Overview

overview

10

Static

static

3

cryptolaemus

windows10-2004-x64

10

cryptolaemus

windows11-21h2-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240221-en
  • resource tags

    arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    28-03-2024 13:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2f1423236641c619b68a50afe9444c09d97a5a3dd8523b9d636f436a46aab0a8.exe

  • Size

    758KB

  • MD5

    1fa9ad2e8e78a5cf27426d029449273f

  • SHA1

    255b6aa9e61304b8b15fecbf3df63c25699dd895

  • SHA256

    2f1423236641c619b68a50afe9444c09d97a5a3dd8523b9d636f436a46aab0a8

  • SHA512

    52b7462f29e61a8350ffb24d83fc222640792ab4558de86c35fe1486ceb9c2b88b42463a074ce285ff5a5de562b93530a1bcd39791d3b7e223758aaa5ee31c95

  • SSDEEP

    12288:53Q5t1+qoYYwwWcyAlK2YDgk3bLyD+AisxpEKYFu5JgEJ/Rb9c7PS3AkY7Foa7OL:5E+jMolZYDgab+3xiKYF+Jpbi7P0AkY5

Score
10/10
djvuvidar5739ef2bbcd39fcd59c5746bfe4238c5discoverypersistenceransomwarestealer

Malware Config

Extracted

Family

djvu

C2

http://sajdfue.com/test1/get.php

Attributes
  • extension

    .vook

  • offline_id

    1eSPzWRaNslCgtjBZfL5pzvovoiaVI4IZSnvAwt1

  • payload_url

    http://sdfjhuz.com/dl/build2.exe

    http://sajdfue.com/files/1/build3.exe

  • ransomnote

    ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://wetransfer.com/downloads/3ed7a617738550b0a00c5aa231c0752020240316170955/d71ce1 Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@freshingmail.top Reserve e-mail address to contact us: datarestorehelpyou@airmail.cc Your personal ID: 0857PsawqS

rsa_pubkey.plain

Extracted

Family

vidar

Version

8.6

Botnet

5739ef2bbcd39fcd59c5746bfe4238c5

C2

https://steamcommunity.com/profiles/76561199658817715

https://t.me/sa9ok
Attributes
  • profile_id_v2

    5739ef2bbcd39fcd59c5746bfe4238c5

  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36

Signatures

  • Detect Vidar Stealer 5 IoCs
    stealer
  • Detected Djvu ransomware 18 IoCs
  • Djvu Ransomware

    Ransomware which is a variant of the STOP family.

    ransomwaredjvu
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Downloads MZ/PE file
  • Executes dropped EXE 10 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2f1423236641c619b68a50afe9444c09d97a5a3dd8523b9d636f436a46aab0a8.exe
    "C:\Users\Admin\AppData\Local\Temp\2f1423236641c619b68a50afe9444c09d97a5a3dd8523b9d636f436a46aab0a8.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3532
    • C:\Users\Admin\AppData\Local\Temp\2f1423236641c619b68a50afe9444c09d97a5a3dd8523b9d636f436a46aab0a8.exe
      "C:\Users\Admin\AppData\Local\Temp\2f1423236641c619b68a50afe9444c09d97a5a3dd8523b9d636f436a46aab0a8.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1176
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Users\Admin\AppData\Local\70cea582-393c-454c-baa8-d207d5f9c158" /deny *S-1-1-0:(OI)(CI)(DE,DC)
        3⤵
        • Modifies file permissions
        PID:5052
      • C:\Users\Admin\AppData\Local\Temp\2f1423236641c619b68a50afe9444c09d97a5a3dd8523b9d636f436a46aab0a8.exe
        "C:\Users\Admin\AppData\Local\Temp\2f1423236641c619b68a50afe9444c09d97a5a3dd8523b9d636f436a46aab0a8.exe" --Admin IsNotAutoStart IsNotTask
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2696
        • C:\Users\Admin\AppData\Local\Temp\2f1423236641c619b68a50afe9444c09d97a5a3dd8523b9d636f436a46aab0a8.exe
          "C:\Users\Admin\AppData\Local\Temp\2f1423236641c619b68a50afe9444c09d97a5a3dd8523b9d636f436a46aab0a8.exe" --Admin IsNotAutoStart IsNotTask
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:4200
          • C:\Users\Admin\AppData\Local\05eb17f8-657c-4639-b9af-0ce23dc8c408\build2.exe
            "C:\Users\Admin\AppData\Local\05eb17f8-657c-4639-b9af-0ce23dc8c408\build2.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:5028
            • C:\Users\Admin\AppData\Local\05eb17f8-657c-4639-b9af-0ce23dc8c408\build2.exe
              "C:\Users\Admin\AppData\Local\05eb17f8-657c-4639-b9af-0ce23dc8c408\build2.exe"
              6⤵
              • Executes dropped EXE
              PID:3140
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 3140 -s 2248
                7⤵
                • Program crash
                PID:1228
          • C:\Users\Admin\AppData\Local\05eb17f8-657c-4639-b9af-0ce23dc8c408\build3.exe
            "C:\Users\Admin\AppData\Local\05eb17f8-657c-4639-b9af-0ce23dc8c408\build3.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:3696
            • C:\Users\Admin\AppData\Local\05eb17f8-657c-4639-b9af-0ce23dc8c408\build3.exe
              "C:\Users\Admin\AppData\Local\05eb17f8-657c-4639-b9af-0ce23dc8c408\build3.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:1892
              • C:\Windows\SysWOW64\schtasks.exe
                /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
                7⤵
                • Creates scheduled task(s)
                PID:4876
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3140 -ip 3140
    1⤵
      PID:1924
    • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:3636
      • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4476
        • C:\Windows\SysWOW64\schtasks.exe
          /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
          3⤵
          • Creates scheduled task(s)
          PID:3964
    • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      PID:3544
      • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
        2⤵
        • Executes dropped EXE
        PID:3376
    • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      PID:1760
      • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
        2⤵
        • Executes dropped EXE
        PID:3596

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Scheduled Task/Job

    1
    T1053

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Scheduled Task/Job

    1
    T1053

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Scheduled Task/Job

    1
    T1053

    Defense Evasion

    File and Directory Permissions Modification

    1
    T1222

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
      Filesize

      1KB

      MD5

      f213915edaae28d50459918c3bb1de6d

      SHA1

      55c71f771f67ca04df6876eebc30453b328352fc

      SHA256

      e226380b93bacad0e4cb95ecb5369941396f49c3bd6c869367a2b840def41ee9

      SHA512

      1dd92cafe3c45c7739aaa3ede9868597f6a689bc221d18f69d7676f8f2323ced160a22e1df661413465544afe9620f34606078dcc6baf83125d912c768bd1303

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
      Filesize

      724B

      MD5

      8202a1cd02e7d69597995cabbe881a12

      SHA1

      8858d9d934b7aa9330ee73de6c476acf19929ff6

      SHA256

      58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

      SHA512

      97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
      Filesize

      410B

      MD5

      725e59a45068479b418de18b8dd1db5b

      SHA1

      1c895aae90be7590bac2ae8900ab0b663337d347

      SHA256

      f27eba966609d8f8789d6c7e4a13c2c0370b8da13eb8662c32cfdc536326cc0e

      SHA512

      7e05b0aa083153954b12060517b18b248d546b233f44ba43f7f32a41b075f114677b84c0ee834f9aff7759b26be13f3764aa468f47c4931e8e43930b297d24d4

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
      Filesize

      392B

      MD5

      56a35332f12d7c38d991d2d0a01064ab

      SHA1

      8fa9b3be17f0f46931c4f7ac011f689c9c085787

      SHA256

      5f2b4c6a0ec9b016c81ff8a5dcef04dea428e9b62e13b525efa54f6f298eef4a

      SHA512

      4d113b57d6b702f05005b19e2afa13638e6c1a1faaa1f15b26cf8bb7e2dcd171f07ea1401b29cd9550c69c8730db6c534e69805a28eb1837b26b2aebd0995600

      Download Submit
    • C:\Users\Admin\AppData\Local\05eb17f8-657c-4639-b9af-0ce23dc8c408\build2.exe
      Filesize

      277KB

      MD5

      8dae8b6a6be6e3527183594d1c26a2d3

      SHA1

      b87e40cee60869a36e79c88c8a3a34baf0bc4889

      SHA256

      afce72cd3bc717c784962083066e3ede2b0aaadbe0908ec7360096c923774fa5

      SHA512

      0bf065700db647efba39a13a58242a595907e6c11885575cf0bdad9e23ab40583c8a6535464e46d75d075e20d88b7a6305a761df9da787fdc8728483dd48f96e

      Download Submit
    • C:\Users\Admin\AppData\Local\05eb17f8-657c-4639-b9af-0ce23dc8c408\build3.exe
      Filesize

      299KB

      MD5

      41b883a061c95e9b9cb17d4ca50de770

      SHA1

      1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad

      SHA256

      fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408

      SHA512

      cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

      Download Submit
    • C:\Users\Admin\AppData\Local\70cea582-393c-454c-baa8-d207d5f9c158\2f1423236641c619b68a50afe9444c09d97a5a3dd8523b9d636f436a46aab0a8.exe
      Filesize

      758KB

      MD5

      1fa9ad2e8e78a5cf27426d029449273f

      SHA1

      255b6aa9e61304b8b15fecbf3df63c25699dd895

      SHA256

      2f1423236641c619b68a50afe9444c09d97a5a3dd8523b9d636f436a46aab0a8

      SHA512

      52b7462f29e61a8350ffb24d83fc222640792ab4558de86c35fe1486ceb9c2b88b42463a074ce285ff5a5de562b93530a1bcd39791d3b7e223758aaa5ee31c95

      Download Submit
    • memory/1176-5-0x0000000000400000-0x0000000000537000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/1176-17-0x0000000000400000-0x0000000000537000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/1176-3-0x0000000000400000-0x0000000000537000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/1176-4-0x0000000000400000-0x0000000000537000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/1176-6-0x0000000000400000-0x0000000000537000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/1760-136-0x0000000000A80000-0x0000000000B80000-memory.dmp
      Filesize

      1024KB

      Download
    • memory/1892-87-0x0000000000410000-0x0000000000413000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1892-85-0x0000000000400000-0x0000000000406000-memory.dmp
      Filesize

      24KB

      Download
    • memory/1892-84-0x0000000000400000-0x0000000000406000-memory.dmp
      Filesize

      24KB

      Download
    • memory/1892-79-0x0000000000400000-0x0000000000406000-memory.dmp
      Filesize

      24KB

      Download
    • memory/2696-20-0x00000000027E0000-0x0000000002877000-memory.dmp
      Filesize

      604KB

      Download
    • memory/3140-49-0x0000000000400000-0x0000000000644000-memory.dmp
      Filesize

      2.3MB

      Download
    • memory/3140-55-0x0000000000400000-0x0000000000644000-memory.dmp
      Filesize

      2.3MB

      Download
    • memory/3140-54-0x0000000000400000-0x0000000000644000-memory.dmp
      Filesize

      2.3MB

      Download
    • memory/3140-76-0x0000000000400000-0x0000000000644000-memory.dmp
      Filesize

      2.3MB

      Download
    • memory/3532-1-0x00000000029F0000-0x0000000002A8F000-memory.dmp
      Filesize

      636KB

      Download
    • memory/3532-2-0x0000000002B20000-0x0000000002C3B000-memory.dmp
      Filesize

      1.1MB

      Download
    • memory/3544-115-0x0000000000890000-0x0000000000990000-memory.dmp
      Filesize

      1024KB

      Download
    • memory/3636-99-0x0000000000B10000-0x0000000000C10000-memory.dmp
      Filesize

      1024KB

      Download
    • memory/3696-80-0x0000000000AB0000-0x0000000000BB0000-memory.dmp
      Filesize

      1024KB

      Download
    • memory/3696-82-0x0000000000A50000-0x0000000000A54000-memory.dmp
      Filesize

      16KB

      Download
    • memory/4200-23-0x0000000000400000-0x0000000000537000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/4200-73-0x0000000000400000-0x0000000000537000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/4200-37-0x0000000000400000-0x0000000000537000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/4200-36-0x0000000000400000-0x0000000000537000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/4200-34-0x0000000000400000-0x0000000000537000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/4200-30-0x0000000000400000-0x0000000000537000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/4200-90-0x0000000000400000-0x0000000000537000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/4200-29-0x0000000000400000-0x0000000000537000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/4200-24-0x0000000000400000-0x0000000000537000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/4200-22-0x0000000000400000-0x0000000000537000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/5028-53-0x00000000007E0000-0x0000000000811000-memory.dmp
      Filesize

      196KB

      Download
    • memory/5028-52-0x0000000000840000-0x0000000000940000-memory.dmp
      Filesize

      1024KB

      Download