Overview

overview

10

Static

static

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    153s
  • max time network
    171s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/10/2022, 09:01

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    18aa090e0b3d0a2a34083e13726f78c8efd60cf5c0a425859a4fa2dfd6330423.exe

  • Size

    194KB

  • MD5

    e23c95d91c7786c48e5273833610046f

  • SHA1

    cafcb78b479773cb1ddd5dfeeb3861e967a3772c

  • SHA256

    18aa090e0b3d0a2a34083e13726f78c8efd60cf5c0a425859a4fa2dfd6330423

  • SHA512

    061c8716a8c14d7fa1527a5b86e94c1c5b6348d095bd3d64ea4db8e66717de91a2b411c22a4d5fa01c622d82118d2037cf3faefa6de7adc54d648c3daefc2697

  • SSDEEP

    3072:6VXmjRFVXL0tfRw05oEZJfrR/jaPDsexSFqnuFMnN0K3/dRhz:oGRFdLCZwoZJfJkDRjnuFO0gx

Score
10/10
djvusmokeloaderbackdoorcollectiondiscoverypersistenceransomwaretrojan

Malware Config

Extracted

Family

djvu

C2

http://winnlinne.com/lancer/get.php

Attributes
  • extension

    .tury

  • offline_id

    Uz66zEbmA32arcxwT81zZhkb23026oHz5iSp8qt1

  • payload_url

    http://rgyui.top/dl/build2.exe

    http://winnlinne.com/files/1/build3.exe

  • ransomnote

    ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-o7UXxOstmw Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0585Jhyjd

rsa_pubkey.plain

Signatures

  • Detected Djvu ransomware 6 IoCs
  • Detects Smokeloader packer 4 IoCs
  • Djvu Ransomware

    Ransomware which is a variant of the STOP family.

    ransomwaredjvu
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Downloads MZ/PE file
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 1 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\18aa090e0b3d0a2a34083e13726f78c8efd60cf5c0a425859a4fa2dfd6330423.exe
    "C:\Users\Admin\AppData\Local\Temp\18aa090e0b3d0a2a34083e13726f78c8efd60cf5c0a425859a4fa2dfd6330423.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:3604
  • C:\Users\Admin\AppData\Local\Temp\36EA.exe
    C:\Users\Admin\AppData\Local\Temp\36EA.exe
    1⤵
    • Executes dropped EXE
    • Checks SCSI registry key(s)
    • Suspicious behavior: MapViewOfSection
    PID:3088
  • C:\Users\Admin\AppData\Local\Temp\5EA6.exe
    C:\Users\Admin\AppData\Local\Temp\5EA6.exe
    1⤵
    • Executes dropped EXE
    PID:5116
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5116 -s 340
      2⤵
      • Program crash
      PID:4424
  • C:\Users\Admin\AppData\Local\Temp\7944.exe
    C:\Users\Admin\AppData\Local\Temp\7944.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3276
    • C:\Users\Admin\AppData\Local\Temp\7944.exe
      C:\Users\Admin\AppData\Local\Temp\7944.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1312
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Users\Admin\AppData\Local\04d9d792-4fd9-4e09-a462-ce5b2865901f" /deny *S-1-1-0:(OI)(CI)(DE,DC)
        3⤵
        • Modifies file permissions
        PID:2192
  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\7BB6.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3996
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\7BB6.dll
      2⤵
      • Loads dropped DLL
      PID:4280
  • C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    1⤵
    • Accesses Microsoft Outlook profiles
    • outlook_office_path
    • outlook_win_path
    PID:3588
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe
    1⤵
      PID:1688
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5116 -ip 5116
      1⤵
        PID:2504

      Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\04d9d792-4fd9-4e09-a462-ce5b2865901f\7944.exe
              Filesize

              713KB

              MD5

              b7bc860cee7201e0c810642890a03246

              SHA1

              d9edc9d61baf9d8cad3f840bba699ffd9219cce0

              SHA256

              ee58c869d7a419d55fe3e6a8cf001ffff107d5d922951b3999b79b2b6c7e1c27

              SHA512

              5e65e33f02c937167a03d283ab6510aab82f221d11ef3c65833bbf669df89136418889e09c5d2d6b6221fe3a47da3bb363a485b9f5ea210cfde35d7b50f7a594

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\36EA.exe
              Filesize

              195KB

              MD5

              0b4f3864efb93d7c5413cb9eaabf587a

              SHA1

              a8a2b31f8ec57b0d7488f725af213248c6cccfb9

              SHA256

              ad7f2ed48ed234dddbb96f3d781704307f0d9def1ea5291d1832597f7aea2e92

              SHA512

              1e475d0622d671f632b6f31a1de4f0a06d64a1b8329ec03496af16780c7e92249b0dde22a9c8fa69692762bc23f42cbc0e6cd194ef3a0b78296956d422601c22

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\36EA.exe
              Filesize

              195KB

              MD5

              0b4f3864efb93d7c5413cb9eaabf587a

              SHA1

              a8a2b31f8ec57b0d7488f725af213248c6cccfb9

              SHA256

              ad7f2ed48ed234dddbb96f3d781704307f0d9def1ea5291d1832597f7aea2e92

              SHA512

              1e475d0622d671f632b6f31a1de4f0a06d64a1b8329ec03496af16780c7e92249b0dde22a9c8fa69692762bc23f42cbc0e6cd194ef3a0b78296956d422601c22

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\5EA6.exe
              Filesize

              194KB

              MD5

              47c6be3e5327af1bfdd2939f5cfc8f16

              SHA1

              18af6a23a52e2fd6f705bb6171eedcb612fe0ec2

              SHA256

              a21c3f23ea8a653b6823851ec4d71b8efccfc347939f9a02008e176eb7c68ac1

              SHA512

              1644c75167a47baf24f05c41aa7fd1c1eaa6ec2288171a788cb2e3aed6f75691930bfc22414e7bdbd13605fc874bd302c19ffbae2869ffcfb0cdb6662502ab9d

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\5EA6.exe
              Filesize

              194KB

              MD5

              47c6be3e5327af1bfdd2939f5cfc8f16

              SHA1

              18af6a23a52e2fd6f705bb6171eedcb612fe0ec2

              SHA256

              a21c3f23ea8a653b6823851ec4d71b8efccfc347939f9a02008e176eb7c68ac1

              SHA512

              1644c75167a47baf24f05c41aa7fd1c1eaa6ec2288171a788cb2e3aed6f75691930bfc22414e7bdbd13605fc874bd302c19ffbae2869ffcfb0cdb6662502ab9d

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\7944.exe
              Filesize

              713KB

              MD5

              b7bc860cee7201e0c810642890a03246

              SHA1

              d9edc9d61baf9d8cad3f840bba699ffd9219cce0

              SHA256

              ee58c869d7a419d55fe3e6a8cf001ffff107d5d922951b3999b79b2b6c7e1c27

              SHA512

              5e65e33f02c937167a03d283ab6510aab82f221d11ef3c65833bbf669df89136418889e09c5d2d6b6221fe3a47da3bb363a485b9f5ea210cfde35d7b50f7a594

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\7944.exe
              Filesize

              713KB

              MD5

              b7bc860cee7201e0c810642890a03246

              SHA1

              d9edc9d61baf9d8cad3f840bba699ffd9219cce0

              SHA256

              ee58c869d7a419d55fe3e6a8cf001ffff107d5d922951b3999b79b2b6c7e1c27

              SHA512

              5e65e33f02c937167a03d283ab6510aab82f221d11ef3c65833bbf669df89136418889e09c5d2d6b6221fe3a47da3bb363a485b9f5ea210cfde35d7b50f7a594

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\7944.exe
              Filesize

              713KB

              MD5

              b7bc860cee7201e0c810642890a03246

              SHA1

              d9edc9d61baf9d8cad3f840bba699ffd9219cce0

              SHA256

              ee58c869d7a419d55fe3e6a8cf001ffff107d5d922951b3999b79b2b6c7e1c27

              SHA512

              5e65e33f02c937167a03d283ab6510aab82f221d11ef3c65833bbf669df89136418889e09c5d2d6b6221fe3a47da3bb363a485b9f5ea210cfde35d7b50f7a594

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\7BB6.dll
              Filesize

              1.8MB

              MD5

              4dca89f3a66ae9ac204beea85d7a3d75

              SHA1

              5cc81459e35f27a79047c4e041a65739cc91a067

              SHA256

              223759e9e0c53c73d5255e47c1b455d7ccda1d050809446300485c0747d16981

              SHA512

              67dd36ca578ae7bfe3ebd167f193fe35513841aaa3a5f3124c4a1ae04241c554a0ff26a9afcee4e3ad4aaa8528b96e99a89192c7f1fc22dead81ad9af36a4906

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\7BB6.dll
              Filesize

              1.8MB

              MD5

              4dca89f3a66ae9ac204beea85d7a3d75

              SHA1

              5cc81459e35f27a79047c4e041a65739cc91a067

              SHA256

              223759e9e0c53c73d5255e47c1b455d7ccda1d050809446300485c0747d16981

              SHA512

              67dd36ca578ae7bfe3ebd167f193fe35513841aaa3a5f3124c4a1ae04241c554a0ff26a9afcee4e3ad4aaa8528b96e99a89192c7f1fc22dead81ad9af36a4906

              Download Submit

            • memory/1312-178-0x0000000000400000-0x0000000000537000-memory.dmp

              Filesize

              1.2MB

              Download

            • memory/1312-168-0x0000000000400000-0x0000000000537000-memory.dmp

              Filesize

              1.2MB

              Download

            • memory/1312-173-0x0000000000400000-0x0000000000537000-memory.dmp

              Filesize

              1.2MB

              Download

            • memory/1312-170-0x0000000000400000-0x0000000000537000-memory.dmp

              Filesize

              1.2MB

              Download

            • memory/1312-182-0x0000000000400000-0x0000000000537000-memory.dmp

              Filesize

              1.2MB

              Download

            • memory/1688-158-0x0000000000FF0000-0x0000000000FFC000-memory.dmp

              Filesize

              48KB

              Download

            • memory/3088-144-0x0000000000400000-0x0000000000436000-memory.dmp

              Filesize

              216KB

              Download

            • memory/3088-165-0x0000000000400000-0x0000000000436000-memory.dmp

              Filesize

              216KB

              Download

            • memory/3088-142-0x00000000005D9000-0x00000000005EA000-memory.dmp

              Filesize

              68KB

              Download

            • memory/3088-143-0x0000000000590000-0x0000000000599000-memory.dmp

              Filesize

              36KB

              Download

            • memory/3276-172-0x0000000002200000-0x000000000231B000-memory.dmp

              Filesize

              1.1MB

              Download

            • memory/3276-171-0x0000000002068000-0x00000000020FA000-memory.dmp

              Filesize

              584KB

              Download

            • memory/3588-174-0x0000000000C40000-0x0000000000CAB000-memory.dmp

              Filesize

              428KB

              Download

            • memory/3588-156-0x0000000000CB0000-0x0000000000D25000-memory.dmp

              Filesize

              468KB

              Download

            • memory/3588-159-0x0000000000C40000-0x0000000000CAB000-memory.dmp

              Filesize

              428KB

              Download

            • memory/3604-137-0x00000000004D8000-0x00000000004E9000-memory.dmp

              Filesize

              68KB

              Download

            • memory/3604-136-0x0000000002040000-0x0000000002049000-memory.dmp

              Filesize

              36KB

              Download

            • memory/3604-133-0x0000000002040000-0x0000000002049000-memory.dmp

              Filesize

              36KB

              Download

            • memory/3604-134-0x0000000000400000-0x0000000000436000-memory.dmp

              Filesize

              216KB

              Download

            • memory/3604-135-0x00000000004D8000-0x00000000004E9000-memory.dmp

              Filesize

              68KB

              Download

            • memory/3604-138-0x0000000000400000-0x0000000000436000-memory.dmp

              Filesize

              216KB

              Download

            • memory/3604-132-0x00000000004D8000-0x00000000004E9000-memory.dmp

              Filesize

              68KB

              Download

            • memory/4280-175-0x0000000003350000-0x00000000033FE000-memory.dmp

              Filesize

              696KB

              Download

            • memory/4280-164-0x0000000003130000-0x000000000325C000-memory.dmp

              Filesize

              1.2MB

              Download

            • memory/4280-179-0x0000000003130000-0x000000000325C000-memory.dmp

              Filesize

              1.2MB

              Download

            • memory/4280-166-0x0000000003270000-0x0000000003332000-memory.dmp

              Filesize

              776KB

              Download

            • memory/4280-163-0x0000000002ED0000-0x0000000002FFC000-memory.dmp

              Filesize

              1.2MB

              Download

            • memory/5116-160-0x0000000000629000-0x000000000063A000-memory.dmp

              Filesize

              68KB

              Download

            • memory/5116-161-0x00000000004B0000-0x00000000004B9000-memory.dmp

              Filesize

              36KB

              Download

            • memory/5116-162-0x0000000000400000-0x0000000000436000-memory.dmp

              Filesize

              216KB

              Download