Analysis
-
max time kernel
298s -
max time network
294s -
platform
windows10-1703_x64 -
resource
win10-20231215-en -
resource tags
-
submitted
05-02-2024 04:53
General
-
Target
66281e09139f827829da257b0976c5bca2db8150b8422da7582bc2c2db33e8ba.exe
-
Size
819KB
-
MD5
aed73fb9a0ebf033d0478fa814e7b8d3
-
SHA1
0058f0b7203c592edf70131b84f6cb1fe784f8a3
-
SHA256
66281e09139f827829da257b0976c5bca2db8150b8422da7582bc2c2db33e8ba
-
SHA512
3a264e0286234e97f5c01816adcd40a408ac66153ce81e4066c22a54f4533a3a34fcb9a3e40db41dee7227ee24a084a89f2b61da9a5cf14ee8b50669ea9ebffb
-
SSDEEP
12288:q2kxn4QFNbM2vZ+UO2Hf55nnVP3xxJSpH136GcAnCPQ8FcNAE2Jr90tPT1td9eY:c/DM28uHZPnG1GAnCPQ2mad9G5tzR
Malware Config
Extracted
djvu
http://habrafa.com/test1/get.php
-
extension
.cdcc
-
offline_id
LBxKKiegnAy53rpqH3Pj2j46vwldiEt9kqHSuMt1
-
payload_url
http://brusuax.com/dl/build2.exe
http://habrafa.com/files/1/build3.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-iVcrVFVRqu Price of private key and decrypt software is $1999. Discount 50% available if you contact us first 72 hours, that's price for you is $999. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0846ASdw
Extracted
vidar
7.6
1b9d7ec5a25ab9d78c31777a0016a097
https://t.me/tvrugrats
https://steamcommunity.com/profiles/76561199627279110
-
profile_id_v2
1b9d7ec5a25ab9d78c31777a0016a097
Signatures
-
Detect Vidar Stealer 5 IoCs
-
Detected Djvu ransomware 17 IoCs
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Downloads MZ/PE file
-
Executes dropped EXE 11 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 7 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\66281e09139f827829da257b0976c5bca2db8150b8422da7582bc2c2db33e8ba.exe"C:\Users\Admin\AppData\Local\Temp\66281e09139f827829da257b0976c5bca2db8150b8422da7582bc2c2db33e8ba.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\66281e09139f827829da257b0976c5bca2db8150b8422da7582bc2c2db33e8ba.exe"C:\Users\Admin\AppData\Local\Temp\66281e09139f827829da257b0976c5bca2db8150b8422da7582bc2c2db33e8ba.exe"2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\6db4e148-dad5-4c15-8d2e-110f118eb099" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
-
C:\Users\Admin\AppData\Local\Temp\66281e09139f827829da257b0976c5bca2db8150b8422da7582bc2c2db33e8ba.exe"C:\Users\Admin\AppData\Local\Temp\66281e09139f827829da257b0976c5bca2db8150b8422da7582bc2c2db33e8ba.exe" --Admin IsNotAutoStart IsNotTask3⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\66281e09139f827829da257b0976c5bca2db8150b8422da7582bc2c2db33e8ba.exe"C:\Users\Admin\AppData\Local\Temp\66281e09139f827829da257b0976c5bca2db8150b8422da7582bc2c2db33e8ba.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\61e5f8b9-8e5f-400d-bf02-d76e81a0aa7b\build2.exe"C:\Users\Admin\AppData\Local\61e5f8b9-8e5f-400d-bf02-d76e81a0aa7b\build2.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\61e5f8b9-8e5f-400d-bf02-d76e81a0aa7b\build2.exe"C:\Users\Admin\AppData\Local\61e5f8b9-8e5f-400d-bf02-d76e81a0aa7b\build2.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 744 -s 19007⤵
- Program crash
-
C:\Users\Admin\AppData\Local\61e5f8b9-8e5f-400d-bf02-d76e81a0aa7b\build3.exe"C:\Users\Admin\AppData\Local\61e5f8b9-8e5f-400d-bf02-d76e81a0aa7b\build3.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\61e5f8b9-8e5f-400d-bf02-d76e81a0aa7b\build3.exe"C:\Users\Admin\AppData\Local\61e5f8b9-8e5f-400d-bf02-d76e81a0aa7b\build3.exe"6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"7⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EAFilesize
1KB
MD5c59708a86e78530488f2356251e775a2
SHA117e33e077261cdd9e54d4e58dfb168f15ee93efb
SHA25671719971666e64a4f767e8f9d0b52e822189c4bfb1fe449a0e7c8066c82813c2
SHA51242afd4d2c791ea8cb239130cf4f4d43da0ec39c63049c56796e082282e2ba2f0cd0fd8934b7de3b359ca433b0609ad159fda6f92168168f2d4517f13fbbb3fbf
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464Filesize
724B
MD58202a1cd02e7d69597995cabbe881a12
SHA18858d9d934b7aa9330ee73de6c476acf19929ff6
SHA25658f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA51297ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EAFilesize
410B
MD589479fb27d4492ef7a565108b8f5de6a
SHA134d3f22983d7b272d4c0c5d7b4fbef4cb0409896
SHA2569ae0d1ae2e0065faeedf8eeee17e9ded2c1428da94d59c0164b871d44ee9d726
SHA512793c5e52c8244b4e597f2a525c8b418ca039e70351e94aca75014460a78659cde6242d67395491e1ac9e0afcf536ad3163f707df57ac8814013c6b4a372faa37
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464Filesize
392B
MD50b8ce1a89cc891f761debfdc2bc4c36c
SHA1f380a1fa323f5a7b3b17c368abd16003977b59bd
SHA256620f30bcbf8cb3fa7c135efa1d9792735a6562fc469ad113988ad356a94c3dad
SHA512bc2c598e989e941c2abbccacc04280ba350ad53dadc7b5890868a778b24ff3feec025b0ddf1664eac9d1f53342a04e3051e19407a892cbaba3dad69219418d9b
-
C:\Users\Admin\AppData\Local\61e5f8b9-8e5f-400d-bf02-d76e81a0aa7b\build2.exeFilesize
43KB
MD557da394b98f6bf36685c8a9201b197f6
SHA18be4abdd205742aaeeca5b6c2ab3c1d137e1dca4
SHA256b033757b76734a89e200a2bc3e149441d7a1632a3dab62183fee6b35034903fe
SHA512734b65d723bd643edaafca7c42ac5114cbbb2513ec401ee4599b79f66bbd0ba50724605837e8cae41ac16db88126fec0be7af8a60d4885ca63f3a955a4180fcb
-
C:\Users\Admin\AppData\Local\61e5f8b9-8e5f-400d-bf02-d76e81a0aa7b\build2.exeFilesize
56KB
MD56ad4e547d19fedee0253c4b9191c7ce8
SHA1181835d8e933801f6758e342ec32b92f66b6277b
SHA25658f7bbff74d3a690692ab0d69b0531cd08e6d02d4c3ae1ed8a166fcdd3f302b0
SHA51213416dd8196581a7ed70f0fa27434d1bf50e06c228ae2da91a880a9ec944e89c1e2c15fa37131373c4770111f8974ad94a7d1da0f453105f2d3482f58d75ad0d
-
C:\Users\Admin\AppData\Local\61e5f8b9-8e5f-400d-bf02-d76e81a0aa7b\build2.exeFilesize
108KB
MD54daf6151afa178f46994ddce3ef2f70e
SHA1d06aee95fe89e6b6d622c5c6667405419331b3a3
SHA2569c7f3acfa7dac69f9cb0f3cb8fa2e1bd9964ce7b390e86c310486c1b3a32631d
SHA51250fb116fd67547779c0ead0a7d97d354a77fc6e3ccf93b38883917b8b54337af32772e3055fb5cd44f48193a41db8f23cea108351caca47917d7ea7cb98c946c
-
C:\Users\Admin\AppData\Local\61e5f8b9-8e5f-400d-bf02-d76e81a0aa7b\build3.exeFilesize
13KB
MD5cb10624e741be8881fbf0ad65ccf9260
SHA11543814f0c60cacabaffef4f198a9cfac127d381
SHA2560a7bab242f40c7c973f3dc1bd9f87004ac8f6321c41b619a0cf4a6cccc7cb7ed
SHA5120e416716797562786b0daa0c3a380f35fe8067608937ca7c4effa2dd26ef1040f98b7b2ed80a7943d7db3253c8358d228f7099be624fa06b94fa8c917044c344
-
C:\Users\Admin\AppData\Local\61e5f8b9-8e5f-400d-bf02-d76e81a0aa7b\build3.exeFilesize
151KB
MD5fcd62da463e32b2d825ef9fa0517fe27
SHA1758d90874a00d2aa21b38b05cd8abf80f79bdde1
SHA256470964af5381f513217621c5181c83b87789e153061e735abd2ddb4cf7fea456
SHA512aa317396d4cdbf8f0b6bcf1ab15aaf2cc627df9a919931fd089939ab892ae2b45a2ffcd1ecad85983f353b0458ad1544c3f2062dd58737092cfec7738ff44df5
-
C:\Users\Admin\AppData\Local\61e5f8b9-8e5f-400d-bf02-d76e81a0aa7b\build3.exeFilesize
64KB
MD5d52ca247162cef8c1a61ccc5f2106ca1
SHA1495f67d1aadcedd3c5561f01a6b16b07eb3d1525
SHA2566bbccc5f41ed45fb4d6cea622c8e1dcb54347ee61b3e738b3f45ec16f7b1de11
SHA512e49674b6e632282e4f2f3df2c761cfdc6ebb7fed0836a667f91e7bebcf315bb2f04d192fa29c2cbcfdc4b0f046c52a05049594b7777594737d8a1aee549cf4a7
-
C:\Users\Admin\AppData\Local\6db4e148-dad5-4c15-8d2e-110f118eb099\66281e09139f827829da257b0976c5bca2db8150b8422da7582bc2c2db33e8ba.exeMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeFilesize
86KB
MD5a753a293678be299ae1c0e41d6d25178
SHA19091ac7e453d9f8a48248b69d559dabb5fc3e18c
SHA2562a3c5f4ad131e02c97911392e45d146e45aaea34ecd2245ca516b5398e62746b
SHA512f711f29ccac436f83c6296fce4e38754177ed0bed1cb57ee67412e90b758dc93bd72428e2bcfec7d66ef05fad5d5105bb128d2c6bf4f276571d5af7ef381dc13
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeFilesize
145KB
MD59e8474cd0dc883be1417b7d9db0941f5
SHA10e029c2c90aa687e3178e1a7a678a182b05a8630
SHA256387d6a8e1c75c93218ed8dfc7f4601640a8f07c6812adedbefaa1b834759e75c
SHA512f2067d5978cff1112d770734fc7df50ac36799fcc388a962c204c3d0e9bb276cf022b48a6d8d168e1336e4caa7b46e5487fe6529471ca178584536d0ab74848e
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeFilesize
2KB
MD5f9aee8d4e92095a85b395f5e0f12740b
SHA1ec5e349ba167f9510922c9dba88dbd483cd431a6
SHA256a78065f63696047664dbd51d0a4851bafc95a887ead06d86b265ff445d968637
SHA5125cdddd9ecf6cf61f01a1d1b19a71606f039e26236f2e03f779775ff9f5ecae3f4dc4c6d236dbb199bcad55f39e705b9027ba024ec75afee463f97e9993580155
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeFilesize
299KB
MD541b883a061c95e9b9cb17d4ca50de770
SHA11daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319
-
memory/220-179-0x0000000000970000-0x0000000000A70000-memory.dmpFilesize
1024KB
-
memory/744-52-0x0000000000400000-0x0000000000643000-memory.dmpFilesize
2.3MB
-
memory/744-66-0x0000000000400000-0x0000000000643000-memory.dmpFilesize
2.3MB
-
memory/744-49-0x0000000000400000-0x0000000000643000-memory.dmpFilesize
2.3MB
-
memory/744-53-0x0000000000400000-0x0000000000643000-memory.dmpFilesize
2.3MB
-
memory/840-37-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/840-36-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/840-23-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/840-24-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/840-34-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/840-38-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/840-30-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/840-22-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/840-29-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/840-63-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/988-2-0x0000000002250000-0x000000000236B000-memory.dmpFilesize
1.1MB
-
memory/988-1-0x00000000020F0000-0x000000000218F000-memory.dmpFilesize
636KB
-
memory/1180-111-0x0000000000470000-0x000000000051E000-memory.dmpFilesize
696KB
-
memory/1764-20-0x00000000021F0000-0x0000000002291000-memory.dmpFilesize
644KB
-
memory/2284-77-0x0000000000A30000-0x0000000000A34000-memory.dmpFilesize
16KB
-
memory/2284-76-0x0000000000A40000-0x0000000000B40000-memory.dmpFilesize
1024KB
-
memory/2736-105-0x00000000009B0000-0x0000000000AB0000-memory.dmpFilesize
1024KB
-
memory/4212-3-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/4212-5-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/4212-6-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/4212-4-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/4212-17-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/4632-80-0x0000000000400000-0x0000000000406000-memory.dmpFilesize
24KB
-
memory/4632-75-0x0000000000400000-0x0000000000406000-memory.dmpFilesize
24KB
-
memory/4632-83-0x0000000000410000-0x00000000004D5000-memory.dmpFilesize
788KB
-
memory/4632-81-0x0000000000400000-0x0000000000406000-memory.dmpFilesize
24KB
-
memory/4648-47-0x00000000004C0000-0x00000000005C0000-memory.dmpFilesize
1024KB
-
memory/4648-48-0x00000000007E0000-0x0000000000810000-memory.dmpFilesize
192KB
-
memory/4932-142-0x00000000009D0000-0x0000000000AD0000-memory.dmpFilesize
1024KB