Analysis

  • max time kernel
    121s
  • max time network
    127s
  • platform
    windows10_x64
  • resource
    win10-en-20211104
  • submitted
    29-11-2021 22:12

General

  • Target

    ad314bc4baa58363ed0cbc01f8ec11f55ca7e53a219b2cdceda1b177e0938d8d.exe

  • Size

    825KB

  • MD5

    2be9be6f27a7de23f03741fdc13d9a25

  • SHA1

    d5965d13a704e796db7d394c63b07e7f06e123ea

  • SHA256

    ad314bc4baa58363ed0cbc01f8ec11f55ca7e53a219b2cdceda1b177e0938d8d

  • SHA512

    35fb842270eebaf07f1c006e5b12d6e9d2c21b8c600f1ae18652219e5f43423aa5e6c64c074cbb4d49f51adf9b595192d7d446ae99959c4781edf1a656f1c48c

Malware Config

Extracted

Family

djvu

C2

http://tzgl.org/lancer/get.php

Attributes
  • extension

    .yqal

  • offline_id

    K3PMMX2aWwpnYby88Dzg7tmaIW7Tv0HMWvSyr7t1

  • payload_url

    http://kotob.top/dl/build2.exe

    http://tzgl.org/files/1/build3.exe

  • ransomnote

    ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-rIyEiK9ekc Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0356gSd743d

  • rsa_pubkey.plain

Signatures

  • Detected Djvu ransomware 6 IoCs
  • Djvu Ransomware

    Ransomware which is a variant of the STOP family.

  • suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request

  • Modifies file permissions 1 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ad314bc4baa58363ed0cbc01f8ec11f55ca7e53a219b2cdceda1b177e0938d8d.exe
    "C:\Users\Admin\AppData\Local\Temp\ad314bc4baa58363ed0cbc01f8ec11f55ca7e53a219b2cdceda1b177e0938d8d.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4024
    • C:\Users\Admin\AppData\Local\Temp\ad314bc4baa58363ed0cbc01f8ec11f55ca7e53a219b2cdceda1b177e0938d8d.exe
      "C:\Users\Admin\AppData\Local\Temp\ad314bc4baa58363ed0cbc01f8ec11f55ca7e53a219b2cdceda1b177e0938d8d.exe"
      2⤵
      • Adds Run key to start application
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:660
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Users\Admin\AppData\Local\192ba449-32d6-406c-bd37-44f0831f7334" /deny *S-1-1-0:(OI)(CI)(DE,DC)
        3⤵
        • Modifies file permissions
        PID:1440
      • C:\Users\Admin\AppData\Local\Temp\ad314bc4baa58363ed0cbc01f8ec11f55ca7e53a219b2cdceda1b177e0938d8d.exe
        "C:\Users\Admin\AppData\Local\Temp\ad314bc4baa58363ed0cbc01f8ec11f55ca7e53a219b2cdceda1b177e0938d8d.exe" --Admin IsNotAutoStart IsNotTask
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2380
        • C:\Users\Admin\AppData\Local\Temp\ad314bc4baa58363ed0cbc01f8ec11f55ca7e53a219b2cdceda1b177e0938d8d.exe
          "C:\Users\Admin\AppData\Local\Temp\ad314bc4baa58363ed0cbc01f8ec11f55ca7e53a219b2cdceda1b177e0938d8d.exe" --Admin IsNotAutoStart IsNotTask
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:812

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
    MD5

    e15da05c12224abc690b1eb313a20137

    SHA1

    80f6284e35fa09eda4e69a5a866f052c9077e1f1

    SHA256

    9708014af393827b1df1614e6d4d99de56f13fbda613e2ead63416a9c2c6e31c

    SHA512

    4d41f757804943d5344476747024dd94aaa6d414d9b1652f9865927234d40c271a42468cde38c2bd68f6e833783ae8ea93727d2eb9e8c24263673eb8dd6b9937

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
    MD5

    2bef96fbf39da6a765ed4d36db41fc5a

    SHA1

    af8b93b370a8bfd932552f840d54da310b51c071

    SHA256

    9cf840b96cb69e5c7f2b93630f63e44c20ba7240ce29ffa7e5de6e648c57d3c8

    SHA512

    a05166997abf2f29a1867f2ed649555eb5b153448087025b0d1a77cc14f78da0052a81bfd44d360731ca8b6520646b0d3e51e8fbbc2e045b990505dd46fa24d7

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
    MD5

    ca062b1569481badcb89688064d6224a

    SHA1

    45a387ad9af7aa71a9d5cbcc41ac26bb54488183

    SHA256

    d0a87c9f2dddd52f30782689de6042b7036e1745de81eaa5124ca43b4390ecfa

    SHA512

    25924abd66c83d674ebb6d438225be0cc6a80d92c9f652ee0f6dc8df503f520341fcd154ae1beaa54c8b20e63565fea790501b1735c5df56209dce45b295cc9c

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
    MD5

    7a13ec0d8bd9631ff2e116f48db5ad42

    SHA1

    34caf1c3bf2d211f04606a804b848b04081aa7a1

    SHA256

    32a84156ebdb4252981a0e3fdf096845a9be5e48d372cc28836f604fdca50e6e

    SHA512

    1f4a300b6e1590bb17e58fdaed263401bbd39d2cf701108bddf7cb676c1d76b1016f4cb540be9a5afef8b49a52c407eef9347e63f11e80fe529689114c8129e1

  • C:\Users\Admin\AppData\Local\192ba449-32d6-406c-bd37-44f0831f7334\ad314bc4baa58363ed0cbc01f8ec11f55ca7e53a219b2cdceda1b177e0938d8d.exe
    MD5

    2be9be6f27a7de23f03741fdc13d9a25

    SHA1

    d5965d13a704e796db7d394c63b07e7f06e123ea

    SHA256

    ad314bc4baa58363ed0cbc01f8ec11f55ca7e53a219b2cdceda1b177e0938d8d

    SHA512

    35fb842270eebaf07f1c006e5b12d6e9d2c21b8c600f1ae18652219e5f43423aa5e6c64c074cbb4d49f51adf9b595192d7d446ae99959c4781edf1a656f1c48c

  • memory/660-121-0x0000000000424141-mapping.dmp
  • memory/660-122-0x0000000000400000-0x0000000000537000-memory.dmp
    Filesize

    1.2MB

  • memory/660-120-0x0000000000400000-0x0000000000537000-memory.dmp
    Filesize

    1.2MB

  • memory/812-128-0x0000000000424141-mapping.dmp
  • memory/812-133-0x0000000000400000-0x0000000000537000-memory.dmp
    Filesize

    1.2MB

  • memory/1440-123-0x0000000000000000-mapping.dmp
  • memory/2380-125-0x0000000000000000-mapping.dmp
  • memory/2380-126-0x00000000008EE000-0x000000000097F000-memory.dmp
    Filesize

    580KB

  • memory/4024-118-0x0000000000A24000-0x0000000000AB5000-memory.dmp
    Filesize

    580KB

  • memory/4024-119-0x0000000000BE0000-0x0000000000CFB000-memory.dmp
    Filesize

    1.1MB