Overview

overview

10

Static

static

dridex

windows10_x64

10

Analysis

  • max time kernel
    110s
  • max time network
    121s
  • platform
    windows10_x64
  • resource
    win10-en-20211104
  • submitted
    30-11-2021 04:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c1780545e2c01c041c55913c9fb2c4baff27278477256aee89b1371e2de35846.exe

  • Size

    708KB

  • MD5

    3b95bb63162de582ac3336d25a297b8b

  • SHA1

    7591ae401abd0dad880dd1ceed76975f0e50ae5b

  • SHA256

    c1780545e2c01c041c55913c9fb2c4baff27278477256aee89b1371e2de35846

  • SHA512

    10fa8404fe0ac6162930c49511e5c4290098f93d286841466c7232927ea3092ae655eeb34f8746c6e3ec72c33ab362a5a09423337d5f9a510e3a740b11950710

Score
10/10
djvudiscoverypersistenceransomware

Malware Config

Extracted

Family

djvu

C2

http://tzgl.org/lancer/get.php

Attributes
  • extension

    .yqal

  • offline_id

    K3PMMX2aWwpnYby88Dzg7tmaIW7Tv0HMWvSyr7t1

  • payload_url

    http://kotob.top/dl/build2.exe

    http://tzgl.org/files/1/build3.exe

  • ransomnote

    ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-rIyEiK9ekc Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0356gSd743d

rsa_pubkey.plain

Signatures

  • Detected Djvu ransomware 6 IoCs
  • Djvu Ransomware

    Ransomware which is a variant of the STOP family.

    ransomwaredjvu
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c1780545e2c01c041c55913c9fb2c4baff27278477256aee89b1371e2de35846.exe
    "C:\Users\Admin\AppData\Local\Temp\c1780545e2c01c041c55913c9fb2c4baff27278477256aee89b1371e2de35846.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3196
    • C:\Users\Admin\AppData\Local\Temp\c1780545e2c01c041c55913c9fb2c4baff27278477256aee89b1371e2de35846.exe
      "C:\Users\Admin\AppData\Local\Temp\c1780545e2c01c041c55913c9fb2c4baff27278477256aee89b1371e2de35846.exe"
      2⤵
      • Adds Run key to start application
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2100
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Users\Admin\AppData\Local\50446490-8120-4851-a15a-989380a18250" /deny *S-1-1-0:(OI)(CI)(DE,DC)
        3⤵
        • Modifies file permissions
        PID:1300
      • C:\Users\Admin\AppData\Local\Temp\c1780545e2c01c041c55913c9fb2c4baff27278477256aee89b1371e2de35846.exe
        "C:\Users\Admin\AppData\Local\Temp\c1780545e2c01c041c55913c9fb2c4baff27278477256aee89b1371e2de35846.exe" --Admin IsNotAutoStart IsNotTask
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1176
        • C:\Users\Admin\AppData\Local\Temp\c1780545e2c01c041c55913c9fb2c4baff27278477256aee89b1371e2de35846.exe
          "C:\Users\Admin\AppData\Local\Temp\c1780545e2c01c041c55913c9fb2c4baff27278477256aee89b1371e2de35846.exe" --Admin IsNotAutoStart IsNotTask
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:524

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
    MD5

    e15da05c12224abc690b1eb313a20137

    SHA1

    80f6284e35fa09eda4e69a5a866f052c9077e1f1

    SHA256

    9708014af393827b1df1614e6d4d99de56f13fbda613e2ead63416a9c2c6e31c

    SHA512

    4d41f757804943d5344476747024dd94aaa6d414d9b1652f9865927234d40c271a42468cde38c2bd68f6e833783ae8ea93727d2eb9e8c24263673eb8dd6b9937

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
    MD5

    2bef96fbf39da6a765ed4d36db41fc5a

    SHA1

    af8b93b370a8bfd932552f840d54da310b51c071

    SHA256

    9cf840b96cb69e5c7f2b93630f63e44c20ba7240ce29ffa7e5de6e648c57d3c8

    SHA512

    a05166997abf2f29a1867f2ed649555eb5b153448087025b0d1a77cc14f78da0052a81bfd44d360731ca8b6520646b0d3e51e8fbbc2e045b990505dd46fa24d7

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
    MD5

    2da0b1694a734fc727fd14b74ef0f26a

    SHA1

    0a06fb3ab86efc412a62182eac4124a734558866

    SHA256

    7d23b87142a8226b6d27cb519c541ba542c164588fc7562caa0cafc851caf9ce

    SHA512

    18730de42f1d47163bc9daff84a8fdca56da7a0d9f18723025c74a0b7ca653c413cb7910be013229d5367a5a297c60cdead8c79fda56807184dcb2a1c3a1af15

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
    MD5

    711d2d2d385c6f55e242fa4dd793284f

    SHA1

    e0e78b8e23760f2fb2845a61753b58748a4b57c0

    SHA256

    c915433efb2f968911d3ae49049f3387367d7e61d1bb50e054070e5ef7534ad4

    SHA512

    4926cfeed1c19a1064c14596f5fcfe72070563180fc59475c511bab3513468a2020a3b70e89c68b44c9e03b9ecc9d827acaff3bb6093cec406a5b8469ac83cf2

    Download Submit
  • C:\Users\Admin\AppData\Local\50446490-8120-4851-a15a-989380a18250\c1780545e2c01c041c55913c9fb2c4baff27278477256aee89b1371e2de35846.exe
    MD5

    3b95bb63162de582ac3336d25a297b8b

    SHA1

    7591ae401abd0dad880dd1ceed76975f0e50ae5b

    SHA256

    c1780545e2c01c041c55913c9fb2c4baff27278477256aee89b1371e2de35846

    SHA512

    10fa8404fe0ac6162930c49511e5c4290098f93d286841466c7232927ea3092ae655eeb34f8746c6e3ec72c33ab362a5a09423337d5f9a510e3a740b11950710

    Download Submit
  • memory/524-127-0x0000000000424141-mapping.dmp
    Download
  • memory/524-132-0x0000000000400000-0x0000000000537000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/1176-125-0x0000000000000000-mapping.dmp
    Download
  • memory/1300-123-0x0000000000000000-mapping.dmp
    Download
  • memory/2100-119-0x0000000000424141-mapping.dmp
    Download
  • memory/2100-122-0x0000000000400000-0x0000000000537000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/2100-118-0x0000000000400000-0x0000000000537000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/3196-121-0x0000000004AF0000-0x0000000004C0B000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/3196-120-0x0000000004A30000-0x0000000004AC1000-memory.dmp
    Filesize

    580KB

    Download