Analysis
max time kernel: 164s
max time network: 173s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 10-05-2022 16:07
Static task: static1
Behavioral task: behavioral1
Sample: 3d2847fe50324aeb276be3e268b935ce6994223ee694c6dd7fe3e9d4eae2c205.exe
Resource: win10v2004-20220414-en
General
Target: 3d2847fe50324aeb276be3e268b935ce6994223ee694c6dd7fe3e9d4eae2c205.exe
Size: 262KB
MD5: 991c52184801e3de9d2cf74a00febbcf
SHA1: f3eeeff5ebb09dbdc21ced35624c8dd9a466840b
SHA256: 3d2847fe50324aeb276be3e268b935ce6994223ee694c6dd7fe3e9d4eae2c205
SHA512: ba93fca49ff98f2568e3938273cdaa5b8d725494de87725ca944aeeb171fad93bc5a32746196da701c065daa693177c42d824096f233ce6b99c217239777a44c
Malware Config

Extracted: smokeloader 2020
Extracted: djvu
http://ugll.org/lancer/get.php
extension: .egfg
offline_id: QcVY9rkapJoL3nQkZAsvfTFVYLmscrM1v1QxGWt1
payload_url: http://zerit.top/dl/build2.exe
payload_url: http://ugll.org/files/1/build3.exe
ransomnote: ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-6Ti2DxXR3I Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: manager@time2mail.ch Reserve e-mail address to contact us: supportsys@airmail.cc Your personal ID: 0474JIjdm
Extracted: vidar 52 1333
https://t.me/hollandracing
https://busshi.moe/@ronxik321
profile_id: 1333
Signatures

Detected Djvu ransomware (5 IoCs)
Processes:
resource                                                                      yara_rule
behavioral1/memory/4532-143-0x0000000002330000-0x000000000244B000-memory.dmp  family_djvu
behavioral1/memory/4984-151-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
behavioral1/memory/4984-153-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
behavioral1/memory/4984-155-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
behavioral1/memory/4984-158-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
Djvu Ransomware
Ransomware which is a variant of the STOP family.

SmokeLoader
Modular backdoor trojan in use since 2014.

suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
Vidar Stealer (2 IoCs)
Processes:
resource                                                                      yara_rule
behavioral1/memory/2568-141-0x0000000000640000-0x000000000068D000-memory.dmp  family_vidar
behavioral1/memory/2568-154-0x0000000000400000-0x00000000004FB000-memory.dmp  family_vidar
Executes dropped EXE (5 IoCs)
Processes:
pid   process
4532  3023.exe
2568  3DEF.exe
1448  4F84.exe
4984  3023.exe
2592  dwuewdh
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow  ioc
100   api.2ip.ua
Suspicious use of SetThreadContext (1 IoC)
Processes:
description                          pid   process   target process
PID 4532 set thread context of 4984  4532  3023.exe  3023.exe
Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
description     ioc                                               process
Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  3d2847fe50324aeb276be3e268b935ce6994223ee694c6dd7fe3e9d4eae2c205.exe
Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  3d2847fe50324aeb276be3e268b935ce6994223ee694c6dd7fe3e9d4eae2c205.exe
Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  3d2847fe50324aeb276be3e268b935ce6994223ee694c6dd7fe3e9d4eae2c205.exe
Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  dwuewdh
Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  dwuewdh
Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  dwuewdh
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
pid   process                                                                entries
2476  3d2847fe50324aeb276be3e268b935ce6994223ee694c6dd7fe3e9d4eae2c205.exe  2
2896  (process name not recorded)                                            62
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
pid   process
2896  (process name not recorded)
Suspicious behavior: MapViewOfSection (6 IoCs)
Processes:
pid   process                                                                entries
2476  3d2847fe50324aeb276be3e268b935ce6994223ee694c6dd7fe3e9d4eae2c205.exe  1
2896  (process name not recorded)                                            4
2592  dwuewdh                                                                1
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
description                       pid   process
Token: SeShutdownPrivilege        2896  (process name not recorded)
Token: SeCreatePagefilePrivilege  2896  (process name not recorded)
Suspicious use of WriteProcessMemory (26 IoCs)
Processes:
description                       pid   process                      target process  entries
PID 2896 wrote to memory of 4532  2896  (process name not recorded)  3023.exe        3
PID 2896 wrote to memory of 2568  2896  (process name not recorded)  3DEF.exe        3
PID 2896 wrote to memory of 1448  2896  (process name not recorded)  4F84.exe        3
PID 4532 wrote to memory of 4984  4532  3023.exe                     3023.exe        10
PID 2896 wrote to memory of 4280  2896  (process name not recorded)  explorer.exe    4
PID 2896 wrote to memory of 2388  2896  (process name not recorded)  explorer.exe    3
Processes

C:\Users\Admin\AppData\Local\Temp\3d2847fe50324aeb276be3e268b935ce6994223ee694c6dd7fe3e9d4eae2c205.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\3d2847fe50324aeb276be3e268b935ce6994223ee694c6dd7fe3e9d4eae2c205.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection

C:\Users\Admin\AppData\Local\Temp\3023.exe
  command line: C:\Users\Admin\AppData\Local\Temp\3023.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\3023.exe
      command line: C:\Users\Admin\AppData\Local\Temp\3023.exe
      - Executes dropped EXE

C:\Users\Admin\AppData\Local\Temp\3DEF.exe
  command line: C:\Users\Admin\AppData\Local\Temp\3DEF.exe
  - Executes dropped EXE

C:\Users\Admin\AppData\Local\Temp\4F84.exe
  command line: C:\Users\Admin\AppData\Local\Temp\4F84.exe
  - Executes dropped EXE

C:\Windows\SysWOW64\explorer.exe
  command line: C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe
  command line: C:\Windows\explorer.exe

C:\Users\Admin\AppData\Roaming\dwuewdh
  command line: C:\Users\Admin\AppData\Roaming\dwuewdh
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
Downloads

C:\Users\Admin\AppData\Local\Temp\3023.exe
Filesize: 793KB
MD5: 63af65fe36babc095e343bf05cff70cc
SHA1: 97c72008b97c8d043336b76c55dd62b5b16393a8
SHA256: a0cc5a24c9107b52177d612d342172612662287ad8ced1243966cf9ef5a687a3
SHA512: 07f65fa77ca068d86435b039a29c3af8f3c61f83d89db1047bb80f4beb6c5755c666e8a1056b23de1cc3557bcc272cabd7e1fb7e6ded17b5dd584c94f51d5cb3

C:\Users\Admin\AppData\Local\Temp\3DEF.exe
Filesize: 411KB
MD5: 4d4aacaaac0146811970c85ce456cc2a
SHA1: bb25d5c6d7a9cc289c5195e13b2a0575289e6134
SHA256: 771e19ccac62a39284a2e7e6929b5b3d770c151f0e1e79b54a987e41a02595e9
SHA512: 4a0483cb4622240c6d9ad321e3e653f8bb0bc983feb20237473a63865eb5b284710081a06e563af5be69416b0e019c5da22a3bd6fd0dc91f6c009f01032ddef4

C:\Users\Admin\AppData\Local\Temp\4F84.exe
Filesize: 583KB
MD5: 6dc93b1c4f33daa01c3820905e7a46d7
SHA1: 164fa25aa71ae510efa8fa525c00a9a650920596
SHA256: 064a2978517c3f85867bd6219e4017420be47181fd4d2b6b26e9f29312482bdc
SHA512: 8074970f179fb6307ac1898e490763c5a2a53ff97d739a1d66f83253a1a48ddb5e811162ae80f3d22ff352dde0080a829493376f40e116c2b85018dcc52f0a42

C:\Users\Admin\AppData\Roaming\dwuewdh
Filesize: 262KB
MD5: 991c52184801e3de9d2cf74a00febbcf
SHA1: f3eeeff5ebb09dbdc21ced35624c8dd9a466840b
SHA256: 3d2847fe50324aeb276be3e268b935ce6994223ee694c6dd7fe3e9d4eae2c205
SHA512: ba93fca49ff98f2568e3938273cdaa5b8d725494de87725ca944aeeb171fad93bc5a32746196da701c065daa693177c42d824096f233ce6b99c217239777a44c

memory dump                                                       Filesize
memory/1448-144-0x0000000000000000-mapping.dmp                    -
memory/1448-149-0x0000000000400000-0x00000000004D0000-memory.dmp  832KB
memory/1448-148-0x0000000000610000-0x000000000064A000-memory.dmp  232KB
memory/1448-147-0x00000000007E7000-0x0000000000813000-memory.dmp  176KB
memory/2388-157-0x0000000000000000-mapping.dmp                    -
memory/2476-130-0x00000000006F7000-0x0000000000707000-memory.dmp  64KB
memory/2476-132-0x0000000000400000-0x0000000000482000-memory.dmp  520KB
memory/2476-131-0x00000000008F0000-0x00000000008F9000-memory.dmp  36KB
memory/2568-137-0x0000000000000000-mapping.dmp                    -
memory/2568-154-0x0000000000400000-0x00000000004FB000-memory.dmp  1004KB
memory/2568-141-0x0000000000640000-0x000000000068D000-memory.dmp  308KB
memory/2568-140-0x000000000078C000-0x00000000007BA000-memory.dmp  184KB
memory/2592-163-0x0000000000400000-0x0000000000482000-memory.dmp  520KB
memory/2592-161-0x0000000000827000-0x0000000000837000-memory.dmp  64KB
memory/2592-162-0x00000000006E0000-0x00000000006E9000-memory.dmp  36KB
memory/2896-164-0x0000000002940000-0x0000000002956000-memory.dmp  88KB
memory/2896-133-0x0000000000640000-0x0000000000656000-memory.dmp  88KB
memory/4280-156-0x0000000000000000-mapping.dmp                    -
memory/4532-142-0x00000000021E1000-0x0000000002272000-memory.dmp  580KB
memory/4532-143-0x0000000002330000-0x000000000244B000-memory.dmp  1.1MB
memory/4532-134-0x0000000000000000-mapping.dmp                    -
memory/4984-151-0x0000000000400000-0x0000000000537000-memory.dmp  1.2MB
memory/4984-158-0x0000000000400000-0x0000000000537000-memory.dmp  1.2MB
memory/4984-155-0x0000000000400000-0x0000000000537000-memory.dmp  1.2MB
memory/4984-153-0x0000000000400000-0x0000000000537000-memory.dmp  1.2MB
memory/4984-150-0x0000000000000000-mapping.dmp                    -