Analysis

  • max time kernel
    147s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15/05/2023, 12:36

General

  • Target

    0a0add1af79f26efea50912be3f14ee915ebfbe26da5fba1a3078cb1cf625f51.exe

  • Size

    772KB

  • MD5

    23b2b6a29cba5939630648642b891a28

  • SHA1

    b2799905c99fab232a7d86695e14591e41966e45

  • SHA256

    0a0add1af79f26efea50912be3f14ee915ebfbe26da5fba1a3078cb1cf625f51

  • SHA512

    be29cf3f830c5f97019336ddb7e0eace811f709f7cdd57c5aec10fbb98afdbe042e2799910613ad95814feb60a13ec54770fef6bc91db97facddb7ad6bcb0cc0

  • SSDEEP

    12288:YA6Whr1sa4XVDQm9EQ6RMO7UfGQOrQQV7Rv38lj5qohTLxDtrdUZY:YAjrea4X8QHGBPVlUVEohT91dUZY

Malware Config

Extracted

Family

djvu

C2

http://zexeq.com/test1/get.php

Attributes
  • extension

    .xash

  • offline_id

    uK3VnHYy6oibGbO8t2PDOMcT40gQoh5oUUCe2Lt1

  • payload_url

    http://colisumy.com/dl/build2.exe

    http://zexeq.com/files/1/build3.exe

  • ransomnote

    ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-otP8Wlz4eh Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0707JOsie

rsa_pubkey.plain

Signatures

  • Detected Djvu ransomware 16 IoCs
  • Djvu Ransomware

    Ransomware which is a variant of the STOP family.

  • Downloads MZ/PE file

    build3.exe is fetched from the payload_url and written to C:\Users\Admin\AppData\Local\8e53a592-47b3-4ecd-adad-00e72b76a35a\build3.exe; the same 9KB file (identical MD5/SHA1/SHA256 in Downloads) is later placed at C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe, the binary the scheduled task runs.
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs

    The icacls call in the process tree denies Everyone (S-1-1-0) the Delete and Delete-child rights ((DE,DC)), inherited to files and subfolders ((OI)(CI)), on the %LOCALAPPDATA% GUID folder into which the sample copies itself (see Downloads), so the staged copy cannot be removed with normal user rights. Clean-up requires first removing that deny ACE (icacls <folder> /remove:d *S-1-1-0) or taking ownership.
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs

    Each instance of the sample (PIDs 2076 and 2464) spawns a second copy of its own image, writes into it (WriteProcessMemory) and then sets its thread context. That pairing is consistent with process hollowing: a packed loader replacing a suspended child's image with the unpacked payload, which is why the 0x400000-0x537000 region of the children (PIDs 2196 and 3160) is what the memory dumps capture.
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution. Here build3.exe registers "Azure-Update-Task" to run mstsca.exe every minute (/sc minute /mo 1, forced with /F), and mstsca.exe re-registers the same task each time it runs, so deleting the task without removing the binary is not sufficient.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0a0add1af79f26efea50912be3f14ee915ebfbe26da5fba1a3078cb1cf625f51.exe
    "C:\Users\Admin\AppData\Local\Temp\0a0add1af79f26efea50912be3f14ee915ebfbe26da5fba1a3078cb1cf625f51.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2076
    • C:\Users\Admin\AppData\Local\Temp\0a0add1af79f26efea50912be3f14ee915ebfbe26da5fba1a3078cb1cf625f51.exe
      "C:\Users\Admin\AppData\Local\Temp\0a0add1af79f26efea50912be3f14ee915ebfbe26da5fba1a3078cb1cf625f51.exe"
      2⤵
      • Checks computer location settings
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2196
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Users\Admin\AppData\Local\a489c808-8c11-491e-9694-4bae8c47f9a0" /deny *S-1-1-0:(OI)(CI)(DE,DC)
        3⤵
        • Modifies file permissions
        PID:3768
      • C:\Users\Admin\AppData\Local\Temp\0a0add1af79f26efea50912be3f14ee915ebfbe26da5fba1a3078cb1cf625f51.exe
        "C:\Users\Admin\AppData\Local\Temp\0a0add1af79f26efea50912be3f14ee915ebfbe26da5fba1a3078cb1cf625f51.exe" --Admin IsNotAutoStart IsNotTask
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2464
        • C:\Users\Admin\AppData\Local\Temp\0a0add1af79f26efea50912be3f14ee915ebfbe26da5fba1a3078cb1cf625f51.exe
          "C:\Users\Admin\AppData\Local\Temp\0a0add1af79f26efea50912be3f14ee915ebfbe26da5fba1a3078cb1cf625f51.exe" --Admin IsNotAutoStart IsNotTask
          4⤵
          • Checks computer location settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3160
          • C:\Users\Admin\AppData\Local\8e53a592-47b3-4ecd-adad-00e72b76a35a\build3.exe
            "C:\Users\Admin\AppData\Local\8e53a592-47b3-4ecd-adad-00e72b76a35a\build3.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:3144
            • C:\Windows\SysWOW64\schtasks.exe
              /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
              6⤵
              • Creates scheduled task(s)
              PID:3220
  • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:2148
    • C:\Windows\SysWOW64\schtasks.exe
      /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
      2⤵
      • Creates scheduled task(s)
      PID:4220
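
Added triage helper, not part of the sandbox report or of the malware: the three command-line patterns in the process tree above are the handles a detection engineer would key on, so this Python script tokenizes Windows command lines and flags each of them: icacls denying Everyone (S-1-1-0) Delete/Delete-child rights, a schtasks job firing every minute from a path under AppData, and the "--Admin IsNotAutoStart IsNotTask" self-relaunch arguments. The sample rows are constructed from the tree (the SHA256 filename is shortened to sample.exe, and one benign icacls call is added for contrast); everything else is the standard library.

```python
"""Flag the STOP/Djvu persistence and anti-deletion command lines seen in a
sandbox process tree. Added example; sample rows are constructed from the
tree above and are not the sandbox's own output."""
import re

# Constructed sample: (pid, image, command line) rows, taken from the tree
# above plus one benign icacls call (pid 5000) that must not fire.
SAMPLE_TREE = [
    (2196, r"C:\Users\Admin\AppData\Local\Temp\sample.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\sample.exe"'),
    (3768, r"C:\Windows\SysWOW64\icacls.exe",
     r'icacls "C:\Users\Admin\AppData\Local\a489c808-8c11-491e-9694-4bae8c47f9a0" /deny *S-1-1-0:(OI)(CI)(DE,DC)'),
    (2464, r"C:\Users\Admin\AppData\Local\Temp\sample.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\sample.exe" --Admin IsNotAutoStart IsNotTask'),
    (3220, r"C:\Windows\SysWOW64\schtasks.exe",
     r'/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"'),
    (5000, r"C:\Windows\System32\icacls.exe",
     r'icacls "C:\Program Files\App" /grant Users:(OI)(CI)RX'),
]

_TOKEN = re.compile(r'"[^"]*"|\S+')
# Any path under <drive>:\Users\<name>\AppData\ (user-writable, no admin needed).
USER_DIR = re.compile(r"\\users\\[^\\]+\\appdata\\", re.I)
# Everyone's well-known SID, as icacls spells it (the '*' prefix means a raw SID).
EVERYONE = ("*s-1-1-0", "everyone")


def tokenize(cmdline):
    """Split a Windows command line, keeping quoted paths whole and
    dropping the surrounding quotes."""
    return [t.strip('"') for t in _TOKEN.findall(cmdline)]


def icacls_everyone_delete_deny(tokens):
    """icacls <path> /deny *S-1-1-0:(...)(DE,DC): Everyone denied Delete
    (D / DE) or Delete-child (DC). Returns the protected path, or None."""
    low = [t.lower() for t in tokens]
    if not low or not low[0].rsplit("\\", 1)[-1].startswith("icacls"):
        return None
    for i, t in enumerate(low):
        if t == "/deny" and i + 1 < len(low):
            sid, _, rights = low[i + 1].partition(":")
            if sid in EVERYONE and re.search(r"\b(?:d|de|dc)\b", rights):
                return tokens[1]          # icacls <path> ... : path is token 1
    return None


def schtasks_minute_userdir(tokens):
    """schtasks /create ... /sc minute ... /tr <path under AppData>: a task
    firing every minute from a user-writable directory. Returns
    (task name, target path), or None."""
    low = [t.lower() for t in tokens]
    if "/create" not in low:
        return None

    def arg(flag):
        try:
            return tokens[low.index(flag) + 1]
        except (ValueError, IndexError):
            return None

    sched, target, name = arg("/sc"), arg("/tr"), arg("/tn")
    if sched and sched.lower() == "minute" and target and USER_DIR.search(target):
        return (name, target)
    return None


# Only the argument set visible in this tree; other builds use other strings.
DJVU_ARGS = ("--admin", "isnotautostart", "isnottask")


def djvu_self_spawn(tokens):
    """The sample relaunching itself with '--Admin IsNotAutoStart IsNotTask'."""
    low = [t.lower() for t in tokens]
    return all(a in low for a in DJVU_ARGS)


def triage(tree):
    """Run every check over (pid, image, cmdline) rows; return (pid, rule, detail)."""
    findings = []
    for pid, _image, cmdline in tree:
        toks = tokenize(cmdline)
        path = icacls_everyone_delete_deny(toks)
        if path:
            findings.append((pid, "icacls_deny_everyone_delete", path))
        if djvu_self_spawn(toks):
            findings.append((pid, "djvu_self_spawn_args", cmdline))
        task = schtasks_minute_userdir(toks)
        if task:
            findings.append((pid, "schtasks_minute_userdir", task[1]))
    return findings


if __name__ == "__main__":
    for pid, rule, detail in triage(SAMPLE_TREE):
        print(f"{pid:>5}  {rule:<28} {detail}")
```

To use it on real telemetry, feed rows built from Sysmon event 1 or EDR process-creation records. The icacls check is deliberately not limited to AppData paths: a deny-delete ACE for Everyone is unusual anywhere outside installer activity, and the hit on a GUID-named folder under %LOCALAPPDATA% is what makes it worth an alert rather than a log line.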

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

    Filesize

    2KB

    MD5

    91425cdf7f700e70ded152906a8897d4

    SHA1

    91934f4da3b05318a7f9c13772c3148502095f90

    SHA256

    3d84c7f6ae4a5c248c01b6c0821b9df6931d93453d2cdd98b6acb14715d2662b

    SHA512

    f76c4f299d06decf930463e3d642edf25e099ab1a6cc4f24e5b91bc37d4aacf373733d98d87407b23e28569719721c1e0bed90d99338514e4be1788b329ef348

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

    Filesize

    1KB

    MD5

    a9a657bb9fbf982c38587ee2b9590a7d

    SHA1

    ba348aa472b2d143c829cd5a764605b8e22a353c

    SHA256

    d08e18ff8411d67ed596edcbf1aa36365d0cab8f4de48c7abfdb4062c4ab2b9c

    SHA512

    1dcfba62c5977a3dcdf70f3fb46f6e16ab2542b68d6ebbbc4bce76c0edc4982af8ad9e4afe1d71fd3f222e01da404254e6cfdb02605ba73e21987f09522d33e1

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

    Filesize

    488B

    MD5

    b020eed8c01084c318855a1f3ca750bc

    SHA1

    0f32462f3dbb02035e68ab5a5828f7f934efddb3

    SHA256

    578d23d498aed27e8cdf0682f0f22095c542e68bb8f4b2f8098ecaa5ebffe928

    SHA512

    84a32072a658da6f0d4eed3d786e0fea8210ff40a2299830a12196dff53adc59c56b468fb21e9ba0cc20f0d816184461df6398fa725b2fedc54ecdcf40c5d86d

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

    Filesize

    482B

    MD5

    6f5bb8c4a5dcd20dd8589c91b40d8288

    SHA1

    ea4bef28b08a30cbab339cb30840930937c86d6e

    SHA256

    8081365bfbedf68ecd9749d7a8fff946706025423d118285f0f185ae6521131c

    SHA512

    d608cce296bd9c693903a1cbe3182e130d3cf7d6c0b5b7d15ec85a0c63d6345e3c47334c0b7d5c0c6eb639e93b9cc4d89cf2cf96dc2642674ef62985b373d304

  • C:\Users\Admin\AppData\Local\8e53a592-47b3-4ecd-adad-00e72b76a35a\build3.exe

    Filesize

    9KB

    MD5

    9ead10c08e72ae41921191f8db39bc16

    SHA1

    abe3bce01cd34afc88e2c838173f8c2bd0090ae1

    SHA256

    8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

    SHA512

    aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

  • C:\Users\Admin\AppData\Local\a489c808-8c11-491e-9694-4bae8c47f9a0\0a0add1af79f26efea50912be3f14ee915ebfbe26da5fba1a3078cb1cf625f51.exe

    Filesize

    772KB

    MD5

    23b2b6a29cba5939630648642b891a28

    SHA1

    b2799905c99fab232a7d86695e14591e41966e45

    SHA256

    0a0add1af79f26efea50912be3f14ee915ebfbe26da5fba1a3078cb1cf625f51

    SHA512

    be29cf3f830c5f97019336ddb7e0eace811f709f7cdd57c5aec10fbb98afdbe042e2799910613ad95814feb60a13ec54770fef6bc91db97facddb7ad6bcb0cc0

  • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

    Filesize

    9KB

    MD5

    9ead10c08e72ae41921191f8db39bc16

    SHA1

    abe3bce01cd34afc88e2c838173f8c2bd0090ae1

    SHA256

    8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

    SHA512

    aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

  • memory/2076-137-0x0000000002420000-0x000000000253B000-memory.dmp

    Filesize

    1.1MB

  • memory/2196-148-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

  • memory/2196-135-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

  • memory/2196-136-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

  • memory/2196-138-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

  • memory/2196-139-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

  • memory/3160-169-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

  • memory/3160-168-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

  • memory/3160-153-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

  • memory/3160-152-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

  • memory/3160-166-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

  • memory/3160-179-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

  • memory/3160-161-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

  • memory/3160-183-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

  • memory/3160-160-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB

  • memory/3160-158-0x0000000000400000-0x0000000000537000-memory.dmp

    Filesize

    1.2MB