Analysis Overview
SHA256
c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6
Threat Level: Known bad
The file c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6 was found to be: Known bad.
Malicious Activity Summary
Vidar
Djvu Ransomware
Detected Djvu ransomware
Detect Vidar Stealer
Downloads MZ/PE file
Loads dropped DLL
Executes dropped EXE
Modifies file permissions
Looks up external IP address via web service
Adds Run key to start application
Suspicious use of SetThreadContext
Enumerates physical storage devices
Unsigned PE
Program crash
Suspicious use of WriteProcessMemory
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-15 04:57
Signatures
Unsigned PE
1 hit; no description, indicator, process or target recorded.
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-15 04:57
Reported
2024-01-15 05:02
Platform
win7-20231215-en
Max time kernel
295s
Max time network
156s
Command Line
Signatures
Detect Vidar Stealer
5 hits; no description, indicator, process or target recorded for any of them.
Detected Djvu ransomware
14 hits; no description, indicator, process or target recorded for any of them.
Djvu Ransomware
Vidar
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\0900a04d-6112-4fa1-869c-221d528b66f8\build2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\0900a04d-6112-4fa1-869c-221d528b66f8\build2.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Note: the icacls command recorded under Processes, /deny *S-1-1-0:(OI)(CI)(DE,DC) on the GUID-named directory under AppData\Local, denies Everyone (S-1-1-0) the Delete (DE) and Delete Child (DC) rights, inherited by files (OI) and subfolders (CI). The persistence copy stored in that directory cannot be deleted until the deny ACE is removed, for example with icacls <dir> /remove:d *S-1-1-0.
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\c9694d6b-38b7-4597-9328-f327c57c0aa4\\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2552 set thread context of 1888 | N/A | C:\Users\Admin\AppData\Local\Temp\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe | C:\Users\Admin\AppData\Local\Temp\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe |
| PID 2720 set thread context of 1356 | N/A | C:\Users\Admin\AppData\Local\Temp\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe | C:\Users\Admin\AppData\Local\Temp\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe |
| PID 2084 set thread context of 2112 | N/A | C:\Users\Admin\AppData\Local\0900a04d-6112-4fa1-869c-221d528b66f8\build2.exe | C:\Users\Admin\AppData\Local\0900a04d-6112-4fa1-869c-221d528b66f8\build2.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\0900a04d-6112-4fa1-869c-221d528b66f8\build2.exe |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (certificate blob not shown) | C:\Users\Admin\AppData\Local\0900a04d-6112-4fa1-869c-221d528b66f8\build2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\0900a04d-6112-4fa1-869c-221d528b66f8\build2.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (certificate blob not shown) | C:\Users\Admin\AppData\Local\0900a04d-6112-4fa1-869c-221d528b66f8\build2.exe | N/A |
Note: writes under SystemCertificates\AuthRoot\Certificates, together with the CryptnetUrlCache entries listed under Files, are what Windows' automatic root certificate update produces when a process builds a certificate chain that needs a root not yet present in the local AuthRoot store. Treat this hit as a by-product of build2.exe's HTTPS traffic rather than as evidence that it installed a certificate of its own.
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe
"C:\Users\Admin\AppData\Local\Temp\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe"
C:\Users\Admin\AppData\Local\Temp\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe
"C:\Users\Admin\AppData\Local\Temp\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\c9694d6b-38b7-4597-9328-f327c57c0aa4" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe
"C:\Users\Admin\AppData\Local\Temp\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe
"C:\Users\Admin\AppData\Local\Temp\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\0900a04d-6112-4fa1-869c-221d528b66f8\build2.exe
"C:\Users\Admin\AppData\Local\0900a04d-6112-4fa1-869c-221d528b66f8\build2.exe"
C:\Users\Admin\AppData\Local\0900a04d-6112-4fa1-869c-221d528b66f8\build2.exe
"C:\Users\Admin\AppData\Local\0900a04d-6112-4fa1-869c-221d528b66f8\build2.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 1440
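The process tree and registry rows above (the icacls deny on the GUID-named drop directory, the SysHelper Run value with --AutoStart, the --Admin IsNotAutoStart IsNotTask worker arguments, the self-targeted SetThreadContext calls and the dropped build2.exe second stage) are the pieces a detection engineer would turn into host-side rules. The Python below is an added example, not part of the sandbox report or any vendor's ruleset: it runs a handful of such rules over constructed Sysmon-style event dictionaries that mirror this run, plus two benign look-alikes that must not fire. The event schema, the rule names and the PIDs other than those quoted from the report are assumptions.

```python
import re
from typing import Dict, List, Tuple

# GUID-named directory directly under %LOCALAPPDATA%: the drop location in this run
# (c9694d6b-... holds the persistence copy, 0900a04d-... holds build2.exe).
GUID = r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}"
LOCAL_GUID_DIR = re.compile(r"\\AppData\\Local\\" + GUID + r'(?=\\|"|\s|$)', re.I)

# icacls "<path>" /deny <SID>:(<inherit>)...(<rights>), e.g. *S-1-1-0:(OI)(CI)(DE,DC)
# OI/CI inherit to files/subfolders; DE = delete, DC = delete child; S-1-1-0 = Everyone.
ICACLS_DENY = re.compile(
    r'icacls\s+"(?P<path>[^"]+)"\s+/deny\s+\*?(?P<sid>S-[\d-]+):(?P<ace>(?:\([^)]*\))+)', re.I)
PAREN = re.compile(r"\(([^)]*)\)")
EVERYONE = "S-1-1-0"
WORKER_ARGS = "--Admin IsNotAutoStart IsNotTask"   # arguments of the second sample instance above


def parse_icacls_deny(cmdline: str):
    """Return (path, sid, inheritance flags, rights) for an icacls /deny command, else None."""
    m = ICACLS_DENY.search(cmdline)
    if not m:
        return None
    groups = PAREN.findall(m.group("ace"))       # e.g. ['OI', 'CI', 'DE,DC']
    return m.group("path"), m.group("sid"), set(groups[:-1]), set(groups[-1].split(","))


def triage(events: List[Dict]) -> List[Tuple[str, int]]:
    """Apply the rules to Sysmon-style event dicts; returns one (rule, pid) pair per hit."""
    hits = []
    for ev in events:
        pid = ev["pid"]
        if ev["type"] == "process":
            cmd, image = ev["cmdline"], ev["image"]
            deny = parse_icacls_deny(cmd)
            # Djvu strips Everyone's delete rights from its own drop directory so the
            # persistence copy survives a manual clean-up attempt.
            if deny and deny[1] == EVERYONE and deny[3] & {"DE", "DC"} and LOCAL_GUID_DIR.search(deny[0]):
                hits.append(("djvu_icacls_lockdown", pid))
            if WORKER_ARGS in cmd:
                hits.append(("djvu_worker_args", pid))
            if "--AutoStart" in cmd and LOCAL_GUID_DIR.search(cmd):
                hits.append(("djvu_autostart_from_guid_dir", pid))
            if image.lower().endswith("\\build2.exe") and LOCAL_GUID_DIR.search(image):
                hits.append(("vidar_build2_dropped", pid))
        elif ev["type"] == "registry" and "\\CurrentVersion\\Run\\" in ev["key"]:
            name = ev["key"].rsplit("\\", 1)[-1]
            if name.lower() == "syshelper" or ("--AutoStart" in ev["value"] and LOCAL_GUID_DIR.search(ev["value"])):
                hits.append(("djvu_run_key", pid))
        elif ev["type"] == "set_thread_context" and ev["image"].lower() == ev["target_image"].lower():
            # Setting the thread context of a fresh instance of its own image is the
            # hollowing pattern behind the "set thread context" rows in this report.
            hits.append(("self_hollowing", pid))
    return hits


NAME = "c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp" + "\\" + NAME
PERSIST_DIR = r"C:\Users\Admin\AppData\Local\c9694d6b-38b7-4597-9328-f327c57c0aa4"
PERSIST_EXE = PERSIST_DIR + "\\" + NAME
BUILD2 = r"C:\Users\Admin\AppData\Local\0900a04d-6112-4fa1-869c-221d528b66f8\build2.exe"

# Constructed events mirroring the behavioral1 rows (not real telemetry); PIDs other than
# 2552, 1888 and 2084 are invented. The last two events are benign look-alikes.
EVENTS = [
    {"type": "process", "pid": 2552, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "set_thread_context", "pid": 2552, "image": SAMPLE, "target_pid": 1888, "target_image": SAMPLE},
    {"type": "process", "pid": 101, "image": r"C:\Windows\SysWOW64\icacls.exe",
     "cmdline": f'icacls "{PERSIST_DIR}" /deny *S-1-1-0:(OI)(CI)(DE,DC)'},
    {"type": "process", "pid": 102, "image": SAMPLE, "cmdline": f'"{SAMPLE}" {WORKER_ARGS}'},
    {"type": "registry", "pid": 1888,
     "key": r"HKU\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper",
     "value": f'"{PERSIST_EXE}" --AutoStart'},
    {"type": "process", "pid": 103, "image": PERSIST_EXE, "cmdline": f'"{PERSIST_EXE}" --AutoStart'},
    {"type": "process", "pid": 2084, "image": BUILD2, "cmdline": f'"{BUILD2}"'},
    {"type": "registry", "pid": 900,
     "key": r"HKU\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"type": "process", "pid": 901, "image": r"C:\Windows\System32\icacls.exe",
     "cmdline": r'icacls "C:\Users\Admin\Documents\project" /deny *S-1-1-0:(OI)(CI)(W)'},
]

if __name__ == "__main__":
    for rule, pid in triage(EVENTS):
        print(f"{rule:30} pid={pid}")
```

The icacls rule deliberately keys on the combination of Everyone, a delete right and a GUID directory under AppData\Local rather than on icacls alone: administrators run icacls /deny legitimately (the pid 901 event), but nothing legitimate locks its own randomly named AppData directory against deletion. The Run-key rule fires on either the SysHelper value name this family uses or on any Run entry that launches --AutoStart from such a directory, so a renamed value still trips it.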
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 172.67.139.220:443 | api.2ip.ua | tcp |
| US | 172.67.139.220:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | brusuax.com | udp |
| US | 8.8.8.8:53 | zexeq.com | udp |
| BG | 95.158.162.200:80 | zexeq.com | tcp |
| MX | 187.211.34.211:80 | brusuax.com | tcp |
| BG | 95.158.162.200:80 | zexeq.com | tcp |
| BG | 95.158.162.200:80 | zexeq.com | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 104.103.202.103:443 | steamcommunity.com | tcp |
| FI | 65.109.241.139:443 | 65.109.241.139 | tcp |
| FI | 65.109.241.139:443 | 65.109.241.139 | tcp |
| FI | 65.109.241.139:443 | 65.109.241.139 | tcp |
| BG | 95.158.162.200:80 | zexeq.com | tcp |
| FI | 65.109.241.139:443 | 65.109.241.139 | tcp |
| BG | 95.158.162.200:80 | zexeq.com | tcp |
Files
memory/2552-0-0x0000000000270000-0x0000000000301000-memory.dmp
memory/2552-1-0x0000000000270000-0x0000000000301000-memory.dmp
memory/1888-7-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1888-8-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1888-5-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2552-3-0x00000000008F0000-0x0000000000A0B000-memory.dmp
memory/1888-2-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
C:\Users\Admin\AppData\Local\c9694d6b-38b7-4597-9328-f327c57c0aa4\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe
| MD5 | 38fac68cda54410b4e04271adfb5f905 |
| SHA1 | 7b859379d5cf75ea6f7ce28a548e98bc092b7777 |
| SHA256 | 7953af02b394cf7ad1fac3202df4ef47ad3397c51123799fa0be9ddb08e16133 |
| SHA512 | 288ffd48dc72442ba5ae2132dd9afb7717b3352275f3c4ad24edbb81a3e62047c9d6c568e1308cd99a7705252d2ceee0d2d2cc0641fe87ee46f5b3050543aee0 |
memory/1888-26-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2720-27-0x00000000002A0000-0x0000000000331000-memory.dmp
memory/2720-37-0x00000000002A0000-0x0000000000331000-memory.dmp
memory/1356-39-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1356-122-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab4940.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 89a0c1c21f3bd545e158879bed7a8228 |
| SHA1 | 4b38d02bdfc1574f36afa41531c55529df763d04 |
| SHA256 | 5f694dfef7674a2a7194f6016f653fef5d581ee6b8636464aee4e8ba48132e42 |
| SHA512 | ac075d58748b91fda370c5c79451bb5fb691fa09f56e337675b19fa3329e1045f76c6cac3f28fcc81f41cc640e1154c615149abab650bcfb8f31a1628ce33f8d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 8202a1cd02e7d69597995cabbe881a12 |
| SHA1 | 8858d9d934b7aa9330ee73de6c476acf19929ff6 |
| SHA256 | 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5 |
| SHA512 | 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 616ef8e533eec916885308024aafe48e |
| SHA1 | 5f42dfe598f6b6ee1a31839bbbc9c028b7d2ff6c |
| SHA256 | 0c6c1253ddd7bae0ef012920f88c4150c21443464f8fa8078504b0ad6d2f2e22 |
| SHA512 | daa96bc706990b6fd96242d15455647a0315c5f4ffd407682938ec504b984ae43ee88007f3ea5600633434518830572b1e9e2fd853b0b1ff3e69f98861ecf5c8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | b7470a9aa569b259d4c2bb3b80ae3aa3 |
| SHA1 | 093290296b7f1e402ef96e4b33a88f064aa401eb |
| SHA256 | ee8aeed77dd9f1631fa75845214d75bfe04951a61892410ee369035e13fd14c6 |
| SHA512 | 4da3fc09260692f159c37b068664852931b712c8173de5e4b294799ac33ecf179055aaeb016fd0afad88cbfc50a571c4c88033dca56a573431af7462ea7979be |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | f31d5c5bf9375633b9286d0d5b375458 |
| SHA1 | c3b7d745f792350a47ff412f51047e2700e6c6b4 |
| SHA256 | 92d3e1b18d3d584ee0078f0f533358b2268a5365a3303c0d8f7a3b188981070e |
| SHA512 | 4c1642dec922a60510f192be1da86d3e362d24ee059c83a18d3d8b87d4ef34ac68a03f803df435501067e1ab6f5a49294ac32c8961b7181f568dd6a2c4fa83c7 |
memory/1356-135-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1356-136-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\0900a04d-6112-4fa1-869c-221d528b66f8\build2.exe
| MD5 | 33b11b6a7a2afb431ede5d36f06940c6 |
| SHA1 | 5e06682e4644f1ff858297d1b023bc3f3be44c2f |
| SHA256 | af8b4702af58b11b4d4935bd60064c23d020b0a24bfc3b8ed7fb9f318d530da6 |
| SHA512 | bb73b026b3e17f8de30eaa272115f8edc59e48834b53a762a121e038d8cb71743f98a879c95ae9dd4b38fcae24e8469e1beadb28d45893d281a52ec34dc6ff78 |
C:\Users\Admin\AppData\Local\0900a04d-6112-4fa1-869c-221d528b66f8\build2.exe
| MD5 | 55a7daea46e293fa9bf4c1e243bcf405 |
| SHA1 | 99061832836e646cc5c58025ca6de08c985ac68c |
| SHA256 | 6c74c9fe6046767d60df451ab627ee488111eaa82bab035daad1d90d6d41ce1e |
| SHA512 | a51f47a77f13d59d0f5f83c6f607a550000b7693821b48a41a1412147a9aa5a837d712e78ec96f5f7d185c2772eb7241bc42624a0acc5ac89d7d15d722060f3a |
\Users\Admin\AppData\Local\0900a04d-6112-4fa1-869c-221d528b66f8\build2.exe
| MD5 | c4070da9f9b0581171af16e681ccdff8 |
| SHA1 | 3fb4182921fdc3acd7873ebe113ac5522585312a |
| SHA256 | 26063c78e5418610471a9f3a00a155d7d1e5b29856e1979ba3bdc42681a871d0 |
| SHA512 | c7569cea7f1a841e7cac9cd41287dba3bcacf2cf9dee7bece88800848a7ad5dc4cd2bdc896c7389f0f1144079bbe168048b3f722bcd76fa5d6e14f3081bb6427 |
memory/2084-157-0x00000000003A0000-0x00000000003EB000-memory.dmp
memory/2112-159-0x0000000000400000-0x000000000065E000-memory.dmp
memory/2112-158-0x0000000000400000-0x000000000065E000-memory.dmp
memory/1356-156-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2084-155-0x00000000002E0000-0x0000000000307000-memory.dmp
C:\Users\Admin\AppData\Local\0900a04d-6112-4fa1-869c-221d528b66f8\build2.exe
| MD5 | 95fa82818b09faaf29e49db216e67b59 |
| SHA1 | 2e827e2694ab73733f2fa23a846b186c23124ac5 |
| SHA256 | bdeaa1fa185fac8563112c99f98a9e178224fb03c590cb93cfa31cfcf174850f |
| SHA512 | dbc8803bccfd39e4d26c93c30002cae1f698cb7c1e3b7d601f9d8d72ec15719ad350feb3ee37d67de2852005cd2a46c6d117f35484ed4e21b8f88e64c64ff0fd |
memory/2112-152-0x0000000000400000-0x000000000065E000-memory.dmp
memory/2112-150-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
C:\Users\Admin\AppData\Local\0900a04d-6112-4fa1-869c-221d528b66f8\build2.exe
| MD5 | 27dd517ce59cb2d294cf664d9e7cbe50 |
| SHA1 | a35d64c2b10326bdd5b9ec103669edf60e82d0ca |
| SHA256 | 2e7f5d862172e2ade52a1a0077b068e43735d40a30c6ff293168c055910c9b1a |
| SHA512 | 5a32465d8818e97174dfe36de6ebff60eff2fd66ccab93346649ed413b0890cd38b90d6bbc0a792a60a1f92711fea0270205db765fce4992282fc3830fad2356 |
C:\Users\Admin\AppData\Local\Temp\Tar676B.tmp
| MD5 | 9c0c641c06238516f27941aa1166d427 |
| SHA1 | 64cd549fb8cf014fcd9312aa7a5b023847b6c977 |
| SHA256 | 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f |
| SHA512 | 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9423b96985768570a95246bb08952e28 |
| SHA1 | 3ce52f0dff9e71dd0722e4b51531175fc6c73268 |
| SHA256 | d631f9f346af6b6d6e07a0f599e20fe177174a8c2944d01f0291453adcd05c82 |
| SHA512 | 3a0a948c61a1e3983f1f61190c467289b770a40d9fa415b05d87061d737483513c5a6fa66d8f1445ddfa73b3c79cd9f5b525ee2cce371362eb624bbe51ba0069 |
\Users\Admin\AppData\Local\0900a04d-6112-4fa1-869c-221d528b66f8\build2.exe
| MD5 | a2627830af7d1ff75c7606461de62601 |
| SHA1 | ded6c1393484fdb2cb76f54c3cba8ff9f59dbadd |
| SHA256 | 8732609ee2c59b5ae851f97bf434c8a1e15b2bbb9c18fb433ad6e55c05e411c2 |
| SHA512 | 863d01021e23ace70726f507768aa3cee013fb28d29b7bb79743f0580351013f925f25cc27fec23f7755111fdb8469b76a33e8fb9cda981e1b556e89fca38baa |
\Users\Admin\AppData\Local\0900a04d-6112-4fa1-869c-221d528b66f8\build2.exe
| MD5 | ff63e9b7a52eab1cd039bfe4072a8216 |
| SHA1 | 1b1ba9bbedcbeecaece8629e6a4e15c6b38122ad |
| SHA256 | ce37a41e7ecbc5f7f59488d679fc13a780d64bfb2e84c6da0d6782a9940d45b2 |
| SHA512 | 45cb1d90d2bdf258d1b49109985282fb736ba3805e24efcba2ee71c8d1a1f9ecbac43a25ad9c29d8b233f1689b5a863776fe1cce28960d55450fe2e200c155be |
\Users\Admin\AppData\Local\0900a04d-6112-4fa1-869c-221d528b66f8\build2.exe
| MD5 | 0431cb8e36a74e4b0378bc97069e7ae1 |
| SHA1 | 00d90d43700e3c072dabaacb511f0f57ec2df4ce |
| SHA256 | 2daf1caa0302954352b04b81f66dea0e2f9e1eb566e0b1ac67b877df6cc765e5 |
| SHA512 | d85609624ca9d75a6b618e774dd6fe83cfcd96644d1019d1eb50bf71b799bcc5e619502dcb2257729a70a5c0fcd81fd3533c877b63dcf8512c9a8702789640b7 |
\Users\Admin\AppData\Local\0900a04d-6112-4fa1-869c-221d528b66f8\build2.exe
| MD5 | 0a2b1a7792cddc54139263be91b9f83a |
| SHA1 | aa7f0c411e778a3e0ddcdd9299b3a198a33f4e74 |
| SHA256 | 2657b81283e43270700463ed49206c7e3b7499e4ae2b2a02ce9aade496037a03 |
| SHA512 | d5bb6ad68f1ccb7815861ef32f307cb54555d18309d8638066fdd1cf7fbc18545b69477a4aa6f0d845a18e77d459908e4a916eb1686b12d3e05020b9be3db3bd |
memory/2112-280-0x0000000000400000-0x000000000065E000-memory.dmp
memory/1356-282-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1356-284-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1356-285-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1356-286-0x0000000000400000-0x0000000000537000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-15 04:57
Reported
2024-01-15 05:02
Platform
win10-20231220-en
Max time kernel
15s
Max time network
300s
Command Line
Signatures
Detect Vidar Stealer
5 hits; no description, indicator, process or target recorded for any of them.
Detected Djvu ransomware
17 hits; no description, indicator, process or target recorded for any of them.
Djvu Ransomware
Vidar
Downloads MZ/PE file
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1775739321-368907234-981748298-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\416d2e1d-2dd6-4f3a-b064-310d6b5ad152\\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4552 set thread context of 1600 | N/A | C:\Users\Admin\AppData\Local\Temp\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe | C:\Users\Admin\AppData\Local\Temp\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe |
| PID 4580 set thread context of 3132 | N/A | C:\Users\Admin\AppData\Local\Temp\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe | C:\Users\Admin\AppData\Local\Temp\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\2c5f7717-a7ff-4232-861e-a2ccff4a23d9\build2.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe
"C:\Users\Admin\AppData\Local\Temp\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe"
C:\Users\Admin\AppData\Local\Temp\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe
"C:\Users\Admin\AppData\Local\Temp\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe"
C:\Users\Admin\AppData\Local\Temp\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe
"C:\Users\Admin\AppData\Local\Temp\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\416d2e1d-2dd6-4f3a-b064-310d6b5ad152" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe
"C:\Users\Admin\AppData\Local\Temp\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\2c5f7717-a7ff-4232-861e-a2ccff4a23d9\build2.exe
"C:\Users\Admin\AppData\Local\2c5f7717-a7ff-4232-861e-a2ccff4a23d9\build2.exe"
C:\Users\Admin\AppData\Local\2c5f7717-a7ff-4232-861e-a2ccff4a23d9\build2.exe
"C:\Users\Admin\AppData\Local\2c5f7717-a7ff-4232-861e-a2ccff4a23d9\build2.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 2072
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 172.67.139.220:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | 220.139.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 94.193.125.74.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 172.67.139.220:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | brusuax.com | udp |
| US | 8.8.8.8:53 | zexeq.com | udp |
| BA | 109.175.29.39:80 | zexeq.com | tcp |
| KR | 211.168.53.110:80 | zexeq.com | tcp |
| US | 8.8.8.8:53 | 39.29.175.109.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 110.53.168.211.in-addr.arpa | udp |
| KR | 211.168.53.110:80 | zexeq.com | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | 99.167.154.149.in-addr.arpa | udp |
| KR | 211.168.53.110:80 | zexeq.com | tcp |
| DE | 116.202.0.196:10220 | | tcp |
| US | 8.8.8.8:53 | 196.0.202.116.in-addr.arpa | udp |
| KR | 211.168.53.110:80 | zexeq.com | tcp |
| DE | 116.202.0.196:10220 | | tcp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| DE | 116.202.0.196:10220 | | tcp |
| DE | 116.202.0.196:10220 | | tcp |
| KR | 211.168.53.110:80 | zexeq.com | tcp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| GB | 88.221.134.96:80 | | tcp |
| US | 8.8.8.8:53 | 89.65.42.20.in-addr.arpa | udp |
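The two Network tables (this one and the behavioral1 table earlier on the page) are the raw material for an IOC list, but they mix three things that need different handling: DNS queries to the sandbox resolver (8.8.8.8:53), reverse lookups (.in-addr.arpa) that are sandbox noise, and actual connections, some of which go to legitimate services (api.2ip.ua for the external-IP check, and t.me and steamcommunity.com, which Vidar reads its C2 address from rather than using as C2). Rows whose Domain column was empty in the original also had the proto shifted one column left. The Python below is an added example, not part of the report: it normalises rows copied from both tables into one record per indicator. The role labels and the choice of which hosts count as legitimate are my assumptions, and a direct-IP connection with no domain (88.221.134.96:80 here) could be anything from a payload host to a certificate revocation check, so it is reported as unverified rather than as C2.

```python
from typing import Dict, List

RESOLVER = "8.8.8.8:53"                           # sandbox DNS: rows to it are queries, not contacts
IP_LOOKUP_HOSTS = {"api.2ip.ua"}                  # external-IP check flagged by the sandbox
DEAD_DROP_HOSTS = {"t.me", "steamcommunity.com"}  # legitimate sites Vidar fetches its C2 address from

# Rows copied from the behavioral1 and behavioral2 Network tables of this report,
# including the rows with an empty Domain column where the proto shifted left.
NETWORK_TABLE = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 172.67.139.220:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | 220.139.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | brusuax.com | udp |
| US | 8.8.8.8:53 | zexeq.com | udp |
| BG | 95.158.162.200:80 | zexeq.com | tcp |
| KR | 211.168.53.110:80 | zexeq.com | tcp |
| MX | 187.211.34.211:80 | brusuax.com | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 104.103.202.103:443 | steamcommunity.com | tcp |
| FI | 65.109.241.139:443 | 65.109.241.139 | tcp |
| FI | 65.109.241.139:443 | 65.109.241.139 | tcp |
| DE | 116.202.0.196:10220 | tcp | |
| DE | 116.202.0.196:10220 | tcp | |
| GB | 88.221.134.96:80 | tcp | |
"""


def parse_rows(table: str) -> List[dict]:
    """Split the pipe table into dicts, repairing rows whose Domain cell is empty."""
    rows = []
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        country, dest, domain, proto = cells
        if proto == "" and domain in ("tcp", "udp"):   # shifted row: "| DE | ip:port | tcp | |"
            domain, proto = "", domain
        rows.append({"country": country, "dest": dest, "domain": domain, "proto": proto})
    return rows


def classify(name: str) -> str:
    if name in IP_LOOKUP_HOSTS:
        return "ip-lookup"
    if name in DEAD_DROP_HOSTS:
        return "dead-drop"
    return "unverified"


def new_record(kind: str) -> dict:
    return {"type": kind, "ips": set(), "ports": set(), "connections": 0, "queried": False, "country": None}


def extract_iocs(table: str) -> Dict[str, dict]:
    """Collapse rows into one record per domain (or per bare IP when no name was seen)."""
    iocs: Dict[str, dict] = {}
    for r in parse_rows(table):
        if r["dest"] == RESOLVER:
            if r["domain"].endswith(".in-addr.arpa"):
                continue                                   # reverse-lookup noise
            iocs.setdefault(r["domain"], new_record("domain"))["queried"] = True
            continue
        ip, port = r["dest"].rsplit(":", 1)
        named = bool(r["domain"]) and r["domain"] != ip    # "65.109.241.139 | 65.109.241.139" is a direct-IP contact
        rec = iocs.setdefault(r["domain"] if named else ip, new_record("domain" if named else "ip"))
        rec["ips"].add(ip)
        rec["ports"].add(int(port))
        rec["connections"] += 1
        rec["country"] = r["country"]
    for name, rec in iocs.items():
        rec["role"] = classify(name)
    return iocs


def unverified(iocs: Dict[str, dict]) -> List[str]:
    """Indicators that still need an analyst decision before they go on a blocklist."""
    return sorted(k for k, v in iocs.items() if v["role"] == "unverified")


if __name__ == "__main__":
    for name, rec in extract_iocs(NETWORK_TABLE).items():
        print(f"{name:24} {rec['type']:6} {rec['role']:11} conns={rec['connections']} ips={sorted(rec['ips'])}")
```

Keying on the domain rather than the destination IP is what makes zexeq.com show up as one indicator with two resolved addresses across the two runs (95.158.162.200 and 211.168.53.110), which is the useful fact for blocking: the name is stable, the hosting moves. A domain that appears only as queried with no connections (brusuax.com in this run) still belongs on the list, since the query itself shows the sample asked for it.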
Files
memory/1600-6-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4552-4-0x00000000026E0000-0x00000000027FB000-memory.dmp
memory/1600-5-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4552-3-0x0000000000960000-0x00000000009FD000-memory.dmp
memory/1600-2-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1600-1-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\416d2e1d-2dd6-4f3a-b064-310d6b5ad152\c02005305c2ccc9e74c9a43ba13aadaf32b07e6af5b1620172ef47ee798fc9a6.exe
| MD5 | 7ad2b9fe5d3b3c6b25b8adfce09a8547 |
| SHA1 | 0d1891de86c3bd57d216cb993c76cc78c2cd16d0 |
| SHA256 | cca8b742fdb16caf328bf0d64f3435cd6667be81674a7b57dcff3a698216f241 |
| SHA512 | 9c4eae9e071e2749f1d1e98dfd77d52f9a5c7539adaa88fc3414bf4ac2ebf8882afb3d579918f9ad53987e9732b4f54691668d6c674207fa6f04d5eb3286a735 |
memory/1600-17-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3132-24-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3132-23-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 8202a1cd02e7d69597995cabbe881a12 |
| SHA1 | 8858d9d934b7aa9330ee73de6c476acf19929ff6 |
| SHA256 | 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5 |
| SHA512 | 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 727949379799fb879b4c82c031241521 |
| SHA1 | 360abc1f5fa0a70c31ebaeb3624a8b198a654455 |
| SHA256 | 10f43335c548539b9b0bc6bf5be1b4b6f02aaf9b32e750164c19375a3b959868 |
| SHA512 | 6d918e020b45f984ba219bc37ac93a157d5d3fd6c882a967980d4f0f89fbce5d33307d872296571582fd61c256bfa93f6c254a1e71c551062773efd0fa97d628 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | b7470a9aa569b259d4c2bb3b80ae3aa3 |
| SHA1 | 093290296b7f1e402ef96e4b33a88f064aa401eb |
| SHA256 | ee8aeed77dd9f1631fa75845214d75bfe04951a61892410ee369035e13fd14c6 |
| SHA512 | 4da3fc09260692f159c37b068664852931b712c8173de5e4b294799ac33ecf179055aaeb016fd0afad88cbfc50a571c4c88033dca56a573431af7462ea7979be |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 44605ce8ca6de0ade71ba7cede3721a3 |
| SHA1 | 3b6eb8dcb9754f67f491bf1824bba0ac166a2e00 |
| SHA256 | 9fda12ec055361c8627ea1c395e56f0a1c565644b092246f7185f512e74deaa8 |
| SHA512 | d1d340c613dd2f4c596afec129e5bbfc8969dd6a2a09f5bc6bc5ab97682c7beea1ff2f2294d4cd9da6aaa604e56158a448c1bbfcec29d276078cec303093df39 |
memory/3132-22-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4580-21-0x0000000000AF0000-0x0000000000B8B000-memory.dmp
memory/3132-30-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3132-29-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\2c5f7717-a7ff-4232-861e-a2ccff4a23d9\build2.exe
| MD5 | ef97a1d33f5e22143e60ed22bb1251fa |
| SHA1 | c484a23ab9f0a7d1c28440901e880f3a461db4e6 |
| SHA256 | 14e7bbac54197a297bc2820c9192dc7e6bfe04bf79a6546e2f5abd81a97d4ad3 |
| SHA512 | cecbf2f17366920a2cd92c138b789f4be18f9c80d161f66ff2af37cc7de49c2764b7a4e8dd99abe593de93272c40bf9768f7f338b54ac4134817227473bf04a7 |
memory/96-43-0x00000000007F0000-0x000000000083B000-memory.dmp
memory/3748-45-0x0000000000400000-0x000000000065E000-memory.dmp
memory/3748-44-0x0000000000400000-0x000000000065E000-memory.dmp
C:\Users\Admin\AppData\Local\2c5f7717-a7ff-4232-861e-a2ccff4a23d9\build2.exe
| MD5 | fe01c85761f73499aad7b52653767efc |
| SHA1 | 994ce5a6898ccefbfe7d3cdd21e7b044b98a47ae |
| SHA256 | caf7e3d57333c9367bcbeee6fa78a6dbd5ea796f138c9b384a96940de47fdee2 |
| SHA512 | 9af67eeffc27cd1e54740db15101caecfdc5067b78a17865a3bb9ef38e5ce4d8275ab15a3be81788477e05684a28366ffb7bac513af840893741c20813ccc90d |
memory/96-40-0x00000000005B0000-0x00000000006B0000-memory.dmp
memory/3748-39-0x0000000000400000-0x000000000065E000-memory.dmp
C:\Users\Admin\AppData\Local\2c5f7717-a7ff-4232-861e-a2ccff4a23d9\build2.exe
| MD5 | 8f24045b0e4ba4a126d902d9ebe0dfe2 |
| SHA1 | b4aa49d53b81a8b3a1f771d1b6c2bb9c0aa454c9 |
| SHA256 | a8684e5117c2ed30f5cf10c3cd443f2ef68a8a186e35a819fb476a855f5c4737 |
| SHA512 | 2b87a8d584a6a309c6bcc3f59320c86aca83d8c42831138750856f7aae0c92e81266af699e3c39133f95846a256d1e0032a7b5bb25465077293a12ae746d88b0 |
memory/3132-46-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4552-47-0x00000000026E0000-0x00000000027FB000-memory.dmp
memory/3748-52-0x0000000000400000-0x000000000065E000-memory.dmp
memory/3132-57-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3132-56-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3132-54-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3132-59-0x0000000000400000-0x0000000000537000-memory.dmp