Analysis

  • max time kernel
    300s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    15/01/2024, 04:59

General

  • Target

    ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe

  • Size

    732KB

  • MD5

    20a0d15b3694b4cd8dbcf2281ac08591

  • SHA1

    47a9f1172ab951a2ed68f1fa0122d632ae2a0f66

  • SHA256

    ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc

  • SHA512

    55e990f99031ec607dacb31dce7373111fab676336f98eef7c9a35edb1ea1e69a9e0f00dc79e77b9d7c3158ccf1632634e5884bed89222b3dee96ab4dd6f2d9d

  • SSDEEP

    12288:tCch49jGaKBC3Pv0mxQglpWAarKylD4P3It+kzEwi+GCrebH8Hp0CmD0mXQjnRR:tCP9tP3Pv7QMXwOPw+cGguH8HGlD0mX4

Malware Config

Extracted

Family

djvu

C2

http://habrafa.com/test1/get.php

Attributes
  • extension

    .cdpo

  • offline_id

    Bn3q97hwLouKbhkQRNO4SeV07gjdEQVm8NKhg0t1

  • payload_url

    http://brusuax.com/dl/build2.exe

    http://habrafa.com/files/1/build3.exe

  • ransomnote

    ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-FCWSCsjEWS Price of private key and decrypt software is $1999. Discount 50% available if you contact us first 72 hours, that's price for you is $999. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0844OSkw

rsa_pubkey.plain

Signatures

  • Detect Vidar Stealer 5 IoCs
  • Detected Djvu ransomware 14 IoCs
  • Djvu Ransomware

    Ransomware which is a variant of the STOP family.

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 6 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 49 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe
    "C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1676
    • C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe
      "C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1968
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Users\Admin\AppData\Local\8d48942f-f643-4d39-aaf0-87b2aeff60d3" /deny *S-1-1-0:(OI)(CI)(DE,DC)
        3⤵
        • Modifies file permissions
        PID:2856
      • C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe
        "C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe" --Admin IsNotAutoStart IsNotTask
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2592
        • C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe
          "C:\Users\Admin\AppData\Local\Temp\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe" --Admin IsNotAutoStart IsNotTask
          4⤵
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2620
          • C:\Users\Admin\AppData\Local\ecd8f061-efcc-40b3-a956-90872f719a6e\build2.exe
            "C:\Users\Admin\AppData\Local\ecd8f061-efcc-40b3-a956-90872f719a6e\build2.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:2660
  • C:\Users\Admin\AppData\Local\ecd8f061-efcc-40b3-a956-90872f719a6e\build2.exe
    "C:\Users\Admin\AppData\Local\ecd8f061-efcc-40b3-a956-90872f719a6e\build2.exe"
    1⤵
    • Executes dropped EXE
    • Modifies system certificate store
    • Suspicious use of WriteProcessMemory
    PID:2484
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2484 -s 1440
      2⤵
      • Loads dropped DLL
      • Program crash
      PID:1632

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

          Filesize

          1KB

          MD5

          b7470a9aa569b259d4c2bb3b80ae3aa3

          SHA1

          093290296b7f1e402ef96e4b33a88f064aa401eb

          SHA256

          ee8aeed77dd9f1631fa75845214d75bfe04951a61892410ee369035e13fd14c6

          SHA512

          4da3fc09260692f159c37b068664852931b712c8173de5e4b294799ac33ecf179055aaeb016fd0afad88cbfc50a571c4c88033dca56a573431af7462ea7979be

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

          Filesize

          724B

          MD5

          8202a1cd02e7d69597995cabbe881a12

          SHA1

          8858d9d934b7aa9330ee73de6c476acf19929ff6

          SHA256

          58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

          SHA512

          97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

          Filesize

          410B

          MD5

          8448d3aa1248e31218217fc5a32de612

          SHA1

          0c043723f77683b93abf32ce1c44f1d5d1c3f421

          SHA256

          595225b49e46cb3188316c75f0befd0063ddc348d46fd0f1371f4517d12ea3cc

          SHA512

          e83a971266597a9f49a703b5d4aaa662dc3c0c4a4ba9686ad1266102620bbc5c7d1425b2c7a45e0b470af71ccb2ccf164cf2b4ac501b292ee42749abdfd8e4dd

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          344B

          MD5

          160af5a6533a7b64ea8cc1c1f01db434

          SHA1

          7cc7d309e444ffa706f8626212b98ae8eb7891e1

          SHA256

          ff770a582029f8821d0b0ddecbfda32a8946408bd2ca0245000e0d9497f81703

          SHA512

          2d979b6a4477725abeba442d6baf57a8bf4d37417a89fe352d7a7492d02e857ab5035e3c5190cfbea9543b254f5fe3df47d4c8db53f54e531a9483bff46807dd

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          344B

          MD5

          d17e1129fcf1b1171315281d14be9757

          SHA1

          373c5c39ecbe3132654b7c28640ed12091543ac7

          SHA256

          ffc60c52e50d3f520249c2c101afea933c13ea768416022a61c5c1d0df747950

          SHA512

          f53f7d52e61f054deeb33940fd5f2732883de4a0619ca62885bb9133489e7c51fe9e338ef76d06899cabb27691c8d5377bbcc9300a24437b1be96dd9bce43e20

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

          Filesize

          392B

          MD5

          fb93c6f6c919b24deaed6bbf017008cd

          SHA1

          f744f76c86f454676c7805af45e7209b061d25c5

          SHA256

          c74395f967cfe0ed9f0bad14cdb99188370186f95bdfbeae7fe716f07cec6fd9

          SHA512

          8333e070471a65eb23aa574be1ea4bb947e6ecdf1a14a429ddb53f8612b738446660b37e400958999704d85a4b818a4df7489776996dc2d5411e0bbe60046b6e

        • C:\Users\Admin\AppData\Local\8d48942f-f643-4d39-aaf0-87b2aeff60d3\ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc.exe

          Filesize

          732KB

          MD5

          20a0d15b3694b4cd8dbcf2281ac08591

          SHA1

          47a9f1172ab951a2ed68f1fa0122d632ae2a0f66

          SHA256

          ebf7fbefe1d64d2b0c610d6871789faa7f6b8c6d95163e4067c196a7377a64fc

          SHA512

          55e990f99031ec607dacb31dce7373111fab676336f98eef7c9a35edb1ea1e69a9e0f00dc79e77b9d7c3158ccf1632634e5884bed89222b3dee96ab4dd6f2d9d

        • C:\Users\Admin\AppData\Local\Temp\Cab28A6.tmp

          Filesize

          65KB

          MD5

          ac05d27423a85adc1622c714f2cb6184

          SHA1

          b0fe2b1abddb97837ea0195be70ab2ff14d43198

          SHA256

          c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

          SHA512

          6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

        • C:\Users\Admin\AppData\Local\Temp\Tar39E6.tmp

          Filesize

          98KB

          MD5

          1f87e0b6221312c5aaaccb8121603088

          SHA1

          bb362447f7435c9e8d58c3cd5ccfc24c186f838f

          SHA256

          f1fb4dc3162af1f0ac16c06dfc05deb8f158ec14b6d4d2d948d43ecaa092b19f

          SHA512

          bb2944efffdda42f16677f5ce69037887a649c7ef3e1826e61a85db4b8cfdd53af91c9f0c6e376ffff14f4293896c1e939463b0e8b2d84d192c3ef9b46efbc0d

        • C:\Users\Admin\AppData\Local\ecd8f061-efcc-40b3-a956-90872f719a6e\build2.exe

          Filesize

          59KB

          MD5

          d3ea3654914c8852f3a87180d1a2c241

          SHA1

          8fbceb89a466cf0d638349c4ab11049eeea92827

          SHA256

          a44378f382dc7d31009893e74486828819f162acf0a56f0abc145ec9d6eb5e93

          SHA512

          758cf04e0f35dea39a89c0975bc8c63cb38572530b24c9f1c98bfd40c620aedb9e5846567efdf6cfd8708112bcf17369417fc61bd60d5280e3f741b58e221a81

        • C:\Users\Admin\AppData\Local\ecd8f061-efcc-40b3-a956-90872f719a6e\build2.exe

          Filesize

          114KB

          MD5

          0b2c3c144d8ef3d86c29c1ea2c2db875

          SHA1

          82e04b00f56bea4df2a0b116042c4f14d6bd7ccb

          SHA256

          d4e18facb6cef797b9a22e0dd6eeddadd3b08551866374dcc94ae26e559d33a1

          SHA512

          ad99aa3457bb7af7957a541c9a9d751685094a07673fb68c0915b3e7052328e5316be92f6115f7102b54e7891a5a034ef9cf0710abc78d89d7feabc9ce7ddda8

        • C:\Users\Admin\AppData\Local\ecd8f061-efcc-40b3-a956-90872f719a6e\build2.exe

          Filesize

          59KB

          MD5

          600baa942b0b4d4e50a6816a766751cd

          SHA1

          4e199b21e8aca88bb3e20d685396a3a1c5abdcc7

          SHA256

          ed4b2bf512c5254c272e316f620afcdad26075ea48b2c67382eda20c1b2d2e5a

          SHA512

          bba6f2df515162fa6b44a258f92cf96f6cdafca5d9a7967d5061300b12f9660bc093efc156b436f0c9bb59e2d7f0f0ec66dc74de2676c1e063870034a8531551

        • C:\Users\Admin\AppData\Local\ecd8f061-efcc-40b3-a956-90872f719a6e\build2.exe

          Filesize

          35KB

          MD5

          b2808651a83ceefb3f6426029b782791

          SHA1

          68ed8fcdef574d26b038a5b8ac83c5b313d6405f

          SHA256

          43fe14f20a4b534f2a9d63701ad88a646b7ebcdb7e465789e8443fec8c7cf325

          SHA512

          733a39ac098d9a28203855c7876090f7d3b466760a93b18245d9fe79de1b6410a4523ab485e702e20af0be0a64680c3ed3157c874c12b3a172d6d69307517519

        • \Users\Admin\AppData\Local\ecd8f061-efcc-40b3-a956-90872f719a6e\build2.exe

          Filesize

          134KB

          MD5

          0ee21651770797e46547373020237d66

          SHA1

          ad50062605bb70be6b1c54a97bd74b958dfe9c30

          SHA256

          87dfdd019f35d2150e54a4f8381edeef3d1c7ff2c35cbf7becf84e8d073c18c5

          SHA512

          1f35aac8018d00fc9c9acec267c15ebc38e1182622655747a4384204a5f53764984953961ff9f67269f97cf950411d655aff54b82178bba67d04ba545e15e337

        • \Users\Admin\AppData\Local\ecd8f061-efcc-40b3-a956-90872f719a6e\build2.exe

          Filesize

          76KB

          MD5

          1f932ddda236e15e47b0bbdfc3afcc71

          SHA1

          4ae50e69606ad10156dc1c73fcadafcc03373a7e

          SHA256

          3217b1922a79d11579e159aa5557f230ba70803bce304f8d227b3b93d32d06fb

          SHA512

          2458e6ae673749c516bff2d83da47c9d0f5c4a50a2fe6bfaa0d7c9696fca5d72bdc22a9103d172237b651bb451d01cc5def1781bb80a33257a708ec1a3565ff2

        • \Users\Admin\AppData\Local\ecd8f061-efcc-40b3-a956-90872f719a6e\build2.exe

          Filesize

          92KB

          MD5

          22e09e303bf210c5a1366eed0be0b294

          SHA1

          8579012d28b1c325facb09e50ee0f33400c98d0f

          SHA256

          ef828c82ba2541737e984e24f16ab37b68810ccd90c836cf18d74e4a90417c7d

          SHA512

          9d5aec3a9787b019191e700366aed9ed6d48a01868ec6588a6b64759b84fd96523a48f5a2eff723cdcee0096c40ea0f2f6d9bc2a67aa559f11cf2928317b3570

        • \Users\Admin\AppData\Local\ecd8f061-efcc-40b3-a956-90872f719a6e\build2.exe

          Filesize

          133KB

          MD5

          19328a290f3992a5f63b0bef89218be4

          SHA1

          5b798f9014af5404f66a9c6022e9a488c1cf4fa6

          SHA256

          2d0e2ea31bef90b5c6c83d5256ab4692a91c6342cc98e2b2f1d0a7f22658cecc

          SHA512

          f02899e8bf27f1265a067b0f9737c4476a6f49331f3be832f63cd396e730eca7c3e30eec39cd293641db5a05b89f8980e5e3eac79bad246e5537c97a3eceb044

        • \Users\Admin\AppData\Local\ecd8f061-efcc-40b3-a956-90872f719a6e\build2.exe

          Filesize

          287KB

          MD5

          39f684a39496bea7e5fe2b862157e633

          SHA1

          bceee6c817276bbf6fc13c8c2e5557f9fea6ae86

          SHA256

          d563a779176ce0e86af4e240924a8fa45c8b9ee18ccca669a361a515f16a9c02

          SHA512

          3589042f766c35050bbaf5c583bfc2d590e4688482707cccc2f12115bdda17114d49dcb0b61328f27d6934860f3ca29271302260fc5d2c1c4ed712103e3eab8b

        • \Users\Admin\AppData\Local\ecd8f061-efcc-40b3-a956-90872f719a6e\build2.exe

          Filesize

          57KB

          MD5

          4d3ada47a82a737dbd9a9672f8659366

          SHA1

          abd8382762eacb4430928cb814bc7f0cac536504

          SHA256

          4914798a45e8808b148480a5345ebd86be9cf696baf372059e52b1074549aaef

          SHA512

          713fa4ea0b71068ca34cddf394ce493c12d0073aba11df43ce5ae1d4234e33053f5b95bd5ad5e3d275c8b4a8ca17a83d04298db6ac0968bb85dfa34eea9b50ba

        • memory/1676-4-0x0000000000700000-0x000000000081B000-memory.dmp

          Filesize

          1.1MB

        • memory/1676-1-0x00000000004C0000-0x0000000000551000-memory.dmp

          Filesize

          580KB

        • memory/1676-0-0x00000000004C0000-0x0000000000551000-memory.dmp

          Filesize

          580KB

        • memory/1676-7-0x00000000004C0000-0x0000000000551000-memory.dmp

          Filesize

          580KB

        • memory/1968-27-0x0000000000400000-0x0000000000537000-memory.dmp

          Filesize

          1.2MB

        • memory/1968-9-0x0000000000400000-0x0000000000537000-memory.dmp

          Filesize

          1.2MB

        • memory/1968-2-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

          Filesize

          4KB

        • memory/1968-8-0x0000000000400000-0x0000000000537000-memory.dmp

          Filesize

          1.2MB

        • memory/1968-5-0x0000000000400000-0x0000000000537000-memory.dmp

          Filesize

          1.2MB

        • memory/2484-73-0x0000000000400000-0x000000000065E000-memory.dmp

          Filesize

          2.4MB

        • memory/2484-71-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

          Filesize

          4KB

        • memory/2484-201-0x0000000000400000-0x000000000065E000-memory.dmp

          Filesize

          2.4MB

        • memory/2484-79-0x0000000000400000-0x000000000065E000-memory.dmp

          Filesize

          2.4MB

        • memory/2484-78-0x0000000000400000-0x000000000065E000-memory.dmp

          Filesize

          2.4MB

        • memory/2592-28-0x0000000000270000-0x0000000000301000-memory.dmp

          Filesize

          580KB

        • memory/2592-30-0x0000000000270000-0x0000000000301000-memory.dmp

          Filesize

          580KB

        • memory/2620-36-0x0000000000400000-0x0000000000537000-memory.dmp

          Filesize

          1.2MB

        • memory/2620-80-0x0000000000400000-0x0000000000537000-memory.dmp

          Filesize

          1.2MB

        • memory/2620-54-0x0000000000400000-0x0000000000537000-memory.dmp

          Filesize

          1.2MB

        • memory/2620-56-0x0000000000400000-0x0000000000537000-memory.dmp

          Filesize

          1.2MB

        • memory/2620-57-0x0000000000400000-0x0000000000537000-memory.dmp

          Filesize

          1.2MB

        • memory/2620-49-0x0000000000400000-0x0000000000537000-memory.dmp

          Filesize

          1.2MB

        • memory/2620-50-0x0000000000400000-0x0000000000537000-memory.dmp

          Filesize

          1.2MB

        • memory/2620-35-0x0000000000400000-0x0000000000537000-memory.dmp

          Filesize

          1.2MB

        • memory/2620-208-0x0000000000400000-0x0000000000537000-memory.dmp

          Filesize

          1.2MB

        • memory/2660-76-0x0000000000510000-0x0000000000537000-memory.dmp

          Filesize

          156KB

        • memory/2660-77-0x00000000002B0000-0x00000000002FB000-memory.dmp

          Filesize

          300KB