Overview

overview

10

Static

static

dridex

windows10_x64

10

Analysis

  • max time kernel
    105s
  • max time network
    120s
  • platform
    windows10_x64
  • resource
    win10-en-20211104
  • submitted
    30-11-2021 05:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0e426393ce90dff7fc03ecd889a638486d6b5d8211dd5597c6c009bdbf3ace73.exe

  • Size

    706KB

  • MD5

    ba33a8cf4dc2dd02a1492daf3e6b3bb5

  • SHA1

    cf69a946ef5462c625fc4739aff6f25c4eabe31b

  • SHA256

    0e426393ce90dff7fc03ecd889a638486d6b5d8211dd5597c6c009bdbf3ace73

  • SHA512

    c40f2ef7e632ef8c507ae23adba633712cd9ceab079fee0d14f0210f9ceb30e7b5df4d4b6bc42981248b3479ed1729027d74921e9bcfff31795ab14baea2ecc1

Score
10/10
djvudiscoverypersistenceransomware

Malware Config

Extracted

Family

djvu

C2

http://tzgl.org/fhsgtsspen6/get.php

Attributes
  • extension

    .moia

  • offline_id

    K3PMMX2aWwpnYby88Dzg7tmaIW7Tv0HMWvSyr7t1

  • payload_url

    http://kotob.top/dl/build2.exe

    http://tzgl.org/files/1/build3.exe

  • ransomnote

    ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-rIyEiK9ekc Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0355gSd743d

rsa_pubkey.plain

Signatures

  • Detected Djvu ransomware 6 IoCs
  • Djvu Ransomware

    Ransomware which is a variant of the STOP family.

    ransomwaredjvu
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0e426393ce90dff7fc03ecd889a638486d6b5d8211dd5597c6c009bdbf3ace73.exe
    "C:\Users\Admin\AppData\Local\Temp\0e426393ce90dff7fc03ecd889a638486d6b5d8211dd5597c6c009bdbf3ace73.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2392
    • C:\Users\Admin\AppData\Local\Temp\0e426393ce90dff7fc03ecd889a638486d6b5d8211dd5597c6c009bdbf3ace73.exe
      "C:\Users\Admin\AppData\Local\Temp\0e426393ce90dff7fc03ecd889a638486d6b5d8211dd5597c6c009bdbf3ace73.exe"
      2⤵
      • Adds Run key to start application
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2720
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Users\Admin\AppData\Local\4dd1e308-b23c-4521-9cfe-f42aafceb1d6" /deny *S-1-1-0:(OI)(CI)(DE,DC)
        3⤵
        • Modifies file permissions
        PID:2260
      • C:\Users\Admin\AppData\Local\Temp\0e426393ce90dff7fc03ecd889a638486d6b5d8211dd5597c6c009bdbf3ace73.exe
        "C:\Users\Admin\AppData\Local\Temp\0e426393ce90dff7fc03ecd889a638486d6b5d8211dd5597c6c009bdbf3ace73.exe" --Admin IsNotAutoStart IsNotTask
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1364
        • C:\Users\Admin\AppData\Local\Temp\0e426393ce90dff7fc03ecd889a638486d6b5d8211dd5597c6c009bdbf3ace73.exe
          "C:\Users\Admin\AppData\Local\Temp\0e426393ce90dff7fc03ecd889a638486d6b5d8211dd5597c6c009bdbf3ace73.exe" --Admin IsNotAutoStart IsNotTask
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:2296

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
    MD5

    e15da05c12224abc690b1eb313a20137

    SHA1

    80f6284e35fa09eda4e69a5a866f052c9077e1f1

    SHA256

    9708014af393827b1df1614e6d4d99de56f13fbda613e2ead63416a9c2c6e31c

    SHA512

    4d41f757804943d5344476747024dd94aaa6d414d9b1652f9865927234d40c271a42468cde38c2bd68f6e833783ae8ea93727d2eb9e8c24263673eb8dd6b9937

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
    MD5

    2bef96fbf39da6a765ed4d36db41fc5a

    SHA1

    af8b93b370a8bfd932552f840d54da310b51c071

    SHA256

    9cf840b96cb69e5c7f2b93630f63e44c20ba7240ce29ffa7e5de6e648c57d3c8

    SHA512

    a05166997abf2f29a1867f2ed649555eb5b153448087025b0d1a77cc14f78da0052a81bfd44d360731ca8b6520646b0d3e51e8fbbc2e045b990505dd46fa24d7

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
    MD5

    0861087e9fafa4fa6bcc0ee4df870570

    SHA1

    55df77c2305a2d4fddee9e2a8106bbc22ed36d65

    SHA256

    dda26a7f1fd1597dd9dcd7e43b635c481c282ad788df9b3bb70757e86f76dc0f

    SHA512

    0b5cc00c0d33f36be4a73753c5eb19fae6c5eaa48fd6af2bae810af40b3649e3a75358598adafae05cb64a2e757e309063bbf5e07cf4c51ea1401862bf011cd0

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
    MD5

    399c3923e834dd1f218bb9b1d0eefe14

    SHA1

    f4450a8cb2b607ce6466ae496ebbdcf9e632874f

    SHA256

    285323e85a94123f196cff58793a84f6fa38e3e6c212696b50b499f9068490c7

    SHA512

    d3c0a0bf882c0c0b86a12bbacf6fa75c69e0c97cecc19a0afa8b39b8f26c35deea531dd046132dd4d49203f7a17bbd3a36b1c0135abe3d0a9f37824b87e37a2f

    Download Submit

  • C:\Users\Admin\AppData\Local\4dd1e308-b23c-4521-9cfe-f42aafceb1d6\0e426393ce90dff7fc03ecd889a638486d6b5d8211dd5597c6c009bdbf3ace73.exe
    MD5

    ba33a8cf4dc2dd02a1492daf3e6b3bb5

    SHA1

    cf69a946ef5462c625fc4739aff6f25c4eabe31b

    SHA256

    0e426393ce90dff7fc03ecd889a638486d6b5d8211dd5597c6c009bdbf3ace73

    SHA512

    c40f2ef7e632ef8c507ae23adba633712cd9ceab079fee0d14f0210f9ceb30e7b5df4d4b6bc42981248b3479ed1729027d74921e9bcfff31795ab14baea2ecc1

    Download Submit

  • memory/1364-125-0x0000000000000000-mapping.dmp

    Download

  • memory/2260-122-0x0000000000000000-mapping.dmp

    Download

  • memory/2296-128-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2296-127-0x0000000000424141-mapping.dmp

    Download

  • memory/2392-121-0x0000000004B00000-0x0000000004C1B000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2392-120-0x0000000004A60000-0x0000000004AF1000-memory.dmp

    Filesize

    580KB

    Download

  • memory/2720-124-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2720-118-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2720-119-0x0000000000424141-mapping.dmp

    Download