Analysis

  • max time kernel
    114s
  • max time network
    142s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    06-12-2021 01:48

General

  • Target

    575655d5dbd1aa7b8f84d970dd1ee7fab3bd93e86b7e2f8cba3cf562f4a5de45.exe

  • Size

    826KB

  • MD5

    9036ae5ba754bdacf08a02401473d338

  • SHA1

    615df36cf7e06a853d170d7a68c6b652e8cc7688

  • SHA256

    575655d5dbd1aa7b8f84d970dd1ee7fab3bd93e86b7e2f8cba3cf562f4a5de45

  • SHA512

    30b2861d10c65fdc7884b3a42e1836209f0b2d2c69ab826708944a609faf3e9a59d9ac0164144fdea4affb19168017e1dd9e8af410fa57f964c72e82133094d6

Malware Config

Extracted

Family

djvu

C2

http://tzgl.org/fhsgtsspen6/get.php

Attributes
  • extension

    .wnlu

  • offline_id

    gYuqQ5GsAaJom08TivUVhlPzZDKd916x4NcXrWt1

  • payload_url

    http://kotob.top/dl/build2.exe

    http://tzgl.org/files/1/build3.exe

  • ransomnote

    ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-m8LBBi8x8F Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0357Sigrj

  • rsa_pubkey.plain

Signatures

  • Detected Djvu ransomware 6 IoCs
  • Djvu Ransomware

    Ransomware which is a variant of the STOP family.

  • suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request

  • Modifies file permissions 1 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\575655d5dbd1aa7b8f84d970dd1ee7fab3bd93e86b7e2f8cba3cf562f4a5de45.exe
    "C:\Users\Admin\AppData\Local\Temp\575655d5dbd1aa7b8f84d970dd1ee7fab3bd93e86b7e2f8cba3cf562f4a5de45.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2716
    • C:\Users\Admin\AppData\Local\Temp\575655d5dbd1aa7b8f84d970dd1ee7fab3bd93e86b7e2f8cba3cf562f4a5de45.exe
      "C:\Users\Admin\AppData\Local\Temp\575655d5dbd1aa7b8f84d970dd1ee7fab3bd93e86b7e2f8cba3cf562f4a5de45.exe"
      2⤵
      • Adds Run key to start application
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3684
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Users\Admin\AppData\Local\eadaf380-f65a-4b96-8c5e-af48950a141b" /deny *S-1-1-0:(OI)(CI)(DE,DC)
        3⤵
        • Modifies file permissions
        PID:3376
      • C:\Users\Admin\AppData\Local\Temp\575655d5dbd1aa7b8f84d970dd1ee7fab3bd93e86b7e2f8cba3cf562f4a5de45.exe
        "C:\Users\Admin\AppData\Local\Temp\575655d5dbd1aa7b8f84d970dd1ee7fab3bd93e86b7e2f8cba3cf562f4a5de45.exe" --Admin IsNotAutoStart IsNotTask
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:3480
        • C:\Users\Admin\AppData\Local\Temp\575655d5dbd1aa7b8f84d970dd1ee7fab3bd93e86b7e2f8cba3cf562f4a5de45.exe
          "C:\Users\Admin\AppData\Local\Temp\575655d5dbd1aa7b8f84d970dd1ee7fab3bd93e86b7e2f8cba3cf562f4a5de45.exe" --Admin IsNotAutoStart IsNotTask
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:1248
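
Read together, the signatures and the process tree above show three things worth turning into detections: the sample launches a second copy of itself and the parent is flagged for SetThreadContext and WriteProcessMemory (the shape of process hollowing, where a suspended child is overwritten in memory before it runs); the second stage runs icacls with /deny *S-1-1-0:(OI)(CI)(DE,DC), which denies Everyone (S-1-1-0) the DELETE and DELETE_CHILD rights on the GUID-named folder under %LOCALAPPDATA%, inherited by its files (OI) and subfolders (CI), so the persisted copy cannot simply be deleted; and the later relaunches carry the arguments --Admin IsNotAutoStart IsNotTask. The Python below is an added example, not part of the sandbox report or of the sample: it encodes those three observations as triage rules and runs them over process-creation events constructed from the command lines in the tree. The event shape, the rule names, the ppid of 0 for the submitted process (its parent is not shown in the report) and the suggested icacls /remove:d remediation string are this example's own assumptions.

```python
"""Triage rules for the Djvu/STOP process tree in this report (added example)."""
import re
from dataclasses import dataclass

# 8-4-4-4-12 hex, the folder name Djvu created under %LOCALAPPDATA%.
GUID_DIR = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"

# icacls <LOCALAPPDATA GUID folder> /deny *S-1-1-0:(OI)(CI)(DE,DC)
# S-1-1-0 = Everyone; DE = DELETE, DC = DELETE_CHILD; OI/CI = inherit to files/subfolders.
ICACLS_DENY = re.compile(
    r'icacls\s+"?(?P<dir>[^"]*\\AppData\\Local\\' + GUID_DIR + r')"?\s+'
    r"/deny\s+\*?S-1-1-0:\(OI\)\(CI\)\(DE,DC\)",
    re.IGNORECASE,
)

# Relaunch arguments seen on the third- and fourth-level copies in the tree.
DJVU_ARGS = re.compile(r"--Admin\s+IsNotAutoStart\s+IsNotTask", re.IGNORECASE)


@dataclass
class ProcEvent:
    """Minimal process-creation event (assumed shape, like Sysmon Event ID 1)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class Finding:
    rule: str
    pid: int
    detail: str
    remediation: str = ""


def rule_icacls_deny(events):
    """Everyone denied delete on a GUID folder under %LOCALAPPDATA% (persistence guard)."""
    out = []
    for e in events:
        m = ICACLS_DENY.search(e.cmdline)
        if m:
            folder = m.group("dir")
            # Assumed remediation: strip only the deny ACEs for Everyone, then the folder can be removed.
            out.append(Finding("icacls_deny_everyone_delete", e.pid, folder,
                               f'icacls "{folder}" /remove:d *S-1-1-0'))
    return out


def rule_djvu_relaunch(events):
    """Second-stage relaunch arguments used by this sample."""
    return [Finding("djvu_relaunch_args", e.pid, e.cmdline)
            for e in events if DJVU_ARGS.search(e.cmdline)]


def rule_self_spawn(events):
    """Child and parent share the same image path.

    With the SetThreadContext/WriteProcessMemory signatures on the parent this is the
    hollowing pattern: start a suspended copy of yourself, write the real payload into it,
    point the main thread at the new entry point, resume.
    """
    by_pid = {e.pid: e for e in events}
    out = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is not None and parent.image.lower() == e.image.lower():
            out.append(Finding("self_spawn_same_image", e.pid, f"parent pid {parent.pid}"))
    return out


def triage(events):
    """Run all rules; findings sorted by pid then rule name for stable output."""
    findings = rule_icacls_deny(events) + rule_djvu_relaunch(events) + rule_self_spawn(events)
    return sorted(findings, key=lambda f: (f.pid, f.rule))


# Constructed events, copied from the command lines in the process tree above.
SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\575655d5dbd1aa7b8f84d970dd1ee7fab3bd93e86b7e2f8cba3cf562f4a5de45.exe")
RELAUNCH = f'"{SAMPLE_EXE}" --Admin IsNotAutoStart IsNotTask'
SAMPLE_EVENTS = [
    ProcEvent(2716, 0, SAMPLE_EXE, f'"{SAMPLE_EXE}"'),  # ppid 0: parent not in the report
    ProcEvent(3684, 2716, SAMPLE_EXE, f'"{SAMPLE_EXE}"'),
    ProcEvent(3376, 3684, r"C:\Windows\SysWOW64\icacls.exe",
              r'icacls "C:\Users\Admin\AppData\Local\eadaf380-f65a-4b96-8c5e-af48950a141b" '
              r"/deny *S-1-1-0:(OI)(CI)(DE,DC)"),
    ProcEvent(3480, 3684, SAMPLE_EXE, RELAUNCH),
    ProcEvent(1248, 3480, SAMPLE_EXE, RELAUNCH),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.pid:>5}  {f.rule:<28} {f.detail}")
        if f.remediation:
            print(f"       remediation: {f.remediation}")
```

Against the constructed events the rules return six findings: the icacls deny on pid 3376, the relaunch arguments on pids 3480 and 1248, and same-image spawns for pids 3684, 3480 and 1248. The self-spawn rule alone is noisy on real hosts (installers and browsers do this legitimately); it earns its place here only in combination with the injection signatures and the other two rules.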

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

    MD5

    1c63500df0b57e29edd1a5867d9f0e9b

    SHA1

    0475a0611ac4d171e90b46303b96317fc186b15d

    SHA256

    c8f7c1bd12b80996707a806866379d91dc3008d5d2b0eeeb6d97d418aeeb7914

    SHA512

    29b914ffe63496d98e8ffb76afde49702888743c88bd0fc6aabdf3e8855e3a5389d933a29ccb4564e8d3198c159a1debfb56d6f39f428689f8eb4d497b341bde

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\572BF21E454637C9F000BE1AF9B1E1A9

    MD5

    4658bb40df1d2668f2337c7943a22ebb

    SHA1

    0332e16d3c36292dc43da18f05d42cfdcd4dbde4

    SHA256

    af5e788fbce7a25ea5f2ef384e39a652619910c101c63fbbcbc8c20204322e74

    SHA512

    398208de3a7f824b5911189eb82b7184b40248c5bc42d5abc9564fdc7702cb7f2e83fdfb09601600260eeb8b2b3d5520b2d36aa6252cd67ebd56f755deff8846

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

    MD5

    a4d977654867ed9025d3d2d46a16e1e4

    SHA1

    788c0e1ad79ce435f04c1bc5b4d8374037df8385

    SHA256

    2d72b608c30f1b523b88e51a70ac9a6c130315f6b1c5df8872ddf7b3d1a00e1d

    SHA512

    7a444633c6fb2026808d38feef38f6877d780db1541c10975b9e632d12f081d7959d417d9c84045ae2579b46056b5b4aecaa043b7b776af1dcd5773fd0c1439c

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\572BF21E454637C9F000BE1AF9B1E1A9

    MD5

    cd256eacec8f3bad0f4f60675f64de93

    SHA1

    073c5877b6cec81f58b2c5449e6f5e849c0a4ca5

    SHA256

    4af362f94336791b38a8141ddde8697ab6705f3ab3ab2a305909e7fde0a8ef9b

    SHA512

    c5835ba0065d15a29895abe44dae59cd299d3a13daf582c96259e98a71cf12000436b094b44637b91e6d880b667cca210b034fde90d607a364f17a1a1b1a8329

  • C:\Users\Admin\AppData\Local\eadaf380-f65a-4b96-8c5e-af48950a141b\575655d5dbd1aa7b8f84d970dd1ee7fab3bd93e86b7e2f8cba3cf562f4a5de45.exe

    MD5

    9036ae5ba754bdacf08a02401473d338

    SHA1

    615df36cf7e06a853d170d7a68c6b652e8cc7688

    SHA256

    575655d5dbd1aa7b8f84d970dd1ee7fab3bd93e86b7e2f8cba3cf562f4a5de45

    SHA512

    30b2861d10c65fdc7884b3a42e1836209f0b2d2c69ab826708944a609faf3e9a59d9ac0164144fdea4affb19168017e1dd9e8af410fa57f964c72e82133094d6

  • memory/1248-125-0x0000000000424141-mapping.dmp

  • memory/1248-130-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

  • memory/2716-115-0x0000000002127000-0x00000000021B8000-memory.dmp

    Filesize

    580KB

  • memory/2716-116-0x00000000021C0000-0x00000000022DB000-memory.dmp

    Filesize

    1.1MB

  • memory/3376-120-0x0000000000000000-mapping.dmp

  • memory/3480-122-0x0000000000000000-mapping.dmp

  • memory/3480-123-0x000000000212A000-0x00000000021BB000-memory.dmp

    Filesize

    580KB

  • memory/3684-119-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

  • memory/3684-117-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

  • memory/3684-118-0x0000000000424141-mapping.dmp