: "C:\Users\Admin\AppData\Local\Temp\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe" --Admin IsNotAutoStart IsNotTask
        C:\Users\Admin\AppData\Local\2c5f7717-a7ff-4232-861e-a2ccff4a23d9\build2.exe (PID 96)
          command line: "C:\Users\Admin\AppData\Local\2c5f7717-a7ff-4232-861e-a2ccff4a23d9\build2.exe"
    C:\Windows\SysWOW64\icacls.exe (PID 4672)
      command line: icacls "C:\Users\Admin\AppData\Local\416d2e1d-2dd6-4f3a-b064-310d6b5ad152" /deny *S-1-1-0:(OI)(CI)(DE,DC)
      - Modifies file permissions
C:\Users\Admin\AppData\Local\2c5f7717-a7ff-4232-861e-a2ccff4a23d9\build2.exe (PID 3748)
  command line: "C:\Users\Admin\AppData\Local\2c5f7717-a7ff-4232-861e-a2ccff4a23d9\build2.exe"
  C:\Windows\SysWOW64\WerFault.exe (PID 3744)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 2072
    - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
  Filesize: 1KB
  MD5: b7470a9aa569b259d4c2bb3b80ae3aa3
  SHA1: 093290296b7f1e402ef96e4b33a88f064aa401eb
  SHA256: ee8aeed77dd9f1631fa75845214d75bfe04951a61892410ee369035e13fd14c6
  SHA512: 4da3fc09260692f159c37b068664852931b712c8173de5e4b294799ac33ecf179055aaeb016fd0afad88cbfc50a571c4c88033dca56a573431af7462ea7979be
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
  Filesize: 724B
  MD5: 8202a1cd02e7d69597995cabbe881a12
  SHA1: 8858d9d934b7aa9330ee73de6c476acf19929ff6
  SHA256: 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
  SHA512: 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
  Filesize: 410B
  MD5: 44605ce8ca6de0ade71ba7cede3721a3
  SHA1: 3b6eb8dcb9754f67f491bf1824bba0ac166a2e00
  SHA256: 9fda12ec055361c8627ea1c395e56f0a1c565644b092246f7185f512e74deaa8
  SHA512: d1d340c613dd2f4c596afec129e5bbfc8969dd6a2a09f5bc6bc5ab97682c7beea1ff2f2294d4cd9da6aaa604e56158a448c1bbfcec29d276078cec303093df39
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
  Filesize: 392B
  MD5: 727949379799fb879b4c82c031241521
  SHA1: 360abc1f5fa0a70c31ebaeb3624a8b198a654455
  SHA256: 10f43335c548539b9b0bc6bf5be1b4b6f02aaf9b32e750164c19375a3b959868
  SHA512: 6d918e020b45f984ba219bc37ac93a157d5d3fd6c882a967980d4f0f89fbce5d33307d872296571582fd61c256bfa93f6c254a1e71c551062773efd0fa97d628
(unnamed entry)
  Filesize: 63KB
  MD5: 8f24045b0e4ba4a126d902d9ebe0dfe2
  SHA1: b4aa49d53b81a8b3a1f771d1b6c2bb9c0aa454c9
  SHA256: a8684e5117c2ed30f5cf10c3cd443f2ef68a8a186e35a819fb476a855f5c4737
  SHA512: 2b87a8d584a6a309c6bcc3f59320c86aca83d8c42831138750856f7aae0c92e81266af699e3c39133f95846a256d1e0032a7b5bb25465077293a12ae746d88b0
(unnamed entry)
  Filesize: 5KB
  MD5: ef97a1d33f5e22143e60ed22bb1251fa
  SHA1: c484a23ab9f0a7d1c28440901e880f3a461db4e6
  SHA256: 14e7bbac54197a297bc2820c9192dc7e6bfe04bf79a6546e2f5abd81a97d4ad3
  SHA512: cecbf2f17366920a2cd92c138b789f4be18f9c80d161f66ff2af37cc7de49c2764b7a4e8dd99abe593de93272c40bf9768f7f338b54ac4134817227473bf04a7
(unnamed entry)
  Filesize: 1KB
  MD5: fe01c85761f73499aad7b52653767efc
  SHA1: 994ce5a6898ccefbfe7d3cdd21e7b044b98a47ae
  SHA256: caf7e3d57333c9367bcbeee6fa78a6dbd5ea796f138c9b384a96940de47fdee2
  SHA512: 9af67eeffc27cd1e54740db15101caecfdc5067b78a17865a3bb9ef38e5ce4d8275ab15a3be81788477e05684a28366ffb7bac513af840893741c20813ccc90d
C:\Users\Admin\AppData\Local\416d2e1d-2dd6-4f3a-b064-310d6b5ad152\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe
  Filesize: 44KB
  MD5: 7ad2b9fe5d3b3c6b25b8adfce09a8547
  SHA1: 0d1891de86c3bd57d216cb993c76cc78c2cd16d0
  SHA256: cca8b742fdb16caf328bf0d64f3435cd6667be81674a7b57dcff3a698216f241
  SHA512: 9c4eae9e071e2749f1d1e98dfd77d52f9a5c7539adaa88fc3414bf4ac2ebf8882afb3d579918f9ad53987e9732b4f54691668d6c674207fa6f04d5eb3286a735