Overview

overview

10

Static

static

dridex

windows10_x64

10

Analysis

  • max time kernel
    144s
  • max time network
    157s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    26-08-2021 01:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    01f06c896c957dc5cd9450298c5503b20478b6b8728aed6f903ae7312dff501b.exe

  • Size

    722KB

  • MD5

    55c13e0408310276dcb7a5356262a987

  • SHA1

    d7d15e0d6298572a83a26ee67bf5488b93cabb05

  • SHA256

    01f06c896c957dc5cd9450298c5503b20478b6b8728aed6f903ae7312dff501b

  • SHA512

    52ac50b3c74d827dce52d44b2f47fbf24a4f5b9eedb32bb5e1126acf49cfb5bc4946cb4259b868d22b934524b0e84553a8df5b688acee1e750180e014fee27b1

Score
10/10
djvuvidar517discoverypersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\_readme.txt

Family

djvu

Ransom Note
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-ykQaS2tRyB Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0328gDrgoC4j04vLx6lqyFlyzpTC55w9igCGDgaBYLhUjv3Rr
URLs

https://we.tl/t-ykQaS2tRyB

Extracted

Family

vidar

Version

40.1

Botnet

517

C2

https://eduarroma.tumblr.com/

Attributes
  • profile_id

    517

Signatures

  • Detected Djvu ransomeware 8 IoCs
  • Djvu Ransomware

    Ransomware which is a variant of the STOP family.

    ransomwaredjvu
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Vidar Stealer 5 IoCs
    stealer
  • Downloads MZ/PE file
  • Executes dropped EXE 10 IoCs
  • Modifies extensions of user files 8 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Loads dropped DLL 2 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses 2FA software files, possible credential harvesting 2 TTPs
    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\01f06c896c957dc5cd9450298c5503b20478b6b8728aed6f903ae7312dff501b.exe
    "C:\Users\Admin\AppData\Local\Temp\01f06c896c957dc5cd9450298c5503b20478b6b8728aed6f903ae7312dff501b.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3128
    • C:\Users\Admin\AppData\Local\Temp\01f06c896c957dc5cd9450298c5503b20478b6b8728aed6f903ae7312dff501b.exe
      "C:\Users\Admin\AppData\Local\Temp\01f06c896c957dc5cd9450298c5503b20478b6b8728aed6f903ae7312dff501b.exe"
      2⤵
      • Adds Run key to start application
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2916
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Users\Admin\AppData\Local\8bcc96f3-0c3c-411c-a05a-cbc01bf3e7d9" /deny *S-1-1-0:(OI)(CI)(DE,DC)
        3⤵
        • Modifies file permissions
        PID:928
      • C:\Users\Admin\AppData\Local\Temp\01f06c896c957dc5cd9450298c5503b20478b6b8728aed6f903ae7312dff501b.exe
        "C:\Users\Admin\AppData\Local\Temp\01f06c896c957dc5cd9450298c5503b20478b6b8728aed6f903ae7312dff501b.exe" --Admin IsNotAutoStart IsNotTask
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:3724
        • C:\Users\Admin\AppData\Local\Temp\01f06c896c957dc5cd9450298c5503b20478b6b8728aed6f903ae7312dff501b.exe
          "C:\Users\Admin\AppData\Local\Temp\01f06c896c957dc5cd9450298c5503b20478b6b8728aed6f903ae7312dff501b.exe" --Admin IsNotAutoStart IsNotTask
          4⤵
          • Modifies extensions of user files
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2072
          • C:\Users\Admin\AppData\Local\befd9e9d-74eb-43e8-9df2-b867ca45cc0d\build2.exe
            "C:\Users\Admin\AppData\Local\befd9e9d-74eb-43e8-9df2-b867ca45cc0d\build2.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:2300
            • C:\Users\Admin\AppData\Local\befd9e9d-74eb-43e8-9df2-b867ca45cc0d\build2.exe
              "C:\Users\Admin\AppData\Local\befd9e9d-74eb-43e8-9df2-b867ca45cc0d\build2.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Checks processor information in registry
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:1296
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\befd9e9d-74eb-43e8-9df2-b867ca45cc0d\build2.exe" & del C:\ProgramData\*.dll & exit
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:2624
                • C:\Windows\SysWOW64\taskkill.exe
                  taskkill /im build2.exe /f
                  8⤵
                  • Kills process with taskkill
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2204
                • C:\Windows\SysWOW64\timeout.exe
                  timeout /t 6
                  8⤵
                  • Delays execution with timeout.exe
                  PID:1184
          • C:\Users\Admin\AppData\Local\befd9e9d-74eb-43e8-9df2-b867ca45cc0d\build3.exe
            "C:\Users\Admin\AppData\Local\befd9e9d-74eb-43e8-9df2-b867ca45cc0d\build3.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:2188
            • C:\Users\Admin\AppData\Local\befd9e9d-74eb-43e8-9df2-b867ca45cc0d\build3.exe
              "C:\Users\Admin\AppData\Local\befd9e9d-74eb-43e8-9df2-b867ca45cc0d\build3.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:1732
              • C:\Windows\SysWOW64\schtasks.exe
                /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
                7⤵
                • Creates scheduled task(s)
                PID:2136
  • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3936
    • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
      2⤵
      • Executes dropped EXE
      PID:3788
      • C:\Windows\SysWOW64\schtasks.exe
        /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
        3⤵
        • Creates scheduled task(s)
        PID:1260
  • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    PID:4040
    • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
      2⤵
      • Executes dropped EXE
      PID:1640
  • C:\Users\Admin\AppData\Local\8bcc96f3-0c3c-411c-a05a-cbc01bf3e7d9\01f06c896c957dc5cd9450298c5503b20478b6b8728aed6f903ae7312dff501b.exe
    C:\Users\Admin\AppData\Local\8bcc96f3-0c3c-411c-a05a-cbc01bf3e7d9\01f06c896c957dc5cd9450298c5503b20478b6b8728aed6f903ae7312dff501b.exe --Task
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    PID:1736
    • C:\Users\Admin\AppData\Local\8bcc96f3-0c3c-411c-a05a-cbc01bf3e7d9\01f06c896c957dc5cd9450298c5503b20478b6b8728aed6f903ae7312dff501b.exe
      C:\Users\Admin\AppData\Local\8bcc96f3-0c3c-411c-a05a-cbc01bf3e7d9\01f06c896c957dc5cd9450298c5503b20478b6b8728aed6f903ae7312dff501b.exe --Task
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2080

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1296-131-0x0000000000400000-0x00000000004A1000-memory.dmp

    Filesize

    644KB

    Download

  • memory/1296-135-0x0000000000400000-0x00000000004A1000-memory.dmp

    Filesize

    644KB

    Download

  • memory/1732-146-0x0000000000400000-0x0000000000406000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1732-141-0x0000000000400000-0x0000000000406000-memory.dmp

    Filesize

    24KB

    Download

  • memory/2072-127-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2080-173-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2188-145-0x0000000003250000-0x00000000032FE000-memory.dmp

    Filesize

    696KB

    Download

  • memory/2300-134-0x0000000002670000-0x000000000270E000-memory.dmp

    Filesize

    632KB

    Download

  • memory/2916-117-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2916-115-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/3128-114-0x0000000004B80000-0x0000000004C9B000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/3936-162-0x00000000032A0000-0x00000000032A4000-memory.dmp

    Filesize

    16KB

    Download