Analysis
-
max time kernel
296s -
max time network
298s -
platform
windows10-1703_x64 -
resource
win10-20240221-en -
resource tags
-
submitted
06/03/2024, 04:50
General
-
Target
41829aa6bf99f391c6f11c6713f93a45b71aeec09a38c8a34cb31fa2acab595a.exe
-
Size
758KB
-
MD5
7ca5059361472925999d587e48f3d882
-
SHA1
4f6773d6e6ee16e6bcab8c3bacc38a3099f0995a
-
SHA256
41829aa6bf99f391c6f11c6713f93a45b71aeec09a38c8a34cb31fa2acab595a
-
SHA512
ea10b262d125d5dc9c837dbb910897157a49fc1488605e66c1bc73f4545aa26e133702b9dd6cdf6ab0a211b3cd9b004b19aa12ca448e5a236330819b4cbf949a
-
SSDEEP
12288:LKEwtE96Il33pXB0J04YheY4MH9v7vmgFc5LhKyjrcakNS6zqt0hVK:LKpy96IFBB0JAsHMH9vFcznrcaqhzqW
Malware Config
Extracted
djvu
http://sajdfue.com/test1/get.php
-
extension
.wisz
-
offline_id
4p0Nzrg1q0ND5of5Gtp2UBjthSXuE8VxnMrd4vt1
-
payload_url
http://sdfjhuz.com/dl/build2.exe
http://sajdfue.com/files/1/build3.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://wetransfer.com/downloads/a832401adcd58098c699f768ffea4f1720240305114308/7e601a Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0853PsawqS
Extracted
vidar
8.1
e2da5861d01d391b927839bbec00e666
https://steamcommunity.com/profiles/76561199649267298
https://t.me/uprizin
-
profile_id_v2
e2da5861d01d391b927839bbec00e666
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36 OPR/96.0.0.0
Signatures
-
Detect Vidar Stealer 5 IoCs
-
Detected Djvu ransomware 16 IoCs
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of WriteProcessMemory 39 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\41829aa6bf99f391c6f11c6713f93a45b71aeec09a38c8a34cb31fa2acab595a.exe"C:\Users\Admin\AppData\Local\Temp\41829aa6bf99f391c6f11c6713f93a45b71aeec09a38c8a34cb31fa2acab595a.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\41829aa6bf99f391c6f11c6713f93a45b71aeec09a38c8a34cb31fa2acab595a.exe"C:\Users\Admin\AppData\Local\Temp\41829aa6bf99f391c6f11c6713f93a45b71aeec09a38c8a34cb31fa2acab595a.exe"2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\106f2736-e73a-468d-9bab-fda73f48e633" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
-
-
C:\Users\Admin\AppData\Local\Temp\41829aa6bf99f391c6f11c6713f93a45b71aeec09a38c8a34cb31fa2acab595a.exe"C:\Users\Admin\AppData\Local\Temp\41829aa6bf99f391c6f11c6713f93a45b71aeec09a38c8a34cb31fa2acab595a.exe" --Admin IsNotAutoStart IsNotTask3⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\41829aa6bf99f391c6f11c6713f93a45b71aeec09a38c8a34cb31fa2acab595a.exe"C:\Users\Admin\AppData\Local\Temp\41829aa6bf99f391c6f11c6713f93a45b71aeec09a38c8a34cb31fa2acab595a.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\b5c43924-269b-4770-b552-d920282b4da9\build2.exe"C:\Users\Admin\AppData\Local\b5c43924-269b-4770-b552-d920282b4da9\build2.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\b5c43924-269b-4770-b552-d920282b4da9\build2.exe"C:\Users\Admin\AppData\Local\b5c43924-269b-4770-b552-d920282b4da9\build2.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4948 -s 7687⤵
- Program crash
-
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD51cfc0a1560c8a6b64e4cdc5c2f8477c6
SHA10ce75dede00bf389dcd14b4c82f2c0b6f9edb2a3
SHA2561aff5542b26102a183b6f0922d1cb3c3b07a32da9f7caf861fb1c0872ea037de
SHA51206ec8042bb4d1de870c19f958d576689cf0fac592211d2cf08a7f09065e615e79b6e2d17e4f5832919c5b57b9ee507500bf415d3747b775f0d8388eb5da7aaf1
-
Filesize
724B
MD58202a1cd02e7d69597995cabbe881a12
SHA18858d9d934b7aa9330ee73de6c476acf19929ff6
SHA25658f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA51297ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9
-
Filesize
410B
MD50dc8708d1b10f0454d3f58117825b5de
SHA1154ce207dc7a83b2ff58f2553da6beaecb071d9e
SHA256acc9dd68bcbdaadf18b3db9299b585f3d68e8b7b126221bdec3f310a6aef6e69
SHA512dd804290b38cbc15e07eb82b22538a736bc0212e79b4b4c33c22ec1458f97444374992626bba2a3bc02cd9be0568f099018aa869f18fc198285559398a147145
-
Filesize
392B
MD5d2049aeff577fd9efd8f58aeeae55f4d
SHA1fd5fc1f14f06e2ab31a1e996cb14ec3878525ac9
SHA2562a6e48b1e08bd62cea41e42915b02a05c0b15ec0ba17e35d7ddd76001d2a550f
SHA512991f015a5ed033ea9826b2295886498c587053cb7787d900208d1d8ff8e8d68c49d4768caa686dd1db8d4eebf9c0ad14b2876b1cfda8385d41fe778a1b11e81f
-
Filesize
758KB
MD57ca5059361472925999d587e48f3d882
SHA14f6773d6e6ee16e6bcab8c3bacc38a3099f0995a
SHA25641829aa6bf99f391c6f11c6713f93a45b71aeec09a38c8a34cb31fa2acab595a
SHA512ea10b262d125d5dc9c837dbb910897157a49fc1488605e66c1bc73f4545aa26e133702b9dd6cdf6ab0a211b3cd9b004b19aa12ca448e5a236330819b4cbf949a
-
Filesize
219KB
MD5d37b17fc3b9162060a60cd9c9f5f7e2c
SHA15bcd761db5662cebdb06f372d8cb731a9b98d1c5
SHA25636826a94f7aabd1f0d71abc6850e64a499768bd30cab361e8724d546e495e35f
SHA51204b0fcc597afba17b8be46eacee58c7e8d38c7efa9247ab5b3cbf1ae3ed8dc2e6e909b7dab28b2a41f08fb37e950abb6ca97553adf0e20335c6864d942bef6ea
-
Filesize
1KB
MD5106dc121df377c0e9ce1da2a34903c2b
SHA1adc752099c7940108974193f32d53e871cae30c8
SHA256ee2a8bc950324dd2b44c157097c8d657a74d3e9b5518076ca0ef6e8b1c0f2657
SHA512803838c35c6d800114d76de7e26549a18dd605cbf246aa9d4ae1332c0e1ce6cb6ac16944c97bbcfdf97a207f0f7bdec34aadc67169b8e5e03ca8ec544300ee68
-
Filesize
628KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
200KB
-
Filesize
1024KB
-
Filesize
1.1MB
-
Filesize
604KB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB