Overview

overview

10

Static

static

Corporate_...in.exe

windows7_x64

10

Corporate_...in.exe

windows10_x64

8

Analysis

  • max time kernel
    122s
  • max time network
    134s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    04-09-2020 19:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Corporate_Detail-June.2020.bin.exe

  • Size

    1.3MB

  • MD5

    6b083c1bfd21eea2a3f18283f1f3c5f5

  • SHA1

    929b10f78565660535a07917d144d00b0c117571

  • SHA256

    f2363a355fe226cb2f7f1afa72daecc5edfe1cb0edc1295856fb3f874d941b6d

  • SHA512

    1ef2561ac5784bb90a1d39ab82f6f01122453bbe22cd55fa0a49aa534a7ece00c48b2bf1d31537e3fc5a447d1293bc23165c6a1fb00df2b3fda37a2eee62ee71

Score
10/10
ransomwarespywaresmaug

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\HACKED.txt

Family

smaug

Ransom Note
Your files have been encrypted using military grade encryption. They can never be accessed again without buying a decryption key. You can buy the decryption key at http://smaugrwmaystthfxp72tlmdbrzlwdp2pxtpvtzvhkv5ppg3difiwonad.onion. To access the site you need Tor Browser. to view site you can download torbrowser here - https://www.torproject.org/download/ need help?support ttviper@secmail.pro
Emails

ttviper@secmail.pro

URLs

http://smaugrwmaystthfxp72tlmdbrzlwdp2pxtpvtzvhkv5ppg3difiwonad.onion

Signatures

  • Smaug

    Ransomware-as-a-service first seen marketed on forums etc. in early 2020.

    ransomwaresmaug
  • Drops file in Drivers directory 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • JavaScript code in executable 4 IoCs
  • Drops file in System32 directory 406 IoCs
  • Drops file in Program Files directory 4749 IoCs
  • Drops file in Windows directory 3469 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Corporate_Detail-June.2020.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\Corporate_Detail-June.2020.bin.exe"
    1⤵
    • Loads dropped DLL
    • Modifies Internet Explorer settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1496
    • C:\Users\Admin\AppData\Local\Temp\11bdd939-1d45-421c-9be0-0addcdc8181c_windows.exe
      "C:\Users\Admin\AppData\Local\Temp\11bdd939-1d45-421c-9be0-0addcdc8181c_windows.exe"
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      PID:2028

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\11bdd939-1d45-421c-9be0-0addcdc8181c_windows.exe
    Download Submit
  • \Users\Admin\AppData\Local\Temp\11bdd939-1d45-421c-9be0-0addcdc8181c_windows.exe
    Download Submit
  • \Users\Admin\AppData\Local\Temp\11bdd939-1d45-421c-9be0-0addcdc8181c_windows.exe
    Download Submit
  • \Users\Admin\AppData\Local\Temp\11bdd939-1d45-421c-9be0-0addcdc8181c_windows.exe
    Download Submit
  • memory/1496-10-0x0000000005280000-0x00000000052A3000-memory.dmp
    Filesize

    140KB

    Download
  • memory/1836-0-0x000007FEF6510000-0x000007FEF678A000-memory.dmp
    Filesize

    2.5MB

    Download
  • memory/2028-8-0x0000000000000000-mapping.dmp
    Download
  • memory/2028-12-0x0000000000400000-0x00000000006A6000-memory.dmp
    Filesize

    2.6MB

    Download
  • memory/2028-13-0x0000000000400000-0x00000000006A6000-memory.dmp
    Filesize

    2.6MB

    Download
  • memory/2028-14-0x0000000000400000-0x00000000006A6000-memory.dmp
    Filesize

    2.6MB

    Download