Overview

overview

10

Static

static

dridex

windows10_x64

10

Analysis

  • max time kernel
    157s
  • max time network
    176s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    03-02-2022 17:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00.exe

  • Size

    828KB

  • MD5

    9501470fe5ea3232193373b54c6d8987

  • SHA1

    f5eaf1fc0691910e9b35d080219f226e8935eb72

  • SHA256

    007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00

  • SHA512

    869946fa03e34de6a51239dd10d8bef9a24adce20807918fb71fdf676cd0dd4dab6fb710c02f20cebdac4e9d2008b53608fbc9379b02b1f62cf0e269782d4e88

Score
10/10
djvuvidar517discoverypersistenceransomwarespywarestealer

Malware Config

Extracted

Family

djvu

C2

http://fuyt.org/test1/get.php

Attributes
  • extension

    .bbbw

  • offline_id

    jYeuANkMCJOEtaXsN8JcBUuEjwSP20EGT4t2Nct1

  • payload_url

    http://lencu.top/dl/build2.exe

    http://fuyt.org/files/1/build3.exe

  • ransomnote

    ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-qqj8MrDVtG Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0382UIhfSd

rsa_pubkey.plain

Extracted

Family

vidar

Version

49.8

Botnet

517

C2

https://c.im/@prophef3

https://qoto.org/@prophef41
Attributes
  • profile_id

    517

Signatures

  • Detected Djvu ransomware 4 IoCs
  • Djvu Ransomware

    Ransomware which is a variant of the STOP family.

    ransomwaredjvu
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Vidar Stealer 3 IoCs
    stealer
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses 2FA software files, possible credential harvesting 2 TTPs
    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00.exe
    "C:\Users\Admin\AppData\Local\Temp\007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1972
    • C:\Users\Admin\AppData\Local\Temp\007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00.exe
      "C:\Users\Admin\AppData\Local\Temp\007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00.exe"
      2⤵
      • Adds Run key to start application
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2112
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Users\Admin\AppData\Local\990e3ece-a982-4807-9edf-c2774dfa40c5" /deny *S-1-1-0:(OI)(CI)(DE,DC)
        3⤵
        • Modifies file permissions
        PID:2780
      • C:\Users\Admin\AppData\Local\Temp\007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00.exe
        "C:\Users\Admin\AppData\Local\Temp\007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00.exe" --Admin IsNotAutoStart IsNotTask
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:3736
        • C:\Users\Admin\AppData\Local\Temp\007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00.exe
          "C:\Users\Admin\AppData\Local\Temp\007ae7550fcc0e7368a9ebd1dcc6066145f256af24847075cde83233ced10d00.exe" --Admin IsNotAutoStart IsNotTask
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2880
          • C:\Users\Admin\AppData\Local\28bf96a8-8143-41c9-93a8-4a93fba3c118\build2.exe
            "C:\Users\Admin\AppData\Local\28bf96a8-8143-41c9-93a8-4a93fba3c118\build2.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious behavior: EnumeratesProcesses
            PID:2904
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 1468
              6⤵
              • Program crash
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1780

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1972-116-0x00000000023A0000-0x00000000024BB000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2112-118-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2112-117-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2880-128-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2904-134-0x0000000002320000-0x0000000002365000-memory.dmp

    Filesize

    276KB

    Download

  • memory/2904-133-0x0000000000400000-0x0000000000553000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2904-135-0x00000000001F0000-0x00000000001F2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2904-136-0x0000000000400000-0x0000000000553000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2904-137-0x00000000745B0000-0x0000000074772000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/2904-138-0x00000000777C0000-0x00000000778B1000-memory.dmp

    Filesize

    964KB

    Download

  • memory/2904-132-0x0000000000400000-0x0000000000553000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2904-131-0x0000000000400000-0x0000000000553000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2904-141-0x0000000072A90000-0x0000000072AB4000-memory.dmp

    Filesize

    144KB

    Download

  • memory/2904-142-0x0000000072AF0000-0x0000000072C24000-memory.dmp

    Filesize

    1.2MB

    Download