Overview

overview

10

Static

static

3

winprofile

windows7-x64

10

winprofile

windows10-1703-x64

10

Analysis

  • max time kernel
    299s
  • max time network
    300s
  • platform
    windows10-1703_x64
  • resource
    win10-20231215-en
  • resource tags

    arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
  • submitted
    01-02-2024 04:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exe

  • Size

    744KB

  • MD5

    216eb4859117883f2cc50d593eae48b0

  • SHA1

    b5ae357143d8b21b6918a7862a66aa2e5cebb6a6

  • SHA256

    62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857

  • SHA512

    993b2b1d883697a0b32f29a552efd02f123e5077669ced4064f4f30e9207684ed5e6b2e99bf68ca9a349e21efaccacd584027eb1477f31efc0ab428257dda864

  • SSDEEP

    12288:MBWA0M3AbdrJNvAJ7rc9aqxC+JouNaEpqWwAHfU4X74uLiiFrhjPaFTbfL:VMu5JNvIckqxCjuN7ppM4r4I3xmvf

Score
10/10
djvuvidar1b9d7ec5a25ab9d78c31777a0016a097discoverypersistenceransomwarestealer

Malware Config

Extracted

Family

djvu

C2

http://habrafa.com/test1/get.php

Attributes
  • extension

    .cdpo

  • offline_id

    Bn3q97hwLouKbhkQRNO4SeV07gjdEQVm8NKhg0t1

  • payload_url

    http://brusuax.com/dl/build2.exe

    http://habrafa.com/files/1/build3.exe

  • ransomnote

    ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-FCWSCsjEWS Price of private key and decrypt software is $1999. Discount 50% available if you contact us first 72 hours, that's price for you is $999. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0844OSkw

rsa_pubkey.plain

Extracted

Family

vidar

Version

7.6

Botnet

1b9d7ec5a25ab9d78c31777a0016a097

C2

https://t.me/tvrugrats

https://steamcommunity.com/profiles/76561199627279110
Attributes
  • profile_id_v2

    1b9d7ec5a25ab9d78c31777a0016a097

Signatures

  • Detect Vidar Stealer 6 IoCs
    stealer
  • Detected Djvu ransomware 16 IoCs
  • Djvu Ransomware

    Ransomware which is a variant of the STOP family.

    ransomwaredjvu
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Downloads MZ/PE file
  • Executes dropped EXE 13 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exe
    "C:\Users\Admin\AppData\Local\Temp\62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2980
    • C:\Users\Admin\AppData\Local\Temp\62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exe
      "C:\Users\Admin\AppData\Local\Temp\62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3656
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Users\Admin\AppData\Local\738dce87-d53d-4e03-8f0c-248710c50c6b" /deny *S-1-1-0:(OI)(CI)(DE,DC)
        3⤵
        • Modifies file permissions
        PID:1828
      • C:\Users\Admin\AppData\Local\Temp\62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exe
        "C:\Users\Admin\AppData\Local\Temp\62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exe" --Admin IsNotAutoStart IsNotTask
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4228
        • C:\Users\Admin\AppData\Local\Temp\62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exe
          "C:\Users\Admin\AppData\Local\Temp\62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exe" --Admin IsNotAutoStart IsNotTask
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:704
          • C:\Users\Admin\AppData\Local\24e02579-537c-4708-835d-4d1374d7fd03\build2.exe
            "C:\Users\Admin\AppData\Local\24e02579-537c-4708-835d-4d1374d7fd03\build2.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:2988
            • C:\Users\Admin\AppData\Local\24e02579-537c-4708-835d-4d1374d7fd03\build2.exe
              "C:\Users\Admin\AppData\Local\24e02579-537c-4708-835d-4d1374d7fd03\build2.exe"
              6⤵
              • Executes dropped EXE
              PID:2868
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 1852
                7⤵
                • Program crash
                PID:888
          • C:\Users\Admin\AppData\Local\24e02579-537c-4708-835d-4d1374d7fd03\build3.exe
            "C:\Users\Admin\AppData\Local\24e02579-537c-4708-835d-4d1374d7fd03\build3.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:4496
            • C:\Users\Admin\AppData\Local\24e02579-537c-4708-835d-4d1374d7fd03\build3.exe
              "C:\Users\Admin\AppData\Local\24e02579-537c-4708-835d-4d1374d7fd03\build3.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:3324
              • C:\Windows\SysWOW64\schtasks.exe
                /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
                7⤵
                • Creates scheduled task(s)
                PID:1160
  • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1908
    • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4644
      • C:\Windows\SysWOW64\schtasks.exe
        /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
        3⤵
        • Creates scheduled task(s)
        PID:2872
  • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    PID:4100
    • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
      2⤵
      • Executes dropped EXE
      PID:4916
  • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    PID:4864
    • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
      2⤵
      • Executes dropped EXE
      PID:2124
  • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    PID:3056
    • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
      2⤵
      • Executes dropped EXE
      PID:3848
  • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    1⤵
    • Executes dropped EXE
    PID:4884

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
    Filesize

    1KB

    MD5

    8112ab2a9d7578692e66734917d00015

    SHA1

    5dc1f7cb2c66c925d195fb98784917d108a001dd

    SHA256

    919561b1927726f5218e79f21184c4bf7117db4466686fc93d3d5dbc1380033b

    SHA512

    538f1f36b44d628d2ade163cc40deb58b50cb7fbd56019d9526c8233c30771db8542ed5786d311322dfd2e9d44e979da9513c4a0bbc7416b47bb7beca90013d1

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
    Filesize

    724B

    MD5

    8202a1cd02e7d69597995cabbe881a12

    SHA1

    8858d9d934b7aa9330ee73de6c476acf19929ff6

    SHA256

    58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

    SHA512

    97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
    Filesize

    410B

    MD5

    611fb885a24860333e16f21317b85b9b

    SHA1

    fc480fe88cf071a52f47633c69d66cebb2cb622d

    SHA256

    0ecd373d31def25b13fe93424977c0c8fbc51ddc490b5e2bbdff7f52870bb419

    SHA512

    1357115c362820d1e378ae7783874729eb31ee76b8696a4d242ae210acd8d3cb88d53e3758bf216e1407e886bd63875b4b234171e27e921c2c7bab6bc138dd38

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
    Filesize

    392B

    MD5

    2e4af05ca2899b7ddda12ee9c3a0d97c

    SHA1

    f1f042b0545579d9b9e2eebdf0b9e973ee9041f0

    SHA256

    9057ad0334290473a45bd0c8b6454b3d22fcbbfcd9cda34aff775ac4b1c17193

    SHA512

    7cc7caca0c579076009f651e8d51e4a610d4678a9900fb0ebbd43aa13036a01ee61de6c8cc465d3d611c9473a00ad1e9a9476be0216f78d0fd02fe583e2c1654

    Download Submit
  • C:\Users\Admin\AppData\Local\24e02579-537c-4708-835d-4d1374d7fd03\build2.exe
    Filesize

    384KB

    MD5

    a2a8142ded2595cdc7ccb435d32ecbb8

    SHA1

    7d45a9e6b02b665d946de55fe6b2b4f321068cb8

    SHA256

    d27beeded9c2f4204fe1334a6f4336b5f379c4811b9ad9311db3eaca0049d0c9

    SHA512

    ae298a1c232ac065c7ed55ea974d80b19b812159a2aac7c8d39c038bd3bdf84bc8a8546e46b01c33844600880ce7fe6b9942fd8ed23ba7b799f5da8878acc0ed

    Download Submit
  • C:\Users\Admin\AppData\Local\24e02579-537c-4708-835d-4d1374d7fd03\build2.exe
    Filesize

    271KB

    MD5

    06c73028c4782c8ece4fb6c30fd42d76

    SHA1

    7e05f3f170977622b8f9750679c5f03d926b084c

    SHA256

    d473e079bae74c2a45487081ba044f063aae168994b1482ad20e5a1416012130

    SHA512

    c54645b9e98f9e8074d09e15f497f0ab8acef97eef43e0d79b2e438bc0aa42af16d0f311bbd288e2f519f14b120919500c44b8021a62b39eb92b3f86ad4a91eb

    Download Submit
  • C:\Users\Admin\AppData\Local\24e02579-537c-4708-835d-4d1374d7fd03\build2.exe
    Filesize

    385KB

    MD5

    63e4a9cd7a8b37335b5f18cefc5dd9d2

    SHA1

    c781a30935afc452b108cc78724b60f389b78874

    SHA256

    c1e75efde3fd1da605135e5c3ffab0073299c80632d136f8eeba9d4a7c98c70f

    SHA512

    3818b5966938704c5830acb5426db7791f6ae476853248d8984b1aff35a6722a0684bea54a53ef6ded1f301f6de9ed044d45f007457a9c0f3a7ea3afc7bf0ecc

    Download Submit
  • C:\Users\Admin\AppData\Local\24e02579-537c-4708-835d-4d1374d7fd03\build3.exe
    Filesize

    299KB

    MD5

    41b883a061c95e9b9cb17d4ca50de770

    SHA1

    1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad

    SHA256

    fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408

    SHA512

    cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

    Download Submit
  • C:\Users\Admin\AppData\Local\738dce87-d53d-4e03-8f0c-248710c50c6b\62916f8f4ede695e5a8001f4477d72750b4f61846c595ff04fc832acc5118857.exe
    Filesize

    333KB

    MD5

    bb3e41113b9ee6785dc9da97c207d1bd

    SHA1

    c238ae90f9cf44bd672aff7ce95fadd72cfcabfd

    SHA256

    bf92d4b689d86a72c4ef78706efc8ef28456aaf0d2c6f2846f989eb7da1b0fc1

    SHA512

    2108cceb6474cf80e72a97f92fa05652460f4d45744924fcad2c849878c3898f5d0733e5450551662934a13b920fc0a3560697f5b693ee32a7f6f8e1e07e9b14

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    Filesize

    67KB

    MD5

    cc80ac56ee4e7cbb8a7c8b930e07d39c

    SHA1

    0ed2f214ab6b4f9317386c3aa8ccd8357bef1c47

    SHA256

    3a51968cdebd3b6be0e534e191d9f3254ac488e66856c3accc3620236f896113

    SHA512

    a8ca5f2fa029eb43433c9c9afbdae43fd84f634b38e595c5afe650a33adb8701266b165f4d186ebc8c815424d0674cf2a4a9dbb890cec6d7548d053b69fef871

    Download Submit
  • memory/704-24-0x0000000000400000-0x0000000000537000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/704-53-0x0000000000400000-0x0000000000537000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/704-22-0x0000000000400000-0x0000000000537000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/704-23-0x0000000000400000-0x0000000000537000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/704-63-0x0000000000400000-0x0000000000537000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/704-29-0x0000000000400000-0x0000000000537000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/704-30-0x0000000000400000-0x0000000000537000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/704-36-0x0000000000400000-0x0000000000537000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/704-37-0x0000000000400000-0x0000000000537000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/704-34-0x0000000000400000-0x0000000000537000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/1908-98-0x0000000000AD0000-0x0000000000BD0000-memory.dmp
    Filesize

    1024KB

    Download
  • memory/2868-46-0x0000000000400000-0x0000000000643000-memory.dmp
    Filesize

    2.3MB

    Download
  • memory/2868-66-0x0000000000400000-0x0000000000643000-memory.dmp
    Filesize

    2.3MB

    Download
  • memory/2868-51-0x0000000000400000-0x0000000000643000-memory.dmp
    Filesize

    2.3MB

    Download
  • memory/2868-52-0x0000000000400000-0x0000000000643000-memory.dmp
    Filesize

    2.3MB

    Download
  • memory/2980-1-0x0000000002220000-0x00000000022B3000-memory.dmp
    Filesize

    588KB

    Download
  • memory/2980-3-0x00000000022C0000-0x00000000023DB000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/2988-50-0x00000000006D0000-0x0000000000700000-memory.dmp
    Filesize

    192KB

    Download
  • memory/2988-49-0x0000000000760000-0x0000000000860000-memory.dmp
    Filesize

    1024KB

    Download
  • memory/3056-178-0x0000000000A70000-0x0000000000B70000-memory.dmp
    Filesize

    1024KB

    Download
  • memory/3324-77-0x0000000000400000-0x0000000000406000-memory.dmp
    Filesize

    24KB

    Download
  • memory/3324-78-0x0000000000410000-0x00000000004D5000-memory.dmp
    Filesize

    788KB

    Download
  • memory/3324-75-0x0000000000400000-0x0000000000406000-memory.dmp
    Filesize

    24KB

    Download
  • memory/3324-70-0x0000000000400000-0x0000000000406000-memory.dmp
    Filesize

    24KB

    Download
  • memory/3656-2-0x0000000000400000-0x0000000000537000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/3656-17-0x0000000000400000-0x0000000000537000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/3656-6-0x0000000000400000-0x0000000000537000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/3656-4-0x0000000000400000-0x0000000000537000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/3656-5-0x0000000000400000-0x0000000000537000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/4100-123-0x0000000000AC0000-0x0000000000BC0000-memory.dmp
    Filesize

    1024KB

    Download
  • memory/4228-21-0x0000000001FD0000-0x0000000002062000-memory.dmp
    Filesize

    584KB

    Download
  • memory/4496-71-0x0000000000B20000-0x0000000000C20000-memory.dmp
    Filesize

    1024KB

    Download
  • memory/4496-73-0x0000000000920000-0x0000000000924000-memory.dmp
    Filesize

    16KB

    Download
  • memory/4864-151-0x0000000000800000-0x0000000000900000-memory.dmp
    Filesize

    1024KB

    Download