Analysis
max time kernel: 297s
max time network: 300s
platform: windows10-1703_x64
resource: win10-20231215-en
resource tags: arch:x64, arch:x86, image:win10-20231215-en, locale:en-us, os:windows10-1703-x64, system
submitted: 15/01/2024, 05:00
Static task: static1
Behavioral task: behavioral1
  Sample: fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe
  Resource: win10-20231215-en
General
Target: fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe
Size: 832KB
MD5: 7e0c3507ccd7fa02823e5158f26b9fea
SHA1: 308ce97fd7585c6623346a5c5623c5b441f79b62
SHA256: fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581
SHA512: 80f90eb5451c0d79f13d7db44683bcb349b0daa604b8ee280833d84acd1f99e3b17dde3ff68617c48fe2032040bba2fefff0e3c69b540542fc9600da7d3f894c
SSDEEP: 12288:zBOvaA3lBcw8byxsNCESC58EFt7laSdyf6jiwGbF8lpKeAJMOib4MJ:QH36vAS53lh0yjitJ3eAJ/iMO
Malware Config
Extracted: djvu
http://zexeq.com/test1/get.php
extension: .cdwe
offline_id: dSwr1XNNi5cIitB5eDPbMANcusB1dWGDB8ToUnt1
payload_url:
  http://brusuax.com/dl/build2.exe
  http://zexeq.com/files/1/build3.exe
ransomnote:
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-e21iz7dS58 Price of private key and decrypt software is $1999. Discount 50% available if you contact us first 72 hours, that's price for you is $999. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0842ASdw
Signatures
-
Detect Vidar Stealer 5 IoCs
-
Detected Djvu ransomware 16 IoCs
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
PID 3856: build2.exe
PID 2988: build2.exe
-
Modifies file permissions 1 TTPs 1 IoCs
PID 4744: icacls.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Set value (str): \REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\df201177-d6f1-403d-82c6-f32c0a856607\\fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe\" --AutoStart" (process: fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe)
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow 1: api.2ip.ua
flow 2: api.2ip.ua
flow 9: api.2ip.ua
-
Suspicious use of SetThreadContext 3 IoCs
PID 2980 set thread context of 3656 (process: fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe, procid_target 16)
PID 3540 set thread context of 2956 (process: fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe, procid_target 35)
PID 3856 set thread context of 2988 (process: build2.exe, procid_target 78)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
PID 3676 (WerFault.exe), pid_target 2988, procid_target 78
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
PID 3656: fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe
PID 3656: fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe
PID 2956: fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe
PID 2956: fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe
-
Suspicious use of WriteProcessMemory 39 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 2980
    C:\Users\Admin\AppData\Local\Temp\fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe"
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID: 3656
        C:\Users\Admin\AppData\Local\Temp\fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe" --Admin IsNotAutoStart IsNotTask
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
          PID: 3540
        C:\Windows\SysWOW64\icacls.exe
          Command line: icacls "C:\Users\Admin\AppData\Local\df201177-d6f1-403d-82c6-f32c0a856607" /deny *S-1-1-0:(OI)(CI)(DE,DC)
          - Modifies file permissions
          PID: 4744

C:\Users\Admin\AppData\Local\Temp\fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe" --Admin IsNotAutoStart IsNotTask
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2956
    C:\Users\Admin\AppData\Local\27ab44ae-40f5-4f60-bf99-3ac58bc09a89\build2.exe
      Command line: "C:\Users\Admin\AppData\Local\27ab44ae-40f5-4f60-bf99-3ac58bc09a89\build2.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      PID: 3856

C:\Users\Admin\AppData\Local\27ab44ae-40f5-4f60-bf99-3ac58bc09a89\build2.exe
  Command line: "C:\Users\Admin\AppData\Local\27ab44ae-40f5-4f60-bf99-3ac58bc09a89\build2.exe"
  - Executes dropped EXE
  PID: 2988
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 2040
      - Program crash
      PID: 3676
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize: 1KB
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize: 724B
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize: 410B
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize: 392B
-
C:\Users\Admin\AppData\Local\df201177-d6f1-403d-82c6-f32c0a856607\fadf10b3ec4fd1bdc37866d4c5d2a9816d2a7541bc213ed0a123cb427ddbd581.exe
Filesize: 115KB